Website compromised assistance

reinie

Elite Member
Joined
Jan 16, 2009
Messages
1,582
Reaction score
1,055
Google webmaster is showing that my site was penalized for having spamy links and possibly been hacked.

I looked at some of the faulty links in my control panel and it showed several spamy links pointing to other spam links in my site.

Here is an example
mysite.com/wp-content/upgrade/headbands6.php?pants=lululemon-business-practices-22uy.php

However these links don't exist. (hence the error) So it seems like these spam links were created after my site was hacked and then somehow deleted again?

I'm really confused as to what has happened here. Anyone have any idea what might have happened?

As of now my site is till penalized, none of the spam links are indexed and I can't find anything suspicious on my server.
 
Did you fix that already or you changed nothing? Possible the links are working only for Google crawlers. What error do you get when you go to that link?
 
Did you fix that already or you changed nothing? Possible the links are working only for Google crawlers. What error do you get when you go to that link?

I changed nothing, seem they were just deleted?
I can't find them in my ftp software and gets a 404 when trying to visit it.
Google also says it's pointed to from an external source but doesn't exist.

So i guess my confusion is that google says the destination doesn't exist, but it still tells me the site was hacked...
 
I can take a look for you if you want - skype id is custombot if you need to chat.

Otherwise, have a look in the upgrade directory to see if there are any files you haven't put there.
Check the htaccess file to see if there have been changes

Thats a start, but install wordfence and let that scan your site. Others here may be able to tell you how to do disavowing of links in google webmaster tools etc to start your clean up.
 
Is this part: "/upgrade/headbands6.php" not in your directory as well or just the second part? You can ignore anything that is after first .php anyways for now. Its hard to determine whats wrong and what did you looked for without knowing what is your php proficiency.
 
I changed nothing, seem they were just deleted?
I can't find them in my ftp software and gets a 404 when trying to visit it.
Google also says it's pointed to from an external source but doesn't exist.

So i guess my confusion is that google says the destination doesn't exist, but it still tells me the site was hacked...

Looks like you may have been compromised. Are you using any outdated or nulled themes and plugins?

Can you list what is in the following directory:
mysite.com/wp-content/upgrade/
 
Judging by the link yea it seems your site has been compromised. Start by reporting the issue to your hosting company and ask them to clear any malicious code that is probably still somewhere around the site.When everything is cleaned up changee all your passwords and install a service like sitelock.com for your domain.
 
Thanks guys

I looked inside the Upgrade folder but its empty. I deleted it anyway.

Guess ill go ahead and contact Hostgator and get the security upgrade packages they have been trying to sell me over email these last few months lol
 
Noooooooooooo - don't give them any more money. You can probably do what they will for free!
 
Its look you used some nulled themes or plugin that contain suspicious codes, that are auto-generated pages. Please logout to wp-admin or use different browser to verify that link is opening or not. You need to scan your complete site (themes + plugins), try some security plugins maybe they help you to find that suspicious coding.
 
Fatboy is on it an assisting me. So much appreciation for everyone that chimed in!
 
Well, had a quick look through the active theme and didn't spot anything, gave wordfence and install and kicked off a scan, nothing there. None of the htaccess files that I looked at had any redirection in so not sure what was going on.

Just had a look in google using the site:<ops domain> and didn't see any of the links mentioned either. Quite a strange one!
Will keep an eye on the visitors hitting the site to see if they are going to any strange place on the site.
 
Wouldn't this be just a test then? To see what websites are under control of hacker before he really launches the campaign? Its just assumptions, but it looks like it and I think it is one that makes sense.
 
I'm very grateful for Fatboy's help, so good to have people like that around the forum. Thanks bud!

Yes McPatrick, that is what I think too! The links were added and removed, so it must have been some sort of test.
 
In general php malware scripts are indulged in the directories of the server for spamming kind of activities. Usually the hackers will not bother to remove those spamming scripts from the server but in your case it was surprising. But anyway you should harden your server inorder to avoid such happenings in future. I don't mean that hardening will be the perfect solution but it can be effective to some extend.
 
Back
Top