[resolved] Google Search Quality Team say my site was compromised (24 posts)

  1. mandeville49
    Member
    Posted 6 years ago #

    Recently contacted by Google and told my site has been compromised and they posted a notice warning users not to enter. Checked the code and could find nothing wrong. No advertising on site, no re-directs. Decided to remove blog from our site to pacify Google in case they thought it reflected on our main website and blacklisted it.

    I do not want this slur attached to our bona fide business. How can I cancel my WordPress blog from the internet and remove all postings?

  2. DianeV
    Member
    Posted 6 years ago #

    Well, if your blog was at wordpress.com, then you can cancel your account there.

    If your blog was on your website, then you'll need to delete the WordPress files from your web hosting account.

    That said, we can't tell what compromising had been done to the blog. What files did you check?

  3. mandeville49
    Member
    Posted 6 years ago #

    We deleted the files from our hosting server after searching through every file we could open with notepad. We could not find any spurious code. It took hours! Bit annoying we cannot remove the search references on Google though - people finding our blog pages get this malware warning page from Google.

    Must admit, that not being used to this sort of thing we panicked a bit and only thought about contacting WordPress later after removing our WordPress blog. I realise you cannot help now, although we have a backup of the site I don't want to get on the wrong side of Google by putting it up on the server again. Fact remains, someone hacked into our WordPress site and compromised it.

  4. whooami
    Member
    Posted 6 years ago #

    Fact remains, someone hacked into our WordPress site and compromised it.

    Fact remains, you aren't the first, and won't be the last. You don't indicate what version you were running, etc.

    The blog is gone. Google webmaster tools allows you to submit urls for deletion from their index.

    Done deal.

    --

    I don't mean to sound hasty, but it sounds like water under a very big bridge.

  5. RosieMBanks
    Member
    Posted 6 years ago #

    I do not want this slur attached to our bona fide business. How can I cancel my WordPress blog from the internet and remove all postings?

    Why are you giving up so fast? Plenty of decent, good quality businesses get hacked and then delisted from Google. You aren't the first and you won't be the last, so don't feel like your reputation has been besmirched forever.

    Once you figure out the problem and notify Google, they're pretty good about putting you back into their listings.

    What version were you running? The 2.5.1 upgrade had some important fixes.

    You might find these links interesting, as they will give you some ideas of what to look for.

    Security Issue, Multiple Sites

    Has Your Blog Been Hacked Recently?

    We deleted the files from our hosting server after searching through every file we could open with notepad. We could not find any spurious code. It took hours!

    You need some kind of grep tool.

  6. mandeville49
    Member
    Posted 6 years ago #

    Hello Rosie,

    Appreciate the reply. Our problem is, we are a publishing company - not an IT company and it seems you need a high-level of technical expertise (and a lot of time) to sort out these security issues on WordPress sites. I'm sure sure we can handle it. We were running 2.5.1.

    Just out of interest, there is another element to this. We ran a blog criticising Google's latest gambit of linking with the UK and US libraries to scan all their books and make the contents freely available on-line. We think this compromises the copyright of authors so we used our blog to make this point. A few days after we ran it, Google effectively closed us down via their Quality Search Team advising us our site had been compromised. Could be a coincidence??

    Assuming the site was genuinely compromised and Google is not playing Big Brother - if we put the site back up again, we could not even log onto the admin area because Google has blocked the site. So, if we did put it back up, how could we log onto it and how is it possible for not-very-technical-people to find out if there is spurious or invisible code added to the programs?

  7. RosieMBanks
    Member
    Posted 6 years ago #

    So, if we did put it back up, how could we log onto it and how is it possible for not-very-technical-people to find out if there is spurious or invisible code added to the programs?

    You must be somewhat technical, because you had upgraded to 2.5.1, right?

    Actually, I'm kind of wondering if you really were running 2.5.1. Certainly many people were running 2.3 when hacked by the people who insert "running WordPress 2.5" into the source code, so you may have thought you were running 2.5.

    And how did you back up your site? Did you back up the wp-config file? The wp-content folder? Most importantly, did you make a database backup, too?

    You won't be able to put the site back up unless you did at least the last item; you can reconstruct it without the first two, but it will be much harder.

    These are the WordPress backup instructions: "Backing Up Your Database."

