nedragdnuos Posted April 23, 2010 Share Posted April 23, 2010 Hi all, I have just checked my hosting cPanel latest visitors list and found these very strange entries as listed below. Now when i click on the links it takes me to my homepage, but I have checked my site and run sitemonitor (no file changes) and none of these files or even this /?cdoc directory or whatever it is is there. Ive also done a quick file search in cPanel for ?cdoc and come up zilch. If anyone has come across this before and could explain what it means then that would be greatly appreciated /?cdoc=st+patrick+s+day+history Http Code: 200 Date: Apr 22 08:32:11 Http Version: HTTP/1.0 Size in Bytes: 28959 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) /?cdoc=saint+patrick+s+day+2010 Http Code: 200 Date: Apr 22 09:20:58 Http Version: HTTP/1.0 Size in Bytes: 4414 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) /?cdoc=piperlime Http Code: 200 Date: Apr 22 10:00:10 Http Version: HTTP/1.0 Size in Bytes: 28921 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) Link to comment Share on other sites More sharing options...
rbandit Posted April 27, 2010 Share Posted April 27, 2010 While I'm sorry to say I don't know the answer, I've recieved something very similar in the form of ?sdoc, not ?cdoc= blah+blah+blah. The worst part for me is that these have shown up as backlinks to google (reported in Google Webmaster Tools), but, the link profile includes 500 links from garbage sites! My organic rankings have plummeted since the same time these links were detected, thanks to this spammy link profile. I submitted the site for reconsideration. If I had to guess, I would say it was a blackhat scraping program that's doing all this to mass-promote the content we're seeing in the blah+blah... but this is a very uneducated guess and if anyone has another intuition, I'd love to know. In the meantime, I did an htaccess redirect to root from all those ?sdoc= links and made sure my root page was marked as canonical, which I hope will avoid at least some of the consequences of having 500 varied links to my root page from foreign sites. Hi all, I have just checked my hosting cPanel latest visitors list and found these very strange entries as listed below. Now when i click on the links it takes me to my homepage, but I have checked my site and run sitemonitor (no file changes) and none of these files or even this /?cdoc directory or whatever it is is there. Ive also done a quick file search in cPanel for ?cdoc and come up zilch. If anyone has come across this before and could explain what it means then that would be greatly appreciated /?cdoc=st+patrick+s+day+history Http Code: 200 Date: Apr 22 08:32:11 Http Version: HTTP/1.0 Size in Bytes: 28959 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) /?cdoc=saint+patrick+s+day+2010 Http Code: 200 Date: Apr 22 09:20:58 Http Version: HTTP/1.0 Size in Bytes: 4414 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) /?cdoc=piperlime Http Code: 200 Date: Apr 22 10:00:10 Http Version: HTTP/1.0 Size in Bytes: 28921 Referer: - Agent: Mozilla/5.0 (compatible; Yahoo! Slurp/3.0; http://help.yahoo.com/help/us/ysearch/slurp) Link to comment Share on other sites More sharing options...
rbandit Posted April 27, 2010 Share Posted April 27, 2010 I'm thinking now this has to do with the injection hack with the base64 code in php files, given that I found that code in each one. Check out the post on that if you haven't already, also in security (eval64, etc. etc.). In the directory that the decoded injection pointed to, I found a bunch of files with the same keyphrases as mentioned in ?sdoc=blah+blah - so, what's left to do I guess is follow the great advice given by members of this forum and finally secure and cleanse it all properly. Link to comment Share on other sites More sharing options...
nedragdnuos Posted April 27, 2010 Author Share Posted April 27, 2010 Thanks rbandit for the reply. My site is now cleansed about 3 weeks ago after that base64 code attack. My site is now clean, and secure AFAIK, its just a bit worrysome that these links still redirect to my site, and yes my rankings have fallen quite a bit. Can you explain how you did that htacces thingy you mentioned... and dare I ask, how do you mark your root page as "canonical" and what is canonical LOL. Thansk for the reply, Cheers! Link to comment Share on other sites More sharing options...
spooks Posted April 27, 2010 Share Posted April 27, 2010 and what is canonical LOL. emove & Prevent duplicate content with the canonical tag http://addons.oscommerce.com/info/7163 Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al. Link to comment Share on other sites More sharing options...
rbandit Posted April 27, 2010 Share Posted April 27, 2010 Happy to hear it's fixed! Mine's definitely getting there, but the organic ranking drop may take longer to recover. The canonical fix that spooks posted is probably the most important step to keeping those ?cdoc urls from being seen as duplicate content, whereas I'm not actually sure if the .htaccess thing I did is definitely good or bad (we'll see)... my theory behind using it is shaky at best, but basically what it's doing is re-directing any visits to site.com/?sdoc=blah+blah to just site.com/ Make a file called .htaccess in your store root if you don't already have one, and try this code: Options +FollowSymLinks RewriteEngine On RewriteCond %{QUERY_STRING} ^cdoc\=(.*)$ RewriteRule .? http://www.yoursite.com/? [L,R=301] Note that if you already have an htaccess file, it likely already has those top two lines and those only need to be in there once. I don't have much faith in this step helping yet though. Hopefully submitting a URL for reconsideration to google can work (you can do this through Google Webmaster Tools). Good luck! Thanks rbandit for the reply. My site is now cleansed about 3 weeks ago after that base64 code attack. My site is now clean, and secure AFAIK, its just a bit worrysome that these links still redirect to my site, and yes my rankings have fallen quite a bit. Can you explain how you did that htacces thingy you mentioned... and dare I ask, how do you mark your root page as "canonical" and what is canonical LOL. Thansk for the reply, Cheers! Link to comment Share on other sites More sharing options...
spooks Posted April 27, 2010 Share Posted April 27, 2010 The canonical fix that spooks posted is probably the most important step to keeping those ?cdoc urls from being seen as duplicate content, whereas I'm not actually sure if the .htaccess thing I did is definitely good or bad (we'll see)... my theory behind using it is shaky at best, but basically what it's doing is re-directing any visits to site.com/?sdoc=blah+blah to just site.com/ Yes, if you install that, just add cdoc (or sdoc) to the removed param list, then you wont have an issue & you wont need the htaccess addition. Sam Remember, What you think I ment may not be what I thought I ment when I said it. Contributions: Auto Backup your Database, Easy way Multi Images with Fancy Pop-ups, Easy way Products in columns with multi buy etc etc Disable any Category or Product, Easy way Secure & Improve your account pages et al. Link to comment Share on other sites More sharing options...
nedragdnuos Posted April 28, 2010 Author Share Posted April 28, 2010 Thank you very much for your help spooks, it is very much appreciated! Cheers! Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.