There's spam in Google's cache of my site
July 8, 2011 11:03 AM Subscribe
I have spam showing up in my website header and cached copy on Google's search results.
When searching for my name, the first Google result goes to my firstnamelastname.com website, which is my professional portfolio. However, it's showing up in search results with "BUY Naltrexone ONLINE NO PRESCRIPTION" at the beginning of the description. If I go to Google's cached copy of my site, it has "BUY CHLORAMPHENICOL ONLINE NO PRESCRIPTION | BUY CHLORAMPHENICOL ONLINE NO PRESCRIPTION" across the top where my contact information should be. The first instance is a link to my webpage. There is no such spam on my actual, non-cached website.
Searching for these phrases shows that a lot of other pages have this stuff in their search results, too. What is this, and how can I get rid of it?
I'm running the most current version of Wordpress, if that helps.
When searching for my name, the first Google result goes to my firstnamelastname.com website, which is my professional portfolio. However, it's showing up in search results with "BUY Naltrexone ONLINE NO PRESCRIPTION" at the beginning of the description. If I go to Google's cached copy of my site, it has "BUY CHLORAMPHENICOL ONLINE NO PRESCRIPTION | BUY CHLORAMPHENICOL ONLINE NO PRESCRIPTION" across the top where my contact information should be. The first instance is a link to my webpage. There is no such spam on my actual, non-cached website.
Searching for these phrases shows that a lot of other pages have this stuff in their search results, too. What is this, and how can I get rid of it?
I'm running the most current version of Wordpress, if that helps.
Your site's been compromised by folks who are using its PageRank to juice their own spam links. The .htaccess file at the root and/or WordPress level is sensing if a visitor is a real person or a web spider, and passing off the latter to a special php file which injects the links. If these terms don't make sense to you, you'll need to talk to somebody who does understand them in order to fix the problem. The compromise came either through an exploit of WordPress or some other dynamic code you have on the site.
posted by squid patrol at 11:14 AM on July 8, 2011 [1 favorite]
posted by squid patrol at 11:14 AM on July 8, 2011 [1 favorite]
Best answer: There is no such spam on my actual, non-cached website.
Are you sure about that? Go to Google Webmaster Tools, register your site, and choose the "Fetch as Googlebot" option. There's a possibility that the spam is being injected outside of the <html> tags, which shows up on Google but not in View Source.
posted by holgate at 11:15 AM on July 8, 2011
Are you sure about that? Go to Google Webmaster Tools, register your site, and choose the "Fetch as Googlebot" option. There's a possibility that the spam is being injected outside of the <html> tags, which shows up on Google but not in View Source.
posted by holgate at 11:15 AM on July 8, 2011
The compromise came either through an exploit of WordPress or some other dynamic code you have on the site.
I've seen this sort of things a couple of times and it was actually done via ftp... which was actually handy because the ftp logs listed every file that was altered. Injections via exploited code are a bitch.
If you do find a problem in your .htaccess, don't assume its the only thing they changed. If it was done over ftp you might be able to access the logs and know exactly what was altered so you can fix it. Otherwise I'd recommend backing up your theme and any media files you might have uploaded then deleting all the files on your server and re-installing wordpress and any plugins you were using. Just checking your theme for injected code is a much smaller task that pouring over your whole site file by file - especially if you're not a coder and don't know what you're looking for.
posted by missmagenta at 11:24 AM on July 8, 2011
I've seen this sort of things a couple of times and it was actually done via ftp... which was actually handy because the ftp logs listed every file that was altered. Injections via exploited code are a bitch.
If you do find a problem in your .htaccess, don't assume its the only thing they changed. If it was done over ftp you might be able to access the logs and know exactly what was altered so you can fix it. Otherwise I'd recommend backing up your theme and any media files you might have uploaded then deleting all the files on your server and re-installing wordpress and any plugins you were using. Just checking your theme for injected code is a much smaller task that pouring over your whole site file by file - especially if you're not a coder and don't know what you're looking for.
posted by missmagenta at 11:24 AM on July 8, 2011
Best answer: Your site has been compromised. Just because you don't see it when you visit doesn't mean it's not there. It could be configured to only display when Google vists, but regardless, the fact that someone was able to gain access and add or modify files to your site means that there is a vulnerability somewhere that you need to fix. If left unfixed, you are likely to get removed from the Google index, or have the "malicious website" warning scaring away people from clicking.
posted by Rhomboid at 11:38 AM on July 8, 2011
posted by Rhomboid at 11:38 AM on July 8, 2011
This happened to me too, ftp account was compromised and my .htaccess file was modified.
