Tracking Down Rogue Spam Links
-
In Feb, 2015 the www.mommyupgrade.com site received the following notification in GWT:
http://www.mommyupgrade.com/: Suspected hacking
Feb 4, 2015
Google has detected that some of your pages may contain hidden text or cloaking, techniques that are outside our Webmaster Guidelines.
Specifically, we detected that your site may have been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
Sample URLs:
At that time, the site was checked by the host and site owner and any suspicious links removed. We thought the problem was resolved until a MOZ crawl on March 22 which highlighted a number of hack links again.
This is the link format: http://www.mommyupgrade.com/?p=online-slots
All are related to gambling, casinos and slots.
To find the links, we downloaded the MOZ crawl report and found that all the links were referred from this page: http://www.mommyupgrade.com/how-to-make-rainbow-lollipop-cookies/
Searching that post shows no sign of links to the rogue pages.
I would really appreciate some advice on how to find the source of these links and delete them from this site once and for all. Also, please explain how it is possible for a post or page to refer to another page without that link showing up in the code? (Is this some black hat technique that I need to know about in order to protect my sites?)
Also... at the moment Google Webmaster Tools are not reporting any security issues for this site.
Any help appreciated.
-
You're welcome. I'm always amazed at the diversity of people that read and comment here. A lot of talented eyes are considering the questions for sure. Cheers!
-
@Ryan, that link is very useful and once we have the site clean we can use it regularly to check that no new issues present themselves.
@Richard, thank you for this information. It helps a lot.
Great community support. I wish I had asked this question days ago. Thank you MOZ.
-
There are some base 64 encoded URLs on the page. They show in the source code like below. That would be my guess as to what is creating the links, which are obfuscated for users. These types of attacks are usually called in your functions.php file or within a hacked plugin, or could actually be inserted into the css as well.
background:url(data:image/png;base64,…)
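One way to check what base64 `data:` URIs like the one above actually carry is to decode each payload and look at its first bytes. This is an added example, not part of the original post; the function names and the sample CSS are constructed for illustration.

```python
import base64
import binascii
import re

# Magic bytes of image formats a CSS data: URI normally carries.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}
DATA_URI = re.compile(r"data:([\w/+.-]*);base64,([A-Za-z0-9+/=]+)")
URL_IN_PAYLOAD = re.compile(rb"https?://[^\s\"'<>]+")


def triage_data_uris(source):
    """Decode every base64 data: URI in HTML/CSS text and classify it."""
    findings = []
    for mime, payload in DATA_URI.findall(source):
        try:
            raw = base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            findings.append({"mime": mime, "verdict": "undecodable", "urls": []})
            continue
        kind = next((k for m, k in IMAGE_MAGIC.items() if raw.startswith(m)), None)
        urls = [u.decode("ascii", "replace") for u in URL_IN_PAYLOAD.findall(raw)]
        # A payload that starts with image magic bytes is just an inline image;
        # anything else declared as an image deserves a manual look.
        findings.append({"mime": mime, "verdict": "image" if kind else "review",
                         "kind": kind, "urls": urls})
    return findings


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed sample: one payload with a PNG header, one hiding a spam link.
SAMPLE_CSS = (
    ".logo{background:url(data:image/png;base64,%s)}\n"
    ".x{background:url(data:image/png;base64,%s)}\n"
) % (_b64(b"\x89PNG\r\n\x1a\n" + bytes(16)),
     _b64(b'<a href="http://spam.example/?p=online-slots">slots</a>'))

if __name__ == "__main__":
    for finding in triage_data_uris(SAMPLE_CSS):
        print(finding)
```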
-
You can also run a search like this to get at these pages: https://encrypted.google.com/search?hl=en&q=site%3Amommyupgrade.com inurl%3A%3F%3Dp
The root cause is a hack of your WordPress installation, most likely a plugin. Here's a good discussion around how this takes place: https://wordpress.org/support/topic/someone-has-hacked-the-site-and-inserted-a-link
Recently a vulnerability was found in the Yoast plugin (see: http://thehackernews.com/2015/03/wordpress-seo-by-yoast-plugin.html ), so you'll certainly want to upgrade that and preferably set your updates to automatic.
Good luck!
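Google's notice in the question mentions cloaking, where a compromised site returns different HTML to crawlers than to browsers, which is one way a crawl can report links that are absent from the source you view. The sketch below is an added example, not code from the thread: it compares two saved copies of the same post and lists links present only in the crawler copy, flagging the `?p=<slug>` format reported above (WordPress `?p=` normally holds a numeric post ID). The function names and both HTML copies are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlsplit


class _LinkCollector(HTMLParser):
    """Collect absolute href targets of <a> tags."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        if href:
            self.links.add(urljoin(self.base_url, href))


def extract_links(html, base_url):
    collector = _LinkCollector(base_url)
    collector.feed(html)
    return collector.links


def is_slug_p_link(url):
    """WordPress ?p= normally holds a numeric post ID; a word slug matches the spam format."""
    return any(not v.isdigit() for v in parse_qs(urlsplit(url).query).get("p", []))


def cloaked_links(browser_html, crawler_html, base_url):
    """Links served only in the crawler copy, and the subset in ?p=<slug> form."""
    extra = extract_links(crawler_html, base_url) - extract_links(browser_html, base_url)
    return sorted(extra), sorted(u for u in extra if is_slug_p_link(u))


# Constructed sample copies of one post; only the ?p=online-slots format is from the thread.
PAGE = "http://www.mommyupgrade.com/how-to-make-rainbow-lollipop-cookies/"
BROWSER_COPY = '<a href="/?p=123">Older post</a> <a href="/about/">About</a>'
CRAWLER_COPY = BROWSER_COPY + (
    '<div style="display:none"><a href="/?p=online-slots">online slots</a>'
    '<a href="/?p=casino-bonus">casino bonus</a></div>'
)

if __name__ == "__main__":
    extra, slug_links = cloaked_links(BROWSER_COPY, CRAWLER_COPY, PAGE)
    print("only in crawler copy:", extra)
    print("?p=<slug> spam format:", slug_links)
```

To use it on a real site, save the page once as requested with a normal browser user agent and once with a crawler user agent, then pass both copies in.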