Competitor spamming me?

W

Weeds

SEO Faggot
Dec 31, 2012
83
1
0
198.143.157.115
I usually don't pay attention to webmasters for this site, but I just took a glance at the indexation since I updated the design and navigation. Hoping to see some positive indexing results, I was met with some unexpected keyword occurrences.

Check me out:

Louboutin - 1132 occurrences
Shoes - 933 occurrences
Christian - 931 occurrences
PID - 475 occurrences

The terms are coming from a pid extension placed behind pages, for example:
Homepage.com/?PID=Christian-louboutin-replica-sale-965.html

What the fuck.

How do I find out who did this?
Should I simply due index all of these urls extensions?
 


This is just one domain, a money site of mine.
To clarify, there are ~1000 urls that are indexed on my site that have a pid extension.
It is my homepage that they have been targeting, instead of my site showing a 404, it shows my homepage with a different spammy extension each time.

I checked ahrefs to find backlinks pointing to these urls, but none have shown up yet.

How would they get these nonexistent urls indexed on my site?
I have Wordpress installed, and there is no evidence of hacking in this way, at least I can't find any changes.

I'm running it on a digital ocean server, using nginx instead of apache.
 
Weeds said:
I usually don't pay attention to webmasters for this site, but I just took a glance at the indexation since I updated the design and navigation. Hoping to see some positive indexing results, I was met with some unexpected keyword occurrences.

Check me out:

Louboutin - 1132 occurrences
Shoes - 933 occurrences
Christian - 931 occurrences
PID - 475 occurrences

The terms are coming from a pid extension placed behind pages, for example:
Homepage.com/?PID=Christian-louboutin-replica-sale-965.html

What the fuck.

How do I find out who did this?
Should I simply due index all of these urls extensions?
Click to expand...


So, this is in your logs, right?


I checked ahrefs to find backlinks pointing to these urls, but none have shown up yet.
Click to expand...


They're not really urls, are they? Just variables?

What happens if you type that string into your browser?
 
404 any request with a PID query string param, unless you use them?
 
So, this is in your logs, right?
Click to expand...
Nope, these are the amount of times that keywords are occurring on my site, as noticed through google's webmaster tools.

They're not really urls, are they? Just variables?

What happens if you type that string into your browser?
Click to expand...
These are urls, indexed by google.
If these are typed in a browser, it will return my homepage!
What's worse, I just found out they have a rel=canonical, so G is seriously confused.

404 any request with a PID query string param, unless you use them?
Click to expand...
I don't use them, no, but I just learned that my pages aren't 404'ing
HACKED! dammit man.
 
they wont 404 because typically a webserver will treat anything before a ? as the resource and anything after as a query string, so in this case the resource is the same, and it's passing the query string as normal (correct behaviour).

404 it via htaccess, or if you'd prefer wordpress to handle it, do it via php.
 
I'm not exactly sure how it was hacked, but I am assuming that it was at the server.

I'm using an unmanaged server at digital ocean, so no help there.
Also, I'm running nginx, so I can't exactly modify an .htaccess.

No pages are 404'ing at all, so I assume I need to look into my server block...
 
running current WP version?
 
Yep, I just updated.

Checking the server, it seems to be okay.
But then again I have no idea what to put in to disregard these files.

Currently, this is in my server
location / {
try_files $uri $uri/ /index.php?$args;
}

location ~ .php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php;

Really, I don't want ANY of these redirected to home or anything other than 'not found'
I have a feeling I can expect a wave of xrumer indexing soon...
 
have your checked your wordpress tables to make sure those page id's dont exist?
 
Weeds said:
Got into PMA, no evidence of those pages in the tables.

Any idea of how to redirect those specific pages?
Click to expand...


htaccess rewrite rules... (sry, not my thing, or I'd give you specifics.)

I'm still not convinced this is as bad as you think it is. I understand the concern. Sounds like you're getting mind-fucked more than anything else.
 
Weeds said:
Yep, I just updated.

Checking the server, it seems to be okay.
But then again I have no idea what to put in to disregard these files.

Currently, this is in my server
location / {
try_files $uri $uri/ /index.php?$args;
}

location ~ .php$ {
try_files $uri =404;
include fastcgi_params;
fastcgi_pass php;

Really, I don't want ANY of these redirected to home or anything other than 'not found'
I have a feeling I can expect a wave of xrumer indexing soon...
Click to expand...


Wordpress install, and running your own server?

Edit: nm. If you're really hacked, best to install a backup and update everything. Forensics after the fact are a fucking nightmare.
 
I suspect that someone had uploaded a malicious image or some shit (I know fuck about hacking), that was allowing them to create pages and redirect based of referrer or user agents. This is a nginx exploit, so anyone running it, check yo servers yo.

I found a great resource on the subject here:Redirects to malicious sites -- Aw Snap

Also, if you want to see what your site looks like through a particular referrer or user agent, Redleg's File Viewer aka Website Malware Scanner

The hacker had it setup so that when a googlebot would come through, they could read the page they injected, otherwise to everyone else it was just the homepage.

I had a backup server that was for testing this site. I just swapped everything over and let it run as the main site. Kind of lucky on that.

No evidence of a hack now, so I guess next step is disallowing a robots.txt full of all of those pages they created. I suppose this may actually be a worthy time of the link disavow tool as well.
 
You must log in or register to reply here.
Top Bottom
Back