Strange results from Google search on my site


#1

My colleagues discovered that if you do a Google search on our website ykfp or ykfp.org with terms Klickitat or news, the Google search results are headlined with deals on Cialis and other no prescription deals although the links are valid to our site. Some colleagues are getting alarmed, telling me the site must be taken offline immediately. I think this is a little drastic. I can’t find anything hacked in our site files, and other search engines don’t pick up this problem. Seems like a Google problem, not my site. What do I do?


#2

If you have checked the other search engines then there must be something with Google’s algorithm. I would tell your colleagues that Google is by no means perfect and that you have tested other search engines without issue. Let them know that it is doubtful this blip on Google would detract from anyone’s experience searching for information actually pertaining to your website.


#3

Google displays different things for different people; for example, when I Google Klickitat from Bellingham, I don’t see ykfp anywhere within the first three pages. My guess would be that if you don’t have Cialis deals anywhere on your site, it may be taking your listing from the Open Directory Project or DMOZ and putting it there. To prevent that you’ll want to put a [URL=http://www.google.com/support/webmasters/bin/answer.py?hl=en&answer=35264#2]NOODP tag on your pages[/URL], which may help. Granted, that is just a guess. It is also possible that something was able to fool Google Bot; to fix that I might change the page titles, even if just a little, and see if that helps. Otherwise you might be able to try to get it fixed from within Google Webmaster Tools.
As for ignoring the fact that your page information is wrong on Google, I would say that is a bad idea, as Google has 80% of the search volume of the web. It’s not something that you want to ignore, as you want people to find your site.

Good Luck.


#4

Actually I found that one of your HTML documents has been altered as pharma spam:

http://www.ykfp.org/klickitat/Hatch_AP.htm

If you are using Firefox, hit Ctrl-U to view the source of the frameset document to see the TITLE and NOFRAMES elements.

I’m not sure if others have been altered. Using Google you can find this by searching for “link:http://www.ykfp.org/ Tramadol” and you get web pages that link to yours. You might need to see the “Cached” version; then search the page for your domain. It appears that pages are altered and then linked to in spam comments in unmonitored web applications on other sites.


#5

On the other hand, I’ve long been wondering “where can I find good deals on Cialis online?” There just isn’t enough information on this on the web. Now, finally, I’ve found it. Thank you Google and YKFP for your service to the internet community!
[hr]
Atropos7 - I don’t see the hacked lines in the example you found. In which frame did you find it?

I did see lots of damage in http://www.ykfp.org/ The title is changed and the NoFrames Body is filled up with crap.

I’m going to change my password, then ftp local copies of these pages back to the host.


#6

It seems there is a difference between www.ykfp.org pages and ykfp.org pages. For example, http://ykfp.org/par.html loads the correct page. http://www.ykfp.org/par.html loads http://search.my3gb.com/?q=tramadol&said=p_i_r_ykf instead. Starts to load my background, but goes to the other site.

Screen caps of this at http://ykfp.org/screencaps/ in a few more seconds.


#7

http://ykfp.org/par.html and http://www.ykfp.org/par.html both show the same thing to me, a page with the title yakima basin aquatic sciences etc


#8

Yes, it seems to be working now at both www.ykfp and ykfp. But in the video screen capture this morning that I made you can see the problem I was having. Maybe changing the password on my site’s ftp helped. Maybe Google has been working on it.
[hr]

I’ve been reading up on the NOODP tag. Do the bad bots also obey that tag?


#9

[quote=“MajorGeek, post:5, topic:54947”]
Atropos7 - I don’t see the hacked lines in the example you found. In which frame did you find it?

I did see lots of damage in http://www.ykfp.org/ The title is changed and the NoFrames Body is filled up with crap.[/quote]

Interestingly enough I noticed the page was restored shortly after I posted here. I would not be surprised if the spammers try to cover their tracks by restoring pages after Google indexes them.

Hope that works. I’m thinking of writing a script to run w/ cron that would hash files periodically and let me know if the hashes change. Have you checked your computer for malware? I’d hate to think a keylogger sniffed your credentials.
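The cron-driven hash check proposed in the post above, sketched as an added example (not code from any poster in this thread). It reports new and removed files as well as changed ones and includes dotfiles, since in this thread the .htm pages stayed intact while .htaccess changed and a new script appeared; the script name and the baseline location are assumptions, and the baseline belongs outside the web root.

```python
import hashlib
import json
import os
import sys


def build_manifest(root):
    """Map every file under root (dotfiles included) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # do not follow links out of the web root
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(path, root)] = digest.hexdigest()
    return manifest


def diff_manifests(old, new):
    """Return sorted (added, removed, changed) path lists."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, changed


def check(root, baseline_path):
    """Diff root against the stored baseline, creating it on the first run."""
    current = build_manifest(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as fh:
            json.dump(current, fh, indent=1)
        return [], [], []
    with open(baseline_path) as fh:
        return diff_manifests(json.load(fh), current)


if __name__ == "__main__":
    # Assumed usage: python3 hashwatch.py <web root> <baseline.json outside it>
    results = check(sys.argv[1], sys.argv[2])
    for label, paths in zip(("ADDED", "REMOVED", "CHANGED"), results):
        for p in paths:
            print(label, p)  # any output is what cron can mail to the owner
    sys.exit(1 if any(results) else 0)
```

After a deliberate site update, delete the baseline file so the next run records a fresh one.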


#10

When using Google webmaster tools to retrieve one of our urls, we still see hacked titles and links, although the htm file on the site remains undamaged.

[code]URL: http://www.ykfp.org/klickitat/news.htm

Date: Thursday, April 14, 2011 11:00:01 AM PDT

Googlebot Type: Web

HTTP/1.1 200 OK
Date: Thu, 14 Apr 2011 18:00:01 GMT
Server: Apache
X-Powered-By: PHP/5.2.15
ETag: "899c68-2b9-4a0e4af302bc0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Last-Modified: Thu, 14 Apr 2011 17:59:19 GMT
Content-Encoding: gzip
Content-Length: 2847
Keep-Alive: timeout=2, max=100
Connection: Keep-Alive
Content-Type: text/html

<title>Cialis Online Without Prescription</title>

Your Browser does not display Frames.

[/code]

#11

Taking ideas from http://faux.oit.gatech.edu/projects/backlinks/article/verifying_cloaks/ and http://redleg-redleg.blogspot.com/2011/02/pharmacy-hack.html, I did a find -mtime -20 -name .* to look for .htaccess files that had been changed in the last 20 days. Found that the root website directory .htaccess had been changed 4/10/2011. Looked suspicious.

[code]Options +ExecCGI
AddHandler php5-cgi .php
Action php-cgi /cgi-bin/php-wrapper.fcgi
Action php5-cgi /cgi-bin/php-wrapper.fcgi
RewriteEngine On
RewriteRule image.php - [L]
RewriteCond %{REQUEST_METHOD} (GET|POST)
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !(login|auth|register|secure|admin|config.|style.|mod_php.|image.) [NC]
RewriteCond %{HTTP:servers} !(true)
RewriteRule .*.(pl|php|html|phtml|htm) /images/image.php [L,NC]
[/code]

Backup .htaccess files from more than a year ago have only the first 4 lines in them. Maybe I should delete all the Rewrite statements. Would DH add them? What I did do is look at /images/image.php. It was dated 4/10/2011 and it was filled up with base64_decode crap. I renamed it, taking off the php extension. There are also a couple jpg files in this directory dated 4/10/2011 that can’t be viewed. I deleted umenu2.jpg and mailto1.jpg.

Renaming image.php downed the whole site, until I took out that last line in the .htaccess file that called it. Since I have a backup of the .htaccess file, and I don’t have any one touch installs now, I deleted all the rewrite lines. Haven’t found any problems yet.


#12

[quote=“MajorGeek, post:11, topic:54947”]
lines in them. Maybe I should delete all the Rewrite statements. Would DH add them?[/quote]

Yes, delete all the lines except for the first 4.

No, DreamHost would not add them. Your site was compromised. You are most likely running a web application that has a security vulnerability that has been exploited. The lines added to your .htaccess file hijack requests for your pages to software installed by the attacker.
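The comparison against a known-good backup that posts #11 and #12 carry out by hand, as an added example (not code from the thread or from DreamHost). The sample input is the .htaccess quoted in post #11; the function names and the two heuristics are assumptions made for this sketch.

```python
import re

# Sample input: the directives quoted in post #11 of this thread.
COMPROMISED = """\
Options +ExecCGI
AddHandler php5-cgi .php
Action php-cgi /cgi-bin/php-wrapper.fcgi
Action php5-cgi /cgi-bin/php-wrapper.fcgi
RewriteEngine On
RewriteRule image.php - [L]
RewriteCond %{REQUEST_METHOD} (GET|POST)
RewriteCond %{SERVER_PORT} 80
RewriteCond %{REQUEST_URI} !(login|auth|register|secure|admin|config.|style.|mod_php.|image.) [NC]
RewriteCond %{HTTP:servers} !(true)
RewriteRule .*.(pl|php|html|phtml|htm) /images/image.php [L,NC]
"""
# The year-old backup is described as holding only the first four lines.
KNOWN_GOOD = "\n".join(COMPROMISED.splitlines()[:4]) + "\n"

# Heuristic (assumption): a rewrite target ending in a script extension.
SCRIPT_TARGET = re.compile(r"\.(php\d?|phtml|pl|cgi)(\?|$)", re.I)


def directives(text):
    """Yield whitespace-normalized directives, skipping blanks and comments."""
    for raw in text.replace("\\\n", " ").splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            yield line


def audit(current_text, known_good_text):
    """Return (directive, reason) for each directive absent from the backup."""
    known = set(directives(known_good_text))
    findings = []
    for line in directives(current_text):
        if line in known:
            continue
        parts = line.split()
        name = parts[0].lower()
        reason = "not in known-good backup"
        if name == "rewriterule" and len(parts) > 2 and SCRIPT_TARGET.search(parts[2]):
            reason = "sends matching requests to script " + parts[2]
        elif name == "rewritecond" and len(parts) > 1 and parts[1].lower().startswith("%{http:"):
            reason = "rewrite depends on request header " + parts[1]
        findings.append((line, reason))
    return findings
```

Run over the sample, `audit(COMPROMISED, KNOWN_GOOD)` reports all seven added rewrite directives and singles out the final rule that hands page requests to /images/image.php.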


#13

I’m being told that I should also change the passwords on all my FTP only users. While password changing is always a good idea, I don’t see how these accounts would be involved in this current problem.


#14

Because it’s not impossible for an attacker to do the same thing if your own computer got infected, you logged into those accounts, and the malware sniffed the credentials. It’s likely they managed to upload PHP source code hidden in an image file, and then browsed to that file. But that doesn’t mean that is all they did.
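A check for files that carry an image extension but are not plain images, which fits both the unviewable .jpg files from post #11 and the hidden-PHP possibility raised above. This is an added example, not code from the thread; the marker list and function names are assumptions, and a hit means the file deserves a manual look rather than proving it was executed.

```python
import os

# Leading bytes expected for each image extension.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Byte strings that are out of place in an image on a PHP host (assumed list).
CODE_MARKERS = (b"<?php", b"base64_decode", b"eval(")


def inspect_image(path):
    """Return the reasons a file does not look like a plain image, if any."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("header does not match " + ext)
    for marker in CODE_MARKERS:
        if marker in data:
            reasons.append("contains " + marker.decode())
    return reasons


def scan(root):
    """Return {relative path: reasons} for every suspicious image under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in MAGIC:
                continue  # only files that claim to be images
            path = os.path.join(dirpath, name)
            reasons = inspect_image(path)
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings
```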


#15

MajorGeek,

I know your post is from a few months ago. But if you check your domain settings and turn on the extra security, this will stop or slow them down from seeing inside your directory on the server since I think you’re on the shared hosting also.