A poster in webworkshop<\/span> forum posted this<\/p>\n “I have uncovered some malicious activity on my website which seems to be based around a Joomla<\/span>\/server vulnerability. I am still analysing the extent of the problem but here is what I have found so far. After performing a backlink<\/span> check on my website I noticed a lot of links coming into the website with an anchor text of “F”. Many of these websites seem to be genuine businesses (whether they actually are or not is still being debated), however the link itself was hidden in a mass of hidden links only visible by disabling CSS<\/span>. When I say a mass of links I am taking 100s. After further investigation I found the cause of the problem, a script file called phpgw<\/span>.php<\/span>. Somehow the server has been hacked and the file called phpgw<\/span>.php<\/span> had been placed in a folder called “images\/stories”. From what I can see this script pulls in the template file for the website and modifies the code to contain the spam links. The story continues….I pulled up the access logs for the website and there was only one reference to the phpgw<\/span> file from the IP<\/span> address 212.62.97.20, a Saudi Arabian company who seem to be known for content spamming and malicious linking, see the following URL: http:\/\/www.projecthoneypot.org\/i_b387d0cd6f471d4ce6e0535228689b7d Whether this is a server issue or a Joomla<\/span> issue is still un<\/span> clarified (I assume it’s a bit of both) but I warn Joomla<\/span> users to disable CSS<\/span>, check for spammy<\/span> links, and check the server for the phpgw<\/span>.php<\/span> file. I’m still looking into the situation so I’ll update you all if I find out anything else. “<\/p>\n This looks like an issue that needs immediate attention since link injection is not only bad for your site but very bad for SEO<\/span>. If Google crawls your site and find links to spammy<\/span> websites it will ban your site temporarily or in rare cases permanently out of their index. We had a client face the same problem where his site was hacked and he got the following email from Google<\/p>\n “ * The mail from Google was actually longer which is cut short here. Matt cutts<\/span> webspam<\/span> head also posted an entry in his blog on how to help hacked sites http:\/\/www.mattcutts.com\/blog\/helping-hacked-sites\/<\/a><\/p>\n You can see from matt’s<\/span> post that Google is not happy with hacked website with malicious and spam links. I warn everyone who use vulnerable content management systems like Drupal<\/span>, WordPress<\/span>, Joomla<\/span> etc to patch all possible vulnerabilities.<\/p>\n If you are using wordpress<\/span> i recommend downloading the latest version http:\/\/wordpress.org\/download\/<\/a> and installing on your server<\/p>\n
Dear site owner or webmaster of ***********,
While we were
indexing your webpages<\/span>, we detected that some of your pages were using
techniques that are outside our quality guidelines, which can be found here:
http:\/\/www.google.com\/webmasters\/guidelines.html. This appears to be because
your site has been modified by a third party. Typically, the offending party
gains access to an insecure directory that has open permissions. Many times,
they will upload files or modify existing ones, which then show up as spam in
our index.
The following is some example hidden text we found at
****************<\/p>\n
*
*
In order to preserve the quality of our search engine, we have
temporarily removed some of your webpages<\/span> from our search results.<\/p><\/blockquote>\n