Example email to a hacked site

Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites. The most common reaction we hear from webmasters is “The problem is with the Google search. There is nothing wrong with our website.” That’s a real quote from an email one site owner recently sent us. Sadly, it turns out that the site is almost always really hacked.

The single best piece of advice I can give to prevent website hacking is “keep your web server software up-to-date and fully patched.” That prevention is much better than the hassle of cleaning up a hack. Here’s an example email I just sent to a site owner with the identifying details removed:

Hi xxxxxxx, I’m the head of Google’s webspam team. Unfortunately, example.com really has been hacked by people trying to sell pills. I’m attaching an image to show the page that we’re seeing.

We don’t have the resources to give full 1:1 help to every hacked website (thousands of websites get hacked every day–we’d spend all day trying to help websites clean up instead of doing our regular work), so you’ll have to consult with the tech person for your website. However, we do provide advice and resources to help clean up hacked websites, for example:
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
https://sites.google.com/site/webmasterhelpforum/en/faq-malware-and-hacked-sites
http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html
http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html
http://googlewebmastercentral.blogspot.com/2009/02/best-practices-against-hacking.html

We also provide additional assistance for hacked sites in our webmaster support forum at https://groups.google.com/a/googleproductforums.com/forum/#!forum/webmasters . I hope that helps.

Regards,
Matt Cutts

P.S. If you visit a page like http://www.example.com/deep-url-path/ and don’t see the pill links, that means the hackers are being extra-sneaky and only showing the spammy pill links to Google. We provide a free tool for that situation as well. It’s called “Fetch as Googlebot” and it lets you send Google to your website and will show you exactly what we see. I would recommend this blog post http://googlewebmastercentral.blogspot.com/2009/11/generic-cialis-on-my-website-i-think-my.html describing how to use that tool, because your situation looks quite similar.

Anyway, just a reminder for site owners to keep their web server software up-to-date, because hacked sites are a real pain. Most Google searchers and even website owners don’t think about hacked sites much, but on our side we have to spend a fair amount of effort writing classifiers to catch this illegal activity, helping the victims of hacked sites, adapting when the hackers change their techniques, etc.
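The check described in the P.S. above, as an added example that is not part of the original post: compare the outbound links a page serves to a browser with those it serves to a crawler, and report links only the crawler sees. The function names, the sample URL and the sample HTML are constructed for illustration. Cloaking that keys on Google's IP addresses rather than the User-Agent header will not show up in a self-run fetch, which is why Fetch as Googlebot remains the authoritative test.

```python
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Collect (href, anchor text) pairs from <a> tags, hidden or not."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def external_links(html, page_url):
    """Map absolute off-site link URL -> anchor text for one copy of the page."""
    parser = LinkCollector()
    parser.feed(html)
    site = urlparse(page_url).hostname
    found = {}
    for href, text in parser.links:
        absolute = urljoin(page_url, href)
        host = urlparse(absolute).hostname
        if host and host != site:
            found[absolute] = text
    return found


def crawler_only_links(browser_html, crawler_html, page_url):
    """Off-site links present in the crawler's copy but absent from the browser's."""
    seen_by_browser = external_links(browser_html, page_url)
    seen_by_crawler = external_links(crawler_html, page_url)
    return {u: t for u, t in seen_by_crawler.items() if u not in seen_by_browser}


def fetch(url, user_agent):
    """Fetch a page of your own site while presenting the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: the crawler copy carries one extra hidden off-site link.
SAMPLE_URL = "http://www.example.com/deep-url-path/"
SAMPLE_BROWSER = ('<html><body><h1>Our products</h1><a href="/contact">Contact</a> '
                  '<a href="http://partner.example.org/">Partner</a></body></html>')
SAMPLE_CRAWLER = SAMPLE_BROWSER.replace(
    "</body>",
    '<div style="display:none"><a href="http://pills.example.net/buy">'
    "cheap  pills\nonline</a></div></body>")

if __name__ == "__main__":
    print(crawler_only_links(SAMPLE_BROWSER, SAMPLE_CRAWLER, SAMPLE_URL))
```

Against a live page you control, pass `fetch(url, BROWSER_UA)` and `fetch(url, CRAWLER_UA)` as the first two arguments; any non-empty result is a reason to inspect templates, plugins and the database for injected content.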

33 Responses to Example email to a hacked site

  1. Cheers Matt, think I’ll have an update tonight!

  2. On a similar topic Matt, how about when you check your logs and see a spike in traffic coming in from far away sites or questionable urls? Many times I’ve checked a site’s source code and found nothing to identify questionable activity, which makes me question it even more.

  3. Matt,

    You provide these services as well :). Anyhow, we as site owners and service providers do provide this suggestion to our clients to “keep their web server software up-to-date and fully patched.”
    Usually people on WP don’t update their sites and plug-ins. We found the supercache plug-in causing an issue with a few of our sites as they were compromised recently with a malicious script being downloaded. Upon our manual checks we found most of those malicious scripts found in this plug-in. Not sure why!
    But we prefer to keep plug-ins and sites up to date.

  4. Thanks for the update Matt.

    Really, this issue is a pain in anyone’s clean online marketing campaign.

  5. I hope I will never receive an email from you Matt, purely because it can’t be good news.

    Fun aside, I think the biggest culprit is WordPress. It is powering a lot of sites, way too many these days. Plugins seem to be the weakest link in the chain.

    Oh and there is another thing that looks like it is being hacked day in and day out, it is called Google Places. Any idea when your colleagues are going to patch it up?

    I hope you will not delete my comment. 🙂

  6. Matt,

    I really appreciate that you took some time out to write this post. But sometimes despite keeping the software updated to the latest version a site can get hacked and it is very frustrating for the SEOs and website owners who work hard to get genuine visibility in search.

    There is a procedure to revive the presence of the site once it is removed from the index by sending the reconsideration request. But I request you to come up with some procedure by which we can inform Google when the site is hacked and we are working on removing the malware from the site.

    This way we can save the site from getting removed from the index and this will mean less no. of reconsideration requests for Google too.

  7. One of our sites had got hacked last year and I have written in detail about our experience regarding reconsideration request and the site on my guest post on

    http://www.alrayeswebsolutions.com/blog/seo/solution-to-the-link-spam-injection-hacking-attack-and-reconsideration-requests-to-google/

  8. It would be great to see one of your favorite reconsiderations requests. That way, we will know exactly what to submit.

  9. The other good tell-tale sign for a hack usually comes in the form of traffic beyond your wildest dreams. The good news is that Google has already given us plenty of tools to look for “hacking”, mainly in the form of Google Analytics.

    A while back, we saw an amazing spike in traffic…but after careful inspection it turned out that it was a “hack.” The culprit….out-of-date WordPress and not using some of the better WordPress plugins (firewall, cache, etc).

    At the end of the day….Google just wants to serve up good and relevant content. It cannot send traffic to your site when it knows that your content is suspicious. This is a great service to webmasters and site owners….

    Thanks to Matt and the entire SPAM team at Google for their hard work.

  10. Hi Matt, can you recommend a plugin that automatically updates WordPress? This way we won’t have to worry about these things.

  11. Having the latest and greatest WordPress version is important. Too many times we let the old versions hang on until it’s too late and our site gets hacked. I keep a spreadsheet now and check once a month to make sure WordPress and all the related plugins are up-to-date.

  12. Hi Matt

    This (as you mention) is a full time job. As an SEO consultant I get a half dozen emails asking about hacked sites as I deal exclusively in Gaming and Forex/Options and these are high targets for hacks.

    It’s almost to the point that reputation management companies should recognize this as a profit centre and add it to their arsenal of services.

    Gary Beal
    GaryTheScubaGuy

  13. Interesting that most of the comments here have mentioned WordPress. I’m a developer who uses WordPress most of the time. One of the issues I face is selling website maintenance, backup services, etc after the client’s site has gone live.

    It’s a very difficult sell as the client is pleased with their new site and talk of the possibility of sites getting hacked is viewed as being pessimistic, over cautious and somewhat unnecessary.

    They’ll feel like that right up until their site falls victim.

    Also Yousaf, what would be the right number of WordPress websites if there are “too many” at the moment?

  14. Why don’t you address the concerns everyone is having over the dramatic change in results due to Panda?

  15. Also Yousaf, what would be the right number of WordPress websites if there are “too many” at the moment?

    I’m not Yousaf, but I’d say “0”. That thing is one of the biggest blights ever unleashed upon the Internet, and the fact that Matt had to post this explains exactly why.

  16. Hello Matt,

    Ah there seems to be a lot of sites being hacked fairly aggressively of late, but I have found that if you do the right thing and reach out and contact them it can almost be more trouble than it is worth.

    I’ve spent more time with them arguing with me that they can’t see anything wrong with their website than them listening to the advice they need to resolve the issue. The other problem is that the Google crawler in GWT doesn’t seem to pick up most of the issues until months down the track. Are there any plans to have a public URL that we can quickly submit a site for your malware bot to scan? Making it easier for people to quickly report problem websites can help everyone get hacked sites flagged and hopefully cleaned up earlier.

    The other issue is that I think (not provided) may mask some of the strange keywords that a hacked site usually shows up as warning signs when you get a spike in traffic..

    David

  17. Dang, we gotta get a hacked site just to get a signed letter from Matt. sigh. Personally, I would love any correspondence by M.C.

    On another note: Interesting week? Wouldn’t you say? I’d imagine Reinclusion Requests, your tweets, and Fetch As Googlebot are now at ludicrous capacity!

  18. Keeping web scripts updated and patched is the best course of action, as a web hosting provider we see this quite often with some customers using scripts that are several years out of date so clearly never patched since they were installed.

  19. I used this tool “Fetch as Googlebot” for my blog and I came across two errors. I figured out one error and trying to correct the other. This is a very helpful tool for checking spammy pill links.

  20. Keeping software up-to-date is the best advice you can give. I’ve seen several websites get hacked, not nearly as many as you, and in EVERY case, the website was not up-to-date.

  21. Multiworded Adam tried working on the monstrosity that is MT before you diss WP. WP gets targeted partially because it’s so popular.

  22. I bet those who are hacked are most likely on shared hosting. All of my dreamhost sites at one point were hacked. I spent days trying to clean them up and in the end just moved hosts and started from fresh installs.

  23. Matt: Big favor, it looks like my old username here is panzermike. Can you please let me change it to my real name and allow me to post as that?

  24. Frederick Gimino

    That is great that you help inform people about the damages that hackers cause to their sites. What about their kids though? What about the mortgage payments they cannot make? How does one say “I am not evil…I am making the web a better place” and believe it? Truth of the matter is Sergei is lining his pockets with cold hard cash while what is left of Middle America is dying. It is great that the Wal-Marts of the world now get to pay PPC fees for better rankings. It is a shame that a father has to tell his son that he cannot buy him a baseball uniform because Google decided to “level” the playing field and put up a parking lot. It really hurts that after several years of trying to play by the rules as best as one can and then the rules change; hurts to find yourself an outsider looking in. It especially hurts when someone uses feed burner to point 10,000 heavily optimized anchor text links through Feedburner (a Google property) at your site and you get whacked.

    So, Matt what would the e-mail look like that one would send their kid as the bill collectors and taxman come to take all of their belongings? It is great that you “help” keep the web a safer place for people. However, people often forget that every story has two sides. It truly hurts (I know from personal experience) to deal with the loss of income that an attack can bring on a site owner.

    And, by no means do I believe I am perfect. I made my share of mistakes. However, I believe we are all guilty at one time or another of using a keyword instead of an alternate word that has similar meaning. However, in all fairness the words web spam never came to mind. I thought (like millions of others) that we were within Google guidelines. In fact, I thought that Feedburner for webmasters was supposed to be a benefit not a tool for black hats to attack your site with 10,000 back links. Was I supposed to monitor Feed burner?

    In addition, how does one stop others in the world from hurting them? I cannot stop sites like updowner from linking to me 1,000 times. I can ask nicely and hope they stop. As far as hackers go, I am sure they will not stop hacking, cracking, and freaking. Does that mean a site should be penalized indefinitely until the cyber police come to stop them?

    Matt I honestly believe you and the web spam engineers have good intentions in your hearts. Unfortunately, you know what they say about good intentions. Moreover, I know my site does not spam. My site is not spam. I even took a 50,000-page html site and whittled it down to a several hundred-page Joomla site. I write unique and insightful content that others try to plagiarize. Most importantly, I do it free. I do not charge anyone to visit my site. I go out of my way to try to make the site better over time. In fact, I had just hired people to help me to provide even more free content.

    Therefore, I am happy to hear that the fight against web spam is going well, however, it would be nice if there were a better way to mitigate the collateral damage. Good luck with eliminating hacked sites Matt. I wish you the best.

  25. In 95% of the server security incidents we investigate, a web application is the source of entry. When we dig into the problem we find two major items:

    – Poor passwords.
    – Unpatched web applications.

    It is also important to note that you do not have to be a target. Most of these attacks are done by bot nets. If you use popular tools, bots can find them and try to exploit them.

    So do as Matt says and update those apps.

  26. In webmaster tools->Health->Malware I’ve seen a message which tells me that there was a suspected injected code in a post as follows..
    st=”en0no3napno3rxstxpno3rxnl
    “;Date&&(a=[“a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%
    6&"] and sooo on..
    But when I checked the post the only thing I was able to notice was the Google Adsense code..I had no clue where exactly the problem was.. 🙁 for now I've removed the adsense code until I pinpoint the exact problem. Any idea? Thanks

  27. Guess what… most of the spam comes from… & this is what the penguin update resulted in http://www.youtube.com/watch?v=0St9B1kmJ2g

  28. Frederick Gimino

    Matt upon further analysis I see your point. However, it is easy as a webmaster to knee jerk defensively when your life blood is on the line. I admit I am guilty of this. As human beings we all share the same fight or flight responses to perceived threats. It is hard wired into us.

    However, once the adrenaline wears off and logical thinking returns one must reflect and think things through. I recently did that and realized that cognitive dissonance (the sour grapes effect) plays a large role in why people respond as they did to your e-mail regarding hacked sites.

    I am sure on some level these people must realize that the possibility they were hacked exists. Just as the Multi-World theory in quantum physics states that all outcomes exist simultaneously one must realize that in some universe their website could theoretically be hacked.

    Although not always easy to do admitting you made a mistake is the only way to fix it. I recently experienced it as I became intimately acquainted with the “penguin”. Naivete is no excuse for mistakes. I now see the importance of your work in a new light. I agree assisting and “micro managing” webmasters 1:1 is not feasible. I can not even begin to understand how your re inclusion request team manages to work as fast as they do.

    My point is although human nature dictates a knee jerk reaction at times recognizing that you made a mistake ultimately leads to correcting it. Without that “Ah-Ha” moment when you realize that something is awry and you realize it is actually something you have done or failed to do correction of the issue is not possible.

    I wish you the best in your pursuit of a cleaner web. I actually wanted to apologize for my last post as I feel it was bitter. I am undergoing some life changing events right now. However, I do not want to be that guy; The one that says it is all Google’s fault. Mistakes happen we live and we learn. Thanks for all the great tools you give us webmasters to try to analyze and repair these issues.

  29. This is a good example and thank you! Showing us how to be more wise in giving trust to others is definitely important. I’ve encountered a hack site a client and it would give you a big trouble. As webmasters you need to secure your computer free of viruses. You need to secure your website ftp and admins with secure passwords. Go to a reliable hosting provider that provide high measure of security and helps when these things happen.

  30. We expect more updates!

  31. The problem of hacked sites is such a horrible one to deal with, not least because it can easily happen without being aware that it exists.

    An insidious one I’ve had to deal with this week on some of our forums is where the datastore is injected with a redirect that only affects traffic from Google and other search engines. So you can use the forum fine, so can other users, and you only discover the problem if you try and visit your site via Google – which I presume many will not.

    Another issue is having very good anti-virus installed on your PC (especially if Windows). A couple of years ago I found users reporting malware warnings via their anti-virus, but mine reported nothing. After a few tests I found that Avast! works especially fast at identifying exploits, and AVG can be very good too, though certain popular brands can take days to identify there is a problem in the first place. By which time, your users have been infected while you are ignorant.

    I really appreciate that time that Google has taken to address this issue, as certainly site hacking is something that needs to be addressed. But ultimately it is the site owner who is the first line of defense, so hopefully with increased awareness comes the ability to spot such issues faster, and therefore deal with them appropriately.

  32. Matthew Anderson

    Hi Matt

    I see you have deleted my comment talking about the penguin update and how it was going to affect my business. You did not feel the need to address me but did obviously feel the need for the comments removal.

    It has been many months now since the penguin update and I would like to let you know what has happened with us since. Firstly we made changes to our site, but as the penguin update appears to be periodic this has made no change. We have gone from 3,000 monthly enquiries to 120. I have laid off all my staff, and I have had to move house as I can no longer afford the mortgage. I am close to splitting with my partner and 5 children due to our financial situation and of course there are problems in my ex employees’ lives also who have been affected by this as much as me.

    What I would really like to know is this:

    When will penguin be activated and run again? I am hoping we will regain some business once this happens which will rejuvenate my company and family life. Even just a rough idea would be very helpful.

  33. I have just begun to use this “Fetch as Googlebot” tool for a couple of wordpress sites I look after and it has already made life easier. It has helped me get a better understanding of spam.
