Spamdex - Spam Archive


Official Google Webmaster Central Blog


#NoHacked: Fixing the Injected Gibberish URL Hack

Posted: 24 Aug 2015 09:53 PM PDT

Today in our #NoHacked campaign, we’ll be discussing how to fix the injected gibberish URL hack we wrote about last week. Even if your site is not infected with this specific type of hack, many of these steps can be helpful for fixing other types of hacks. Follow along with discussions on Twitter and Google+ using the #NoHacked tag. (Part 1, Part 2, Part 3, Part 4)


Temporarily Take your Site Offline

Taking your site offline temporarily will prevent your site’s visitors from going to hacked pages and give you time to properly fix your site. If you keep your site online, you run the risk of getting compromised again as you clean up your site.

Treating your Site

The next few steps require you to be comfortable making technical changes to your site. If you aren’t familiar or comfortable enough with your site to make these changes, it might be best to consult with or hire someone who is. However, reading through these steps will still be helpful.

Before you start fixing your site, we advise that you back up your site. (This backed up version will still contain hacked content and should only be used if you accidentally remove a critical file.) If you’re unsure how to back up your site, ask your hosting provider for assistance or consult your content management system (CMS) documentation. As you work through the steps, any time you remove a file, make sure to keep a copy of the file as well.

Checking your .htaccess file

In order to manipulate your site, this type of hack creates or alters the contents of your .htaccess file. If you’re not sure where to find your .htaccess file, consult your server or CMS documentation.

Check the contents of your .htaccess file for any suspicious content. If you’re not sure how to interpret the contents of the .htaccess file, you can read about it on the Apache.org documentation, ask in a help forum, or you can consult an expert. Here is an example of a .htaccess modified by this hack:

  <IfModule mod_rewrite.c>
    RewriteEngine On
    #Visitors that visit your site from Google will be redirected
    RewriteCond %{HTTP_REFERER} google\.com
    #Visitors are redirected to a malicious PHP file called happypuppy.php
    RewriteRule (.*pf.*) /happypuppy.php?q=$1 [L]
  </IfModule>
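The pattern to look for in that file is a RewriteCond keyed on a search-engine referrer (or user agent) that gates the next RewriteRule. The following check is an added example, not part of the original post; the function name scan_htaccess and the list of search-engine names are assumptions made for illustration.

```python
import re

# Search-engine names a conditional redirect is keyed on (assumed list, extend as needed).
ENGINES = re.compile(r"google|bing|yahoo|baidu|yandex", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

def scan_htaccess(text):
    """Return findings for rewrite rules gated on a search-engine referrer/agent."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                      # comments do not break a Cond/Rule chain
        cond = COND.match(line)
        if cond:
            if ENGINES.search(cond.group(2)):
                pending.append((lineno, cond.group(1).upper()))
            continue
        rule = RULE.match(line)
        if rule:
            target = rule.group(2)
            # RewriteCond lines apply only to the next RewriteRule, then reset
            for cond_line, variable in pending:
                findings.append({"cond_line": cond_line, "rule_line": lineno,
                                 "variable": variable, "target": target,
                                 "php_target": bool(re.search(r"\.php(\?|$)", target, re.I))})
            pending = []
    return findings

# Constructed sample: the modified .htaccess shown above plus one benign rule pair.
SAMPLE = r"""
<IfModule mod_rewrite.c>
  RewriteEngine On
  #Visitors that visit your site from Google will be redirected
  RewriteCond %{HTTP_REFERER} google\.com
  #Visitors are redirected to a malicious PHP file called happypuppy.php
  RewriteRule (.*pf.*) /happypuppy.php?q=$1 [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^ index.php [L]
</IfModule>
"""

if __name__ == "__main__":
    for finding in scan_htaccess(SAMPLE):
        print(finding)
```

A finding is a lead for manual review, not proof of compromise; the target script it names is the next file to inspect.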

Identifying other malicious files

The most common types of files that are modified or injected by this hack are JavaScript and PHP files. Hackers typically take two approaches: The first is to insert new PHP or JavaScript files on your server. The inserted files can sometimes be named something very similar to a legitimate file on your site like wp-cache.php versus the legitimate file wp_cache.php. The second approach is to alter legitimate files on your server and insert malicious content into these files. For example, if you have a template or plugin JavaScript file on your site, hackers might add malicious JavaScript to the file.

For example, on www.example.com a malicious file named happypuppy.php, identified earlier in the .htaccess file, was injected into a folder on the site. However, the hackers also corrupted a legitimate JavaScript file called json2.js by adding malicious code to the file. Here is an example of a corrupted json2.js file. The malicious code is highlighted in red and has been added to the very bottom of the json2.js file:

To effectively track down malicious files, you’ll need to understand the function of the JavaScript and PHP files on your site. You might need to consult your CMS documentation to help you. Once you know what the files do, you should have an easier time tracking down malicious files that don’t belong on your site.

Also, check your site for any recently modified files. Template files that have been modified recently should be thoroughly investigated. Tools that can help you interpret obfuscated PHP files can be found in the Appendix.
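When a clean copy of the site is available (a fresh CMS download or a trusted backup), the two approaches described in this section can be separated mechanically: files with no clean counterpart, files whose name nearly matches a legitimate one, and legitimate files with code added at the bottom. The following comparison is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

def _norm(name):
    # wp-cache.php and wp_cache.php collapse to the same key
    return re.sub(r"[-_\s]", "", name.lower())

def _scripts(root):
    # Map relative path -> Path for every PHP/JS file under root
    return {p.relative_to(root).as_posix(): p for p in Path(root).rglob("*")
            if p.is_file() and p.suffix.lower() in {".php", ".js"}}

def compare_to_clean(live_root, clean_root):
    """Classify PHP/JS files in live_root against a known-clean copy."""
    live, clean = _scripts(live_root), _scripts(clean_root)
    clean_names = {_norm(Path(rel).name): rel for rel in clean}
    report = {"added": [], "lookalike": [], "appended": [], "modified": []}
    for rel, path in sorted(live.items()):
        if rel not in clean:
            twin = clean_names.get(_norm(path.name))
            if twin and Path(twin).name != path.name:
                report["lookalike"].append((rel, twin))   # near-identical name
            else:
                report["added"].append(rel)               # no clean counterpart
            continue
        data, ref = path.read_bytes(), clean[rel].read_bytes().rstrip()
        if data.rstrip() == ref:
            continue
        # Clean content intact at the top, extra bytes after it: code appended
        kind = "appended" if data.startswith(ref) else "modified"
        report[kind].append(rel)
    return report

def demo():
    # Constructed sample trees: a clean copy and a tampered live copy.
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            (root / "js").mkdir(parents=True)
            (root / "js/json2.js").write_text("var JSON = {};\n")
            (root / "wp_cache.php").write_text("<?php // cache\n")
        with open(live / "js/json2.js", "a") as fh:
            fh.write("/* constructed stand-in for appended code */\n")
        (live / "wp-cache.php").write_text("<?php // constructed\n")
        (live / "happypuppy.php").write_text("<?php // constructed\n")
        return compare_to_clean(live, clean)
```

Run compare_to_clean against a copy of the live document root, and keep the flagged files as evidence before deleting or replacing them.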

Removing malicious content

As mentioned previously, back up the contents of your site appropriately before you remove or alter any files. If you regularly make backups for your site, cleaning up your site might be as easy as restoring a clean backed-up version.

However, if you do not regularly back up your site, you have a few alternatives. First, delete any malicious files that have been inserted on your site. For example, on www.example.com, you would delete the happypuppy.php file. For corrupted PHP or JavaScript files like json2.js, you’ll have to upload a clean version of those files to your site. If you use a CMS, consider reloading a fresh copy of the core CMS and plugin files on your site.

Identifying and Fixing the Vulnerability

Once you’ve removed the malicious file, you’ll want to track down and fix the vulnerability that allowed your site to be compromised, or you risk your site being hacked again. The vulnerability could be anything from a stolen password to outdated web software. Consult Google Webmaster Hacked Help for ways to identify and fix the vulnerability. If you’re unable to figure out how your site was compromised, you should change your passwords for all your login credentials, update all your web software, and seriously consider getting more help to make sure everything is OK.

Next Steps

Once you’re done cleaning your site, use the Fetch as Google tool to check if the hacked pages still appear to Google. You'll need to bring your site back online to test with Fetch as Google. Don’t forget to check your home page for hacked content as well. If the hacked content is gone, then, congratulations, your site should be clean! If the Fetch as Google tool is still seeing hacked content on those hacked pages, you still have work to do. Check again for any malicious PHP or JavaScript files you might have missed.

Bring your site back online as soon as you’re sure your site is clean and the vulnerability has been fixed. If there was a manual action on your site, you’ll want to file a reconsideration request in Search Console. Also, think about ways to protect your site from future attacks. You can read more about how to secure your site from future attacks in the Google Hacked Webmaster Help Center.

We hope this post has helped you gain a better understanding of how to fix your site from the injected gibberish URL hack. Be sure to follow our social campaigns and share any tips or tricks you might have about staying safe on the web with the #nohacked hashtag.

If you have any additional questions, you can post in the Webmaster Help Forums where a community of webmasters can help answer your questions. You can also join our Hangout on Air about Security on August 26.

Appendix

These are tools that may be useful. Google doesn't run or support them.

PHP Decoder, UnPHP: Hackers will often distort PHP files to make them harder to read. Use these tools to clean up the PHP files so you understand better what the PHP file is doing.

