As I posted earlier I’m out of the client game, but I got bored this morning and checked the rankings of the old client services site (old habits die hard). I usually own the top spot for [link building] and what can I say it’s a matter of pride. Well today I was a bit perplexed that not only was AndyHagans.com not ranking #1 for [link building], it was nowhere to be found! However, the site wasn’t banned–an internal page was still ranking in the top 100 for [link building]. I figured that maybe I hit some sort of filter. I wasn’t going to lose any sleep over its rankings considering the site isn’t monetized at all.
Then later today I got an email from a friendly contact letting me know I had about a thousand animal sex-related links which were hidden below the footer on the AndyHagans.com homepage. (Apparently, this contact sometimes refers to my site–which I coded myself–when showing people the benefits of clean code & the efficient use of CSS. Take that, Pearson!)
Anyway, I wonder how someone was able to hack my site and inject these links. Some sort of “exploit”? (I don’t even really know what that means.) Maybe I shouldn’t have used [password] as my password. (Just kidding.) I’ll fix it later in the week, meanwhile I am trying to figure out if any black hat SEO has a grudge against me, but honestly I’m not sure I even know any black hat dudes! Could be just a coincidence, but my instinct says it isn’t.
Thibault tells me it looks like the links pointed elsewhere earlier this week, but they were updated to animal sex-related topics recently (judging from the cache). Anyone have a theory how this hack could have happened? I don’t want to fix it only to have it hacked again the next day… any help is very appreciated and will be rewarded in link equity.
Check it out: AndyHagans.com (view the source code to see the animal sex links)
Update: in case it helps, some more details on the site–it’s hosted on Dreamhost (normal shared plan), and runs on PHP (custom files, no CMS, I mainly use PHP just to include files like the header and footer).
Update2: OK so this affected another site I host on the same account. Shoemoney pointed out it only is happening on the index.* files. So either someone broke into my ftp with a script, or somehow they did it to all the files named index.* hosted on this Dreamhost box?
Update3: Frederick Townes tells me:
about the injection issue (I wrote an article about this long ago) about XSS and injections etc.
My best guess is your host has a very old copy of apache:
Apache/1.3.37 (Unix) mod_throttle/3.1.2 DAV/1.0.3 mod_fastcgi/2.4.2 mod_gzip/184.108.40.206a PHP/4.4.4 mod_ssl/2.8.22 OpenSSL/0.9.7e
That, combined with those other modules, which are also very old means that there are tons of opportunities for someone to exploit your site - it’s a matter of time and checking the changelog for those different software packages.
There also could be other holes (potentially) in your web site as you seem to use PHP, for server side includes no doubt, unnecessarily. Switching to flat HTML with Server Side Includes is a good move if you don’t want to change hosts.
You can always parse PHP files in your server side includes if you need some advanced scripting.
Ugh. Sounds about right, but still not sure what exactly to do to remove the current links and script?
Update4: Thibault is telling me he doesn’t think it’s the XSS thing, but instead either weak code, or they just cracked my password.
Update5: Thibault and Bapin SSH’d in and found the problem. Looks like someone just cracked the FTP password and put a file in every domain’s directory which then injected the links. Bapin is helping me fix it and meanwhile it’s a spring cleaning, we’re deleting a bunch of old junk like Movable Type test installations, etc. This was a great way to spend my afternoon!
Update6: OK Bapin fixed everything. Fingers crossed it doesn’t happen again, all the passwords are changed and we deleted some files which may have been vulnerable…
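An added example, not part of the original post or anything Thibault or Bapin ran: a check for the symptom described above, off-site links sitting after the footer in every index.* file under a hosting account. It assumes the footer element carries id="footer", that the files scanned are served HTML (saved copies or flat files, since PHP includes are not expanded), and the host names are constructed placeholders.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class FooterLinkCounter(HTMLParser):
    """Count off-site <a href> links that appear after the footer element."""
    def __init__(self, own_host, footer_id):
        super().__init__()
        self.own_host, self.footer_id = own_host, footer_id
        self.seen_footer = False
        self.after_footer = 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if attrs.get("id") == self.footer_id:  # assumed footer marker
            self.seen_footer = True
        host = urlparse(attrs.get("href") or "").hostname if tag == "a" else None
        own = host == self.own_host or (host or "").endswith("." + self.own_host)
        if host and self.seen_footer and not own:
            self.after_footer += 1

def count_after_footer(html, own_host, footer_id="footer"):
    parser = FooterLinkCounter(own_host, footer_id)
    parser.feed(html)
    return parser.after_footer

def audit_tree(root, own_host, limit=5):
    """Map each index.* file under root to its count of off-site links
    after the footer, keeping only files above `limit`."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith("index."):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    n = count_after_footer(fh.read(), own_host)
                if n > limit:
                    flagged[path] = n
    return flagged

# Constructed sample page: a normal footer followed by injected links.
SAMPLE = ('<html><body><p><a href="http://partner.example/">ok</a></p>'
          '<div id="footer"><a href="/about">About</a></div>'
          + '<a href="http://spam.example/x">x</a>' * 8 + '</body></html>')

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(SAMPLE)
        print(audit_tree(root, "site.example"))
```

On an account hosting several domains, run it once per domain directory with that domain as `own_host`, so one site's links to itself are not counted as off-site.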