Our webpage shows a bunch of links when viewed as Google Cache Pages.
When we see the view source of the webpage it does not do the same
thing. I am wondering if there is a virus or some sort of applicaiton
that is doing this.
We had this problem on another website and we overwrote the default
page on the web site and it Cache is fixed on one site.
We are really hurting on this problem as our site is pushed back to
bottom on search engines day by day.
dave_programmer wrote:
> Our webpage shows a bunch of links when viewed as Google Cache Pages.
> When we see the view source of the webpage it does not do the same
> thing. I am wondering if there is a virus or some sort of applicaiton
> that is doing this.
> We had this problem on another website and we overwrote the default
> page on the web site and it Cache is fixed on one site.
> We are really hurting on this problem as our site is pushed back to
> bottom on search engines day by day.
Probably a cloaking hack that only displays those links to Google when
they come by to view it. Try switching your useragent to Googlebot in
firefox and see what it looks like.
> Our webpage shows a bunch of links when viewed as Google Cache Pages.
> When we see the view source of the webpage it does not do the same
> thing. I am wondering if there is a virus or some sort of applicaiton
> that is doing this.
> We had this problem on another website and we overwrote the default
> page on the web site and it Cache is fixed on one site.
> We are really hurting on this problem as our site is pushed back to
> bottom on search engines day by day.
> Probably a cloaking hack that only displays those links to Google when
> they come by to view it. Try switching your useragent to Googlebot in
> firefox and see what it looks like.
> > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > When we see the view source of the webpage it does not do the same
> > thing. I am wondering if there is a virus or some sort of applicaiton
> > that is doing this.
> > We had this problem on another website and we overwrote the default
> > page on the web site and it Cache is fixed on one site.
> > We are really hurting on this problem as our site is pushed back to
> > bottom on search engines day by day.
First thing I'd do is get the host involved immediately as there is a
hole in your security somewhere, and if there are multiple sites on
the server they also may be in jeopardy. They may also be able to
pinpoint the incursion through their own experience.
On your end I'd look at the files and folders on the site through
FTP. Look for new folders or files that you didn't put there. Look
for change dates that don't jive with when you last accessed the
file(s). If it's an apache server look particularly at the .htacess
file and see if there is anything in there that you didn't put there.
After you've cleaned up the hack, and have it secured with the host,
I'd file a reconsideration request detailing the saga, as your
rankings may have been hurt due to the activity on the site.
> Whats the solution for the problem. Its showing up for useragents.
> Where is the code located.
> Thanks,
> Ephraim
> On Mar 12, 10:19 am, JLH wrote:
> > Probably a cloaking hack that only displays those links to Google when
> > they come by to view it. Try switching your useragent to Googlebot in
> > firefox and see what it looks like.
> > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > When we see the view source of the webpage it does not do the same
> > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > that is doing this.
> > > We had this problem on another website and we overwrote the default
> > > page on the web site and it Cache is fixed on one site.
> > > We are really hurting on this problem as our site is pushed back to
> > > bottom on search engines day by day.
> First thing I'd do is get the host involved immediately as there is a
> hole in your security somewhere, and if there are multiple sites on
> the server they also may be in jeopardy. They may also be able to
> pinpoint the incursion through their own experience.
> On your end I'd look at the files and folders on the site through
> FTP. Look for new folders or files that you didn't put there. Look
> for change dates that don't jive with when you last accessed the
> file(s). If it's an apache server look particularly at the .htacess
> file and see if there is anything in there that you didn't put there.
> After you've cleaned up the hack, and have it secured with the host,
> I'd file a reconsideration request detailing the saga, as your
> rankings may have been hurt due to the activity on the site.
> On Mar 12, 12:36 pm, dave_programmer wrote:
> > First of all, Thanks JLH. You are awesome.
> > I still have the problem.
> > Whats the solution for the problem. Its showing up for useragents.
> > Where is the code located.
> > Thanks,
> > Ephraim
> > On Mar 12, 10:19 am, JLH wrote:
> > > Probably a cloaking hack that only displays those links to Google when
> > > they come by to view it. Try switching your useragent to Googlebot in
> > > firefox and see what it looks like.
> > > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > > When we see the view source of the webpage it does not do the same
> > > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > > that is doing this.
> > > > We had this problem on another website and we overwrote the default
> > > > page on the web site and it Cache is fixed on one site.
> > > > We are really hurting on this problem as our site is pushed back to
> > > > bottom on search engines day by day.
JLH beat me to the punch. Thanks for the quick, thorough response,
John! I'm sorry to hear about your site--but I agree with his
diagnosis. I still wish we had a URL to look at to confirm our
suspicions, though.
To fix the problem, I'd look for any scripts (asp, aspx, etc.) that
you didn't write, delete them, and update any CMS you are running,
since CMS's are the most frequent targets of hacks. Usually security
holes are used to upload scripts that create and hide the text.
Keep us updated on your efforts to fix your site!
-MEB
> I should have mentioned this earlier. We are using the IIS .6.0 on
> Windows 2003 Std. Server.
> Is there anyway i can findout if the data is coming from a particular
> page on the server. That would make things easier.
> thanks,
> On Mar 12, 10:44 am, JLH wrote:
> > Tough to say, all hacks are different.
> > First thing I'd do is get the host involved immediately as there is a
> > hole in your security somewhere, and if there are multiple sites on
> > the server they also may be in jeopardy. They may also be able to
> > pinpoint the incursion through their own experience.
> > On your end I'd look at the files and folders on the site through
> > FTP. Look for new folders or files that you didn't put there. Look
> > for change dates that don't jive with when you last accessed the
> > file(s). If it's an apache server look particularly at the .htacess
> > file and see if there is anything in there that you didn't put there.
> > After you've cleaned up the hack, and have it secured with the host,
> > I'd file a reconsideration request detailing the saga, as your
> > rankings may have been hurt due to the activity on the site.
> > On Mar 12, 12:36 pm, dave_programmer wrote:
> > > First of all, Thanks JLH. You are awesome.
> > > I still have the problem.
> > > Whats the solution for the problem. Its showing up for useragents.
> > > Where is the code located.
> > > Thanks,
> > > Ephraim
> > > On Mar 12, 10:19 am, JLH wrote:
> > > > Probably a cloaking hack that only displays those links to Google when
> > > > they come by to view it. Try switching your useragent to Googlebot in
> > > > firefox and see what it looks like.
> > > > On Mar 12, 11:41 am, dave_programmer wrote:
> > > > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > > > When we see the view source of the webpage it does not do the same
> > > > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > > > that is doing this.
> > > > > We had this problem on another website and we overwrote the default
> > > > > page on the web site and it Cache is fixed on one site.
> > > > > We are really hurting on this problem as our site is pushed back to
> > > > > bottom on search engines day by day.
Ahh, IIS. Ick, I've got one of those too. Frontpage extensions is a
weakness, your default page, (possibly default.asp) may have an
include file added to it that does the cloaking. I've never really
thought about an IIS hack, but one way would be to include an include
statement in the default.asp file which calls another .asp file that
looks at the server variables and checks the HTTP_USER_AGENT variable,
including some links only for certain useragents.
If you can download the entire site to local machine and start doing
text searches for HTTP_USER_AGENT or even Googlebot that may locate
the cloaking script, maybe even search for the URLs that the spammy
links. They may have broken up the urls and HTTP_USER_AGENT up into
smaller variables that are later concatenate them to make the complete
string, so this method may not find the files, but it's worth a shot.
If you do find a file, go through it with a fine tooth comb and make
sure it's not calling any other files, then search the server contents
for any other files referencing that. Hackers can embed this stuff
pretty deep and missing one part can really mess up the site.
Even after you figure out where the hack is, the next most important
part is figuring out how it got there in the first place so it doesn't
happen again.
> I should have mentioned this earlier. We are using the IIS .6.0 on
> Windows 2003 Std. Server.
> Is there anyway i can findout if the data is coming from a particular
> page on the server. That would make things easier.
> thanks,
> On Mar 12, 10:44 am, JLH wrote:
> > Tough to say, all hacks are different.
