Google usually displays this message when a website has been hacked or compromised, meaning that someone has intentionally modified its content to add spam or content from other sites, to steal information, or to install malware.

In this video, Google explains what it means for a website to have been hacked or compromised: https://www.youtube.com/watch?v=mbJvL61DOZg

In this tutorial, you will learn how to use the Google Search Console Tool in order to:

  1. Identify and delete malware content in your site.
  2. Set the ownership of the site through Google Search Console.
  3. Get the Search Traffic and links of the site.
  4. Review the site’s links.
  5. Block malicious links previously found.
  6. Request a site review.

Requirements:

Have experience on:

  • .htaccess
  • PHP language
  • Codeigniter

To preserve the identity of the site on which I gained this experience removing malware content, I’ll use the helloselene.com site as an example.

Step 1: Identify and delete malware content in your site

Nowadays the most common malware attacks are:

  • Code injection through scripts placed in the server’s files.
  • Redirection to other websites (when the .htaccess file has been modified).
  • Iframe injection, usually inserted into the index.php file to show content (mostly inappropriate) from another site.

Let’s start by opening the .htaccess file from the root directory of our site.

The RewriteRule directive tells us that any search engine such as google|yahoo|msn|aol|bing is redirected to a doorway script. This file may or may not be placed within our site’s files. Our site could also be redirected not only to a file but to another site, for example:

RewriteRule ^(.*)$ http://www.addedbytes.com/$1 [L]

“L” tells Apache not to process any more rules if this one is used.

Doorway script

The script’s name is different on each site and is built by joining “real” words. It serves different content to search engines than to human visitors. Any request to this script will return a 404 error (this is how it stays hidden from us).

Once we have identified the malicious scripts (mainly hosted in the public folder or the hosting’s temporary folder), we’re going to amend the .htaccess file as follows:

First, we enable the rewrite module so that we can add a condition that will remove the index.php segment from the website URL.

RewriteEngine on

Then we indicate that every request is routed to index.php, except requests for index.php itself, CSS, JS, images, robots.txt or docs files.

RewriteCond $1 !^(index.php|css|js|img|robots.txt|docs) 

RewriteRule ^(.*)$ /index.php?$1 [L]

You can use as many conditions and rules as you need but for the purposes of this tutorial, we are setting just this one.

Important: If you are transferring the .htaccess file to the server using FTP, be sure it is transferred using the ASCII mode, rather than BINARY.

Let’s take a look at the index.php file

As we can see in the image above, there is an injected iframe which hosts an inappropriate site. Remove it and look for the same line of code in the rest of the site’s files to ensure that it hasn’t been injected into any other file.
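
The checks from this step, automated as an added example (not part of the original tutorial): the script walks the site's files and flags .htaccess rules that redirect to an external host or test for search engines, and iframes that load from a host other than the site's own. The RewriteCond form, the allowed-host list, the scanned file types and the sample inputs are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Assumption: hosts this site legitimately embeds or redirects to.
ALLOWED_HOSTS = {"helloselene.com", "www.helloselene.com"}
SCANNED_SUFFIXES = {".php", ".html", ".htm", ".js"}

IFRAME_RE = re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
REDIRECT_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://([^/\s]+)", re.I)
ENGINE_COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}.*(?:google|yahoo|msn|aol|bing)", re.I)

def scan_text(name, text):
    """Return (file, line number, finding type, detail) tuples for one file."""
    findings = []
    is_htaccess = Path(name).name == ".htaccess"
    for lineno, line in enumerate(text.splitlines(), 1):
        if is_htaccess:
            if line.lstrip().startswith("#"):
                continue  # comment lines carry no rules
            m = REDIRECT_RE.search(line)
            if m and m.group(1).lower() not in ALLOWED_HOSTS:
                findings.append((name, lineno, "external-redirect", m.group(1).lower()))
            if ENGINE_COND_RE.search(line):
                findings.append((name, lineno, "search-engine-condition", line.strip()))
        else:
            for m in IFRAME_RE.finditer(line):
                if m.group(1).lower() not in ALLOWED_HOSTS:
                    findings.append((name, lineno, "external-iframe", m.group(1).lower()))
    return findings

def scan_tree(root):
    """Scan every .htaccess and web source file under the document root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and (path.name == ".htaccess" or path.suffix.lower() in SCANNED_SUFFIXES):
            findings += scan_text(str(path), path.read_text(errors="replace"))
    return findings

# Constructed samples (not taken from the affected site).
SAMPLE_HTACCESS = """RewriteEngine on
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing) [NC]
RewriteRule ^(.*)$ doorway-example.php [L]
RewriteRule ^(.*)$ http://www.addedbytes.com/$1 [L]
"""
SAMPLE_INDEX = '<?php echo "home"; ?>\n<iframe src="http://bad.example/x" width="1" height="1"></iframe>\n'

if __name__ == "__main__":
    for finding in scan_text(".htaccess", SAMPLE_HTACCESS) + scan_text("index.php", SAMPLE_INDEX):
        print(finding)
```

Run `scan_tree()` against a local copy of the document root; each finding names the file and line to inspect by hand before deleting anything.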

Step 2: Set the ownership of the site through Google Search Console

Go to Google Search Console’s home page and enter the site’s URL:

https://www.google.com/webmasters/tools/home?hl=en

Google will ask us to prove ownership. To do so, we have these options:

Recommended method:

Google provides us with an HTML file that we upload to the root folder of our site.

Important: To stay verified, don’t remove the HTML file, even after verification succeeds.

Alternate methods:

HTML Tag: Add a meta tag to your site’s home page.

Domain name provider: Sign in to your DNS provider account and add to the domain’s configuration the token provided by Google.

Google Analytics: Use your Google Analytics account to prove the ownership.

Google Tag Manager: Use your Google Tag Manager account to prove the ownership.

Step 3: Get the Search Traffic and links of the site

Now that we’ve proved the ownership, we can access the Google Search Console’s dashboard by clicking on the site’s URL. In the left side menu, look for Search Traffic > Links to your site.

1.- Total links.

2.- Who links the most: Click on the More button to see the full lists.

  • This table: All the domains with links to the pages of our site.
  • More sample links: All the links within our site.
  • Latest links: All the links on our site including its creation date.

3.- All the pages of our site that have been indexed from other sites: the full list of these pages as well as the sample links and last added.

4.- How your data is linked: Refers to the anchor text of your site.

We can download the lists above as CSV or as Google Docs.

Step 4: Review the site’s links

We’ve got the full list of links and domains. Let’s review them to identify the malicious ones.

Total links: According to the site’s links, does this amount match? In this example, it doesn’t.

Who links the most: I don’t recognize the sites that are listed in here. In fact, if I try to browse to one of them I get a 404 error.

I’m using the mxtoolbox tool to verify whether one of the listed sites is included on Google’s blacklist, taking the stylshack.com site as an example.

http://mxtoolbox.com/

When the inspection has completed, we’ll know whether it is listed or not. And there you have it, it’s listed!

Anchor Texts: As a result of the indexed links, most of the anchor texts contain sexual and obscene phrases.

Step 5: Block malicious links previously found

We can do this from cPanel or take advantage of our .htaccess file.

CPanel

The hosting provider of this site is Hostgator, but I’m pretty sure that your hosting provider will have a similar option within the Security section:

IP Address Deny Manager

We enter the IP or domain’s name to block it.

To get the IP of a site we can use the ipinfo.info checker tool:

http://ipinfo.info/html/ip_checker.php

.htaccess file

Add the following directive after the RewriteRule:

deny from IP site’s address here

Example:

# stylshack.com (Apache does not allow a comment on the same line as a directive)
deny from 74.220.219.120

This denies the stylshack.com address access to our site. You can block as many sites as you need.

Step 6: Request a site review

Once we’ve deleted the malicious content and links, the next step is to request a site review. Go back to the Google Search Console’s home page, look for Security Issues on the left side menu and click on it.

A modal will show up in which we specify for Google’s team the actions that we’ve taken to delete the malware. Google will let us know when the review has finished in the messages section. In my experience, this will take a couple of days.

In order to prevent future vulnerabilities:

  1. Change all the site’s passwords: FTP, cPanel, email, etc.
  2. Ensure that the software or plugins are being continuously updated.
  3. Don’t share your access credentials.
  4. If you would like to know more about Google’s toolkit, visit the link below:

https://www.google.com/webmasters/support/#browse-documentation

Did you like the tutorial? I would like to know your opinion; please let me know in the comments section.

 
