Page cracked


#1

Over one month ago I noticed that my index page in search engines cache has various spam text and links inserted which spammer probably uses in order to improve search engine rankings or similar. Not sure how they managed to do this, but moment I noticed it I changed my passwords and re-uploaded my complete site back. I waited for several days and to my surprise all search engines were still showing cracked version. I contacted support over month ago and got only useless suggestions like change your password and restore database. Later suggestion could make sense if content was from database, but that cracked text and links doesn’t appear to be in database.
Interesting thing is that cracked page appears to be at least two months old. Dreamhost support claims that DNS is resolving correctly, so there must be something else that redirects search engine bots to cracked page. This cracked page is not hosted on my server.

This is how page looks in various search engine caches:
http://216.239.59.104/search?sourceid=navclient-ff&ie=UTF-8&q=cache:http://www.avatarsdb.com/

http://74.6.239.67/search/cache?ei=UTF-8&p=avatarsdb&fr=sfp&u=www.avatarsdb.com/&w=avatarsdb&d=XCMvavReRY3x&icp=1&.intl=us

http://cc.msnscache.com/cache.aspx?q=avatarsdb&d=73921014670536&mkt=en-GB&setlang=en-GB&w=1a51184,4c4cabf4

I would really appreciate any advice or suggestions if anyone had similar experience.

Thanks in advance


#2

There could be something in your .htaccess file that shouldn’t be there, sending search engines in one direction, but letting humans see what they expect to see.

Or even PHP code within the page itself that checks for certain user agents or referrers and bases the page output on that.

Even once you narrow that down, you still need to figure out how it happened. The first step is usually making sure all scripts, plug-ins, etc… are up to date.


:stuck_out_tongue: Maximum savings promo code: MaxSavingsAtDH


#3

Hi Seiler and thanks for your response. Yes, those were my first suspects. I checked .htaccess and script, but I couldn’t find anything suspicious.


#4

So are you sure that the search engine updated its cache since the page was fixed? If the page is correct on the server and there is no robots.txt telling the search engine to not reindex the page, have you tried asking the search engine why they still have the old page?


#5

Don’t forget to check include files as well.

There’s probably a browser plug-in or something available that would make it easy to spoof your user agent and view your site as the search engines would. That might not work if they’re going by IP addresses, but I’d guess they’d be checking the user agent.


:stuck_out_tongue: Maximum savings promo code: MaxSavingsAtDH


#6

Yes, search engines updated their cache with cracked page and are doing it every time. I can’t use browser plugins since spammer probably uses IP address to detect bots. For example, this cache is not affected:
http://209.85.173.104/search?q=cache:0cslgsIFSuUJ:www.avatarsdb.com/+avatarsdb.com&hl=en&ct=clnk&cd=1&gl=us&client=safari


#7

have you tried grepping through every file in your account for a text string that is in the cracked page?


#8

I searched all files and database for strings appearing on page and everything appears to be clean.


#9

I’d also make sure you’re not missing any code that could be including the content from another site. Some might choose to do it that way so they can update or change the content they inject into your site, without having to access your site again.


:stuck_out_tongue: Maximum savings promo code: MaxSavingsAtDH


#10

what about one of the ips or ip ranges? If you can’t find any reference to anything suspect in any file or db entry then maybe the search engines are not really reindexing. how are you verifying that they are? are you adding new changes to the website and seeing them show up in the search engines cached pages?


#11

If you are using premade software is there a way to set up a new copy of code with the same db entries, or to upgrade the code to a new version?


#12

Yeah, adding a change to check for updates would be a good idea – even if it’s just a comment in the HTML. As long as the code’s not overwriting the whole page, that should work.

I’d probably also search files/DB for curl, since that would likely be used if it’s fetching anything from another site.


:stuck_out_tongue: Maximum savings promo code: MaxSavingsAtDH