Weird Text showing on Google search

Also it seems to be something on the site that is detecting whether the visitor is human or a search engine bot. If you masquerade as GoogleBot (I use User Agent Switcher) the spammy links are present. Without it they disappear.

And it only seems to show when they have links to some sub-pages under the main page. I checked google.com.br and got the same results as .uk and .fr. But for some reason the US google does not display that way.
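The check described above (same URL, once as Googlebot and once as a normal browser) can be scripted so the difference is an explicit list of links rather than something spotted by eye. This is an added example, not code from the thread; the sample HTML, host names and function names are constructed for illustration.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"

class LinkCollector(HTMLParser):
    """Collects every <a href> value, including links hidden with CSS."""
    def __init__(self):
        super().__init__()
        self.links = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.add(href)

def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links

def cloaked_links(bot_html, human_html, own_host):
    """Return (links only the crawler saw, the subset pointing off-site)."""
    only_bot = extract_links(bot_html) - extract_links(human_html)
    off_site = {u for u in only_bot if urlparse(u).hostname not in (None, own_host)}
    return sorted(only_bot), sorted(off_site)

def fetch(url, user_agent, timeout=10):
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def check_site(url):
    """Live check against a site you administer: same URL, two User-Agents."""
    host = urlparse(url).hostname
    return cloaked_links(fetch(url, GOOGLEBOT_UA), fetch(url, BROWSER_UA), host)

# Constructed sample responses (not taken from the affected site).
SAMPLE_HUMAN = '<a href="/about/">About</a> <a href="https://example.org/contact/">Contact</a>'
SAMPLE_BOT = SAMPLE_HUMAN + (
    '<div style="display:none"><a href="http://spam.example.net/forex">forex</a>'
    '<a href="/cheap-loans/">loans</a></div>')

if __name__ == "__main__":
    only_bot, off_site = cloaked_links(SAMPLE_BOT, SAMPLE_HUMAN, "example.org")
    print("crawler-only links:", only_bot)
    print("off-site:", off_site)
```

Running `check_site()` after each clean-up step (renaming `.htaccess`, swapping table prefixes, reinstalling core files) shows immediately whether that step removed the injected links, without waiting for the search index to refresh.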
 
Folks - thanks for your continued interest in this. To update: I have now installed a fresh, clean copy of WordPress in a new folder and pointed it to the same DB and tables. This instance, of course, was completely free from plug-ins. I am getting the same results, leading me to think that a restore of the DB might be a route worth trying. Luckily, we take daily back-ups, so this isn't a big deal - except, of course, that I have no idea when this started!
 

Did anyone take a look at htaccess? I mean, if the site is loading differently for Googlebot, isn't that most likely something in htaccess?

Edit: Also, when you say same results, you mean when you set your browser agent as Google to check it, right? Because Google is going to take days to update the info in the search results.
 
As far as htaccess goes, it is true that the file on the original site has been modified - the WP plug-in Bullet Proof Security does this when it's installed. But the new version is the 'straight-out-of-the-box' version that comes with a clean install of WP. *

To view: Yes - I'm using the same technique that @Moltuae refers to - just going straight to the new URL. I also changed the settings within WP to tell it the new location (Settings > General > WordPress Address), so I'm fairly happy that I'm seeing the new install rather than the old one.

* Edit: That is - the one it generates on installation.
 

Well, I mean it's either in something like htaccess, in the PHP file itself, or I guess it's possible an entire segment of code could be hidden in the WordPress SQL database. Did you try searching the database for that text?

Edit: I don't know, I suppose I could find it for you if you send me a backup of the site or give me access to the control panel. I'm kind of surprised the webhost can't track it down.

Edit2: might be encoded so perhaps searching for the text won't work.
 
Thanks both. Yes - I've tried scanning the DB for the offending text without luck, so either it isn't there, or it is encoded. I'm leaning towards the latter idea, just on the basis of what I've tried so far. I have actually also tried clicking on all the fake links in a sand-boxed browser and they all take me to FOREX sites, mostly in Arabic.
 

I posted a question in Viruses about how a scam email was getting code and @phaZed pointed me in the direction of FOPO. So obfuscated code goes beyond Java. You'd have to diff the entire website against backups to find the hacks to plug the holes.
 
Oh, joy! Well - I do at least have back-ups, so it's not out of the question. Do you happen to know any good tools for this? I guess I could write my own DIFF statement at a push, but I have to admit, MySQL tinkering isn't my favourite hobby.
 

Sorry, can't help you there. All I've ever done is simple web pages, files, etc. Maybe stop by the WP forums?
 
This happened several months ago to a website that we were called on to repair.

Your referenced site has been hacked and compromised and there are most likely rogue .php and .js files with injected code. The attacker most likely dropped all kinds of back doors on the server as well, so even if you find and fix most of the hacked code, there will most likely be some rogue .php file there that will allow them to hack the site again right after it's fixed.

An even bigger problem is you don't know how they got to the site. Could it have been a previous contractor? If you want to be sure that it's fixed and secure, your best bet is to change the hosting password, all FTP passwords, then wipe out the DB and all files from the host. Rebuild with a new WP install, new Keys and Salts, and a new DB name with DB administrator password. Then with a fresh site you can restore design and page content. I would also make sure that all of the core WP files are up to date, as well as all themes and plugins, and disable all plugins that aren't absolutely necessary.
 
Thanks. I think the problem with that is this bit: "with a fresh site you can restore design and page content." That is, effectively, restoring the existing DB tables which (I think) contain malicious code. Unless you meant re-do them from scratch?

This seems quite a clever hack. For example, I got rid of all htaccess files (temporarily) by simply renaming them so that they weren't called, but it had no effect on what I saw when viewing as a googlebot, nor as a 'human'- and these were not cached pages. Not what I'd hoped for!
 

Yes, restore the content but you definitely can't do a bulk import of the entire previous table and you don't have to go from scratch, either.

What I would do is go through the posts table and, once I am sure there's no malicious coding in the post content, import it. For the design you can restore the template from default files, and then piece in the design elements from the hacked version, again - sanitizing each file to make sure there are no base64_decode calls or other fishy garbage in the PHP files as you bring them in. For any database table you import you'll need to do a manual review. I would not import anything in the users table, plugins table, etc. You should be fine with just reviewing the posts/design related tables.

In essence, start with the default files and DB then manually review everything you import that isn't part of the defaults.

If you don't know what to look for, start by looking for anything that looks like an encoded blob, or a .js file being called, especially one referenced from a domain outside of the main website.
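A first-pass triage for the manual review described above, covering the indicators named in this thread: `base64_decode`-style calls, scripts loaded from another domain, and encoded blobs that a plain-text search of the DB would miss. This is an added example, not code from the thread; the rows, file name and host names are constructed, and the list of PHP functions is an assumption about what is worth flagging, not a complete signature set.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

PHP_CALLS = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]+src=[\"']([^\"']+)[\"']", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")          # long base64-looking run
HIDDEN_MARKUP = re.compile(r"https?://|<a\s|<script|<iframe", re.I)

def decode_blob(blob):
    """Return the decoded text of a base64 run, or None if it is not valid base64."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")

def scan(name, text, own_host):
    """Return (source, kind, detail) tuples for one post body or template file."""
    findings = []
    for m in PHP_CALLS.finditer(text):
        findings.append((name, "php-call", m.group(1).lower()))
    for m in SCRIPT_SRC.finditer(text):
        host = urlparse(m.group(1)).hostname
        if host and host != own_host:
            findings.append((name, "external-script", host))
    for m in B64_RUN.finditer(text):
        decoded = decode_blob(m.group(0))
        # Only report blobs whose decoded form contains links or markup.
        if decoded and HIDDEN_MARKUP.search(decoded):
            findings.append((name, "encoded-blob", decoded[:60]))
    return findings

def scan_all(items, own_host):
    return [f for name, text in items.items() for f in scan(name, text, own_host)]

# Constructed samples standing in for exported post rows and a theme file.
BLOB = base64.b64encode(b'<a href="http://spam.example.net/forex">forex</a>').decode()
ROWS = {
    "post 12": "<p>Opening hours are unchanged.</p>",
    "post 40": '<p>News</p><script src="https://cdn.example.net/w.js"></script>',
    "footer.php": "<?php eval(base64_decode('" + BLOB + "')); ?>",
}

if __name__ == "__main__":
    for finding in scan_all(ROWS, "example.org"):
        print(finding)
```

A clean result here only narrows the manual review; payloads split across several rows or encoded some other way will not match these patterns.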
 
One thought I had was to take some php and js code from the site and run it through obfuscators. Then snag parts of the results and search the site to try to identify subject files. I do know that, in the case of js, the obfuscated code has certain common properties.
 
Thanks again, both. I am now pretty sure that the problem lies within the DB. If I install a bunch of clean default WP tables with a different prefix, and then point my old WP install to them, the problem goes away. So, I'm going to proceed pretty much along the lines suggested by @myPCTechs and see how we get on from there.
 
What a mess! At least we've all learned a thing or two from it.
 