1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Website compromised assistance

Discussion in 'Web Hosting' started by reinie, Dec 16, 2015.

  1. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,577
    Likes Received:
    1,040
    Google webmaster is showing that my site was penalized for having spamy links and possibly been hacked.

    I looked at some of the faulty links in my control panel and it showed several spamy links pointing to other spam links in my site.

    Here is an example
    mysite.com/wp-content/upgrade/headbands6.php?pants=lululemon-business-practices-22uy.php

    However these links don't exist. (hence the error) So it seems like these spam links were created after my site was hacked and then somehow deleted again?

    I'm really confused as to what has happened here. Anyone have any idea what might have happened?

    As of now my site is till penalized, none of the spam links are indexed and I can't find anything suspicious on my server.
     
  2. McPatrick

    McPatrick Regular Member

    Joined:
    Feb 1, 2015
    Messages:
    244
    Likes Received:
    103
    Gender:
    Male
    Occupation:
    Problem-solver
    Location:
    London
    Home Page:
    Did you fix that already or you changed nothing? Possible the links are working only for Google crawlers. What error do you get when you go to that link?
     
    • Thanks Thanks x 1
  3. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,577
    Likes Received:
    1,040
    I changed nothing, seem they were just deleted?
    I can't find them in my ftp software and gets a 404 when trying to visit it.
    Google also says it's pointed to from an external source but doesn't exist.

    So i guess my confusion is that google says the destination doesn't exist, but it still tells me the site was hacked...
     
  4. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,229
    Occupation:
    Retired
    Location:
    Old Peoples Home
    I can take a look for you if you want - skype id is custombot if you need to chat.

    Otherwise, have a look in the upgrade directory to see if there are any files you haven't put there.
    Check the htaccess file to see if there have been changes

    Thats a start, but install wordfence and let that scan your site. Others here may be able to tell you how to do disavowing of links in google webmaster tools etc to start your clean up.
     
    • Thanks Thanks x 2
  5. McPatrick

    McPatrick Regular Member

    Joined:
    Feb 1, 2015
    Messages:
    244
    Likes Received:
    103
    Gender:
    Male
    Occupation:
    Problem-solver
    Location:
    London
    Home Page:
    Is this part: "/upgrade/headbands6.php" not in your directory as well or just the second part? You can ignore anything that is after first .php anyways for now. Its hard to determine whats wrong and what did you looked for without knowing what is your php proficiency.
     
    • Thanks Thanks x 1
  6. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Jr. VIP

    Joined:
    Nov 10, 2012
    Messages:
    11,457
    Likes Received:
    32,383
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    Looks like you may have been compromised. Are you using any outdated or nulled themes and plugins?

    Can you list what is in the following directory:
    mysite.com/wp-content/upgrade/
     
    • Thanks Thanks x 1
  7. Haspel

    Haspel Power Member

    Joined:
    Oct 7, 2008
    Messages:
    647
    Likes Received:
    985
    Judging by the link yea it seems your site has been compromised. Start by reporting the issue to your hosting company and ask them to clear any malicious code that is probably still somewhere around the site.When everything is cleaned up changee all your passwords and install a service like sitelock.com for your domain.
     
    • Thanks Thanks x 1
  8. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,577
    Likes Received:
    1,040
    Thanks guys

    I looked inside the Upgrade folder but its empty. I deleted it anyway.

    Guess ill go ahead and contact Hostgator and get the security upgrade packages they have been trying to sell me over email these last few months lol
     
  9. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,229
    Occupation:
    Retired
    Location:
    Old Peoples Home
    Noooooooooooo - don't give them any more money. You can probably do what they will for free!
     
    • Thanks Thanks x 1
  10. McPatrick

    McPatrick Regular Member

    Joined:
    Feb 1, 2015
    Messages:
    244
    Likes Received:
    103
    Gender:
    Male
    Occupation:
    Problem-solver
    Location:
    London
    Home Page:
    Or for fraction of the cost and better!
     
    • Thanks Thanks x 1
  11. thesam

    thesam Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 13, 2013
    Messages:
    461
    Likes Received:
    62
    Its look you used some nulled themes or plugin that contain suspicious codes, that are auto-generated pages. Please logout to wp-admin or use different browser to verify that link is opening or not. You need to scan your complete site (themes + plugins), try some security plugins maybe they help you to find that suspicious coding.
     
    • Thanks Thanks x 1
  12. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,577
    Likes Received:
    1,040
    Fatboy is on it an assisting me. So much appreciation for everyone that chimed in!
     
  13. fatboy

    fatboy Elite Member

    Joined:
    Aug 13, 2008
    Messages:
    1,618
    Likes Received:
    3,229
    Occupation:
    Retired
    Location:
    Old Peoples Home
    Well, had a quick look through the active theme and didn't spot anything, gave wordfence and install and kicked off a scan, nothing there. None of the htaccess files that I looked at had any redirection in so not sure what was going on.

    Just had a look in google using the site:<ops domain> and didn't see any of the links mentioned either. Quite a strange one!
    Will keep an eye on the visitors hitting the site to see if they are going to any strange place on the site.
     
    • Thanks Thanks x 2
  14. McPatrick

    McPatrick Regular Member

    Joined:
    Feb 1, 2015
    Messages:
    244
    Likes Received:
    103
    Gender:
    Male
    Occupation:
    Problem-solver
    Location:
    London
    Home Page:
    Wouldn't this be just a test then? To see what websites are under control of hacker before he really launches the campaign? Its just assumptions, but it looks like it and I think it is one that makes sense.
     
    • Thanks Thanks x 1
  15. reinie

    reinie Elite Member

    Joined:
    Jan 16, 2009
    Messages:
    1,577
    Likes Received:
    1,040
    I'm very grateful for Fatboy's help, so good to have people like that around the forum. Thanks bud!

    Yes McPatrick, that is what I think too! The links were added and removed, so it must have been some sort of test.
     
  16. bermanHost

    bermanHost Regular Member

    Joined:
    Aug 19, 2014
    Messages:
    478
    Likes Received:
    40
    In general php malware scripts are indulged in the directories of the server for spamming kind of activities. Usually the hackers will not bother to remove those spamming scripts from the server but in your case it was surprising. But anyway you should harden your server inorder to avoid such happenings in future. I don't mean that hardening will be the perfect solution but it can be effective to some extend.
     
    • Thanks Thanks x 1