Alright guys, I have spent quite a few hours over the last few weeks trying to figure out why, when you search "site:dynamicearth.net" in Google, it comes up with almost 700 pages that are all spam pages. These cached pages are all linking to articles that come back as a 404 error, and if you check the cached page, it takes you to some other site that talks about prescription drugs. When I first found out about this problem, the main Google listing for the site had different pharmaceuticals listed as the title and meta info. The search results for Ask and Bing all come up fine, but I did just notice that if you search yahoo.com for dynamicearth.net, the second listing is for one of the bad pages. We thought we had found the problem when we noticed there were close to 40 bots crawling our phpBB, so we deleted all of them, and we thought that worked because all the search results were right, whether you searched Dynamic Earth or site:dynamicearth.net. Then a few days later I did the site: search and what do you know, 600 pages of the same stuff.
We had some bots get registered on the site and forums when their captchas were cracked, but they have all been deleted to the best of my knowledge. We have also added reCAPTCHA to the website registration and the forums registration with hopes this will keep them out.
I have read through the Security Checklist and have done most of the stuff on it.
I followed what Dynamicnet said from this forum topic. The box is secured and runs quite a few websites and they have never had this problem. He is using mod_security on the box. I have updated all extensions and removed all unused extensions and all files and tables belonging to them. All machines have been scanned and there are no viruses on any of them. (One of my buddies helping with this problem thought it was user related until he searched it at his store.) Only the people who are supposed to be above registered, are. I have not changed the passwords to everything yet because I would rather get this taken care of first.
The website did not come back as a malicious site, but I set up the webmaster tools through Google and scanned the site as a Googlebot when this first happened, and it was coming back with all the wrong meta info, but this was corrected by deleting the bots from phpBB3.
Here is the jtspost assistant info.
Diagnostic Information
Joomla! Version: Joomla! 1.5.14 Stable [ Wojmamni Ama Naiki ] 30-July-2009 23:00 GMT
configuration.php: Not Writable (Mode: 444 ) | RG_EMULATION: N/A
Architecture/Platform: Linux 2.6.18-92.el5 ( i686) | Web Server: Apache/2.2.10 (Unix) mod_ssl/2.2.10 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 mod_perl/2.0.4 Perl/v5.8.8 ( dynamicearth.net ) | PHP Version: 5.2.6
PHP Requirements: register_globals: Disabled | magic_quotes_gpc: Enabled | safe_mode: Disabled | MySQL Support: Yes | XML Support: Yes | zlib Support: Yes
mbstring Support (1.5): Yes | iconv Support (1.5): Yes | save.session_path: Not Writable | Max.Execution Time: 30 seconds | File Uploads: Enabled
MySQL Version: 5.0.81-community ( Localhost via UNIX socket )
Extended Information:
SEF: Disabled (without ReWrite) | FTP Layer: Disabled | htaccess: Not Implemented
PHP/suExec: User and Web Server accounts are not the same. (PHP/suExec probably not installed)
PHP Environment: API: cgi | MySQLi: No | Max. Memory: 32M | Max. Upload Size: 2M | Max. Post Size: 8M | Max. Input Time: 60 | Zend Version: 2.2.0
Disabled Functions: show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, allow_url_fopen
MySQL Client: 5.0.81 ( latin1 )
Any help would be greatly appreciated.
PS I am sure you are going to need more info, but this is what I could think of now. Just let me know if there is any more you may need.