> > First thing I'd do is get the host involved immediately as there is a
> > hole in your security somewhere, and if there are multiple sites on
> > the server they also may be in jeopardy. They may also be able to
> > pinpoint the incursion through their own experience.
> > On your end I'd look at the files and folders on the site through
> > FTP. Look for new folders or files that you didn't put there. Look
> > for change dates that don't jive with when you last accessed the
> > file(s). If it's an apache server look particularly at the .htacess
> > file and see if there is anything in there that you didn't put there.
> > After you've cleaned up the hack, and have it secured with the host,
> > I'd file a reconsideration request detailing the saga, as your
> > rankings may have been hurt due to the activity on the site.
> > On Mar 12, 12:36 pm, dave_programmer wrote:
> > > First of all, Thanks JLH. You are awesome.
> > > I still have the problem.
> > > Whats the solution for the problem. Its showing up for useragents.
> > > Where is the code located.
> > > Thanks,
> > > Ephraim
> > > On Mar 12, 10:19 am, JLH wrote:
> > > > Probably a cloaking hack that only displays those links to Google when
> > > > they come by to view it. Try switching your useragent to Googlebot in
> > > > firefox and see what it looks like.
> > > > On Mar 12, 11:41 am, dave_programmer wrote:
> > > > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > > > When we see the view source of the webpage it does not do the same
> > > > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > > > that is doing this.
> > > > > We had this problem on another website and we overwrote the default
> > > > > page on the web site and it Cache is fixed on one site.
> > > > > We are really hurting on this problem as our site is pushed back to
> > > > > bottom on search engines day by day.
You guys are awesome. Thanks for the prompt replies.
Our pages have the code in some user controls (.ascx) . One of the
files had this script in the page. I deleted/cleaned the page and
pasted in to the production environment. We have Front Page Server
Extensions and Web DAV.
I will need to watch these files till we get the new crawl happens to
confirm everything is kewl. We also had been dropped from 3rd rank to
probably 300 or something which is a major loss for our business. Can
u tell us if we can do reinclusion into google cache/search and get
back our customers whom we lost in the past month.
> JLH beat me to the punch. Thanks for the quick, thorough response,
> John! I'm sorry to hear about your site--but I agree with his
> diagnosis. I still wish we had a URL to look at to confirm our
> suspicions, though.
> To fix the problem, I'd look for any scripts (asp, aspx, etc.) that
> you didn't write, delete them, and update any CMS you are running,
> since CMS's are the most frequent targets of hacks. Usually security
> holes are used to upload scripts that create and hide the text.
> Keep us updated on your efforts to fix your site!
> -MEB
> On Mar 12, 10:50 am, dave_programmer wrote:
> > I should have mentioned this earlier. We are using the IIS .6.0 on
> > Windows 2003 Std. Server.
> > Is there anyway i can findout if the data is coming from a particular
> > page on the server. That would make things easier.
> > thanks,
> > On Mar 12, 10:44 am, JLH wrote:
> > > Tough to say, all hacks are different.
> > > First thing I'd do is get the host involved immediately as there is a
> > > hole in your security somewhere, and if there are multiple sites on
> > > the server they also may be in jeopardy. They may also be able to
> > > pinpoint the incursion through their own experience.
> > > On your end I'd look at the files and folders on the site through
> > > FTP. Look for new folders or files that you didn't put there. Look
> > > for change dates that don't jive with when you last accessed the
> > > file(s). If it's an apache server look particularly at the .htacess
> > > file and see if there is anything in there that you didn't put there.
> > > After you've cleaned up the hack, and have it secured with the host,
> > > I'd file a reconsideration request detailing the saga, as your
> > > rankings may have been hurt due to the activity on the site.
> > > On Mar 12, 12:36 pm, dave_programmer wrote:
> > > > First of all, Thanks JLH. You are awesome.
> > > > I still have the problem.
> > > > Whats the solution for the problem. Its showing up for useragents.
> > > > Where is the code located.
> > > > Thanks,
> > > > Ephraim
> > > > On Mar 12, 10:19 am, JLH wrote:
> > > > > Probably a cloaking hack that only displays those links to Google when
> > > > > they come by to view it. Try switching your useragent to Googlebot in
> > > > > firefox and see what it looks like.
