Getting hacked is something that is happening more and more. No one is immune. I’ve been hacked. But knowing what to do after the hack is critical. Make sure you go through our Security information which will really open your eyes to what is going on online.
First, an update on who is getting hacked: eCommerce sites are getting hit in record numbers. Why? You thought it was just blogs. That’s true, it used to be mainly blogs. I guess hackers figured out that hacking into blogs wasn’t very profitable. However, hacking into eCommerce sites and hijacking the sales, now, that’s real money.
I would recommend reading this article on filing a Reinclusion Request with Google as it will give you some techniques to employ, including setting up a Google Alerts account to be notified if a hack attempt is successful.
The late Tedster, a moderator at Webmaster World, had a great summary. Let me share it with you and inject additional information which will help you better understand the process and what EXACTLY to do in order to fix it and prevent it.
There are, unfortunately, all kinds of devious server hacks making the rounds these days. They usually depend on two factors: sites that use a common CMS (such as WordPress) and site owners who do not update their software to keep security solid (this is where having a server admin is highly recommended).
But the average site owner may not have the resources or understanding to investigate thoroughly. All they know is that their Google traffic went away, or their sales have greatly slowed down or stopped completely.
But if you can discover that you’ve been hacked, the fix is straightforward:
- Change the password
- Identify the problem
- Fix the security problem on the server
- Restore a clean version of the site (you should always have “offline” backups)
- Request reconsideration through Google
- Install RK Hunter on your server and set it as a cron job so it runs and scans your server every morning for problems
Malware
One thing that hackers do is find sites to help distribute malware. This one should be easy to detect, because Google will post a warning notice in the SERPs “This site may harm your computer.”
So, what should you look for? iFrames. One common footprint for a malware hack is an iframe that doesn’t belong in your code – especially one with a lot of hex coding. Iframes are the code of choice for hackers because they let them do all sorts of nasty things. This is commonly referred to as an “iFrame injection”. You need to remove this code – all of it. If you aren’t good with code, it is time you learned or hired someone good. Once the code is removed, you need to do a reinclusion request with Google and also with StopBadWare.
Defacement Hacks
These are really “old school” – they’re more like online graffiti than anything else. The hacker usually just wants to brag that they got you, and they put up a message on your pages for all to see. Well, that’s easily detected because you just go to your pages and there it is!
But as I said, this is old school and many hackers are looking for something with some financial value these days, which is why they are going after eCommerce sites more aggressively instead of the easier targets of Blogs.
Robots.txt Hacks
This one is either done for sheer malicious delight, or perhaps for competitive disruption. How often do you check your robots.txt file? If someone replaced the first line and disallowed all indexing, how fast could you catch that?
In addition to visually inspecting your robots.txt file on a regular basis (and especially if your urls start disappearing from the Google index) you can also set up a Webmaster Tools account and check it regularly. Google will report to you when urls get blocked by robots.txt.
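To catch a swapped robots.txt without relying on a visual check, the following added example (not part of the original article) compares the live file against a known-good copy and lists the paths Googlebot has newly lost access to. The file contents and paths are constructed samples; Python's standard `urllib.robotparser` evaluates the rules.

```python
import hashlib
from urllib.robotparser import RobotFileParser

def load_rules(robots_txt):
    """Parse robots.txt text into a rule set that can be queried offline."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp

def file_changed(baseline_txt, current_txt):
    """True when the live file differs in any byte from the known-good copy."""
    digest = lambda text: hashlib.sha256(text.encode("utf-8")).hexdigest()
    return digest(baseline_txt) != digest(current_txt)

def newly_blocked(baseline_txt, current_txt, paths, agent="Googlebot"):
    """Paths the agent could crawl under the baseline but not under the live file."""
    old, new = load_rules(baseline_txt), load_rules(current_txt)
    return [p for p in paths
            if old.can_fetch(agent, p) and not new.can_fetch(agent, p)]

# Constructed samples: the known-good file and a tampered copy.
BASELINE = "User-agent: *\nDisallow: /admin/\n"
TAMPERED = "User-agent: *\nDisallow: /\n"
IMPORTANT_PATHS = ["/", "/products/widget.html", "/admin/login"]

if __name__ == "__main__":
    if file_changed(BASELINE, TAMPERED):
        for path in newly_blocked(BASELINE, TAMPERED, IMPORTANT_PATHS):
            print("Googlebot is now blocked from", path)
```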
Parasite Hosting
This one is sneakier and depends on the value of backlinks, either for PageRank or for the traffic itself. The hacker places links on your pages (they may be hidden through various means) and you may not be inspecting your content close enough to see those links.
The tool you need is a link checker, such as Xenu LinkSleuth, that can give you a report on all your external links. Anything really bogus is going to jump out at you from that list. Running a link checker on a regular basis has many other benefits as well, such as keeping those accidental 404s out of your site.
Cloaked Hacks
Now we’re really getting devious. Over the past few years, hacks have been showing up that cloak their parasite content so that only googlebot sees it. If you visit with a regular browser (user agent) you only see what you expected to see.
Your main tool here is a user-agent spoofer of your own, such as the User Agent Switcher extension for Firefox. Just fire it up with a googlebot user agent string and see if your page content changes.
Complex Cloaking – Using IP and Cookies
This is getting deep – and it’s also not so common, but it is out there “in the wild.” The hacker places complex scripting on your site so that not only do they cloak for googlebot by user agent, they also cloak by IP address. In some cases the script also places a cookie so you get only one chance to see what they’re doing.
And your tools here are 1) learning how to browse your site with cookies turned off and 2) studying your server logs for what your server replies to googlebot with.
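For the log study, the following added example (not from the original article) reads access-log lines in the common "combined" format and flags URLs where the response size served to Googlebot differs markedly from what other visitors received. The log lines are constructed, and the 20% tolerance is an assumption you should tune for pages whose size varies naturally.

```python
import re
from collections import defaultdict
from statistics import median

# Combined log format: ip - - [time] "METHOD path proto" status size "referer" "ua"
LINE = re.compile(
    r'\S+ \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

def googlebot_discrepancies(log_lines, tolerance=0.20):
    """Map path -> (median size to Googlebot, median size to everyone else)
    for 200 responses whose sizes differ by more than the tolerance."""
    sizes = defaultdict(lambda: {"bot": [], "other": []})
    for line in log_lines:
        m = LINE.match(line)
        if not m or m["status"] != "200" or m["size"] == "-":
            continue
        who = "bot" if "googlebot" in m["ua"].lower() else "other"
        sizes[m["path"]][who].append(int(m["size"]))
    flagged = {}
    for path, seen in sizes.items():
        if seen["bot"] and seen["other"]:
            bot, other = median(seen["bot"]), median(seen["other"])
            if abs(bot - other) > tolerance * other:
                flagged[path] = (bot, other)
    return flagged

BOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
# Constructed sample log lines (documentation IP ranges, invented sizes).
LOG = [
    '203.0.113.7 - - [12/Mar/2024:06:01:10 +0000] "GET /products.html HTTP/1.1" '
    '200 18230 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
    '198.51.100.9 - - [12/Mar/2024:06:02:44 +0000] "GET /products.html HTTP/1.1" '
    '200 18230 "https://www.google.com/" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '192.0.2.66 - - [12/Mar/2024:06:03:02 +0000] "GET /products.html HTTP/1.1" '
    '200 41877 "-" "%s"' % BOT_UA,
    '192.0.2.66 - - [12/Mar/2024:06:03:09 +0000] "GET /about.html HTTP/1.1" '
    '200 5120 "-" "%s"' % BOT_UA,
    '203.0.113.7 - - [12/Mar/2024:06:04:31 +0000] "GET /about.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"',
]

if __name__ == "__main__":
    for path, (bot, other) in googlebot_discrepancies(LOG).items():
        print(f"{path}: {bot} bytes to Googlebot vs {other} bytes to others")
```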
Cloaked Redirects – .htaccess hacks
Google’s John Mueller (JohnMu) made an excellent blog post about this:
I urge you to read JohnMu’s entire article. He’s offering a lot of help here.
DNS Troubles
Some of the sneakiest hackers have used various kinds of DNS tricks. While rare, this is still possible.
If your traffic totally dries up, you would hit the panic button pretty quickly – so these hackers have been more clever than that. With DNS tricks they might siphon off only 20% of your traffic. One thing you would see was a traffic drop with no corresponding drop in rankings.
There’s been some good effort here on the part of the DNS servers to get more secure from this type of thing, but it’s still worth mentioning as a potential. The moral is to check your DNS settings and fix any warnings you get. It might seem like a foreign language to you if you never waded into these waters before, but it’s worth figuring it out – especially if your traffic is evaporating. However, it’s something that I wouldn’t suspect until I ruled out all the rest of the hacks I listed above.
It might be an employee, too
Sorry to say, it’s not always an external hacker. Sometimes a person you trusted with server access gets greedy and places parasite links to earn some cash on the side. We’ve had such reports here, and it even happened at Google a few years back.
Don’t get crazy about this possibility, but if you do find junk on your server and there’s no real sign of an external hack – then consider who you might have given server access to. This is one solid reason always to change passwords (strong ones) when anyone leaves the company, or when your contract is over with anyone who had access. Even great companies sometimes hire a bad apple.