
[Security] Any Anti-Hackers On Here? I REALLY Need Help Getting My Sites UnBlacklisted..

Discussion in 'BlackHat Lounge' started by BreaknBrix, Nov 17, 2014.

  1. BreaknBrix

    BreaknBrix Power Member

    Joined:
    Mar 25, 2014
    Messages:
    751
    Likes Received:
    4,189
    Location:
    NE US
    I've been having an on-going issue now for over a month. And it's seriously distracting me from work.

    One day I wake up and notice all 4 of my sites (on a shared Godaddy hosting plan) have the "this site may be hacked" warning.

    I contacted a guy on Fiverr. He found a bunch of viagra and cialis text on my site. So I paid him $80 to "fix" all the pages. Little did I know he didn't really fix anything.

    I wait a week, the notice never goes away. So I got desperate and reregistered my most important site with WMT. It was registered years ago in WMT but I dropped it while upgrading servers a year ago and never registered it till recently.

    So I login to WMT and find out the site is getting 15,000 impressions a day! When it's a local site and the MOST it ever used to get (when it ranked #1 for all its primaries) was 1000-1500 impressions. Then I noticed someone had created like 138 spam pages on the site targeting long tail "download" type keywords. And I also noticed those pages were ranking better than my pages were (you can see the traffic they were getting before Sucuri came in).


    At this point I'm furious. So I register with Sucuri (their $299/year plan). They go in and clean up all of the sites. They also gave me lists of what they did on each site.

    On just 1 site (my main money site), this is what they did:




    Hi there,

    sorry for the delay, weekends are a very busy time here.

    Your site is looking clean now. We've done a number of things and you'll find them listed below.

    Please read and follow our post-cleanup instructions here:
    http://sucuri.net/kb/after-the-cleanup

    We also highly recommend that you add a Firewall on your site to prevent more attacks:

    https://waf.sucuri.net/
    http://cloudproxy.sucuri.net/

    If you have any issues all you have to do is respond to this ticket and we will investigate.

    That being said, here is the list of what was cleared, removed or hardened:
    return ob_get_clean();'.
    OK: Hardened upload directory (./wp-content/uploads)
    OK: Removing backdoor from uploads directory: ./wp-content/uploads/temp_spb307v9ac/backupbuddy_dat.php
    OK: Removing backdoor from uploads directory: ./wp-content/uploads/temp_m7yuo01dms/backupbuddy_dat.php
    WARN: Found suspicious file: ./wordpress/wpinstall.php (NOT CLEANED) - Manual inspection required (php.malware.generic.046): Content: '$sOutContent = file_get_contents('http://'.$contro'.
    OK: Hardening ./zbac/wp-admin/setup-config.php on WordPress on WordPress
    WARN: Found suspicious file: ./site/wpinstall.php (NOT CLEANED) - Manual inspection required (php.malware.generic.046): Content: '$sOutContent = file_get_contents('http://'.$contro'.
    OK: Hardened upload directory (./img/wp-content/uploads)
    OK: Hardening ./img/wp-admin/setup-config.php on WordPress on WordPress
    WARN: Found suspicious file: ./img/wp-blog-header.php (NOT CLEANED) - Manual inspection required (php.spam-seo.gen.015): Content: 'file_get_contents('.log');
    echo '<domain>'.$chekdo'.
    OK: Hardening ./wp-admin2/setup-config.php on WordPress on WordPress
    OK: Hardening ./wp-admin/setup-config.php on WordPress on WordPress
    CLEARED: Cleared malware from file: ./wp-admin/hx_desk.php. Details: php.malware.eval_gen.001


    During our cleanup process we identified the following out-of-date software on your server:

    Warning: Found outdated WordPress install inside: ./zbac - Version: 3.5 (please update asap) - from ./zbac/wp-includes/version.php.

    ---


    Outdated software is the leading cause of site infections, and reinfections. It is highly encouraged that you upgrade all software immediately.

    *If you can not update it, we recommend looking at our CloudProxy WAF to virtually patch and protect your site:
    https://login.sucuri.net/cloudproxy/


    Thanks for using Sucuri!





    That was the 1st site they worked on. On the other sites they found similar problems and allegedly cleaned up most of the problems. IMMEDIATELY after all the work was done I changed ALL my passwords. Everything was up to date. No shady, unused plugins. All passwords changed.

    And I was especially happy when they wrote "all sites are now clean and we're sending them to Google to remove the hack warning".

    Now 3 weeks have passed by... and ALL 4 SITES STILL HAVE THIS STUPID F#CKING HACK WARNING.

    I checked WMT tools to see why they're still flagging my 1 money site (the other sites aren't registered in WMT). And WMT is pointing to the spammed pages as the problem. The thing is, there is NO CONTENT on these pages. When Sucuri deleted the eval all the content on these pages disappeared. But the URLs are still there.


    I really can't explain how annoying this is. I just want these warnings GONE. I know they're hurting my CTR and most likely my ranks as well.

    So my questions are....

    1) If Sucuri said "we sent your sites to Google to remove the hack warning" what exactly does that mean? To this day I'm not sure how or who they sent the sites to.

    2) Should **I** now have Google fetch the pages on my money site and confirm if the hack was removed or not? They say to do that, then request a security review from them.

    3) Do I need to manually delete the spam urls?

    http://www.xxxxxxxx.com/2014/10/12/free-download-suara-sirine-polisi/
    http://www.xxxxxxxx.com/2014/10/20/lauren-kate-fallen-download-ebook/
    http://www.xxxxxxxx.com/2014/10/21/star-plus-tv-shows-download/

    Even if there is no content/source code on them?

    The problem is, I don't even know how to access these pages. I can't find them via my WP admin. I read a WP tut that says pages are stored in MySQL.... but I can't find it via FTP. This problem has been persisting for over a month now and I can't get these g/damn hack notices removed no matter what. Are there any tricks I can do to get the notices removed? Like should I switch servers for a few weeks then switch back to my normal servers? My brother said that might help.

    -BB
     
    Last edited: Nov 17, 2014
  2. BabyAngel

    BabyAngel Newbie

    Joined:
    Nov 2, 2014
    Messages:
    19
    Likes Received:
    6
    I know a guy that can fix this up. The problem is he is expensive and would need FTP access to your sites if you are concerned about your files. He doesn't deal in fixing backlinks, just links / javascript entered into pages.
     
  3. koolkake

    koolkake Regular Member

    Joined:
    Jul 2, 2014
    Messages:
    220
    Likes Received:
    217
    Do the links exist? Or are they simply blank pages? Are the links directory links? Do they have an index page- if so, are they index.php?

    It seems to me that Google is just still basing their assumption off of cached pages. But if there's no 404 error and instead a blank page, there still may be an issue. Add my Skype if you want me to take a quick look.
     
  4. reoman

    reoman Junior Member

    Joined:
    Sep 13, 2013
    Messages:
    129
    Likes Received:
    139
    Location:
    703
    If it's a local site, block all the countries except yours.


    I block BRIC nations (sorry Putin) for all my sites, they account for less than 5% of my sales, and over 90% of my headaches.
     
  5. ttrox

    ttrox Regular Member

    Joined:
    Jun 28, 2013
    Messages:
    217
    Likes Received:
    75
    Hey mate,

    Probably, most of these URLs were generated before and they have yet to re-index and notice that they don't exist anymore, thus no security problems. Another thing you could try (although I have to say that I doubt it's the case) is trying to access those URLs with a different referrer, such as those used by Google crawlers, if you're paranoid thinking it might still be there.
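An added example, not from the thread: koolkake's question (404 or blank page?) and ttrox's suggestion (fetch the URLs the way Google would) can be answered with one script that requests each spam URL three ways, as a normal browser, as Googlebot, and as a browser arriving from a Google search, and classifies what comes back. SEO-spam injections commonly cloak on the User-Agent or the Referer so the site owner sees a clean page while Google sees the spam, so a difference between the views is itself a finding. The host is the thread's redacted one; `fake_site` is a constructed stand-in for the web server so the script runs offline, and passing `urllib.request.urlopen` instead runs it against the live site.

```python
"""Added example, not from the thread: fetch a spam URL as a browser, as
Googlebot, and as a visitor arriving from Google, then classify the response.
URLs are the thread's redacted placeholders; fake_site is a constructed server."""
import io
import re
import urllib.error
import urllib.request

BROWSER_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/38.0.2125.111 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SPAM_WORDS = ("viagra", "cialis", "download")   # the terms the thread describes


def fetch(url, user_agent, referer=None, opener=urllib.request.urlopen):
    """Return (status, body text); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if referer:
        req.add_header("Referer", referer)
    try:
        with opener(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """What the response means for the hack warning."""
    if status in (404, 410):
        return "gone"                 # what a removed post should return
    if 300 <= status < 400:
        return "redirect"
    if status != 200:
        return f"http-{status}"
    text = re.sub(r"<[^>]+>", " ", body).lower()   # crude tag strip
    if not text.strip():
        return "blank-200"            # URL still resolves, nothing rendered
    if any(word in text for word in SPAM_WORDS):
        return "spam-200"             # spam is still being served
    return "content-200"


def compare_views(url, opener=urllib.request.urlopen):
    """Same URL under three identities. Cloaking is flagged on a difference in
    status or classification, not raw bytes, so nonces/timestamps don't trip it."""
    probes = {
        "browser": (BROWSER_UA, None),
        "googlebot": (GOOGLEBOT_UA, None),
        "from_google": (BROWSER_UA, "https://www.google.com/"),
    }
    results = {name: fetch(url, ua, ref, opener) for name, (ua, ref) in probes.items()}
    views = {name: classify(*res) for name, res in results.items()}
    views["cloaked"] = len({(res[0], views[name]) for name, res in results.items()}) > 1
    return views


class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_site(req, timeout=None):
    """Constructed server: one removed URL, one that cloaks spam to Google only."""
    if req.full_url.endswith("/star-plus-tv-shows-download/"):
        raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, io.BytesIO(b"not found"))
    ua = req.get_header("User-agent", "")
    ref = req.get_header("Referer", "")
    if "Googlebot" in ua or "google." in ref:
        return _FakeResponse(200, b"<html><body>lauren kate fallen download ebook</body></html>")
    return _FakeResponse(200, b"<html><body>  </body></html>")


URLS = [
    "http://www.xxxxxxxx.com/2014/10/20/lauren-kate-fallen-download-ebook/",
    "http://www.xxxxxxxx.com/2014/10/21/star-plus-tv-shows-download/",
]

if __name__ == "__main__":
    # Use opener=urllib.request.urlopen to probe the live site instead.
    for url in URLS:
        print(url, compare_views(url, opener=fake_site))
```

A `gone` result for every URL under every identity is what a recrawl needs to see; `blank-200` means the URL still exists (koolkake's case), and any view marked `cloaked` means the server is still deciding what to serve based on who is asking, which is a sign the injection is still active regardless of what you see in your own browser.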