Hacked content detected


piccolina

I received this email below...is it spam or do I have an issue? Any help is greatly appreciated..

This is some of the message...

Hacked content detected on http://www.piccolina.com.au/

To: Webmaster of http://www.piccolina.com.au/,

Google has detected that your site has been hacked by a third party who created malicious content on some of your pages. This critical issue utilizes your site’s reputation to show potential visitors unexpected or harmful content on your site or in search results. It also lowers the quality of results for Google Search users. Therefore, we have applied a manual action to your site that will warn users of hacked content when your site appears in search results. To remove this warning, clean up the hacked content, and file a reconsideration request. After we determine that your site no longer has hacked content, we will remove this manual action.

Following are one or more example URLs where we found pages that have been compromised. Review them to gain a better sense of where this hacked content appears. The list is not exhaustive.

http://www.piccolina.com.au/ext1/hair36.php?/16quot-1-jet-black-body-wave-nail-tip-human-hair-extensions-100-strands-10gstrand-p-1267.html

http://www.piccolina.com.au/ext1/hair44.php?/easipart-hd-xl-18-by-easihair.html

http://www.piccolina.com.au/ext1/hair46.php?/celebrity-wigs-c-8_15.html

Here’s how to fix this problem:

1. Check Security Issues for details of the hack

Use the example(s) provided in the Security Issues report of Search Console to get an initial sample of hacked pages.

2. Look for other compromised pages or files on your site

Be sure to check your entire site, including the homepage, for any unfamiliar content that could have been added. The malicious code might be placed in HTML, JavaScript, or other files on your site. It can also be hidden in places you might overlook, such as server configuration files (e.g. .htaccess file) or other dynamic scripting pages (e.g. PHP, JSP). It’s important to be thorough in your investigation.

3. Use the Fetch as Google tool to isolate the malicious content

Because some pages can appear one way to a user and another way to Google crawlers, you can use the Fetch as Google tool to reveal some kinds of hacking. Enter URLs from your site in the tool to see the pages as Google sees them. If the page has hidden hacked content, the tool can reveal that content.

4. Remove all malicious content

You can also contact your hosting provider and ask them for assistance. If you’re having trouble identifying and removing all the conten

 


Hi

1) Have you verified that the email was actually sent by Google or somebody else - simple to do if you check the email headers

2) Have you checked the site details within your Google Webmaster Tools (Search Console) account

3) Have you spoken to your hosting company and asked them for help?

Regardless of the above, a simple search in Google itself will show you that your site is being reported as hacked: https://www.google.co.uk/?gws_rd=ssl#q=www.piccolina.com.au

Ian


We haven't seen you on the forums for a while. You may have missed a critical security update.

Here is what you must do to remove the hack:

In admin, Manage Hooks, Code Snippets tab, delete any weirdly-named snippet.

In the site's folders, delete all snippets in /includes/extra/. (The legitimate ones will be rebuilt from the database. That's why it is important to delete the database record first.)

 


Thank you Ian for your response...I have installed the patch and think all is now normal, and I'll check the webmaster tools as you suggested.

Geoff

Thank you Brian....all done as suggested and I've installed the patch. Thank you again for your help...

Geoff


You need to ensure that you have followed all the instructions to patch and remove any snippets added. Google is still showing you as probably hacked - if you believe you have fixed it and removed all issues (I have seen a site today on a third party hosting company that as well as having the snippet issues also had other rogue files added / amended) then use GWT to do a fetch as Google from the homepage of your store as that requests Google to recrawl your site from scratch

Ian 


Thank you Ian

  • I've removed 1 code snippet.
  • Deleted all snippets in /includes/extra/
  • "use GWT to do a fetch as Google".....I've done this.
  • And submitted a reconsideration with Google.

But the site is still currently showing as "site may be hacked" in Google searches.

I use a budget host in Aust whose customer service is next to non-existent.....perhaps I need to reconsider this.

The likelihood is the hack came through the Cubecart vulnerability or through the hosting?

Geoff


As long as your site is now 100% clean then Google will eventually get around to your site, check it again and remove the warning message, but this isn't instant and can take many days.

This particular hack would have come through the critical exploit that was discovered and fixed back in early September and in this case having a budget host would not necessarily have made any difference UNLESS you had been hosted with us as we patched every single vulnerable CubeCart site hosted with us (many hundreds) in less than one hour of the patch being made available (see our blog post at https://www.havenswift-hosting.co.uk/critical-security-issue-in-v5-and-v6/) !!

However if you are in any way serious about your CubeCart website, being on a budget host (or even many of the big well known hosts that are still cheap) can never be a good idea. You have said yourself that customer service is next to non-existent although I don't believe any other host anywhere would have proactively patched this as we did. However cheap hosts almost always provide any number or all of the following: poor customer service, no knowledge or interest in CubeCart, overloaded and therefore slow servers, little security for your CubeCart application (we have many different layers although no security can stop all types of hack caused by issues like this) and I could go on and on.

Using a cheap / budget host is like opening a bricks and mortar shop in a backstreet of a run-down neighbourhood, not spending any money on the fixtures and fittings to make the shop look great or on maintenance so the roof leaks and then leaving the windows and doors unlocked or with an old rickety lock that pops open at the first sign. Oh and also then not having a telephone installed and so not having any way of contacting the police, security or any workmen to come and help you fix the mess when the roof caves in.

If you are looking to make some money from your business it is a big false economy to spend next to nothing on cheap budget hosting

I will get off my own little soapbox now lol

I hope you get it sorted soon

Ian


...that's an EXCELLENT rant Ian...and probably all true. However I do wonder whether more expensive / more reliable hosting would result in more sales.....but I'm sure that's a discussion best had outside the forum. If you could PM me regarding your prices that'd be great...

Geoff


Hi Geoff

PM already sent but just to follow up regarding your question regarding more sales from more reliable hosting, this can very much be the case. Firstly, if your site is down or slow then that obviously restricts sales. Secondly, a faster website will also rank higher in Google search. In addition, our free CubeCart support allows you more time to focus on your website rather than worrying about or dealing with problems and finally we also provide help and advice to increase visitor numbers and therefore hopefully increase sales as well

Ian


Still having trouble after my Reconsideration request....see reply at bottom from Google.

When I use "Fetch as Google" do I need to manually add each individual URL into the http://www.piccolina.com.au/ BLANK FIELD?

I've re-checked the code snippets (there's only one by B Smither Latest Products Image Resize) and snippets in /includes/extra has the above snippet.

Any assistance would be appreciated.

Reply from Google below

A note from your reviewer:

We are seeing content on your site that we believe is injected by a hacker. The content may be cloaked, meaning that Google sees different content than what’s being shown to you or your visitors. You can use 'Fetch as Google' in Search Console to see the content that we are seeing. Learn about cloaking and 'Fetch as Google' here: https://support.google.com/webmasters/answer/2604723. Here is an example of hacked content on your site: "African American Wigs" (http://www.piccolina.com.au/ext1/hair46.php?/celebrity-wigs-c-8_15.html)


Hi Geoff

I did send you a PM as requested but haven't heard back from you but a quick check of your website confirms Google's assertions that your website is still serving injected content - you may have removed the snippets but we have seen quite a few CubeCart sites (with other hosting companies as none of our customers were hacked due to the action we took to prevent it) where the hacking was much more intensive than the basic initial version and so these sites need a lot more action to clean

Ian


Thank you Ian....I appreciated your PM and I'll admit to being a serial procrastinator...but I'm still not clear on how to remove these corrupt files (or whatever they're referred to as). Is this something I'm able to do myself or does it require professional methods?

Geoff


Hi Geoff

We have just chatted via Live Chat on our website but for completeness, I will also update here. The snippets were a way of gaining / regaining admin access and many stores simply had them (probably via an automated hacking script) but nothing more so once the site was patched and these removed then they were safe. Other sites like yours had additional content uploaded and once this level of access has been achieved it no longer becomes a simple task. I have seen and cleared several sites and while it isn't the most destructive or invasive website hack I have ever seen, there are multiple variations of what content is uploaded and where so giving a simple set of instructions to remove this and that file, replace this file etc isn't possible

Ian


Hi,
This is my first time posting. We have had Cubecart for 3 years or so. I have managed to muddle my way through updates over the years but I would say I have limited knowledge.
I came across this topic looking for solutions to my account.
I have been unable to log in since 11th Nov.
 


I have also deleted the snippets in /includes/extra/ and I think I replaced the patch from the "critical Security update" link from my webhost admin area,
but I still can't log in.
I don't have any Google message associated with my problem.
My hosting company gave me a Cubecart link. https://support.cubecart.com/index.php?/Knowledgebase/Article/View/205/0/i-cant-login-to-the-admin-side-of-my-store-and-the-password-reset-tool-doesnt-work

website is www.tinoneeorchids.com


Double check to make sure there are still no snippets in the /includes/extra/ folder. Also, if there is this folder, /images/images/ (yes, an images folder inside the proper /images/ folder), delete that rogue images folder.

As mentioned before, it is critical that the snippets be deleted from the database first! If you can't login to admin, then you must use an external utility such as phpMyAdmin in your hosting account's control panel to access the database directly. Find the CubeCart_code_snippet table and delete all records found in it.

While you are in phpMyAdmin, try the manual entry of the admin user as discussed in the Knowledgebase article.

Also, if you don't have a local copy of the same version of the CubeCart package as what you have on your site, download that version from cubecart.com. Then, using the File Manager tool in your hosting account's control panel, compare the folders and files of your site with the package. Other than the images you know you have uploaded to your site, everything else that is different is suspect.

 

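Added example, not part of any post in this thread and not CubeCart's own code: a Python sketch of the comparison described in the reply above, hashing every file on the site against a clean copy of the same package version and reporting what differs. The upload folder name, the script-extension list and the reason labels are assumptions made for illustration.

```python
import hashlib
import os

# Assumed for this sketch: merchant uploads live under images/, and these
# file types have no business being inside an upload folder.
UPLOAD_DIRS = ("images/",)
SCRIPT_EXTS = (".php", ".phtml", ".js", ".htaccess")

def _hashes(root):
    """Map each file path relative to root (with / separators) to its SHA-256."""
    out = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def audit(site_root, package_root):
    """Return sorted (reason, path) findings for site files that need review."""
    site, clean = _hashes(site_root), _hashes(package_root)
    findings = []
    for rel, digest in site.items():
        if rel in clean:
            # Shipped with the package: only a changed hash is interesting.
            if clean[rel] != digest:
                findings.append(("modified", rel))
        elif rel.startswith("images/images/"):
            # The rogue images folder inside /images/ named in the thread.
            findings.append(("rogue-folder", rel))
        elif rel.startswith("includes/extra/"):
            # Snippet files; the thread says to delete these after the DB rows.
            findings.append(("snippet-file", rel))
        elif rel.startswith(UPLOAD_DIRS):
            # Known uploads are expected here, executable content is not.
            if rel.lower().endswith(SCRIPT_EXTS):
                findings.append(("script-in-uploads", rel))
        else:
            findings.append(("not-in-package", rel))
    return sorted(findings)

if __name__ == "__main__":
    import sys
    # Usage: python audit.py /path/to/site /path/to/clean-package
    for reason, path in audit(sys.argv[1], sys.argv[2]):
        print(f"{reason:18} {path}")
```

Files the store creates for itself after installation (its configuration file, caches) will show up as not-in-package and have to be reviewed by hand, as will every image in the upload folders, which this sketch does not hash against anything.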

Thank you Brian,
I've checked and there are no /images within /images folder. I have tried accessing phpMyAdmin but I get an HTTP error 500 message.
Now I've contacted my host to see if that can be resolved. Needless to say I've done nothing very productive today.

I'll try comparing the folders & files
