Comments on: Check your search box for XSS exploits http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/ neat fun stuff Sat, 21 Nov 2009 05:33:38 -0800 http://wordpress.org/?v=2.8.5 hourly 1 By: mark http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-130393 mark Mon, 21 Jul 2008 05:54:13 +0000 http://www.mattcutts.com/blog/?p=964#comment-130393 matt I don't mind if you post this or not, cos what has happened to my site is probably not uncommon but still well beyond my knowledge of 'why?' or 'what next?'. For many months now my once very popular site has been falling (plumetting) in the Google rankings. Now I am completely off Google's radar (though the other serach engines still rank me well?). From the outset my hunch was foul play but not being a web nerd I asked others to help find out why and spent a lot of fruitless time and effort with SEO-types and more knowledgeable friends in the biz to help solve the mystery. Content, keywords, tags have been addressed as possible culprits or oversights but I figured there was something more basic and critical wrong. I have always kept track of the results through the Webmaster tools but never found anything really incriminating to explain the apparent black-balling. That is, until today when I went back again to the dashboard (stats-Index stats-cache) and found Google's last cache of my site: http://209.85.165.104/search?q=cache:www.callananphoto.com&hl=en yikes! who or why would people do that? And how? I find no indication of all those porn links in my index.html so I have no idea how to remove them. So I at least have solved the mystery of 'why' Google dropped me like a hot potato but beyond changing passwords I am at a loss to know how to clean up the ugly mess and get back to where I was a year ago. While my site was wallowing in the doldrums I redesigned a new front page with much more content and links, so when this existing problem is sorted out I can re-enter the Google arena with a vengeance. Bloody hackers! I hope you can help thanks mark matt
I don’t mind if you post this or not, cos what has happened to my site is probably not uncommon but still well beyond my knowledge of ‘why?’ or ‘what next?’. For many months now my once very popular site has been falling (plumetting) in the Google rankings. Now I am completely off Google’s radar (though the other serach engines still rank me well?). From the outset my hunch was foul play but not being a web nerd I asked others to help find out why and spent a lot of fruitless time and effort with SEO-types and more knowledgeable friends in the biz to help solve the mystery. Content, keywords, tags have been addressed as possible culprits or oversights but I figured there was something more basic and critical wrong. I have always kept track of the results through the Webmaster tools but never found anything really incriminating to explain the apparent black-balling. That is, until today when I went back again to the dashboard (stats-Index stats-cache) and found Google’s last cache of my site:
http://209.85.165.104/search?q=cache:www.callananphoto.com&hl=en

yikes! who or why would people do that? And how? I find no indication of all those porn links in my index.html so I have no idea how to remove them.

So I at least have solved the mystery of ‘why’ Google dropped me like a hot potato but beyond changing passwords I am at a loss to know how to clean up the ugly mess and get back to where I was a year ago.

While my site was wallowing in the doldrums I redesigned a new front page with much more content and links, so when this existing problem is sorted out I can re-enter the Google arena with a vengeance.
Bloody hackers!

I hope you can help

thanks
mark

]]> By: Paul http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-129734 Paul Wed, 02 Jul 2008 18:16:34 +0000 http://www.mattcutts.com/blog/?p=964#comment-129734 Matt, My site is currently suffering from a June 9th XSS "porn" attack. Google Analytics still shows our "search results" page down 90% in Google traffic since the attack. We have since patched the XSS hole, added META NOINDEX tags to all "empty" search result pages, submitted all the remaining "porn" URL Removals in WebMaster Tools, and submitted a Reconsideration Request on June 19th. Questions: - Is the Google penalty due to the "porn" in Google's index? or was it the XSS, which gave our site the appearance of a massive number of "Sneaky Javascript Redirects" ? - How long should I expect to wait? (I have seen some webmasters say their page's traffic has never come back after a Google penalty, yet others say it should be restored after 30 days or so. Is there anyone out there who can tell me whether their XSS hacked page's traffic did come back and how long it took? I'm trying to passify my angry boss! ) Thanks Matt & all, Matt,

My site is currently suffering from a June 9th XSS “porn” attack. Google Analytics still shows our “search results” page down 90% in Google traffic since the attack. We have since patched the XSS hole, added META NOINDEX tags to all “empty” search result pages, submitted all the remaining “porn” URL Removals in WebMaster Tools, and submitted a Reconsideration Request on June 19th.

