
this is freakin' crazy

Discussion in 'BlackHat Lounge' started by korfx04, Feb 26, 2015.

  1. korfx04

    korfx04 Junior Member

    Joined:
    Feb 27, 2009
    Messages:
    153
    Likes Received:
    96
    My WordPress, WooCommerce site is showing crazy URLs in Google when I search for site:mydomain.com and the results return not only my product URLs, but also

    mydomain.com/new-casinos-online
    mydomain.com/online-blackjack-download

    and a lot more casino ones. I have looked everywhere and I cannot find these anywhere on my server!
     
  2. mickyfu

    mickyfu Jr. VIP Jr. VIP

    Joined:
    Dec 14, 2011
    Messages:
    6,876
    Likes Received:
    19,772
    Occupation:
    King Of Crypto C
    Location:
    Solihull Young Offenders
    What happens when you click on them?
     
  3. Panther28

    Panther28 Jr. VIP Jr. VIP

    Joined:
    May 2, 2010
    Messages:
    2,548
    Likes Received:
    3,567
    Occupation:
    Internet.
    Location:
    Internet.
    Home Page:
    Log into your FTP and check the structure of your site; these files are coming from somewhere.
     
  4. korfx04

    korfx04 Junior Member

    Joined:
    Feb 27, 2009
    Messages:
    153
    Likes Received:
    96
    It takes me to a page that seems to be on my domain that is a casino landing page.


    Here is some of the code from the page

    <html><head><title>Slots Games - Updated On: 25-Feb 2015</title></head><body style="margin: 0; padding: 0; height: 100%; overflow: hidden;" cz-shortcut-listen="true"><div style="position:absolute; left: 0; right: 0; bottom: 0; top: 0px;"><iframe width="100%" height="100%" frameborder="0" src="http://spechin.com/?h=1&p=http%3A%2F%2FMYDOMAIN.com-slots-games&r=https%3A%2F%2Fwww.google.com%2F&q=0"></div></body></html></iframe></div><div id="techsmith-snagitchrome-extension"></div></body><iframe allowtransparency="true" frameborder="0" id="abs-top-frame" src="chrome-extension://flliilndjeohchalpbbcdekjklbdgfkk/html/top.html?1424976635662#minimized" style="position: fixed; z-index: 4294967295; overflow: hidden; top: 0px; left: 0px; right: 0px; width: 138px; height: 13px; max-height: none; min-height: 0px; margin: 0px auto; padding: 0px; border: 0px; display: block; background-color: transparent;"></iframe></html>
     
  5. korfx04

    korfx04 Junior Member

    Joined:
    Feb 27, 2009
    Messages:
    153
    Likes Received:
    96
    I just downloaded the database and searched through the entire thing, and nothing shows up related to those pages. I'm now going through the entire structure of my site again as suggested.
     
  6. Brad100

    Brad100 Supreme Member

    Joined:
    Nov 9, 2014
    Messages:
    1,348
    Likes Received:
    966
    Gender:
    Male
    The website I put on my sales thread as a sample got the same issue, I'm guessing it was neg seo because I also started seeing backlinks with porn and viagra anchor text to that domain. Maybe you "shared" your site here or at any other forum?
     
  7. korfx04

    korfx04 Junior Member

    Joined:
    Feb 27, 2009
    Messages:
    153
    Likes Received:
    96
    Never shared the domain name here. I hired SEO work from a top-rated person on Fiverr about a month ago.
     
  8. SERPkiller

    SERPkiller Junior Member

    Joined:
    Feb 12, 2014
    Messages:
    132
    Likes Received:
    6
    That casino thing should be hidden somewhere in your code
     
  9. korfx04

    korfx04 Junior Member

    Joined:
    Feb 27, 2009
    Messages:
    153
    Likes Received:
    96
    I couldn't find anything that shouldn't be there. I submitted a URL removal request to Google to remove all those URLs (14 in all). SERPkiller, that is what I'm doing. I'm downloading the entire site and going to search through the files with those keywords in Sublime Text.
     
  10. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    11,477
    Likes Received:
    32,407
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:

    Dude, that is awesome, how has it worked out?


    Scan your site with some online scanners:
    http://sitecheck.sucuri.net/
    https://app.webinspector.com/
    https://www.qualys.com/forms/freescan/?lsid=6660
    http://www.acunetix.com/vulnerability-scanner/
    https://www.scanmyserver.com/
    http://vms.drweb.com/online/?lng=en
    http://www.quttera.com/
    http://www.quttera.com/website-malware-scanner
    https://www.virustotal.com/uk/

    Your server is probably compromised and is serving those pages up, one of your plugins or the theme may have been exploited.
    Search all directories on the server and see if you have any suspicious php files.
     
    • Thanks Thanks x 4
  11. netmoney1

    netmoney1 Executive VIP

    Joined:
    Feb 21, 2012
    Messages:
    3,607
    Likes Received:
    10,982
    Fiverr SEO is THE BEST!!!!!!
     
    • Thanks Thanks x 2
  12. The illustrator

    The illustrator Regular Member

    Joined:
    Nov 17, 2012
    Messages:
    244
    Likes Received:
    87
    Location:
    SOCAL
    Fiverr SEO is a joke. You CAN'T be serious.
     
  13. fun4uoc

    fun4uoc Supreme Member

    Joined:
    Dec 25, 2007
    Messages:
    1,200
    Likes Received:
    1,042
    Location:
    ☆ ♔ ☆ ♔ ☆ ♔ ☆
    Clearly you don't get sarcasm...
     
  14. Zwielicht

    Zwielicht Moderator Staff Member Moderator Jr. VIP

    Joined:
    Aug 31, 2013
    Messages:
    6,619
    Likes Received:
    11,754
    Gender:
    Male
    Occupation:
    Private Investigator
    Location:
    Riverside, California
    Home Page:
    Last week, I had a client hire me to work on their website and they were going through the exact same thing (same casino anchor links with similar header codes). On top of this, the pages that were ranking for odd keywords in Google were redirecting to other dubious websites. Since they didn't want to "start fresh" I had to work with their website without doing a clean install of Wordpress. After looking through their website using Google Webmaster Tools, I saw that the website had a partial penalty for being a hacked website. I managed to get rid of the penalty and clean up the site by doing the following:
    1. I used Wordfence to scan the website and delete any suspicious files (this also got rid of the redirecting scripts).
    2. I updated all plugins and themes.
    3. I changed the passwords and usernames for all accounts (including the hosting account).
    4. I added new security plugins to the website (Wordfence, Login Lockdown, Rename wp-admin, etcetera).
    5. I removed any and all outdated and unmaintained plugins and themes.
    6. I used Google Webmaster Tools to find any remaining suspicious links on hidden pages (you can easily find these on the search queries page).
    7. I searched over many files manually to see if there were any dubious codes I missed.
    8. Finally, I requested a review of the website to remove the penalty (which I did successfully).
    On top of this, I looked through the SQL database and discovered that my client's previous web designer/search engine optimiser had given someone who my client was unaware of access to her website as well as a private e-mail address on my client's domain. Anyway, try doing what I mentioned above and you should be able to get rid of any malicious codes and files (if you need a more specific guide, I can send you one).
     
    • Thanks Thanks x 1
    Last edited: Feb 27, 2015
  15. Darkhodge

    Darkhodge Newbie

    Joined:
    Feb 27, 2015
    Messages:
    15
    Likes Received:
    3
    Occupation:
    Web Developer
    Location:
    Surrey, UK
    Zwielicht has already posted a lot of useful information but I just wanted to contribute my 2-cents. Apologies to Zwielicht in advance if I do accidentally repeat any of his points, and/or if I'm pointing out the obvious.

    I also recently had to sort out WordPress sites that had been hacked. I approached it by installing a fresh installation of WordPress. When I say fresh installation, it doesn't mean that you'll lose any of the changes you've made to the site, however. I've been trying to Google to find the instructions I found but to no avail. It essentially consisted of deleting the core WordPress files (you keep some files/folders such as wp-config.php, /wp-content/ etc... and of course the database) and then reuploading them from a freshly downloaded copy of WordPress. This way, you don't have to sift your way through hundreds of core files to find malicious code. Sorry but I really can't seem to find the particular article I read, but it's definitely worth checking out the WordPress Codex. I can't post links on here yet, but if you search for "wordpress faq my site was hacked" on Google, it should be the first link and should say WordPress Codex.

    In terms of looking for malicious code in the files that weren't replaced in the above process, you may find that the code is being injected in rather than being hard coded. This often makes use of functions such as base64() and eval(), so I'd definitely keep an eye out for those functions. As I say, you only need to check this in the files that weren't replaced. Open each file and visually check the code for anything that looks out of place. I would also use the search functionality to look for those functions in case you missed them. It's usually quite easy to spot the malicious code, as it's often at the beginning or end of a file, and contains code that's not human readable. Obviously delete any blocks of code that look dodgy.

    I'd also check the database, but you said you've already inspected that.

    Lastly, I doubt this would have anything to do with it, but maybe it's worth checking the .htaccess file in the root folder in case that's been changed somehow.

    Once you've sorted your installation, it's time to take some measures to try and prevent this happening in the future.

    The first step is to update WordPress and any plugins. Make sure you keep it up-to-date in the future as well, to minimise the chance of someone using an older well-known exploit.

    I'd then go ahead and change all passwords as Zwielicht mentioned. When he mentioned hosting account login credentials, it doesn't just mean your cPanel/FTP but also your database username/password as well.

    In terms of plugins, I personally use iThemes Security. It'll guide you through the process of securing the site. There are various things on there such as changing the login URL, adding automated malware scanning, removing the WordPress version in the generator tag etc... Slowly and carefully go through the recommendations. Please note that some of the changes will make changes to your files and database, so may require you to back up the files/database. The plugin will warn you when it needs to be done though.

    Also I personally don't activate file change monitoring as I heard that uses quite a lot of resources.

    I hope some of the above will help you, and good luck!

    Kind regards,

    Hodaka
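
Added example, not part of any post in this thread: a Python sketch of the file search Zwielicht (step 7) and Darkhodge describe, flagging PHP files in the kept directories that pair eval() with a decoder such as base64_decode(), contain long unreadable encoded strings, or sit in an uploads folder. The function names, the pattern lists, the 200-character threshold and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions; tune them for your site).
EXECUTORS = re.compile(rb"\b(eval|assert|create_function)\s*\(", re.I)
DECODERS = re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
LONG_BLOB = re.compile(rb"[A-Za-z0-9+/=]{200,}")  # long run of unreadable encoded text
PHP_EXT = {".php", ".phtml", ".php5", ".inc"}

def scan_file(path):
    """Return the reasons a single PHP file deserves a manual look."""
    data = Path(path).read_bytes()
    reasons = []
    if EXECUTORS.search(data) and DECODERS.search(data):
        reasons.append("eval-with-decoder")
    if LONG_BLOB.search(data):
        reasons.append("long-encoded-string")
    return reasons

def scan_tree(root):
    """Walk a kept directory (e.g. wp-content) and map relative path -> reasons."""
    root = Path(root)
    findings = {}
    for p in sorted(q for q in root.rglob("*") if q.is_file() and q.suffix.lower() in PHP_EXT):
        rel = p.relative_to(root)
        reasons = scan_file(p)
        if "uploads" in rel.parts:  # media folders should not contain PHP at all
            reasons.append("php-in-uploads")
        if reasons:
            findings[rel.as_posix()] = reasons
    return findings

def build_sample_tree(root):
    """Constructed, harmless sample files; nothing here comes from the thread."""
    root = Path(root)
    (root / "themes/shop").mkdir(parents=True)
    (root / "uploads/2015/02").mkdir(parents=True)
    (root / "themes/shop/functions.php").write_text("<?php add_action('init', 'shop_setup');\n")
    blob = "QUJD" * 60  # 240 base64 characters that decode to repeated "ABC"
    (root / "themes/shop/footer.php").write_text(
        f"<?php eval(base64_decode('{blob}')); ?>\n<?php wp_footer(); ?>\n")
    (root / "uploads/2015/02/cache.php").write_text("<?php echo 'placeholder';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, reasons in scan_tree(tmp).items():
            print(f"{name}: {', '.join(reasons)}")
```

Point `scan_tree()` at a downloaded copy of wp-content; each hit is a file to open and read, since some legitimate plugins also call these functions.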
     
  16. monazky5050

    monazky5050 Registered Member

    Joined:
    Aug 17, 2009
    Messages:
    99
    Likes Received:
    198
    Hello,
    I got this problem and I fixed it now.
    I made a new website, then after 7 days I found these shit pages in g00gle.
    I searched for it, then started to disable all plugins in my WordPress website.
    When I deactivated all-in-one-seo pro (nulled of course) and clicked the shit URL, I found that the URL became not found.
    Then I deleted it from my plugins and set up an old nulled version I had ;)
    I hope it will be useful for you, and sorry for my bad English.
     
  17. Tuff Dreamer

    Tuff Dreamer Registered Member

    Joined:
    Jun 29, 2015
    Messages:
    56
    Likes Received:
    70
    Occupation:
    Sales
    Location:
    East Coast
    Fiverr CEO work is top notch!!
     
  18. MoneyEmpire

    MoneyEmpire Newbie

    Joined:
    Jul 22, 2014
    Messages:
    23
    Likes Received:
    5
    I would follow what Zwielicht and Darkhodge said!

    I had a similar issue before and what they just talked about seemed to have solved my issues in the past.