• Early this morning, an IP resolving to my own hosting service sent a series of POST requests to kses.php in a 2005-era theme directory. Though I have deleted the theme, I noticed that my site then immediately received a few GETs with odd search strings attached, and, shortly thereafter, Googlebot commenced an extensive scan of my site with the same type of randomized GET strings. They are all of the form “GET /?CJuh[about twenty-five random characters].”

    My site seems to have disappeared from Google. I’ve also just noticed that Yahoo’s search bot is doing the same thing. I’m using 2.8.4, and my searching hasn’t revealed this particular issue as a security problem, and perhaps it is a coincidence.

    Any advice you have would be appreciated.

Viewing 6 replies - 1 through 6 (of 6 total)
  • What’s the site?

    Have you got any plugins? Sitemaps/search related or similar that might’ve run via cron that subsequently triggered a GoogleBot visit?

    If your site has disappeared from Google, it might be worth signing up for a Google Webmaster Tools account to see if it sheds any light.

    I might be wrong on this one, but aren’t hacks normally from POSTs rather than GETs?

    Thread Starter user_f23

    (@user_f23)

    I mentioned that the unusual activity started after a series of POSTs to kses.php. I deleted the file, but I don’t understand the relationship between whatever happened there and what’s going on with the search engines, though I assume they are related.

    I don’t have any plugins, but I should try to investigate what Google can tell me. What’s odd is that the Yahoo bot has recently started making the same type of unusual GET requests.

    (so you did… sorry – it’s late here!)

    Perhaps you can post some full entries from the relevant parts of your log file?

    Thread Starter user_f23

    (@user_f23)

    I discovered that an ancillary blog of mine, hosted on the same site, had been hacked with some type of SQL-injection bug. This had poisoned my Google results, from what Google’s webmaster tools told me. The unusual search strings and “kses.php” attack, however, seem to have been unrelated.

    I don’t know if posting a portion of the log would give any more specific information than what I described. Googlebot, coming from a reverse-DNS certified Google IP address, has constantly hit my site with requests of the form GET /?CJuh[AZaz] for about two days now. The strings in brackets extend for about 16 to 32 characters. Yahoo has also started similar behavior. I assume that my site is linked in such a way somewhere, but I can’t discover where.

    Thread Starter user_f23

    (@user_f23)

    Furthermore, I discovered that my 2.8.4 blog was in fact hacked via the “kses.php” exploit I mentioned earlier. It inserted a wide variety of spam links into the footers and meta tags of pages. I believe I have gotten it cleared up, but I couldn’t find anything about this particular security issue when searching these forums.

    If it is linked to from elsewhere, Yahoo’s Site Explorer might give you a further clue as to the origin.

    Then once you’ve triple-double checked that you’ve cleaned up the poison links and fixed the flaw, file a reinclusion request with Google if you’ve not already done so.

    Best of luck.

  • The topic ‘Possible Hack/Strange Search Engine Behavior’ is closed to new replies.
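
The two log patterns described in this thread (POSTs to a kses.php and GETs of the form /?CJuh plus 16 to 32 letters) can be pulled out of an access log as follows. This is an added example, not code from any poster in the thread; it assumes Apache combined log format, and the sample lines, IP addresses and theme name are constructed.

```python
import re
from collections import Counter

# Combined Log Format: ip - - [time] "METHOD path PROTO" status size "referer" "agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)
# Pattern described in the thread: /?CJuh followed by 16-32 letters.
TOKEN_GET = re.compile(r'^/\?CJuh[A-Za-z]{16,32}$')
# A direct POST to any kses.php; the thread's was inside a theme directory.
KSES_POST = re.compile(r'/kses\.php(\?.*)?$')

def classify(line):
    """Return (kind, fields); kind is None when the line is benign or unparsable."""
    m = LINE.match(line)
    if not m:
        return None, {}
    f = m.groupdict()
    if f["method"] == "POST" and KSES_POST.search(f["path"]):
        return "kses_post", f
    if f["method"] == "GET" and TOKEN_GET.match(f["path"]):
        return "token_get", f
    return None, f

def summarize(lines):
    """Collect source IPs of kses.php POSTs and count token GETs per user agent."""
    post_ips, token_agents = [], Counter()
    for line in lines:
        kind, f = classify(line)
        if kind == "kses_post":
            post_ips.append(f["ip"])
        elif kind == "token_get":
            token_agents[f["agent"]] += 1
    return post_ips, token_agents

# Constructed sample lines (documentation IP ranges, made-up theme name).
SAMPLE = [
    '198.51.100.7 - - [10/Oct/2009:04:12:01 +0000] "POST /wp-content/themes/old-theme/kses.php HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.9 - - [10/Oct/2009:04:13:40 +0000] "GET /?CJuhQwErTyUiOpAsDfGhJkLzXc HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.20 - - [10/Oct/2009:05:02:11 +0000] "GET /?CJuhmNbVcXzLkJhGfDsApOiUy HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"',
    '203.0.113.9 - - [10/Oct/2009:05:03:00 +0000] "GET /?s=kses HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.9 - - [10/Oct/2009:05:04:00 +0000] "GET /?CJuhabc HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    ips, agents = summarize(SAMPLE)
    print("POSTs to kses.php from:", ips)
    print("token GETs per user agent:", dict(agents))
```

The user-agent string in a log line is supplied by the client, so a crawler name counted here still needs the reverse-DNS check the thread starter mentions before it is treated as the real search engine.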