Join 3,438 readers in helping fund MetaFilter (Hide)


Is there any way to prevent external sites from linking to me?
June 12, 2012 12:27 PM   Subscribe

Is there any way to prevent external sites from linking to me?

I am temporarily managing the main website for my employer. Google has recently flagged this site as "compromised" because some external (link farm?) sites are linking to non-existent query pages on our site.

(Note: I am neither a developer or a webmaster, but seeing as how I am the most technologically aware person in our very-small company, I have been tasked with managing our site for now. I know just enough to get myself in trouble.)

There are approximately 400 of these incoming links, all related to prescription drug purchasing (ex: mydomain.com/?query=cymbalta-overnight-delivery). These URLs do not exist in either our database or our CMS (Joomla, if it matters), and no malware has been installed on the site. I am fairly confident that the back-end has not been compromised.

However, all these incoming links are causing Google to mark our site as "compromised". Also, many of our clients are US federal government agencies, some of who have let me know that they are no longer able to access our site on their network. This is decidedly Not Good.

I have blocked all query URLs via robots.txt, and asked Google to remove them individually from their search results, but I'm not sure that will be enough to un-block our site for these clients. I'm also concerned that new links will keep popping up and this will be a never-ending project for me to monitor.

Is there any way to prevent these external sites from linking to us at all? (I know who the culprits are.) I've done some basic Googling and haven't found much, but I'm hoping AskMe will have some suggestions. Any help is much appreciated!

(Anon because, well, work-related. Also incompetence-related.)

*Bonus question: any idea what the motivation behind this is, other than to give me a major headache? I can't quite figure out how this benefits these sites or draws more traffic to them, since all links are incoming and just redirect to our homepage.
posted by anonymous to Computers & Internet (11 answers total) 1 user marked this as a favorite
 
However, all these incoming links are causing Google to mark our site as "compromised".

Do you know that is the reason, or do you assume that is the reason? If this was possible it would be extremely easy, and prevalent, for a nefarious person to essentially erase a site from Google with just a few hundred ingoing links. If that were the case we would hear about it a lot more. I suspect there is something else that is (at least) giving the impression that your site is comprimised, and that you haven't found it yet.

Good luck!
posted by dirtdirt at 12:35 PM on June 12, 2012 [5 favorites]


Is there any way to prevent these external sites from linking to us at all?

Since a link is nothing more than a URL referenced in an HTML document, I don't think there's any way to prevent an external site from linking to yours. Sorry.

I'd double check to make absolutely sure nothing has been uploaded to your webserver. Scan the entire filesystem for anything that looks weird.

any idea what the motivation behind this is, other than to give me a major headache?

I'm guessing that something out there thinks it was successful in uploading something to your webserver and it has generated the links as a way of keeping track of the compromise.
posted by RonButNotStupid at 12:36 PM on June 12, 2012


Don't be so sure your site hasn't been compromised just because the links appear dead when you visit them. I've seen CMS attacks that only deliver the compromised content to the Google Bot (for search ranking purposes) or check cookies so they only deliver compromised content to not logged in first time visitors. Everyone else gets a standard (fake) 404 page. The compromised content could be hidden in a randomly named base64 encoded file hidden who knows where.

You can see examples of compromised sites with this google search: site:.edu cymbalta-overnight-delivery
posted by ChrisHartley at 12:49 PM on June 12, 2012 [2 favorites]


In PHP you can use something like $_SERVER['HTTP_REFERER'] to get the referring page (not infallible but pretty useful in practice) and also some other similar $_SERVER variables to get the REQUEST_URI and QUERY_STRING. More info here.

Once you have detected those values match something, you can do a number of things from presenting a special page to sending HTTP error messages of various types.

You can also so a lot of this type of thing in .htaccess - example1, example2, example3.
posted by flug at 12:51 PM on June 12, 2012


Is there any way to prevent external sites from linking to me?

Nope.

Google has recently flagged this site as "compromised" because some external (link farm?) sites are linking to non-existent query pages on our site.

Also nope. You don't get flagged because you're being linked to; you get linked to (and flagged) because you've been compromised.
posted by toomuchpete at 1:29 PM on June 12, 2012 [3 favorites]


From a commenter that would like to remain anonymous:
this might help
posted by mathowie at 1:58 PM on June 12, 2012


Google is not incorrect about your site being compromised in some fashion. Involve a professional if you're not sure how to proceed with a proper investigation. If this site is customer facing in any way, or has access to customer data you should proceed with extreme caution.
posted by odinsdream at 2:06 PM on June 12, 2012


Chiming in that your site has almost certainly been hacked, and there is a lot of information available by searching for "Joomla pharma hack" but if the advice there seems over your head, I heartily recommend biting the bullet and hiring a professional to do the cleaning, as well as doing a general security review of your site and your hosting environment.
posted by camcgee at 3:34 PM on June 12, 2012


Joining the chorus. I recently went through a Joomla compromise that sounds a lot like this one. I took the time to read through the (base64_enocded) compromise code and it was doing as ChrisHartley suggested: checking to see if the client was a search engine bot or a logged in user before executing.

If you're not a capable sysadmin, it will be be hard to do the necessary analysis and cleanup, but one thing you can and should do right now is get a Google Webmaster Tools account, claim the site so you can get reports on it, and request a malware review. When that report comes back, it will include any malicious code found on the page, which might help you narrow down where in the templates the code is being invoked.

If you get that far, just keep in mind that removing or cleaning a few suspect files won't necessarily fix things for good. The first Joomla crack I ever encountered left code around that did nothing but check for previously installed malicious code and quietly wrote it back into place.
posted by mph at 6:22 PM on June 12, 2012


Get thee to Google Webmaster Tools, register the site, then see what the Googlebot is actually viewing on your site: many injection compromises hide themselves from regular browsers.

And then hire a pro to clean it up.
posted by holgate at 7:12 PM on June 12, 2012


This happened on my Joomla site; turned out the site had been hacked (via SQL injection).
posted by nicebookrack at 6:33 AM on June 13, 2012


« Older So, this was me. The company c...   |  How do I embed code from the F... Newer »
This thread is closed to new comments.