> > > > > On Mar 12, 11:41 am, dave_programmer wrote:
> > > > > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > > > > When we see the view source of the webpage it does not do the same
> > > > > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > > > > that is doing this.
> > > > > > We had this problem on another website and we overwrote the default
> > > > > > page on the web site and it Cache is fixed on one site.
> > > > > > We are really hurting on this problem as our site is pushed back to
> > > > > > bottom on search engines day by day.
Thanks for the inputs, They were really helpful. In fact i was able to
figure out the file that had links and delete the unwanted links.
Going forward...
We are building a secure wall around our site. We are tightening up
security, firewalls, users, tracking user activity and we also are
hiring a company who is going to monitor our HTTP Activity. So we
should be good. It would had been nice if we figured out how these
people came in the first place.
> Ahh, IIS. Ick, I've got one of those too. Frontpage extensions is a
> weakness, your default page, (possibly default.asp) may have an
> include file added to it that does the cloaking. I've never really
> thought about an IIS hack, but one way would be to include an include
> statement in the default.asp file which calls another .asp file that
> looks at the server variables and checks the HTTP_USER_AGENT variable,
> including some links only for certain useragents.
> If you can download the entire site to local machine and start doing
> text searches for HTTP_USER_AGENT or even Googlebot that may locate
> the cloaking script, maybe even search for the URLs that the spammy
> links. They may have broken up the urls and HTTP_USER_AGENT up into
> smaller variables that are later concatenate them to make the complete
> string, so this method may not find the files, but it's worth a shot.
> If you do find a file, go through it with a fine tooth comb and make
> sure it's not calling any other files, then search the server contents
> for any other files referencing that. Hackers can embed this stuff
> pretty deep and missing one part can really mess up the site.
> Even after you figure out where the hack is, the next most important
> part is figuring out how it got there in the first place so it doesn't
> happen again.
> On Mar 12, 12:50 pm, dave_programmer wrote:
> > I should have mentioned this earlier. We are using the IIS .6.0 on
> > Windows 2003 Std. Server.
> > Is there anyway i can findout if the data is coming from a particular
> > page on the server. That would make things easier.
> > thanks,
> > On Mar 12, 10:44 am, JLH wrote:
> > > Tough to say, all hacks are different.
> > > First thing I'd do is get the host involved immediately as there is a
> > > hole in your security somewhere, and if there are multiple sites on
> > > the server they also may be in jeopardy. They may also be able to
> > > pinpoint the incursion through their own experience.
> > > On your end I'd look at the files and folders on the site through
> > > FTP. Look for new folders or files that you didn't put there. Look
> > > for change dates that don't jive with when you last accessed the
> > > file(s). If it's an apache server look particularly at the .htacess
> > > file and see if there is anything in there that you didn't put there.
> > > After you've cleaned up the hack, and have it secured with the host,
> > > I'd file a reconsideration request detailing the saga, as your
> > > rankings may have been hurt due to the activity on the site.
> > > On Mar 12, 12:36 pm, dave_programmer wrote:
> > > > First of all, Thanks JLH. You are awesome.
> > > > I still have the problem.
> > > > Whats the solution for the problem. Its showing up for useragents.
> > > > Where is the code located.
> > > > Thanks,
> > > > Ephraim
> > > > On Mar 12, 10:19 am, JLH wrote:
> > > > > Probably a cloaking hack that only displays those links to Google when
> > > > > they come by to view it. Try switching your useragent to Googlebot in
> > > > > firefox and see what it looks like.
> > > > > On Mar 12, 11:41 am, dave_programmer wrote:
> > > > > > Our webpage shows a bunch of links when viewed as Google Cache Pages.
> > > > > > When we see the view source of the webpage it does not do the same
> > > > > > thing. I am wondering if there is a virus or some sort of applicaiton
> > > > > > that is doing this.
> > > > > > We had this problem on another website and we overwrote the default
> > > > > > page on the web site and it Cache is fixed on one site.
> > > > > > We are really hurting on this problem as our site is pushed back to
> > > > > > bottom on search engines day by day.
