Spammed/ Hacked/ Spammed - How to Deal

25 replies
Hey All,

Over the past few months, my website was spammed with Fiverr Links which I disavowed.
Two weeks later my website was hacked badly, the main page was turned into a malware download and AVG/Kaspersky blacklisted my site. It took me one week to remove and get un-blacklisted.


Today I have just got another 3k back-links from 250 Japanese porn sites which I can see and will disavow.

Here's the question: There's no doubt that even if I clear this up, it's going to have a bad effect. There must be people out there who do not understand this stuff. Does Google understand this happens? If so, what are they doing about it?
Also, why bother doing any of this? There doesn't seem to be a point.
  • Profile picture of the author Aussie_Al
    Sorry to hear it but it happens to the best of us

    I had one of my money sites hacked a few years back - the HostGator people were super helpful in fixing my site and the software creators supplied me a patch to avoid further hacks

    A year later the same site got hacked; this time I found out as the head of security at Chase bank called me telling me there was some malicious code in my site used as a third party for someone hacking Chase bank accounts!!!

    Luckily for me they could see I was not the culprit but having the head of internet security at a major bank calling me nearly gave me a heart attack

    The bottom line is you can and will bounce back from this - my site was also blacklisted and eventually bounced back

    In my eyes it's all part of the growing and learning process - hang in there Paul!
    • Profile picture of the author paulgl
      Sorry, but that sounds quite bogus. The head of security at Chase bank
      would not be calling. It would be very suspicious if someone identified
      themselves as such.

      Paul
      Signature

      If you were disappointed in your results today, lower your standards tomorrow.

      • Profile picture of the author Aussie_Al
        tell me about it

        I was skeptical until I got home and got a message from HostGator backing up his claims
  • Profile picture of the author Paul Tovey
    I just found another folder copied into my site containing 1,125 additional websites.
    myurl.com/creams/1125varients.html

    All of which link to various other internally created pages in this folder.

    I've just had an additional 3,000 links built to all pages in the 'cremes' folder. Why is this happening?
    Do you think it's automated or targeted?
    • Profile picture of the author beautyuno1
      how did you find the folder?
      • Profile picture of the author Paul Tovey
        I did a random Ahrefs check on my site and saw 3,256 links coming into my site TODAY.

        I mean, this sticks out like a sore thumb. So I went to see where they were linking to and they were all linking to a page that I never created and, according to my WP installation, does not exist; they must have been put in via FTP. The url was: 'myurl/creams'.

        I don't know what the purpose of this is, there were thousands of interlinking pages, just two lines of content with anchor rich beauty products, with loads of external links coming in to the pages. It's like they were doing SEO from the 90's, there were NO external links going from these pages which is the weirdest thing.
  • Profile picture of the author IMLab
    Originally Posted by Paul Tovey View Post

    Here's the question: There's no doubt that even if I clear this up, it's going to have a bad effect. There must be people out there who do not understand this stuff. Does Google understand this happens? If so, what are they doing about it?
    Also, why bother doing any of this? There doesn't seem to be a point.
    Sorry to know about all that.

    The best way to solve your problem is to start with a brand new domain. There is no point now in fixing the linking profile of your old domain as that will take a long time and it might not even work.

    Start fresh with a new domain, de-index and disable the old one, then transfer your old files to the new one. Make sure as well that you scan your website files for malicious code and be careful next time when organizing your link building campaigns.

    Hope that helps!
    Signature
    Our SEO Website: Labinator.com
    Complete Link Building Guide For 2016: Click Here
    • Profile picture of the author Kevin Maguire
      Originally Posted by IMLab View Post

      Sorry to know about all that.

      The best way to solve your problem is to start with a brand new domain. There is no point now in fixing the linking profile of your old domain as that will take a long time and it might not even work.

      Start fresh with a new domain, de-index and disable the old one, then transfer your old files to the new one. Make sure as well that you scan your website files for malicious code and be careful next time when organizing your link building campaigns.

      Hope that helps!
      Terrible advice.

      What on earth does his domain name have to do with a hack? And why on earth would he have to drop the entire domain when his problems are based around an upload injection? If he rooted and moved domain the exploit still remains. If he clean installs the exploit will still be open no matter what url the files sit on.

      Paul, your site clearly has an open upload point somewhere that's being injected with the page generation script.

      What you need to do is.

      Have the opening found and closed
      Clean install to a server with https://atomicorp.com/products/asl.html , tough to beat.
      Pray it wasn't a targeted attack (very rare).
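A way to check a webroot for what this reply and Paul's earlier post describe (a folder WordPress never created, and scripts dropped through an upload point), as an added example that is not code from anyone in the thread. It assumes a stock WordPress layout where `wp-content/uploads` should hold only media; `audit_webroot`, `build_sample_tree`, `expected` and the sample tree are names and data made up for the example.

```python
import os
import tempfile

CORE_DIRS = {"wp-admin", "wp-content", "wp-includes"}  # directories a stock WordPress ships
SCRIPT_EXT = (".php", ".phtml", ".phar")

def audit_webroot(root, expected=()):
    """Return (unexpected, scripts_in_uploads).

    unexpected: {dir name: file count} for top-level directories that are neither
                WordPress core nor listed in `expected` (the owner's own folders).
    scripts_in_uploads: sorted relative paths of script files under wp-content/uploads.
    """
    allowed = CORE_DIRS | set(expected)
    unexpected = {}
    for name in sorted(os.listdir(root)):
        full = os.path.join(root, name)
        if os.path.isdir(full) and name not in allowed:
            # Count every file below the directory, so a mass-generated
            # page farm stands out by size.
            unexpected[name] = sum(len(files) for _, _, files in os.walk(full))
    scripts = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(uploads):
        for f in files:
            if f.lower().endswith(SCRIPT_EXT):
                scripts.append(os.path.relpath(os.path.join(dirpath, f), root))
    return unexpected, sorted(scripts)

def build_sample_tree(root):
    """Create a small constructed webroot for the demo. All names are made up,
    except 'creams', the folder name reported in the thread."""
    files = [
        "index.php", "wp-admin/index.php", "wp-includes/version.php",
        "wp-content/uploads/2015/01/photo.jpg",
        "wp-content/uploads/2015/01/thumb.php",  # script where only media belongs
        "cgi-bin/.keep",
        "creams/a.html", "creams/b.html", "creams/c.html",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        print(audit_webroot(d, expected=("cgi-bin",)))
```

Anything reported here is a lead for finding the opening, not proof the site is clean: a backdoor placed inside a core directory would not show up in either list.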
      • Profile picture of the author elcidofaguy
        Originally Posted by Kevin Maguire View Post

        Paul, your site clearly has an open upload point somewhere that's being injected with the page generation script.
        For sure second that! Start by looking through your server log files... look for calls made to non-obvious web pages, system/set-up related etc. Look for IPs that are not yours or that of your webhost... In my case this helped identify the vulnerability and get a fix implemented asap... Example: repeated calls made to xmlrpc.php is an attempt to log on to WP via the back door with brute force... Once in they may install some scripts to inject page generation.. Another could be plugins from a dodgy source to say the least... which provides the back door.... For sure the clues are all on your server !!!
        Signature
        Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
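The log review suggested in the reply above, as an added example that is not code from anyone in the thread. It assumes access logs in the Apache/NGINX combined format; `triage`, `own_ips`, `known_prefixes` and the threshold are made up for the example, and the log lines are constructed (documentation IP ranges, with the `/creams/` path reported earlier in the thread).

```python
import re
from collections import Counter

# Combined format: ip ident user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
AUTH_ENDPOINTS = ("/xmlrpc.php", "/wp-login.php")

def triage(lines, own_ips=(), known_prefixes=("/wp-",), threshold=5):
    """Return (hammering, unknown_dirs).

    hammering: {ip: count} for IPs with >= threshold POSTs to the login endpoints.
    unknown_dirs: {top-level path: hits} answered with 200 but outside known_prefixes,
                  i.e. content the owner does not recognise as theirs.
    """
    auth_posts, unknown = Counter(), Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in own_ips:
            continue  # unparseable line, or the owner's / host's own traffic
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path in AUTH_ENDPOINTS:
            auth_posts[m["ip"]] += 1
        elif m["status"] == "200" and path != "/" and not path.startswith(known_prefixes):
            unknown["/" + path.lstrip("/").split("/", 1)[0]] += 1
    hammering = {ip: n for ip, n in auth_posts.items() if n >= threshold}
    return hammering, dict(unknown)

def _line(ip, method, path, status):
    # Builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2015:03:12:01 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample data, not taken from any real server.
SAMPLE = (
    [_line("198.51.100.7", "POST", "/xmlrpc.php", 200) for _ in range(6)]
    + [
        _line("198.51.100.9", "GET", "/creams/1125varients.html", 200),
        _line("198.51.100.9", "GET", "/creams/page2.html?x=1", 200),
        _line("203.0.113.10", "POST", "/wp-login.php", 302),  # site owner
        _line("192.0.2.44", "GET", "/about/", 200),
        _line("192.0.2.44", "GET", "/missing-page/", 404),
    ]
)

if __name__ == "__main__":
    hammering, unknown = triage(SAMPLE, own_ips={"203.0.113.10"},
                                known_prefixes=("/wp-", "/about"))
    print("repeated login POSTs:", hammering)
    print("200 responses outside known paths:", unknown)
```

On a real site `known_prefixes` has to list every section the owner actually publishes, otherwise ordinary permalinks are reported too.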
        • Profile picture of the author Paul Tovey
          Thank you all, some great advice in here. I'm not going to de-index the domain etc. as somebody suggested, as that's kinda mad.

          I'll check the site thoroughly, is Google doing anything to prevent this kind of action affecting their search results?
      • Profile picture of the author IMLab
        Originally Posted by Kevin Maguire View Post

        Terrible advice.

        What on earth does his domain name have to do with a hack? And why on earth would he have to drop the entire domain when his problems are based around an upload injection? If he rooted and moved domain the exploit still remains. If he clean installs the exploit will still be open no matter what url the files sit on.

        Paul, your site clearly has an open upload point somewhere that's being injected with the page generation script.
        Hi there!

        If you read my answer properly and the original question, you would notice that it is not only a security issue but also a signal of a negative SEO campaign.

        If the whole negative SEO campaign is done on purpose then cleaning up after the mess would surely take a long time and would require persistent work. Changing the domain name would solve this issue instantly if you don't have a brand connected to it.

        Apart from that, it is clear as you said that he might also be facing a serious security issue which needs to be solved instantly.

        Note: It is not professional at all to label my answer as "terrible" without reading it and understanding the original question - The original question is not only about "cracking" but also about negative SEO. Besides that, this section of the forum is not for advertising your services around. Moderators might give you a warning if you keep posting your links.

        Thanks!
        Signature
        Our SEO Website: Labinator.com
        Complete Link Building Guide For 2016: Click Here
  • Profile picture of the author devenn27
    I second what Kevin Maguire said.

    Most probably the hacker brute forced your login (I assume it's a WordPress site and you left the username unchanged as "admin"?). Once they have guessed your password with brute force they can do anything they want with SQL injection.

    I'd suggest you take an XML database backup or clean up your MySQL database first and take a backup of it for a fresh install. With the new install make sure you change the username "admin" to something else and also have a strong password.

    Additionally you can use (what I do) a rename login plugin (there are several others, but I use it because it's a simple and light plugin) to change the login URL to anything else. For example: Change YourDomain.com/wp-admin to Yourdomain.com/new-login-url; that way the hacker won't know the login url which is needed for a brute force attack...if he/she/bot doesn't have your login url, brute force doesn't make sense, and they will probably give up and move on to the next target.

    Clean up and do a fresh install is what I'd suggest. Good luck!
    • Profile picture of the author Mike Anthony
      Unfortunately, if it's SERP competition motivated there is little you can do about the spam part except getting links that insulate you from the effect
  • Profile picture of the author KingServers01
    Firewall security is what I would recommend for every server. Also, customers using a CMS should update their websites regularly. You can use a double authentication system so that the password doesn't get stolen.
    Signature
    Managed & Unmanaged VPS Hosting & Dedicated Servers
    Europe & USA by King-Servers.com
  • Profile picture of the author Paul Tovey
    Hey Guys,

    I've fixed the hacks and the site is back to 100% but I am getting 8,000 backlinks per day from spam domains sent to my site and to that specific page that was created (it's been removed).

    What can I do at this point? I'm updating my disavow file daily at the moment, this is not good.
    • Profile picture of the author devenn27
      Originally Posted by Paul Tovey View Post

      Hey Guys,

      I've fixed the hacks and the site is back to 100% but I am getting 8,000 backlinks per day from spam domains sent to my site and to that specific page that was created (it's been removed).

      What can I do at this point? I'm updating my disavow file daily at the moment, this is not good.
      De-index that new folder/directory url that the hacker created. You can remove that url in webmaster tools.
      • Profile picture of the author yukon
        Banned
        Originally Posted by devenn27 View Post

        De-index that new folder/directory url that the hacker created. You can remove that url in webmaster tools.
        That would only remove the problem page/s from the SERPs, it wouldn't stop Google from slapping a compromised site. Google is still looking at all the pages/links.
        Signature
        Hi
  • Profile picture of the author sweezeter
    There is nothing you can do besides getting those links removed. Wasting time on the disavow isn't the answer either as that won't work at helping an attack like this.

    The good thing is that you patched the site, right? I'd actually spend a few bucks with a WordPress expert to make sure you've got everything patched.

    The hacker's goal was to hack the website and then spam it so that it would rank, meanwhile you aren't the wiser as they usually cover their tracks pretty well.

    If you hadn't been watching your links this could have gotten really bad. A friend of mine had close to 250,000 links created because his site was hacked to death and had been for some time.

    It's time to be proactive at this point, get started on link removals, like today.
  • Profile picture of the author Icematikx
    Quite a common occurrence. I often check blog spam on my PBN, and see things such as this.

    Who's your host? I assume you're on shared hosting? Correct me if I'm wrong.

    You need to move to a host which takes security seriously. I've NEVER been hacked, and I've only ever used shared hosts like Siteground and Site5. Perhaps I'm lucky, who knows?

    The next step would be to consider a VPS and harden it right up. Restrict wp-admin folder access to your IP address only - problem solved. Also, add HTTP authentication to WP-ADMIN. There's no chance anybody can access your WP install by going through HTTP authentication + Apache/NGINX IP restriction unless they have access to the server itself.

    Once WP is installed, restrict any new folders from being created. If you need to install a plugin, take the restriction off and install it. Keep everything locked down.

    To then "hack" you, they'd need to do it at ROOT level with Administrative access to the VPS. This is only going to happen if somebody seriously needs to get rid of you from the market. Chances are, it's just a mass attack on hundreds of sites on the same host.

    Then you can get security from Linux level and WordPress level. Restrict everything. Captcha code everything that matters - such as PHPMYADMIN.

    It's about finding out how and why you were hacked, and a shared host is rarely going to help here.
    Signature

    Just got back from a #BrightonSEO. I was given room 404 in the hotel I stayed at. Couldn’t find it anywhere!

  • Profile picture of the author Paul Tovey
    Hey guys, sorry to bring this up again, but I'm really unsure what I should do.

    I have had 3,000 spam links sent to my site for the past 7 days in a row and it doesn't look like it's going to stop anytime soon. Should I give up now? Rankings are now dropping across the board and there is nothing I can do to stop these links coming in..
  • Profile picture of the author elcidofaguy
    In that case I would be tempted to try this out: http://www.warriorforum.com/search-e...ansferred.html

    In sum: redirect at htaccess level - page for page to a new domain and again back out... I would not do it at domain level...

    I also think that G should be smart enough to tell the difference between -ve seo versus attempts to game the system... Seriously it's about time G clamped down on -ve seo by simply ignoring these links....

    That said good luck and hang in there!
    Signature
    Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
  • Profile picture of the author Paul Tovey
    Just had a thought, they are only building links to specific parts of the site. If I was to 301 redirect these parts, would it help?
    • Profile picture of the author elcidofaguy
      Originally Posted by Paul Tovey View Post

      Just had a thought, they are only building links to specific parts of the site. If I was to 301 redirect these parts, would it help?
      I've never tried it personally - but it just might work... It just occurred to me that the following approach might also work but again I cannot verify ....

      Create a sub domain site from penalized one - with giving it a name which may help with branding e.g. words like official, original, www.official.<domainname>.com etc...

      Copy the content from the old one and make sure to use the canonicalize tag on the penalized domain and new sub domain so that you avoid a duplicate flag from G... Canonicalization ensures that the link juice is attributed correctly - and it may even filter out the penalty...

      After that you could just leave it like that with the new pages now being able to rank for the content based on canonicalization or additionally apply the page level redirect (which will bring in traffic from old site to new sub domain site)...

      The reason why I mention the subdomain is that G sees this as a separate domain...

      I hope that helps...
      Signature
      Clickbank Affiliates. Are You One Of The 95% That Struggle To Make An Online Income? Introducing The Game Changing Strategy That You Need to Know About... Click Here!
  • Profile picture of the author Paul Tovey
    I will most probably end up re-directing the domain and start again. Is this still a viable idea or will I just be forwarding a problem to a new website?
    • Profile picture of the author IMLab
      Originally Posted by Paul Tovey View Post

      I will most probably end up re-directing the domain and start again. Is this still a viable idea or will I just be forwarding a problem to a new website?
      Hi there!

      As I mentioned before, you first need to spot the original problem. An action plan will be like this:

      Step 1: Scan your website and server for malicious code and errors. You really need to spot the origins of the problem and fix any security holes before doing anything. If you can't do that on your own, then it is recommended to hire a firm to do that for you.

      Step 2: You need to disavow all the bad links that you managed to spot. I highly recommend you to hire an expert to do this for you as well.

      Step 3: If the disavow tool did not work well for you and you are still penalized by Google, then surely you need to change the domain name and de-index your old website. However, changing the domain name does not fix your security issues (maybe that is too obvious to mention on here).

      Note: If your website is penalized and not getting traffic then there is no point in re-directing it to the new website. If you are still getting good clients and a huge amount of traffic to your old domain, then it might be worth the shot.

      Hope that helps!
      Signature
      Our SEO Website: Labinator.com
      Complete Link Building Guide For 2016: Click Here
