In the last few weeks, one of the most common infections that has been appearing on websites we have cleaned is hack for placing pharmaceutical adverts on sites.
The hack, is a type of malicious search engine ranking boosting technique that takes advantage of vulnerabilities in mostly (but not limited to) WordPress or Joomla websites. It’s goal is to make pharmaceutical sites appear higher in Google results than they otherwise would. The Google search engine ranks the list of hits for a given Web site according to (among other factors) the number of external sites that link to it. By inserting the rogue code into an unsuspecting victim’s site, the hack in effect links that site to the cracker’s site. If done on a large enough scale, this tactic can result in the cracker’s Web site showing up near the tops of various hit lists resulting from keyword-based searches.
Why Did It Take Me So Long To Know My Site Was Hacked ?
The hack can be difficult to detect because it does not affect the displayed pages of the compromised Web site or blog. So the spam (generally about Viagra, Cialis, etc) only shows up if the user is a search crawler (GoogleBot, etc) or the user is approaching the users site from a search result. Because of this behavior, many sites have been compromised for months with those spam keywords and the website owner is blissfully unaware. A quick way to check if your site is compromised is by searching on Google for “site:yourdomain.com cheap viagra”
Because Web site owners cannot readily see when they have been pharma hacked, the online reputation of a legitimate company or individual can be seriously damaged before the rogue code can be removed. Victims of this hack will have decreased traffic to their sites and, in some cases, removal of their sites by Google from search result lists.
How Do I Remove It From My Website ?
Once discovered, the code can be taken out of the affected files, although the process can take considerable time and effort. The infection is a bit tricky to remove and if not done properly will keep reappearing
Some Of The Key Bits To Fix Are As Follows..
File Injection : Certain files will be adjusted on the file system that run the hack as and when needed (example of this is a plugin directory)
Compromised & New User (System,CMS & Database Accounts) : Often hackers will have left an account for them to use such as a FTP account,etc. Check all users on your Systema and change all passwords. Also make sure you change SALTS.
Top Tip 1: Check For Encoded Content
A common trick Of Hackers is to hide the infection in your executable files in a form of encoded content so it basically unreadable to the average person. You can find such encoded content with commands such as: find . -name ‘*.php’ -print | xargs grep “base64”
Top Tip 3: Check All .HTACCESS Files
You can find them all with a command such as : find /home/youdomainaccount/public_html/ \( -name “.htaccess” \) -type f -print
Top Tip 2: See Your Site Like a Bot
One of the best ways to see the injected content in all its detail, is to access your website pretending to be a GoogleBot. You can do this via the command line iwtha command such as: curl -L -A “Googlebot/2.1 (+http://www.google.com/bot.html)” http://yourdomain.com
Top Tip 4: Keep Up To Date
As always, we recommend that you update your software to the latest version. For example if you use WordPress then update to the latest WordPress version please update all of your plugins, themes, etc. Keep your stuff up to date, and it will minimize the risk of infection significantly.
In Summary
Well there is no doubt the Hackers put a lot of work in to stopping you finding the infection and being able to remove it. The key point to remember is if you only remove a part of the infection then even though all looks good for a day or two it will unfortunately all come back again. If you need any help cleaning up the infection just remember OneHourSiteFix is here to help.
OneHourSiteFix.com
Helping Make Internet A Safer Place!
Leave A Comment