Joomla hacking problem reported - a warning message
Written by Search Engine Genie
@ 1:26 PM
permanent link on
Monday, May 26, 2008
| Post a Comment |
A poster in webworkshop forum posted this
"I have uncovered some malicious activity on my website which seems to be based around a Joomla/server vulnerability. I am still analysing the extent of the problem but here is what I have found so far. After performing a backlink check on my website I noticed a lot of links coming into the website with an anchor text of "F". Many of these websites seem to be genuine businesses (whether they actually are or not is still being debated), however the link itself was hidden in a mass of hidden links only visible by disabling CSS. When I say a mass of links I am taking 100s. After further investigation I found the cause of the problem, a script file called phpgw.php. Somehow the server has been hacked and the file called phpgw.php had been placed in a folder called "images/stories". From what I can see this script pulls in the template file for the website and modifies the code to contain the spam links. The story continues....I pulled up the access logs for the website and there was only one reference to the phpgw file from the IP address 212.62.97.20, a Saudi Arabian company who seem to be known for content spamming and malicious linking, see the following URL: http://www.projecthoneypot.org/i_b387d0cd6f471d4ce6e0535228689b7d Whether this is a server issue or a Joomla issue is still un clarified (I assume it's a bit of both) but I warn Joomla users to disable CSS, check for spammy links, and check the server for the phpgw.php file. I'm still looking into the situation so I'll update you all if I find out anything else. "
This looks like an issue that needs immediate attention since link injection is not only bad for your site but very bad for SEO. If Google crawls your site and find links to spammy websites it will ban your site temporarily or in rare cases permanently out of their index. We had a client face the same problem where his site was hacked and he got the following email from Google
The mail from Google was actually longer which is cut short here. Matt cutts webspam head also posted an entry in his blog on how to help hacked sites https://www.mattcutts.com/blog/helping-hacked-sites/
You can see from matt's post that Google is not happy with hacked website with malicious and spam links. I warn everyone who use vulnerable content management systems like Drupal, Wordpress, Joomla etc to patch all possible vulnerabilities.
If you are using wordpress i recommend downloading the latest version https://wordpress.org/download/ and installing on your server
For Drupal too latest version works.
For joomla if you find installing the latest version all over a bit difficult i recommend just patching all the loopholes using their security extensions here http://extensions.joomla.org/index.php?option=com_mtree&task=listcats&cat_id=1802&Itemid=35
Have a safe site Google and every search engines love sites that are user friendly and safe for browsing.
"I have uncovered some malicious activity on my website which seems to be based around a Joomla/server vulnerability. I am still analysing the extent of the problem but here is what I have found so far. After performing a backlink check on my website I noticed a lot of links coming into the website with an anchor text of "F". Many of these websites seem to be genuine businesses (whether they actually are or not is still being debated), however the link itself was hidden in a mass of hidden links only visible by disabling CSS. When I say a mass of links I am taking 100s. After further investigation I found the cause of the problem, a script file called phpgw.php. Somehow the server has been hacked and the file called phpgw.php had been placed in a folder called "images/stories". From what I can see this script pulls in the template file for the website and modifies the code to contain the spam links. The story continues....I pulled up the access logs for the website and there was only one reference to the phpgw file from the IP address 212.62.97.20, a Saudi Arabian company who seem to be known for content spamming and malicious linking, see the following URL: http://www.projecthoneypot.org/i_b387d0cd6f471d4ce6e0535228689b7d Whether this is a server issue or a Joomla issue is still un clarified (I assume it's a bit of both) but I warn Joomla users to disable CSS, check for spammy links, and check the server for the phpgw.php file. I'm still looking into the situation so I'll update you all if I find out anything else. "
This looks like an issue that needs immediate attention since link injection is not only bad for your site but very bad for SEO. If Google crawls your site and find links to spammy websites it will ban your site temporarily or in rare cases permanently out of their index. We had a client face the same problem where his site was hacked and he got the following email from Google
"
Dear site owner or webmaster of ***********,
While we were
indexing your webpages, we detected that some of your pages were using
techniques that are outside our quality guidelines, which can be found here:
https://www.google.com/webmasters/guidelines.html. This appears to be because
your site has been modified by a third party. Typically, the offending party
gains access to an insecure directory that has open permissions. Many times,
they will upload files or modify existing ones, which then show up as spam in
our index.
The following is some example hidden text we found at
****************
*
*
*
In order to preserve the quality of our search engine, we have
temporarily removed some of your webpages from our search results.
The mail from Google was actually longer which is cut short here. Matt cutts webspam head also posted an entry in his blog on how to help hacked sites https://www.mattcutts.com/blog/helping-hacked-sites/
You can see from matt's post that Google is not happy with hacked website with malicious and spam links. I warn everyone who use vulnerable content management systems like Drupal, Wordpress, Joomla etc to patch all possible vulnerabilities.
If you are using wordpress i recommend downloading the latest version https://wordpress.org/download/ and installing on your server
For Drupal too latest version works.
For joomla if you find installing the latest version all over a bit difficult i recommend just patching all the loopholes using their security extensions here http://extensions.joomla.org/index.php?option=com_mtree&task=listcats&cat_id=1802&Itemid=35
Have a safe site Google and every search engines love sites that are user friendly and safe for browsing.
1 Comments:
It would be nice if there was an automatic notification to our linked Gmail account whenever a message appears in the Google Webmaster Tools message center. Most webmasters would probably notice email more quickly, especially if they have a Gmail preview widget on an iGoogle personalized homepage.
Post a Comment
Links to this post:
Create a Link
<< SEO Blog Home