Questions:

– Is the Google penalty due to the “porn” in Google’s index? or was it the XSS, which gave our site the appearance of a massive number of “Sneaky Javascript Redirects” ?

- How long should I expect to wait? (I have seen some webmasters say their page’s traffic has never come back after a Google penalty, yet others say it should be restored after 30 days or so. Is there anyone out there who can tell me whether their XSS hacked page’s traffic did come back and how long it took? I’m trying to passify my angry boss! )

Thanks Matt & all,

]]> By: Robert http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-129375 Robert Fri, 27 Jun 2008 09:33:34 +0000 http://www.mattcutts.com/blog/?p=964#comment-129375 Matt, could you please tell me the reason for removing my last post? There was nothing wrong with it. greetz Robert Matt,

could you please tell me the reason for removing my last post? There was nothing wrong with it.

greetz
Robert

]]> By: Ian M http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-129278 Ian M Wed, 25 Jun 2008 09:12:48 +0000 http://www.mattcutts.com/blog/?p=964#comment-129278 Heh, Firefox 3 is already there, with "Reported Attack Site!" if you actually try to visit those sites. Heh, Firefox 3 is already there, with “Reported Attack Site!” if you actually try to visit those sites.

]]> By: Donncha O Caoimh http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128972 Donncha O Caoimh Thu, 19 Jun 2008 20:22:34 +0000 http://www.mattcutts.com/blog/?p=964#comment-128972 Matt - did you see my post on the subject about a week ago? It was on the WP Dashboard and thankfully was picked up by numerous other sites who spread the word about the redirect hack. Unfortunately people don't change their passwords often enough, and many certainly aren't diligent enough about upgrading in the first place. I'm about halfway through coding a plugin to detect the current crop of methods the spammer use to hide their links and add viruses to WordPress sites. Hopefully I'll release a first version tomorrow, or early next week. http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/ Matt – did you see my post on the subject about a week ago? It was on the WP Dashboard and thankfully was picked up by numerous other sites who spread the word about the redirect hack. Unfortunately people don’t change their passwords often enough, and many certainly aren’t diligent enough about upgrading in the first place.

I’m about halfway through coding a plugin to detect the current crop of methods the spammer use to hide their links and add viruses to WordPress sites. Hopefully I’ll release a first version tomorrow, or early next week.

http://ocaoimh.ie/2008/06/08/did-your-wordpress-site-get-hacked/

]]> By: Asia http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128828 Asia Wed, 18 Jun 2008 00:24:54 +0000 http://www.mattcutts.com/blog/?p=964#comment-128828 Well that was fun! I had a site hacked into - made some quick fixes - removed the bad file. Now going to resubmit to Google... All access to my server have different users/passcodes per site. So one site will have 20 user/passwords - to avoid any problems with server hacking. The problem is, that it's tougher for me to determine a site hack, if the server wasn't compromised. Thanks for reminding me to check my files Matt... But FYI - I am on Google Webmaster Tools and Googlebot has had no problem with spidering my website. Did I miss something? It's reporting the medical and porn in the content - but no warnings to be seen. Well that was fun!

I had a site hacked into – made some quick fixes – removed the bad file. Now going to resubmit to Google…

All access to my server have different users/passcodes per site. So one site will have 20 user/passwords – to avoid any problems with server hacking. The problem is, that it’s tougher for me to determine a site hack, if the server wasn’t compromised.

