A hacking visible only to Google
September 14, 2010
Has your website been infected by link spam visible only to Google? If your site’s Google page rank has recently plummeted, do a Google search on the URL of your site and click on a few of the “Cached” links in the returned search results. See a bunch of spam links down at the bottom of one of the cached pages? If those links don’t appear in the current (non-cached) version of the page, then you’re probably the victim of a hacking that only targets the Google search bot.
Let’s be clear about why an intrusion like this is a big problem. Although the public can’t see those links, Google can, and that’s destroying your Google ranking. You need to remove the intrusion fast – and then you need to prevent it from reappearing.
I found the above code lurking in one of my Joomla! 1.5.20 sites. It had been appended to the bottom of the index.php file of my current template (/templates/my_template_name/index.php). And at the top of the file, a single line had been inserted:
That immediately rang alarm bells, as there shouldn’t be any PHP code above this line:
defined('_JEXEC') or die('Restricted access');
There were a few clever things going on there. The intruder didn’t attack the index.php file in the public_html directory – which is the usual target of attacks on Joomla! sites. He or she opted instead to modify the site template. Making the link spam visible only to Google meant that the attack stayed undetected for longer than would otherwise have been the case. And turning off error reporting in that script was a canny extra tweak.
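The three indicators described above (PHP code sitting ahead of the _JEXEC guard, error reporting switched off, and output that depends on which bot is visiting) can be checked mechanically across every template on a site. The scanner below is an added example, not code from the original post or from Joomla; it assumes the cloaking keys on the HTTP User-Agent header and that error reporting is disabled with error_reporting(0), and the two template sources it checks are constructed samples.

```python
import pathlib
import re

# The guard line every Joomla 1.5 template should start with.
JEXEC_GUARD = re.compile(r"defined\(\s*['\"]_JEXEC['\"]\s*\)\s*or\s*die")
INDICATORS = {
    "cloaking_on_user_agent": re.compile(r"HTTP_USER_AGENT.{0,80}googlebot", re.I | re.S),
    "error_reporting_disabled": re.compile(r"error_reporting\s*\(\s*0\s*\)", re.I),
}
# Opening tag, comments and whitespace are the only things allowed before the guard.
HARMLESS_PREFIX = re.compile(r"<\?php|/\*.*?\*/|//[^\n]*|#[^\n]*|\s", re.S)

def check_template(source):
    """Return the list of indicators found in one template index.php source."""
    findings = []
    guard = JEXEC_GUARD.search(source)
    if guard is None:
        findings.append("missing_jexec_guard")
    elif HARMLESS_PREFIX.sub("", source[:guard.start()]):
        findings.append("php_code_before_jexec_guard")
    for name, pattern in INDICATORS.items():
        if pattern.search(source):
            findings.append(name)
    return findings

def scan_site(root):
    """Check every template's index.php below a Joomla install root; {path: findings}."""
    return {str(p): check_template(p.read_text(errors="replace"))
            for p in pathlib.Path(root).glob("templates/*/index.php")}

# Constructed samples: a clean template head and one modified as the post describes.
CLEAN_TEMPLATE = """<?php
// no direct access
defined('_JEXEC') or die('Restricted access');
?>
<html><body><?php echo $this->template; ?></body></html>
"""
INFECTED_TEMPLATE = """<?php
error_reporting(0);
defined('_JEXEC') or die('Restricted access');
?>
<?php if (stripos($_SERVER['HTTP_USER_AGENT'], 'googlebot') !== false) {
    echo '<a href="http://spam.example/">link spam only the crawler sees</a>';
} ?>
"""

if __name__ == "__main__":
    import sys
    for path, found in scan_site(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, ", ".join(found) or "clean")
```

Run it with the Joomla install root as the first argument; any template reported as anything other than "clean" deserves a look against a known-good copy from backup.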
Having found the problem, I inspected my FTP logs and found that the server had been accessed from an IP address that wasn’t my own. The logs showed that the intruder had also modified the index.php files of my other templates (no surprise there) and had uploaded a file: /administrator/includes/pcl/gzip.lib.php.
Fortunately, I had a clean site backup to hand. I reinstalled the site, scanned my computer for FTP password stealing malware, strengthened my FTP password (it might have been broken by a brute force attack), blocked the intruder’s IP address in cPanel, and tightened up a few other things on the site. And after a few days, the intrusion not having reoccurred, I contacted Google via Google Webmaster Tools to let them know that I had removed the intrusion.