Monday, April 07, 2008 at 11:37 AM
Written by Nathan Johns, Search Quality Team
All right, you got hacked. It happens to many webmasters, despite the hard work you devote to preventing this type of thing from happening. Prevention tips include keeping your site updated with the latest software and patches, creating an account with Google Webmaster Tools to see what's being indexed, keeping tabs on your log files to make sure nothing fishy's going on, etc. (There's more information in the Quick Security Checklist we posted last year.)
Remember that you're not alone—hacked sites are becoming increasingly common. Getting hacked can result in your site being infected with badware (more specifically malware, one type of badware). Take a look at StopBadware's recently released report on Trends in Badware 2007 for a comprehensive analysis of threats and trends over the previous year. Check out this post on the Google Online Security Blog which highlights the increasing number of search results containing a URL labeled as harmful. For even more in-depth technical reports on the analysis of web-based malware, see The Ghost in the Browser (pdf) and this technical report (pdf) on drive-by downloads. Read these, and you'll have a much better understanding of the scope of the problem. They also include some real examples for different types of malware.
The first step in any case should be to contact your hosting provider, if you have one. Oftentimes they can handle most of the technical heavy lifting for you. Lots of webmasters use shared hosting, which can make it difficult to do some of the things listed below. Tips labeled with an asterisk (*) are cases in which webmasters using shared hosting will most likely require assistance from their hosting provider. If you do have full control over your server, we recommend covering these four bases:
Getting your site off-line
- Take your site off-line temporarily, at least until you know you've fixed things.*
- If you can't take it off-line, return a 503 status code to prevent it from being crawled.
- In the Webmaster Tools, use the URL removal tool to remove any hacked pages or URLs from search results that may have been added. This will prevent the hacked pages from being served to users.
Damage Assessment
- It's a good idea to figure out exactly what the hacker was after.
  - Were they looking for sensitive information?
  - Did they want to gain control of your site for other purposes?
- Look for any modified or uploaded files on your web server.
- Check your server logs for any suspicious activity, such as failed login attempts, command history (especially as root), unknown user accounts, etc.
- Determine the scope of the problem—do you have other sites that may be affected?
Recovery
- The absolute best thing to do here is a complete reinstall of the OS from a trusted source. It's the only way to be completely sure you've removed everything the hacker may have done.*
- After a fresh re-installation, use the latest backup you have to restore your site. Don't forget to make sure the backup is clean and free of hacked content too.*
- Patch any software packages to the latest version. This includes things such as weblog platforms, content management systems, or any other type of third-party software installed.
- Change your passwords - https://www.google.com/accounts/PasswordHelp
Restoring your online presence
- Get your system back online.
- If you're a Webmaster Tools user, sign in to your account.
  - If your site was flagged as having malware, request a review to determine whether your site is clean.
  - If you used the URL removal tool on URLs which you do want in the index, request that Webmaster Tools re-include your content by revoking the removal.
- Keep an eye on things, as the hacker may try to return.
Answers to other questions you may be asking:
Q: Is it better to take my site off-line or use robots.txt to prevent it from being crawled?
A: Taking it off-line is a better way to go; this prevents any malware or badware from being served to users, and prevents hackers from further abusing the system.
Q: Once I've fixed my site, what's the fastest way to get re-crawled?
A: The best way, regardless of whether or not your site got hacked, is to follow the Webmaster Help Center guidelines.
Q: I've cleaned it up, but will Google penalize me if the hacker linked to any bad neighborhoods?
A: We'll try not to. We're pretty good at making sure good sites don't get penalized by actions of hackers and spammers. To be safe, completely remove any links the hackers may have added.
Q: What if this happened on my home machine?
A: All of the above still applies. You'll want to take extra care to clean it up; if you don't, it's likely the same thing will happen again. A complete re-install of the OS is ideal.
Additional resources you may find helpful:
- If your site's been flagged by Google as serving malware, we'll alert you when you visit Webmaster Tools.
- Don't forget about the Google Webmaster Help Group; it's full of extremely knowledgeable users, and Googlers as well. For a nice, on-topic example, check out this thread. There's also a Stop Badware group.
- Matt Cutts recently posted Three tips to protect your WordPress installation on his blog, and there are lots of great comments below the post as well.
Feel free to leave additional tips you have in the comments.


37 comments:
I wonder, do you have any ideas what to do about a Yahoo Group being 'copied' to another blog and BlogSpot ignores our requests to take it down?
You could file a DMCA takedown request; see the last couple paragraphs of this article for details.
My google LINK has been hacked, but my site seems fine. If I go to my actual URL that google shows, it goes the right place. But if I click on the link from google, it gets redirected.
How does that happen????
I'm the 6th result for bankruptcy means test. Click that link and it redirects to a hacker page I've since deleted. But if you put that URL into the browser, it works fine. Why?
I see that the backup tip has an asterisk. Having worked for shared hosting providers I would advise not to rely on them for this. Always do your own off site backups.
Make sure they are off site so in the worst case scenario you can take your business elsewhere.
If you are hacked, having a known good copy can help. There are many applications that will check and display the differences among files to see what was changed.
Also, if you're tech savvy enough, get a list of MD5 hashes of all your files before they get uploaded and keep it in a safe place. You can then compare the hashes against the files on the server to see what was modified since they were uploaded.
Don't always trust the time stamps since they are easily manipulated with things like 'touch'.
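The hash-manifest comparison suggested in the comment above, which also serves the post's advice to look for modified or uploaded files, sketched as an added example (not code from the original post or its comments). It uses SHA-256 in place of the MD5 the comment names; the function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file() and not path.is_symlink()
    }


def compare(manifest, root):
    """Report files whose content changed, appeared or vanished since the manifest."""
    current = build_manifest(root)
    shared = manifest.keys() & current.keys()
    return {
        "modified": sorted(name for name in shared if manifest[name] != current[name]),
        "added": sorted(current.keys() - manifest.keys()),
        "missing": sorted(manifest.keys() - current.keys()),
    }


def demo():
    """Constructed site tree: take a manifest, then change files behind its back."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "css").mkdir()
        (site / "index.php").write_text("<?php echo 'home'; ?>\n")
        (site / "css" / "site.css").write_text("body{}\n")
        # Taken before upload; in practice it is stored off the server.
        manifest = build_manifest(site)

        before = (site / "index.php").stat()
        (site / "index.php").write_text("<?php echo 'h0me'; ?>\n")
        # Put the old timestamps back, as 'touch' can: the mtime now looks untouched.
        os.utime(site / "index.php", ns=(before.st_atime_ns, before.st_mtime_ns))
        (site / "index.htm").write_text("unexpected file\n")
        (site / "css" / "site.css").unlink()

        mtime_unchanged = (site / "index.php").stat().st_mtime_ns == before.st_mtime_ns
        return compare(manifest, site), mtime_unchanged
```

The manifest is only useful if it is kept somewhere the server cannot write to; a copy stored beside the site can be regenerated by whoever changed the files.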
Query on terminology.
You say "malware is a type of badware".
I'd always understood malware as pretty much any *ware that is bad (mal being a normal English prefix for something that is bad, from the Latin).
When google started using "badware" this seemed to be part of the normal dumbing down of language that's current at the moment (e.g. avian 'flu suddenly became bird 'flu when tabloid journalists decided their readers and viewers were too stupid to know what "avian" meant and too stupid to possibly learn) and disliked the term for this reason (I don't think the average person is too stupid to learn what "avian" means if they didn't already know, and didn't think they were too stupid to learn what "mal-" meant either).
Now learning that the two are being used by google as different things (one a hyponym of the other) has me curious as to just how the two are being defined.
@ajr The first thing I'd suspect is that someone has cracked (hmm, I seem to use "hack" with a different definition to google also) the site and set it to redirect if the user comes from google, but not otherwise so it would go undetected for longer (quite clever). Just a vague theory, but worth looking at.
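A site owner can test for the behaviour described in the two comments above (a page that redirects only when the visitor arrives from a search result) by requesting the same URL with and without a search-engine Referer header and comparing the answers. This is an added example, not part of the original post or comments; the Referer value, the function names and the canned responses in `demo()` are constructed.

```python
import hashlib
import urllib.error
import urllib.request

# Constructed sample value: any search-results URL works as the Referer.
SEARCH_REFERER = "https://www.google.com/search?q=example"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so they can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, referer=None, timeout=10):
    """Fetch url once and return (status, Location header or None, body)."""
    headers = {"User-Agent": "Mozilla/5.0 (site-owner referer check)"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    request = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(request, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read()
    except urllib.error.HTTPError as err:
        # With redirects disabled, 3xx answers arrive here like 4xx/5xx.
        return err.code, err.headers.get("Location"), err.read()


def referer_differences(url, fetch=http_fetch, referer=SEARCH_REFERER):
    """Compare a direct request with one that claims to come from search."""
    d_status, d_loc, d_body = fetch(url, None)
    s_status, s_loc, s_body = fetch(url, referer)
    findings = []
    if d_status != s_status:
        findings.append(f"status {d_status} direct, {s_status} with Referer")
    if s_loc and s_loc != d_loc:
        findings.append(f"redirect to {s_loc} only with Referer")
    if hashlib.sha256(d_body).digest() != hashlib.sha256(s_body).digest():
        findings.append("body differs with Referer")
    return findings


def demo():
    """Run the check against two constructed sites, without network access."""
    def clean_site(url, referer):
        return 200, None, b"<html>home</html>"

    def tampered_site(url, referer):
        # Canned responses modelling the symptom described in the comments.
        if referer and "google." in referer:
            return 302, "http://unexpected.example/", b""
        return 200, None, b"<html>home</html>"

    url = "http://www.example.com/"
    return (referer_differences(url, fetch=clean_site),
            referer_differences(url, fetch=tampered_site))
```

Pages with dynamic content can differ between any two requests, so a body difference alone is a prompt to look at the page, while a status or Location difference tied to the Referer is the stronger signal.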
///A: We'll try not to. We're pretty good at making sure good sites don't get penalized by actions of hackers and spammers. To be safe, completely remove any links the hackers may have added.
Sure you say that now - but everyone knows this was NEVER the case before.
Remember the case of Jennifer convertibles? As with that and many others, you took down the entire domain.
After constant ranting and raving by SearchEnginesWeb on Matt Cutts' blog - that is when you finally become more perspective and less draconian about the banning policy.
But it was certainly not that way before
Good info, thanks for this. I made myself a forum as well (opeon.net) and I'm trying to give forum-support there for people and their webmasters. So this sure is info I can let them read!
Kind regards
Susan,
I recently fixed this blog which was hacked:
http://www.kcrobotics.com/blog/
I have sent many re-inclusion requests since the hacked files have been fixed and yet the blog itself is not indexed at all. Any ideas why?
It doesn't appear to be ranking for the keyword "kc robotics blog".
@Talliesin:
StopBadware's glossary explains the difference between badware and malware.
@incrediblehelp:
Actually the blog is indexed (I see 20-odd pages); but they're all labeled with a malware warning. If you want to get that warning removed, you'll need to request a malware review, not file a reconsideration request.
Thanks Susan. Yes I have put a request in with Stopbadware. Hopefully they will act on it sometime soon.
Don't dare "take your page temporarily offline" as described. It will be a disaster for any PR that you may have built over the years. You will not recover from this, as we are a prime example. PR5-6 before our "temporary" removal. PR 0 since...
Travel-Ascending.com
Nice link to the Quick security checklist for webmasters
Very interesting. I encountered a malware tag in the search results. It was due to a not well coded plugin in my WordPress site.
For French speakers: I have translated this article on WordPress-tuto.fr: http://wordpress-tuto.fr/conseils-google-sites-pirates-369
Q: I've cleaned it up, but will Google penalize me if the hacker linked to any bad neighborhoods?
A: We'll try not to. We're pretty good at making sure good sites don't get penalized by actions of hackers and spammers. To be safe, completely remove any links the hackers may have added.
First, thanks for the great post and suggestions on recovering from a hack attack. It doesn't cover uploads of phishing software that takes over your site and uses it to send phishing emails out (without compromising the site pages themselves), but that's exactly what happened to us. And despite the self-promotion, google didn't really go out of its way to make "sure good sites don't get penalized by actions of hackers and spammers". We got no email notification and even after a month have had little or no obvious response to our efforts to get this cleaned up.
We had the phishing software cleaned out within a day of noticing the problem, and plugged up the security breach, but google still has yet to lift its warning that we're trying to steal information. We've made numerous attempts to have google reassess the site, to no avail as yet.
In fairness it's not just google - it's mcafee and site advisor, it's yahoo!, and undoubtedly others. The draconian approach is sort of like the fourth grader suddenly allowed to take names. The sky's the limit.
Have you tried this form? I believe it's the best (only?) way to request review of a site that's been marked as phishing.
I have been told to contact you, because when I was trying to download some images onto my bebo account a message came up that said 'Image uploader encountered some problem, if you see this message contact web master' So I came onto this website and this was the only way of contacting you that I could find.
I've had it with Google! This site is fucked. It used to be excellent, but you guys are so into making your billions you're forgetting the customer.
Try googling any name or known business, then click the name or business that is headlined. It comes up with nothing you want or need, including porn or nothing to do with the title or business. It even transfers you to other search engines to start all over again. What a waste of time Google has become. I have similar complaints from many others who are switching from Google because it's fucking useless. Wake up!
Hi.
I had a blogspot blog which I deleted as I was new to blogging and had no idea on hackers and spammers.
To my dismay someone revived my blog, with all my posts in it and still using my username. I don't know how come that when you click on the author's profile, my own profile shows and not that of the hacker/spammer. In the past months, there's been adult content in the blog under the impression that I still own and manage it.
I don't know how to get this blog back. I've been searching for help online. I hope you could help me with this.
This is the blog: The Free Videos
Please help me get this blog back.
Thank you.
I have a website which has a wordpress blog on it. Unfortunately I was complacent about downloading updates from the wordpress website for blocking security weaknesses.
Anyway cut a long story short my blog got hacked. I did not realise to start with, as the hacker had not put malware on the site. He had simply added hundreds of invisible links to the bottom of many of the blog posts.
He also used adult related keywords in the anchor text. My site is not an adult site so this would have been bad as well.
My website took a severe drop in rankings, so much so that it did not even rank number one for the words in its domain name.
We eventually found what we think is the problem and that is the invisible links on the site. We removed them. We put in a reconsideration request about 3 weeks ago. But the thing is we did not add these links, but until someone reads our reconsideration request at Google no one will know this.
Is there anything extra I can do to help get my site looked at quicker? If not how long can I expect to wait before the site improves?
I know why Google penalizes sites and I agree with their system as it keeps the quality high in the index. But for honest people it can be hard when someone hacks your site and it is not recognised as hacked by Google. No malware was inserted, they just sabotaged our site, which we work very hard on to keep a useful resource for our visitors. Please give me any advice you can.
Many Thanks
I have not heard back from you regarding my blog being hacked and hundreds of links being dumped into it. I think this is what caused my website to be penalised by Google.
My website is www.ukfinancialoptions.co.uk
Please could you give me any advice on what I could do to get the penalty lifted. I have put in a reconsideration request but seeing as we have not done anything wrong ourselves I was wondering if there was anything else we could do to speed the process up.
We have corrected the problem now.
How long does a review take once you've cleaned up your site?
Not that there is ever a good time for this kind of thing, but my site was hacked just after I sent out a bunch of resumes and asking potential employers and business partners to check the site out. I've identified and deleted the files I didn't put there, I've changed all my admin passwords, and installed a WordPress plugin that is supposed to help prevent future attacks... how long do I have to worry that people who use firefox won't want to view my site? When I'm telling people I want to do web and hosting-related work for them, the big red warning screen sure isn't helping me generate employment.
If anyone can tell me how long I can expect to see the warning there after submitting a request for a review, I'd really appreciate it.
Again, I ask:
How long does it take for your site to be reviewed once you've cleaned it up and asked for a review? This is costing me the ability to generate an income. I don't think Google and Firefox should have the power to deter visitors to a specific site if there's not a more direct way of removing such limitations once the problem has been fixed. Not only did my site get hacked, but now the self-appointed anti-malware coalition is making sure my site gets no traffic. THANKS GOOGLE!!! Way to protect!
I am in the same boat. My successful ecommerce site was hacked a few weeks back and we noticed the issue and took care of it immediately. Including removing the vulnerabilities so that it can't happen again. However in that short period of time we were flagged by Google and now have the warning page anytime someone comes to us from Firefox. Our site is completely safe, we took care of the issue in an extremely timely manner, and still have not had our review from Google as we requested. We are losing a significant amount of money every day because of this.
It just seems odd to me that Google flags us so quickly, but then takes forever to review the site and remove the flag. ARGH!!!
Hi Nathan,
Thank you for the post. I have had a similar problem with my website and it was flagged in Google results "this site may harm your computer". I removed all the malware from my website immediately, and in the next two or three days the flag was removed. Thank you for the fast removal of the flag.
The flag was removed but now I have lost all the ranking; I am getting nearly ZERO organic traffic from Google.
Is this possible because of the hack? How can I get back my rankings...
Nathan,
Sorry, I forgot to mention my web address:
http://www.himalayacrafts.com
I never read such a good post on this topic. It's really helpful for me.
Himalaya Crafts said...
Hi Nathan,
Thank you for the post. I have had a similar problem with my website and it was flagged in Google results "this site may harm your computer". I removed all the malware from my website immediately, and in the next two or three days the flag was removed. Thank you for the fast removal of the flag.
The flag was removed but now I have lost all the ranking; I am getting nearly ZERO organic traffic from Google.
Is this possible because of the hack? How can I get back my rankings.
I have exactly the same problem.
My site has been flagged as "this site may harm your computer" due to some ugly JavaScript code from a counter stat website, and it now gets almost no traffic from Google. Isn't there a solution to this, or at least a point that will decrease the time for the recovery?
I have my blog at Mussiqa.blogspot.com.
For one year it was mine. In May 2008 all the blog content was deleted and the blog is now empty with no indication of the owner; all the content is gone and now it's owned by somebody else with no content at all.
On the same day, 17/5/2008, I wrote to Google about this, with no answer yet.
My question is so simple: why didn't Google request mail verification before deleting one year of effort without asking the blog publisher, and on the same day they gave the blog name to others?
Until now I wait for the answer.
Very bad.
My old page rank 5 blogg:
lolita.blogg.se has been deleted and is now used by ejaktiv.blogg.se
as a doorway with deceptive redirects to sites in the blogg.se network:
blogg.se and nybloggat.se
lolita.blogg.se has moved and should be redirected to http://www.lolitas.se
What to do?
Last February I faced several hacking attempts on my site. The index page was not shown at that time. After checking the server I found that an "index.htm" file had been uploaded and a few pieces of JavaScript code had been added to the Index.php file in every folder. It redirected to some .ru sites at that time. After changing the password and fixing the errors the problem has gone, but every day I check whether my site is OK or not.
A good lesson for everybody.
www.fantazo.com
My blog, which I work sooooooo hard for, was hacked during the last PR update and guess what.... I lost my PR and lost the traffic I used to get.
I really hope that Google gives me back my lost serp rankings and online reputation.
I will be following up with you guys in here because I truly want to find out how long it takes (provided you work double time) to get back what I or anyone genuine deserves.
This will help (hopefully) other bloggers throughout the family and help us better understand how things should be and even could be.
Also, I forgot to mention that my blog was not flagged as an infected one!
Luckily, thanks to the extensive Google Analytics stats I noticed the issue the day after it happened.
My steps so far:
Since then I have individually taken care of all the folders and files by checking them one by one, hours after hours. Took me over 46 hours altogether and it sure was a daunting task!
After cleaning the issues at my end I requested through Webmaster Central to remove the indexed pages that the spammers left behind.
Also, I have fixed the issues regarding robots.txt as instructed in the webcentral.
Then I imposed a very tight security measure through Htaccess. My Htaccess is now around 6KB in size with all the rules in them lol.
I have also dedicated a significant amount of time in reading my raw access logs and error logs so that I miss nada.
Lastly, as I lost all my pagerank, and sites that directly copy my posts/scrape them seem to rank over me in the serp, I am considering changing my domain and doing a 301 redirect. Will it help anyway?
As you can see.... I am on the verge of hitting complete confusion and am really hoping that all these issues disappear sooner rather than later so that all my hard work pays off for me, as I am a full time mobile themes developer and blogger. :(
So I ask thee... since those "bad pages were indexed even if for a day" will it still matter after the removal does happen? Will it be a good idea to do a 301 redirect and start with new domain altogether.
Anyone, everyone? What would you have done additionally? Did I miss anything? Should I take my blog offline?? :(
I can only echo the frustration of those who've posted above me...my site was hacked...I've fixed the problem within 24 hours...why does it take weeks for google to restore my status and remove the warnings?
I'm losing money daily!!! Please help mitigate my damages...don't delay. It's unfair when you're a small business trying to operate an ethical business.
Tammy
www.tlddesigns.com
Hi everyone,
Since some time has passed since we published this post, we're closing the comments to help us focus on the work ahead. If you still have a question or comment you'd like to discuss, feel free to visit and/or post your topic in our Webmaster Help Forum.
Thanks and take care,
The Webmaster Central Team