Menu

Topic-icon Virus Injection when GoogleBot accesses website - Also using GoogleFetch or Curl

  • it.systems.ltd
  • it.systems.ltd's Avatar Topic Author
  • Offline
  • Fresh Boarder
  • Fresh Boarder
More
2 years 4 weeks ago #3694 by it.systems.ltd
Hello,

Malware Links are ONLY being injected into the pages of the website when it is accessed by GoogleBot.
So, Google is showing the website as "This Site May Be Hacked" underneath the link to the site.

When the page is displayed from the browser and I view the source the Malware Links are NOT showing.

I purchased Security Check Pro to find out where the infected files are located on my website; but when I run the scans it shows that all is OK. Is there something that I am doing wrong? Please advise.

Also...Under System Info it shows the following (but I'm not sure how to fix the problems):

Prevent access to .ht files
1 problem(s) found :

More Info
◦ Prevent Unauthorized Directory Browsing
1 problem(s) found :

More Info
◦ Protect against file injection attacks
1 problem(s) found :

More Info
◦ Protect against attacks using the /proc/self/environ method
1 problem(s) found :

More Info
◦ X-Frame Options
1 problem(s) found :

More Info
◦ Prevents 'mime' based attacks
1 problem(s) found :

More Info
◦ Use default banned user-agents list
1 problem(s) found :

More Info
◦ Disable server signature
1 problem(s) found :

More Info
◦ Disallow PHP Easter Eggs
1 problem(s) found :

More Info
◦ Disallow Access to Sensible Files
1 problem(s) found :


Below is a sample of what is being seen by GoogleBot; I used the curl command to view this:

<a href=http://okouchikobo.net/inyr/kutipan-pidato-ahok-di-pulau-seribu.html>wz</a>, <a href=http://tosport.nl/qel0qo/proposal-pgri-guru-2016.html>zk</a>, <a href=http://sandrahalllaw.com/hi5on/domenica-6-novembre-salmo.html>lz</a>, <a href=http://royalwoods.ru/ljgflk9/debat-dina-diskusi-bahasa-sunda.html>xb</a>, <a href=http://xn--42-plcq9c.xn--p1ai/qvw3l21/campusen-sn-orientations-2016.html>k6</a>, <a href=http://gymbam.co.uk/cpr70e2/lirik-lagu-ingin-jumpa-ost-anugr.html>bu</a>, <a href=http://heyduk.net/jlveup/new-pallapa-antara-cin.html>jt</a>, <a href=http://revitol-skin-tag-removal.com/jccxpb/el-peluche-de-ozuna.html>qi</a>, <a href=http://monsterstudiophones.com/neoz/nivi-estephan-nua-playboy.html>jd</a>, <a href=http://hamza.work/bgtciatj/miraculous-as-aventuras-de-ladybug-tp-1-ep-7-completo-dublado-super-animes.html>nw</a>

Thank you!!!

Please Log in or Create an account to join the conversation.

More
2 years 4 weeks ago #3696 by Jose
Hi Michael,

Thank you very much for your confidence in my extensions!

This seems to be a Blackhat SEO attack; by default the malware scanner only looks for known patterns in files modified a week ago. To change this behavior, go to global Configuration --> malware scanner and set Timeline to 10000 and also enable the deep scan. This will scaan the entire filesystem looking also for suspicious patterns.

Also...Under System Info it shows the following (but I'm not sure how to fix the problems):

All those settings are related to the .htaccess protection feature. Just enable desired settings into this option and click on the "Apply" button. settings will be addded to current .htaccess.

Regards,
Jose

Please Log in or Create an account to join the conversation.

Time to create page: 0.061 seconds
Powered by Kunena Forum

Login or Sign In