Thanks for reminding me to check my files Matt…

But FYI – I am on Google Webmaster Tools and Googlebot has had no problem with spidering my website. Did I miss something? It’s reporting the medical and porn in the content – but no warnings to be seen.

]]> By: 4braham http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128779 4braham Tue, 17 Jun 2008 16:00:41 +0000 http://www.mattcutts.com/blog/?p=964#comment-128779 Setting up Google Alerts for "site:example.com porn" is a useful method of early notification if a XSS vulnerability is discovered on your site. Setting up Google Alerts for “site:example.com porn” is a useful method of early notification if a XSS vulnerability is discovered on your site.

]]> By: Jem http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128777 Jem Tue, 17 Jun 2008 15:36:34 +0000 http://www.mattcutts.com/blog/?p=964#comment-128777 I'm not in the habit of link-dropping because I feel it always feels incredibly spammy, but I wrote a quick guide in August last year of things the average user can do to test their own (PHP) site security: http://www.jemjabella.co.uk/become-a-php-security-master-part-1 I think people need to get out of the "it won't happen to me" mentality and realise that they need to be vigilant. Check your site for easily detected exploits, do a bit of Googling on scripts and plugins for known exploits before you install and ALWAYS back-up your data. I’m not in the habit of link-dropping because I feel it always feels incredibly spammy, but I wrote a quick guide in August last year of things the average user can do to test their own (PHP) site security:
http://www.jemjabella.co.uk/become-a-php-security-master-part-1

I think people need to get out of the “it won’t happen to me” mentality and realise that they need to be vigilant. Check your site for easily detected exploits, do a bit of Googling on scripts and plugins for known exploits before you install and ALWAYS back-up your data.

]]> By: Robert http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128775 Robert Tue, 17 Jun 2008 14:38:13 +0000 http://www.mattcutts.com/blog/?p=964#comment-128775 aaron wall, Google still don't like to index search results and sites wouldn't be penalized for "cross site scripting issues with third parties forcing searches and embedding spammy links in them", if those sites would exclude their search results by default. Then the spammy links wouldn't be count at all and the sites will not be penalized. On the other hand I couln't understand why Google still indexes search results like: http://www.google.de/search?hl=de&q=site%3Asearch.ebay.de&btnG=Suche&meta= That's only one example for indexed search results, which could be automatically removed from the index simply, if Google wants. greetz Robert aaron wall,
Google still don’t like to index search results and sites wouldn’t be penalized for “cross site scripting issues with third parties forcing searches and embedding spammy links in them”, if those sites would exclude their search results by default. Then the spammy links wouldn’t be count at all and the sites will not be penalized.

On the other hand I couln’t understand why Google still indexes search results like:
http://www.google.de/search?hl=de&q=site%3Asearch.ebay.de&btnG=Suche&meta=

That’s only one example for indexed search results, which could be automatically removed from the index simply, if Google wants.

greetz
Robert

]]> By: Morgan http://www.mattcutts.com/blog/check-your-search-box-for-xss-exploits/#comment-128774 Morgan Tue, 17 Jun 2008 14:30:42 +0000 http://www.mattcutts.com/blog/?p=964#comment-128774 We actually got hit by the same exploit, same URL, etc. We cleaned it up and it's disappeared from our Google results, so that was nice. What I'm curious about it how do the results get into Google? I understand the exploit, but I don't understand how they get indexed that way. Does is-t-h-e.com create a bunch of links to those URLs, and then Google follow and index those links? Not that I'm some genius, but it would seem relatively trivial to detect links using XSS or other strangeness and disregard them. We actually got hit by the same exploit, same URL, etc. We cleaned it up and it’s disappeared from our Google results, so that was nice.

What I’m curious about it how do the results get into Google? I understand the exploit, but I don’t understand how they get indexed that way. Does is-t-h-e.com create a bunch of links to those URLs, and then Google follow and index those links?

Not that I’m some genius, but it would seem relatively trivial to detect links using XSS or other strangeness and disregard them.

]]>