    Did you follow them to back up your database?

    If so, here are the WordPress instructions to restore your database: "Restoring Your Database."

    You should also read the two links I referenced in the above threads. If they are too technical for you, then I would just recreate the WordPress site from scratch, however you did it the first time.

    NOTE: If you use an automatic installer, make sure they are installing the latest version, found here. A lot of automatic installers are behind on versions, leaving you vulnerable.

    And frankly, if you can't (and you don't have anybody on your team who can) upgrade WordPress whenever a new version comes out, you probably shouldn't use WordPress. It's free, sure, but that zero price tag comes with the obligation to maintain your site properly. If you can't do it, you need to pay someone to do it for you.

  8. mandeville49
    Member
    Posted 6 years ago #

    And frankly, if you can't (and you don't have anybody on your team who can) upgrade WordPress whenever a new version comes out, you probably shouldn't use WordPress. It's free, sure, but that zero price tag comes with the obligation to maintain your site properly. If you can't do it, you need to pay someone to do it for you.

    Fair comment. Perhaps WordPress is not for us. Thanks for your input.

  9. adam-s
    Member
    Posted 6 years ago #

    I had similar happen on one of our newer blogs. Google actually flagged it right after we added it to webmasters tools.

    I checked the site and nothing was wrong so I requested that it be re-checked with an explanation. A couple hours later they said we were clean and within 24 hours the message filtered out of the index.

    The whole thing was some automated mistake of some sort. I would be careful about exposing EXEs for download or using forceful javascript for advertising/etc. Other than that it could just be a mistake.

    If you're a legit business it doesn't cost much to have someone that knows what they are doing tend to upgrades and bug fixes for you. Other than that you could try WordPress.com.

  10. mandeville49
    Member
    Posted 6 years ago #

    Thanks for your comment. Actually, we used the blog mainly for support articles/tips/advice for new writers with no advertising etc. Apparently, people are missing our blog so maybe we will try again and go the paid route. It could have been a mistake by Google – I guess we'll never know now :)

    Kind of you to reply, appreciate it.

  11. adam-s
    Member
    Posted 6 years ago #

    No problem. Glad to see you give it another shot.

  12. DianeV
    Member
    Posted 6 years ago #

    I was curious about this:

    if we put the site back up again, we could not even log onto the admin area because Google has blocked the site

    The admin area of your blog? You don't need Google to get to that, so I'm confused as to what you're referring to.

  13. mandeville49
    Member
    Posted 6 years ago #

    Hi Diane, thanks for your interest. OK, I uploaded WP (http://www.burn-a-book.com/wordpress2/) again.

    If you search for it on Google (Writers Cramp, burn-a-book) you see the Google warning.

    I upgraded to WP 2.5.1

    Before the upgrade the database was all there and all the postings were complete. After the upgrade all the postings are missing and I cannot log on to the admin area. My password is not recognised. When I use the "Lost password" email link and go to wp-login.php?action=rp&key=DJ*NaZPNzb9z I get the message: Sorry, that key is not valid.

    So, some advice would be appreciated. I can upload the original again (the one Google claimed was compromised) if you would like to see that. Or, perhaps you could help me get version 2.5.1 running properly with all the archives and posts showing?

    Really glad of your help,

    James

  14. mandeville49
    Member
    Posted 6 years ago #

    Diane - PLEASE NOTE:

    After entering my WP site, I got a warning from Trend Micro warning me it had stopped a network virus:

    MS02-039_SQL_SERVER_RESOLUTION_EXPLOIT

    Vulnerability Identifier: CAN-2002-0649,CAN-2002-0650
    Discovery Date: Jul 24, 2002
    Risk: Critical
    Related Malware: SQLSLAMMER.A
    Affected Software:
    Microsoft Desktop Engine 2000
    Microsoft SQL Server 2000

    Description:

    This exploit attacks the unchecked buffer vulnerability that exists in the SQL Server Resolution Service.

    SQL Server Resolution Service operates on UDP port 1434. It has been introduced in SQL Server 2000 to host multiple instances of SQL servers. When an SQL client attempts to connect to a certain server instance, it queries the resolution service, which in turn reports what port the requested instance is using.

