Fake Links indexing in Google
-
Hello everyone,
I have an interesting situation occurring here, and I'm hoping maybe someone here has seen something of this nature or is able to offer some sort of advice.
So, we recently installed WordPress to a subdomain for our business and have been blogging through it. We added the Google Webmaster Tools meta tag and I've noticed an increase in 404 links. I brought this up to our server admin, and he verified that there were a lot of IPs pinging our server looking for these links that don't exist. We've combed through our server files and nothing seems to be compromised. Today, we noticed that when you do site:ourdomain.com into Google the subdomain with WordPress shows hundreds of these fake links that, when you visit them, return a 404 page.
Just curious if anyone has seen anything like this, what it may be, how we can stop it, could it negatively impact us in any way? Should we even worry about it? Here's the link to the Google results.
https://www.google.com/search?q=site%3Amshowells.com&oq=site%3A&aqs=chrome.0.69i59j69i57j69i58.1905j0j1&sourceid=chrome&es_sm=91&ie=UTF-8 (odd links show up on pages 2-3+)
-
Thank you everyone for your responses! The link you sent of the cached pages, LynnP, was also helpful. As soon as my co-worker who administers the server gets in I'm going to mention to him that we check the subfolders for anything fishy. I know for a fact he looked for subfolders that were suspicious but I'm not sure he may have thought to check the existing folders for sneaky things. Most passwords have been changed... but I will double check.
Again, thanks everyone for your help, very useful!
-
My 2 cents: This does look like a wp hack - been having a nightmare with a recent Pharma hack like JV mentions and honestly I still cannot figure out how exactly they got into the site but suspect through an outdated plugin.
A couple of things to keep in mind are to check your htaccess file for weird lines and have a look for non-standard WP files in various folders (things like cache.php or ms-writer.php if I recall right). These files were not showing recent change dates however, so it was not as simple as just ftping in and seeing which files had been recently changed (still no idea how they pulled that off). It can also be that all these pages are being spun out of a handful of PHP files (or the database!) so not 100% the case that you would actually see the subfolders (although in some cases you might). Also seen dev versions of WP on the same server that have not been kept so up to date be used to get into the main production version (pretty sure they were indexed through links sent via Gmail emails, thanks Google!).
You can check the Google cache for any of these pages to see what they looked like and when they were last cached, for example: http://webcache.googleusercontent.com/search?q=cache:Y0U-2Yyk3y4J:news.mshowells.com/CI/Ugg-Hazelwood-1437.shtml+
Most of them show late August cache dates so that should help narrow the timeframe. Interesting to note that all pages have a bunch of links at the bottom, some to your site, some to other (probably infected) sites. All of the links are now 404s so maybe the hack got taken down by the originator (no idea why, just a thought since it's a bit odd that all of the links on the external sites also seem to be 404ing now). Needless to say, change all wpadmin, FTP etc. passwords to be safe!
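Because the reply above notes that the planted files did not show recent change dates, comparing file contents is more reliable than sorting by timestamp. The following is an added example, not part of the original post: it diffs a live install against a clean copy of the same WordPress release by SHA-256. The function names, the `wp-content/uploads/` prefix and the demo tree are assumptions constructed for illustration.

```python
import hashlib, os, tempfile
from pathlib import Path

def manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def compare_trees(clean_root, live_root, media_dir="wp-content/uploads/"):
    """Diff a live install against a clean copy of the same release, by content only."""
    clean, live = manifest(clean_root), manifest(live_root)
    return {
        # Files the release does not ship. wp-config.php and .htaccess land
        # here on a healthy site too, so read those two by hand.
        "added": sorted(f for f in live
                        if f not in clean and not f.startswith(media_dir)),
        # Shipped files whose bytes differ from the release copy.
        "modified": sorted(f for f in live if f in clean and live[f] != clean[f]),
        # Heuristic (assumption): script-type files inside the media directory.
        "scripts_in_media": sorted(f for f in live if f.startswith(media_dir)
                                   and f.lower().endswith((".php", ".phtml", ".shtml"))),
    }

def demo():
    """Build two small constructed trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        shipped = {"index.php": "<?php // front controller",
                   "wp-includes/version.php": "<?php // version file"}
        for root in (clean, live):
            for rel, body in shipped.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed changes: an extra file, an edited core file, a script in uploads.
        (live / "wp-includes/cache.php").write_text("<?php // not shipped")
        (live / "index.php").write_text("<?php // front controller\n// appended")
        (live / "wp-content/uploads/2014").mkdir(parents=True)
        (live / "wp-content/uploads/2014/photo.jpg").write_text("constructed image")
        (live / "wp-content/uploads/2014/x.php").write_text("<?php // in media dir")
        # Backdate everything: the comparison never looks at mtimes.
        for p in live.rglob("*"):
            os.utime(p, (1_000_000_000, 1_000_000_000))
        return compare_trees(clean, live)

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

On a real site, point `compare_trees` at an unpacked download of the exact release that is installed and at the document root; plugins and themes need their own clean copies to be compared the same way.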
-
Hmm...never seen this exactly before - but a few years back we discovered for a client that their reality tv series show (Deadliest Catch) member site had been severely infected by Canadian Pharma phony sites....
Seems the hacker had 'broken' in via a MS update that was not done on their hosting platform site - and it took the tv company almost 4 months to disavow, rebuild and then index and begin to rank again as I remember....i.e. this was NOT a WP issue but a hosting server hack...
But with 20+ pages of Uggs and Nude Men rolling Christians (love that one, eh!) infections, you need to get that totally fixed asap so I'd start with querying the hosting vendor logs...
How comes to mind...if you cannot determine where the hack came from - you could kill the subdomain after saving all your articles - recreate it say as "info.mshowells.com" or "advice.mshowells.com" or "counsel.mshowells.com" and reload in the same articles....have had to do that too for another client....
-
Yeah, only 2 of us, server admin guy. We're talking right now and the site is on a brand new VPS that has never been compromised, no strange folder structure, brand new install of Wordpress.. you can see lots of server errors in the error log on the server but the files NEVER existed, and neither of us removed the files. I, personally, do not even have access to the VPS. Only he does, and he is well aware what he's doing and most definitely would have noticed an odd set of folders and would have remembered deleting them. Almost as soon as we made the wordpress install live is when the 404 crawl errors showed up in google, and on the server. We both have seen many instances of wordpress sites being compromised and know what to look for and how to clean it up. This is why this is baffling. Because we're not exactly sure how or in what way they would benefit from this. My server admin thinks these hackers are somehow tricking google somehow... we just both have never seen this and not sure what to expect... very bizarre!
-
That's pretty strange. There isn't another web person there who might have cleaned things up without telling you? Or maybe your server company?
I don't see how these URLs could be indexed if they never existed, so at some point, someone created those pages and they were around long enough to get indexed. Are there any weird spikes in crawl rates or search queries since the launch of the subdomain?
I've seen this kind of hack before. The hacker just drops some folders full of HTML files into the roots. That's why all those links have a two characters sub directory. That was the folder the HTML files were in before someone likely just saw those folders in the root and deleted them. Maybe they didn't realize what they were doing and thought they were just doing the house cleaning?
Doing a "site:mshowells.com/ci/" or "site:mshowells.com/sp/" can show you what I'm talking about.
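Whether these URLs ever returned a real page can be checked from the web server's access log rather than argued from memory. The following is an added example, not part of the original post, and it assumes the Apache/nginx combined log format. The sample lines, addresses and dates are constructed, and the two-letter-directory pattern follows the /ci/ and /sp/ paths mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LINE = re.compile(r'^\S+ \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# A two-letter top-level directory followed by a single file, e.g. /CI/name.shtml
TWO_CHAR_DIR = re.compile(r'^/([A-Za-z]{2})/[^/]+$')

def summarize(lines):
    """Per two-letter directory: hits by status, and first/last time a 200 was served."""
    stats = defaultdict(lambda: {"200": 0, "404": 0, "other": 0,
                                 "first_200": None, "last_200": None})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a GET/HEAD request line in the expected format
        when, path, status = m.groups()
        d = TWO_CHAR_DIR.match(path.split("?", 1)[0])
        if not d:
            continue  # ordinary site URL, not the pattern under investigation
        s = stats[d.group(1).lower()]
        s[status if status in ("200", "404") else "other"] += 1
        if status == "200":
            ts = datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z")
            s["first_200"] = min(filter(None, (s["first_200"], ts)))
            s["last_200"] = max(filter(None, (s["last_200"], ts)))
    return dict(stats)

# Constructed sample lines (documentation IP ranges, made-up dates and sizes).
SAMPLE = '''\
192.0.2.10 - - [21/Aug/2014:03:12:01 +0000] "GET /CI/Ugg-Hazelwood-1437.shtml HTTP/1.1" 200 5120 "-" "crawler"
192.0.2.10 - - [23/Aug/2014:04:00:09 +0000] "GET /SP/constructed-page-2.shtml HTTP/1.1" 200 4980 "-" "crawler"
198.51.100.7 - - [02/Sep/2014:10:45:30 +0000] "GET /CI/Ugg-Hazelwood-1437.shtml HTTP/1.1" 404 312 "-" "crawler"
198.51.100.7 - - [02/Sep/2014:10:45:31 +0000] "GET /ci/constructed-page-3.shtml HTTP/1.1" 404 312 "-" "crawler"
198.51.100.8 - - [02/Sep/2014:10:46:00 +0000] "GET /2014/09/real-post/ HTTP/1.1" 200 20110 "-" "browser"
'''.splitlines()

if __name__ == "__main__":
    for directory, s in sorted(summarize(SAMPLE).items()):
        print(directory, s["200"], s["404"], s["first_200"], s["last_200"])
```

A directory with only 404s across the whole retained log supports the view that the files were never on this server; any 200 gives a time window to line up with uploads, logins and plugin changes.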
-
Well, the interesting thing is the links are only showing up on the subdomain news.mshowells.com - which has only existed on the server for maybe 2 - 3 months? Also, when we first noticed them, we checked the server and wordpress and there were no files and nothing was out of order or anything fishy. Everything was and is just fine. We haven't done any cleanup of any sort. And Wordpress & plugins have been kept up to date.
That's why it's weird because at no point were there hacked files or content or anything... so it's a little confusing...
-
Looks like a hack. A hacker somehow got in at some point, dropped a bunch of Ugg Boot affiliate marketing pages and left. Not sure why they are 404ing unless someone already discovered these when they happened and cleaned them up. That could've happened months and months ago.
The 404s shouldn't affect your SEO, but the hack has potential to if it hasn't been cleaned up properly. Do you see a spike in search queries if you look back over the last year or two? That may indicate when the hack occurred and was cleaned up. It's important to know how the hack was cleaned up, so you can ensure that the vulnerabilities have been resolved. If they haven't been, your site is still open to additional attacks, and spam like that can hurt your SEO.
For Wordpress, it's important to keep not only Wordpress itself up to date, but also your plugins (and only use well established plugins, and do a little research on them to make sure people aren't screaming about hacking issues). Hackers search for vulnerabilities in all sorts of places.