I changed all my passwords, cleaned up the .htaccess file and waited to see what happened.
That was enough to fix it but it's not unheard of to do a restore from a backup you know is clean.
posted by dolface at 11:58 AM on July 8, 2011
I changed all my passwords, cleaned up the .htaccess file and waited to see what happened.
That was enough to fix it but it's not unheard of to do a restore from a backup you know is clean.
posted by dolface at 11:58 AM on July 8, 2011
Response by poster: Thanks, folks - my .htaccess files don't seem to be compromised, so maybe it's somewhere else. I'm trying to find out if my host keeps FTP logs somewhere.
The only one that has been modified recently is in my public_html directory:
RewriteEngine on
# Use PHP5 as default
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml
Options All -Indexes
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^portfolio\/?$ "http\:\/\/myfirstnamemylastname\.com\/" [R=301,L]
(I want to send people who go to http://myblogsite.com/portfolio to http://myfirstnamemylastname.com)
In my firstnamelastname.com directory (which is a subdir of my public_html directory), it's just the standard Wordpress stuff:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
I did check looking at the site as the Googlebot, and the spam stuff is there, so something is clearly hacked, but I'm still not sure what. Plus, I just upgraded my Wordpress today, so most of my files are clean. I guess once I hear back from my host whether I can get an FTP log, that will help; otherwise I'll have to ply my Wordpress guru friends with liquor to see if they can work it out for me.
posted by Addlepated at 2:34 PM on July 8, 2011
The only one that has been modified recently is in my public_html directory:
RewriteEngine on
# Use PHP5 as default
AddHandler application/x-httpd-php5 .php .php4 .php3 .phtml
Options All -Indexes
RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^portfolio\/?$ "http\:\/\/myfirstnamemylastname\.com\/" [R=301,L]
(I want to send people who go to http://myblogsite.com/portfolio to http://myfirstnamemylastname.com)
In my firstnamelastname.com directory (which is a subdir of my public_html directory), it's just the standard Wordpress stuff:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
I did check looking at the site as the Googlebot, and the spam stuff is there, so something is clearly hacked, but I'm still not sure what. Plus, I just upgraded my Wordpress today, so most of my files are clean. I guess once I hear back from my host whether I can get an FTP log, that will help; otherwise I'll have to ply my Wordpress guru friends with liquor to see if they can work it out for me.
posted by Addlepated at 2:34 PM on July 8, 2011
Best answer: If you've just upgraded wordpress - first disable all your plugins (if you have any) and check it again as googlebot - if the problem is gone then its one of your plugins, you can find out which one by a process of elimination (turn them on one at a time checking with google each time until the problem recurrs). If the problem is still there then the problem is probably in your theme. Try the default theme, if the problem is still there, download a clean theme and install it. If the problem is *still* there then the update didn't replace all the files. Delete everything but the wp-content folder and install fresh from a downloaded version of WP.
posted by missmagenta at 2:57 PM on July 8, 2011
posted by missmagenta at 2:57 PM on July 8, 2011
Response by poster: Beautiful, Missmagenta - I didn't even think to check again, I just assumed it was still broken! It seems to be all medication spam-free now, and I'm going to change my password to something really keyboard mashy and still wait on those FTP logs from my host to make sure nothing else was compromised. Thanks to everyone for your advice!
posted by Addlepated at 3:14 PM on July 8, 2011
posted by Addlepated at 3:14 PM on July 8, 2011
Response by poster: Well, as an update, there wasn't any unauthorized FTP access to my account, so I guess they got in through a vulnerability in Wordpress. But geez, I had everything up to date (I thought). Sigh. I've changed my Wordpress password and my FTP password just in case.
posted by Addlepated at 7:17 PM on July 8, 2011
posted by Addlepated at 7:17 PM on July 8, 2011
I had this same problem and just solved it. In the htaccess file an IfModule had been added, which referred search bots to a file called wp-common. Delete that IfModule and the file wp-common. That resolved it for me.
posted by kirby1 at 11:07 AM on December 14, 2011
posted by kirby1 at 11:07 AM on December 14, 2011
This thread is closed to new comments.
posted by missmagenta at 11:14 AM on July 8, 2011