    By sending a malformed request to the Resolution service, the SQL server may fail resulting to a denial of service (DoS) or run any codes that an attacker prefers. The malformed request consists of a very long Instance Name of the SQL server, which the SQLSERV.EXE file fails to validate.

    The Slammer worm, SQLSLAMMER.A, already exploited this vulnerability.

    So perhaps Google were right and my site was compromised. Just to warn you!

  15. mandeville49
    Member
    Posted 6 years ago #

    Using the automatic upgrade plugin I have repeated the upgrade to 2.5.1. successfully and can now sign in on the admin panel. http://www.burn-a-book.com/wordpress2/ is now back online. I still have serious concerns about the previous breach of the site and Google's blocking of the site as unsafe. Before attempting to have the site relisted by Google I would appreciate someone looking at it and telling me what more I can do to ensure the site is safe for people to view.

    (Maybe it would help if I removed the last post criticising Google???)

  16. geofftswin
    Member
    Posted 6 years ago #

    Looking at your last but one message, it looks more like a vulnerability in MS SQL Server 2000 - is your database fully patched?

  17. mandeville49
    Member
    Posted 6 years ago #

    Not quite sure what this means (sorry ;) but when I upgraded to 2.5.1. the database was cleaned and rebuilt. Will that do it?

  18. RosieMBanks
    Member
    Posted 6 years ago #

    Mandeville, Google can't possibly be picking on your post out of all the other anti-Googleness on the web. Relax on that score.

    You can read about the Slammer Worm here. Note this sentence:

    If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.

    I think you need to talk to your host about this problem, as it sounds like your host caused the problem.

    And any time your site is hacked or exploited, you should notify your host, because it needs to take steps to protect other sites on your shared server.

    And good for you for not giving up!

  19. mandeville49
    Member
    Posted 6 years ago #

    Rosie,
    Thanks for your interest. Following your advice, I have notified my host and provided them with a copy of the Trend Micro report. Interesting to hear what they say.

    OK, ok - I looked up your link to "anti-Googleness" :) quite amusing, we didn't go that far - easy to get paranoid when this sort of thing happens to you for the first time.

    As far as not giving up - well, that is largely due to the kind help and support of people like you and the others who have given up valuable time to read my posts and offer help.

    Have a great day,
    James

  20. mandeville49
    Member
    Posted 6 years ago #

    Update:

    My hosting co. say this is nothing to do with my MYSQL database which runs on a Linux Server - the warnings received from Trend referred to Microsoft Desk Engine.

    I have applied to Google to have the site unblocked :) We will just have to see what happens!!

  21. DianeV
    Member
    Posted 6 years ago #

    So? What happened?

    I see that Google is listing your pages.

    Also, I get no warnings in visiting your site from Kaspersky Anti-Virus, which is a pretty strong antivirus program (see May 2007 tests).

  22. mandeville49
    Member
    Posted 6 years ago #

    Hello DianeV,

    Thanks for the interest.

    Well from my side a lot is happening, from Google's side zero.

    For a start, I decided to learn something about WordPress and read ALL the documentation this time before I started again with WordPress. I read up a bit on coding and managed to install a menu bar with help from Thomas Natter (Drikatruu Jelly template designer).

    I deleted my old installation and installed 2.5.1 with the automatic upgrade plugin this time! I deleted MYSQL and started with a new database because I found the old one had been hacked into as well as the wp-admin folder. My web hosting company deny this is possible, but none-the-less it happened.

    I decided to republish my previous posts, so I'm pleased with that because I use the BLOG as an info page for new writers. They can access these new pages now from my website fine.

    So, some progress, except Google are still blocking specific old posts - although on WebMaster tools it does say that they can take several weeks to process a review request. This is annoying, but only affects people who find these pages through Google search. On other portals you get the missing 404 error (because I deleted most of them). I have just requested that Google remove all the old BLOG pages that now return error 404. This may help to clean things up.

    Technorati and Pingoat are now accepting my pings, they didn't when Google first blacked the site.

    That's where I'm at with all this.

  23. mandeville49
    Member
    Posted 6 years ago #

    Update
    Google removed the site warning today!

    Now I just have to wait for the search engines to find my BLOG again :)

    So, this is over - finally. Thanks to everyone for your good help.

    Really has been appreciated.

    James

  24. DianeV
    Member
    Posted 6 years ago #

    Glad everything's been resolved!
