Website has been hacked / not showing in Google! Please Help

Hey warriors,

A company I work for on and off called me today with a problem that I need some advice on. About a month ago they launched a new version of their website, same URL, but a complete from-the-ground-up rebuild. They hired a freelance consultant they had not worked with before to build it.

Today they just noticed that their website is not showing in Google, Bing, or Yahoo search results. They are not sure if it has been showing at all during this last month, or if this just happened, but it absolutely was before the site rebuild. The website also had a PR of 5 with Google, now it just shows N/A.

In Google Webmaster Tools it shows Google has been crawling the website consistently and there is no malware detected. However, when I ran the website through the free report at woorank.com it says the meta description is missing, and.... the headers it detected are webcam, and webcam girls!

This led me to check out the source code where I found this snippet of code:

<div style="display:none"><h1><a href="http://www.sexchatwebcam.org" title="<h1>sex chat</h1>">sex chat</a></h1><h1><a href="http://www.sexchatwebcam.org" title="<h1>sex Chat</h1>">sex Chat</a></h1><h1><a href="http://www.sexchatwebcam.org/" title="<h1>webcams</h1>">webcams</a></h1><h1><a href="http://www.sexchatwebcam.org" title="<h1>webcams</h1>">webcams</a></h1></div>


Please let me know your opinion on all of this. Which elements of these problems do you think are connected, if any? And where do I start to look for how this happened and how to prevent it in the future? Why is the website not showing in any search results but Google has been crawling it consistently and does not state any malware has been found? What in the hell is going on???

Thank you all so so much for your time! It is greatly appreciated!

I can PM you the URL if you want to look into it further and help.
  • envisionit2011
    I don't think Google would detect malware as those are just links...

    POSSIBLY what could have happened are two things:

    Whoever rebuilt the site included these with the "display none" CSS element so nobody could see them EXCEPT the search engines...which would give credit as a backlink....

    Also what makes me think that is the fact they used H1 headers with the display none element because why use headers if people aren't going to see it? My guess is because headers have greater SEO than just plain text.

    OR

    The person that rebuilt your site used a template that had these links already inside them and he didn't catch it, which is possible and does happen...

    Those are just my opinions tho. I think it would be highly unlikely someone would go through the trouble to hack your site JUST to include some porn links...especially seeing that they aren't even affiliate links.
    • caseycase
      Originally posted by envisionit2011:

      I don't think Google would detect malware as those are just links...

      POSSIBLY what could have happened are two things:

      Whoever rebuilt the site included these with the "display none" CSS element so nobody could see them EXCEPT the search engines...which would give credit as a backlink....

      Also what makes me think that is the fact they used H1 headers with the display none element because why use headers if people aren't going to see it? My guess is because headers have greater SEO than just plain text.

      OR

      The person that rebuilt your site used a template that had these links already inside them and he didn't catch it, which is possible and does happen...

      Those are just my opinions tho. I think it would be highly unlikely someone would go through the trouble to hack your site JUST to include some porn links...especially seeing that they aren't even affiliate links.

      I agree with option one above as the most likely culprit. Check the CSS to see if it is in there. If it is WordPress, change out the theme and see if it still shows up.

      Also, run the site through sucuri.net to see if it catches anything.

      Once you do figure it out, I would suggest they rebuild the site to make sure it is completely clean. And they need to make sure all of their passwords are changed on anything related to the site.
      Signature

      Free IM Info, No Junk - http://www.ironcladim.com



  • jleavitt13
    Thanks guys, after some further research the site does not have any malware on it. My biggest problem right now is I cannot find where this code is located:

    <div style="display:none"><h1><a href="http://www.sexchatwebcam.org" title="<h1>sex chat</h1>">sex chat</a></h1><h1><a href="http://www.sexchatwebcam.org" title="<h1>sex Chat</h1>">sex Chat</a></h1><h1><a href="http://www.sexchatwebcam.org/" title="<h1>webcams</h1>">webcams</a></h1><h1><a href="http://www.sexchatwebcam.org" title="<h1>webcams</h1>">webcams</a></h1></div>

    Checked all of my theme files, including the htaccess file, checked all plugins. That code snippet shows on every page... so I guess it is somehow being inserted into the header or something. Any ideas?
  • envisionit2011
    I know you said you checked all your theme files, but I just want to make sure, you did check HEADER.PHP right?

    And you went through your STYLE.CSS File as well?

    Since this is a WordPress theme there is a chance this could be getting injected with a code, so you wouldn't actually see the content you have posted...Try to look for a code that starts with "EVAL" and a string of numbers or odd set of characters that make a long path...This would typically be in the header.php, functions.php, and/or mainindex.php file(s)

    NOTE: if you find a string of code that doesn't look normal DO NOT TRY TO REMOVE IT if you haven't done it before, 9 out of 10 times when you just delete the code your site will show up in error and you won't get it back!! Best bet is to make a copy of any file (injected or not) and put it in your notepad so if you mess it up you can copy/replace it long enough to get your site back and get it properly figured out.

    But like caseycase said above, unfortunately you might be better off starting over with a clean theme.
    • jleavitt13
      Alright thanks so much for the advice. I did double and triple check those files without finding anything odd. This is getting ridiculous. Here is the url if anyone wants to take a look. higherbalance.com
  • jleavitt13
    Took a second run at my plugins, found it was one of them.... Had to delete it to make the code go away, not just deactivate.... Weird.
    • cbrauer
      The best thing to do is just load a backup of the site from a couple after it went live. Websites should be scheduled to back up once a week in case something like that happens. My guess would be it was not hacked; someone just got lucky with the FTP login and uploaded some ad code. Make sure you use secure passwords like !385GoobeR$9327 on hosting and FTP clients.

      Passwords should have capital letters, numbers, and special characters and should be at least 10 characters in length.
      Signature
      Jixty Is a new search engine with tons of cool features including low cost PPC. Preview full functioning websites before clicking links to ensure high quality results.

      ArticleHomestead post articles for free and share them with the world. Do follow backlinks, please only submit quality articles.
  • envisionit2011
    Yeah I checked, there is def something in the header...Any chance you could have got slammed with a comment that had an injection in it?? Also somewhere in your files someone could have added a tiny image file that typically wouldn't be seen, but is anchored with the codes...

    Also look for basecode_64 or similar....

    I'd say send me copies of your files and I could check them but I don't know how you feel about that...let me know and I will give you my email.
    • envisionit2011
      LOL I was still writing the last post when you posted you found it

      A plugin, that doesn't surprise me! Glad you found it!!