Holy Spam Surge – Webmasters Beware dfgsdfgfr@r45t !!

We’ve been spammed. Hard. We’re still trying to work out how and why it occurred, and how we can best mitigate the problems it has already thrown up, but our rudimentary investigation has demonstrated one thing which has wider implications for the entire web population: at least 28,000 other websites have been similarly attacked!

This problem is potentially huge (as are most spam attacks alas) so please do share this news around and help yourselves and each other prevent the sorry state of affairs we found ourselves in this morning – here’s the story.

Our Story

Last night, just before I turned off the machines for the end of the day, I noticed that a great number of pages had lost their search ranking. However, this happens fairly often, so I was not too worried, in any case, it was almost past my bedtime, and I’d been looking at computers for far too long, and anyway, the pages I was monitoring were on a relatively new domain, which can often fluctuate a lot in the Google rankings as they find their natural position. Fine then. Will check first thing.

At the back of my mind I expected what happened in the morning. Which was this: almost all of the pages I was checking were completely invisible.

There were a couple of small changes I had made to the footers across several of our networked sites which could well have impacted the search performance, but not, I felt, this markedly, but, in any case, it was the best starting point to set off trying to diagnose and correct any problem which had caused this sudden marked drop in SERPs.

After a time, I came to the homepage for this very site – http://www.24hourtrading.co.uk/ – as soon as I opened up the HTML file and scrolled to the bottom to check for errors in the footer, I got a sinking feeling. There they were. Clear as day and bold as brass: tens and tens of links containing the spammer’s words of choice “Viagra” and “Cialis” and other “soft pill” related words. All of these links were hidden from ordinary view with CSS. You can see what I found by looking at Google’s cache by clicking here – check out the source code on that page. Go to the bottom. Oh dear. That’s ugly. I’ll upload a copy of the exact text here when the Google cache updates.

The last piece of text interested me, however – it was “dfgsdfgfr@r45t”. Strange, I thought, but I’ll tell you about that in a while, firstly, how on earth did that code get implanted in the first place?

How The Spam Was Injected

As yet, I am unsure, however, I note from my log files that it wasn’t FTP’ed in (which was my first suspicion). The injected spam was also limited to the index page (you can, I hope, only imagine how laborious the search for other instances was!). I would assume, since these homepages, not being particularly server intensive, are still on shared hosting, that any security breach occurred somewhere further up the chain (I would expect a root level access).

The page affected was a simple HTML page – not in PHP, or a WordPress page – so I believe that whoever did this targeted only pages called index.htm or index.html in order to ‘get at’ the commonly named highest ranked / most visited page of a site. I am also sure that these links didn’t come in by utilising any of our scripts.

So, in short, we’re still at a loss as to how it got in. Passwords have been changed, but we’ll be moving the entire domain elsewhere (and we’ve backed everything up as is!) to prevent a future attack of the same ilk. Unfortunately for our friendly shared hosting reseller, with whom I’ve been dealing since I started this game in my teenage years, this means the end of the line for our relationship, as the last of our sites will soon be gone from his stable. A shame.

The Scale of the Problem

As my introduction suggests, this appears to have affected a large number of sites (hence my assumption that it is either a large scale, or root level access(es) which has caused this) – have a look at this Google search to see how many sites are now displaying the spammer’s Viagra links in glorious technicolour. That’s over 28,000 web pages displaying this unique spammer’s string at the last count. Not an insubstantial number of sites which have lost (or are about to lose) their ability to pass on Google PageRank.

Google has clearly penalised our site – not its SERP, but the site’s ability to pass on PageRank to other websites. With our newest websites, this means a large amount of their PR is effectively wiped out in one fell swoop! The older domains we have are OK as they have had time to achieve more backlinks – however, it would be great if someone like Matt Cutts or similar could help with clarification regarding this (type of) situation: what happens here – will it be noted that this was a spam attack and not just a rudimentary spammy attempt on our part? Will our site be unpenalised? Is unpenalised even a word? And other such questions.

If anyone else has been affected by similar – or the same – feel free to make a comment. It would be great to get to the bottom of what happened here, and how we can avoid it.

In any case, our PageRank and search rankings have been seriously affected – don’t let this happen to you – tell your friends, and watch your files if you’re on shared hosting. Change your passwords regularly and avoid FTP. This sort of thing can and will finish a search engine reliant website! The main thing I want to do is get the word out to all those websites who already have hidden (or not so hidden) spam links injected in their websites. A couple I discovered even had all of their content removed. I, for one, shall be moving this entire domain to our own servers as soon as humanly possible!
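One way to watch index pages for this kind of injection, as an added example that is not part of the original post: the Python below checks every index.htm / index.html under a web root for the marker strings quoted on this page and for links sitting inside elements hidden with inline CSS. The hiding patterns, the function names and the sample page are assumptions constructed for illustration, since the post does not show the injected markup.

```python
import re
from html.parser import HTMLParser
from pathlib import Path

# Marker strings quoted on this page (the post and the fourth comment).
MARKERS = ("dfgsdfgfr@r45t", "XGHSLJJ2103@katok_05.05")
# Assumption: the page only says "hidden with CSS"; these are common inline tricks.
HIDING = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?![.\d])"
                    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags that never get a closing tag

class HiddenLinkFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []          # (tag, hides_content) for each open element
        self.hidden_links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        hides = bool(HIDING.search(attrs.get("style") or ""))
        if tag == "a" and attrs.get("href") and (hides or any(h for _, h in self.stack)):
            self.hidden_links.append(attrs["href"])
        if tag not in VOID:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed <p> or <li>.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def scan_html(text):
    finder = HiddenLinkFinder()
    finder.feed(text)
    finder.close()
    return {"markers": [m for m in MARKERS if m in text], "hidden_links": finder.hidden_links}

def scan_webroot(root):
    """Check every index.htm / index.html under root; return only files with findings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower() in ("index.htm", "index.html"):
            result = scan_html(path.read_text(errors="replace"))
            if result["markers"] or result["hidden_links"]:
                findings[str(path)] = result
    return findings

# Constructed sample page (not the real injected markup, which the post does not show).
SAMPLE = """<html><body><p>Welcome<br>to the site</p><a href="/contact.html">Contact</a>
<div style="position:absolute; left:-9999px"><a href="http://pills.example/a">x</a>
<a href="http://pills.example/b">y</a> dfgsdfgfr@r45t</div>
<a href="/about.html">About</a></body></html>"""
```

Links hidden through a class or an external stylesheet rather than an inline style attribute are not caught by this check, so a clean result is not proof that a page is untouched.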

Please pass on this warning to all who should or could heed it.

About the Author

Rob Scott

Rob Scott is a 26 year old originating from Wensleydale, in the heart of the Yorkshire Dales National Park (UK). Rob founded 24 Hour Trading Ltd which currently owns and runs a series of websites. Rob writes extensively on a number of subjects here and in several other online publications, while, in his limited free time he develops his poetry. Rob has left Twitter and Facebook, after deciding there is no personal benefit to using either network.

5 Responses to “ Holy Spam Surge – Webmasters Beware dfgsdfgfr@r45t !! ”

  1. Hey Rob,

    That’s incredible… I couldn’t stand if someone spammed my site like that. Thanks for sharing in your comment on my site. I’ll be on the lookout for such spam attacks.

    As for how it occurred, I’m at a loss for answers too. Although, you may want to check your permissions in your directories and folders on your FTP. Even though it didn’t get through via FTP I think there are ways to change files without using FTP. Good luck recovering from that one.

    Ouch!

  2. You should update your copy of WordPress as well. It looks like you’re running version 2.3, which is insecure. The current version is 2.5.1.

  3. Yes – we’ll be updating WordPress as soon as possible – though that’s not the issue here I think, as the security flaws in WP 2.3 were due to spam links being inserted into WordPress posts (and only on blogs which allowed user registration).

  4. It’s much worse than that.
    Google for XGHSLJJ2103@katok_05.05
    Same construct, but this one is not pills but porno. It’s been around for years.

    Attacks are similar:
    Look for .htaccess files if using Apache.

  5. It appears that world famous ethical hacker Ankit Fadia was also a victim of this same attack; how does he expect to teach fellow Indians about security if his own site was broken into?
