published: February 18th, 2009

Google hijackers from crackers; check your HTACCESS


When’s the last time you looked inside your website’s HTACCESS file? It really should become a part of your monthly (ack, weekly? daily?) audit routines. There could be gremlins at play you see…

Ok, here’s the gig: one day a mate comes along and asks me, “You mind Googling Twitter?” and I told him to mind his manners as I didn’t go for that kind of thing. Anyway, obliging him, the mighty Google was consulted and from what I could see, the oracle of the ‘Plex was behaving as normal.

Upon pressing for details as to what exactly he was seeing, he sends me this:

[Screenshot: Google gets hijacked]

As you can see the top results are for an Anti-virus website… NOT for Twitter

Being the curious type, I inquired with a few other folks to see what they were seeing. Sure enough, we were all seeing the proper set of results. Fair enough, it sounds like the hull has been compromised and he’s taking on water.

As we backtracked it seems there was a search result that had a peculiar behavior earlier that day. Upon clicking the top result in Google his AV software had done the jig, (although it may have been the Trojan mimicking to gain access).  I went over to the website in question – and nothing.

I then searched for the website in Google and clicked on the listing – voila! Sure enough, you were redirected and a pop-up prompted you to do a ‘security scan’ cough cough. This behavior ONLY happened when accessing the site via Google.

 

The HTACCESS Gremlins

What could this be, one wondered. Certainly the mighty Goog’ has not fallen prey to wrongdoers, have they? After all, they say they’ve done it before:

[Image: Google serves up malware????]

 

Naw, that couldn’t be it.

Initial suspicions leaned towards the site being hacked, but the site administrator was as confused as a link baiter on truth serum, no hacks could be found. To be on the safe side, a few of those in the know, information retrievers, were consulted and one specializing in rarefied AIR (adversarial information retrieval) had the answer. Check the HTACCESS file; which was an enlightening journey.

You see, kind reader, they had gone in and were redirecting ONLY the traffic from Google, which then triggered the prompt and caused the computer to be infected. Then, on subsequent searches, they were intercepting it and sending back their own (modified) Google results. The sneaky little buggers.

 

Make it a part of your site audits

You can just imagine the reputation problems that could come from this, not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty (outbound links) on competitor sites to redirecting incoming SERP requests, this is something SEOs need to be aware of.

In the modern world of SEO, close ties with the security and system administrators are key. Everyone needs to be aware of the potential for such attacks and be vigilant. A lot of time and money (into search campaigns) could easily be washed away and replaced with a reputation management problem.

What to watch for - This type of attack is often found when you are using a CMS or WordPress type installation that requires the htaccess to be writable (such as for SEF URL creation). To guard against it, be sure to chmod your htaccess so that it’s not writable until you need to publish something new – then make it writable, create pages and then set it back again.
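
An added example (not from the original post): a small Python check for the two things described above, a rewrite rule gated on a search-engine referer that sends visitors to an outside host, and an htaccess file that group or world can write to. The sample file, host names and function names are constructed for illustration.

```python
import os
import re
import stat

# Referer patterns worth flagging: rules that fire only for search-engine visitors.
SEARCH_REFERER = re.compile(r"google|bing|yahoo|msn|aol|ask\.", re.I)
COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"^https?://([^/:\s]+)", re.I)


def audit_htaccess(text, own_hosts=()):
    """Return (line_no, target) for each RewriteRule that sends search-engine
    referred visitors to a host not listed in own_hosts."""
    findings, armed = [], False
    for no, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            # A referer condition naming a search engine arms the next rule.
            armed = armed or bool(SEARCH_REFERER.search(cond.group(1)))
            continue
        rule = RULE.match(line)
        if rule:
            ext = EXTERNAL.match(rule.group(1))
            if armed and ext and ext.group(1).lower() not in own_hosts:
                findings.append((no, rule.group(1)))
            armed = False  # conditions apply only to the rule that follows them
    return findings


def is_loosely_writable(path):
    """True if group or others can write to the file (e.g. mode 666 or 664)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample: a normal CMS rewrite plus an injected referer-gated redirect.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://scanner.example.invalid/ [R=301,L]
"""

if __name__ == "__main__":
    for no, target in audit_htaccess(SAMPLE, own_hosts={"www.example.com"}):
        print(f"line {no}: search-referred visitors redirected to {target}")
```

Run it against the live file on a schedule and compare the result with a known-good copy; any finding, or a writable mode outside a publishing window, is worth a closer look.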

 

…. Something to consider…

 


published: November 5th, 2008

How to check if a website has been serving up malware

A new resource in the link builder’s toolbox

In SEO, links are the golden commodity that make or break a campaign. Not only are inbound links critical in ranking, but who you LINK TO can also be a serious consideration. Google has said many times that you really can’t be hurt by who links to you, but you can be damaged for linking to bad neighbourhoods.

One area that can certainly get a website flagged is by serving up malware or other nastiness. Most often this is done by hackers/crackers that have accessed the site and installed malicious scripting on the server. But how does one know if a potential link target has had issues in the past?

Enter the Google diagnostic tool

There is a handy little tool at Google for checking the recent history on domains which is well worth using when link building (link exchanges, link drops) as well as checking websites you may be linking out to within your content or blog posts. It is a simple query: http://google.com/safebrowsing/diagnostic?site=site-reference.com (replace the end part with the domain you’re investigating)

What does an infected website look like? Here’s one example; http://google.com/safebrowsing/diagnostic?site=news.com.au

 

It can happen to anyone

And yes, I mean anyone… look at a search for Google.com – or eBay - and Joomla (as recent as yesterday) – you get the idea. While these sites seem to be good at catching it, there have been attempts.

How reliable is the application? It’s hard to say at this point as it’s only reporting problems that Google has seen; they don’t seem to be testing entire websites. What is important is that you remember that malicious actions can have an effect on your site’s presence in search engines. Be vigilant.

This only takes a few moments and can be invaluable to the search optimizer. Add this little toy to your toolbox and take the time to check out those sites you’re considering linking to from now on… Better safe than sorry. I’d also suggest checking your own site every month as well to ensure you haven’t been compromised. All in all… a groovy new tool in the box.

L8TR

(thanks to Jim Stewart for the tip )
