Tag: hacked

Google Alerts Trick to Monitor Website Health [fr]

[en] Un petit truc pour être alertée immédiatement si mon site recommence à servir à Google des pages truffées de mots-clés pharmaceutiques: une Alerte Google qui cherche ces mots-clés uniquement sur mon site. Fûté, non?

As you can guess, I’m now a little paranoid about getting hacked and having my blog pages stuffed with pharma keywords for the benefit of search engines. I’m keeping a close eye on my site now, but logging into Google Webmaster Central each day to “Fetch as Googlebot” gets old quickly.

So I had a bright idea I’m pretty proud of and want to share with you.

I simply set up a Google Alert for spammy pharma keywords on my site, like this:

site:climbtothestars.org keyword1 OR keyword2 OR keyword3

Given I don’t blog about those meds (or any pharma-related stuff, actually), any alert that shows up will be a sign that Googlebot has been served spammy content from my site, which should not happen as it is now supposed to be clean. And if it does, I will know about it immediately (you can easily set alert frequency for your alert in Google Alerts).

On Being Hacked [en]

[fr] Hackée, et voilà, moi qui savais justement pas quoi faire de mon beau dimanche après-midi ensoleillé...

I’m currently battling with a hacked WordPress installation. You won’t see anything if you view source, but Google unfortunately sees a whole lot of spam right at the top of each of my pages.

Result of being hacked on CTTS

Here’s some information in the hope somebody may have a bright idea to help me root out the hack.

  • I’m running 3.0.3 and would like to find the source of the problem before upgrading to 3.04 (bad idea?)
  • I’ve tried disabling all plugins, and the problem is still there when I do that.
  • I’m using the vanilla default Twenty-Ten theme
  • I’ve looked in the theme header (header.php) for anything obvious, and also in wp-content, wp-plugins, etc. for anything that looked out of place to my eyes
  • I’ve run greps for base64 (anything here look suspicious?), spammy keywords, and other things I could think of
  • It does not seem to be this pharma hack (have failed at finding any signs of it following the instructions there — wp_option keys, backdoor files…)
  • I have searched my database for spammy keywords (also backwards) and haven’t found any aside in spam comments caught in Akismet

I will update this post as I find out more. Thanks for your suggestions.

Update: at least a partial solution… running find . -iname *.php -print0 |xargs -0 grep base64 allowed us to identify a problem in l10n.php, which was promptly replaced by a new version (evil version available on request). One of my pages as viewed by Googlebot now looks like this. So, the site is cleaner, but are there any backdoors left?

Google Webmaster Central is definitely a place to visit regularly — I would have spotted this way sooner if I had, rather than wondering what was wrong with my robots.txt file when I stopped being able to “direct Google” my posts. View more scary screenshots.