Google claims site hacked

Discussion regarding Joomla! 3.x security issues.

Moderators: Bernard T, mandville, fcoulter, PhilD, General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Locked
dougytee
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Tue Mar 28, 2017 1:36 pm

Google claims site hacked

Post by dougytee » Tue Mar 28, 2017 10:37 pm

I have recently taken over maintenance of a Joomla site for a friend.

I had an email yesterday from them saying a google search says the site may have been hacked.
I've added the site to my google account and in the google search console and it's telling me
"URL Injection
These pages appear to be created by a hacker with the intent of spamming search results."
then listing about 6 URL's all in the form http://my-friends-site/?xxxxxxxx

below are 3 of the query strings listed

domain/?w30y
domain/?9308170809
domain/?p=jk16ng4jkgqy9e0h

They all just load up the home page of the site, in fact if I just type a random query string after domain/? it takes to the home page of the site.

It had been on an older version of Joomla and I have eventually managed to get it all up to date with the latest version as a precaution.

I'm not sure I can see what the perceived threat is and therefore how convince google to take away the "hacked" message.

Can anyone help me work out what the problem might be?

Thanks

Doug

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37044
Joined: Sat Apr 05, 2008 9:58 pm

Re: Google claims site hacked

Post by Webdongle » Wed Mar 29, 2017 12:00 am

Url please in the form of www.site dot com
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

dougytee
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Tue Mar 28, 2017 1:36 pm

Re: Google claims site hacked

Post by dougytee » Wed Mar 29, 2017 7:40 am

Webdongle wrote:Url please in the form of http://www.site dot com
The site is http://www.markp earsonartist.com
Last edited by mandville on Wed Mar 29, 2017 8:47 am, edited 1 time in total.
Reason: Broke link

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37044
Joined: Sat Apr 05, 2008 9:58 pm

Re: Google claims site hacked

Post by Webdongle » Wed Mar 29, 2017 9:12 am

https://sitecheck.sucuri.net/ shows the site clean however that is no guarantee.

Can you answer 'Yes' to any of the following ?
  1. You downloaded a paid Template from a site that offered a free 'cracked' version ?
  2. You removed files that you thought were hack files ?
  3. You are using a 3rd party extension that is listed in https://vel.joomla.org/live-vel or https://vel.joomla.org/resolved ?
  4. You left it a long time before you updated ?
If you can answer Yes to ANY of those then perhaps you should treat your site as hacked ?

Does google webmaster tools tell you which of your pages those domain/?w30y (etc.) pages are linked from ?
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: Google claims site hacked

Post by fcoulter » Wed Mar 29, 2017 10:50 am

It might be worth using the 'fetch as Google' tool available in the Google webmaster tools, it may give you an idea of what Google is seeing that you are not. It may be that there are some spammy links on your site, but they are crafted to only show when Google crawls your site, it is a fairly common tactic.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

dougytee
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Tue Mar 28, 2017 1:36 pm

Re: Google claims site hacked

Post by dougytee » Wed Mar 29, 2017 11:10 am

Webdongle wrote:https://sitecheck.sucuri.net/ shows the site clean however that is no guarantee.

Can you answer 'Yes' to any of the following ?
  1. You downloaded a paid Template from a site that offered a free 'cracked' version ?
  2. You removed files that you thought were hack files ?
  3. You are using a 3rd party extension that is listed in https://vel.joomla.org/live-vel or https://vel.joomla.org/resolved ?
  4. You left it a long time before you updated ?
If you can answer Yes to ANY of those then perhaps you should treat your site as hacked ?

Does google webmaster tools tell you which of your pages those domain/?w30y (etc.) pages are linked from ?
I haven't built the site or installed any of the themes or extensions. So I can't say for certain, however I'm reasonably confident that the site was designed by someone who would have used a legitimate source for the theme.

I have in the past for this site removed redirects, unofficial users, and files I believed to be suspicious.
The site was running on Joomla 2.x at the time, I updated it to 3.x

There is one 3rd party extension that is on the live-vel list "Akeeba strapper" and other's by the same author, not explicitly mentioned on either list.
JCE is mentioned on the resolved list but is above the version listed on that list.
As I haven't built the site, and to be honest my knowledge of Joomla is relatively small I don't know which plugins/extensions are currently providing functionality and which aren't.

It seems the site has been well behind on updates until I updated it this week.

Webmaster tools doesn't tell me where the pages are linked from, unless I'm looking in the wrong place for that info.

Thanks for the assistance so far.
Last edited by dougytee on Wed Mar 29, 2017 11:38 am, edited 1 time in total.

dougytee
Joomla! Apprentice
Joomla! Apprentice
Posts: 5
Joined: Tue Mar 28, 2017 1:36 pm

Re: Google claims site hacked

Post by dougytee » Wed Mar 29, 2017 11:24 am

fcoulter wrote:It might be worth using the 'fetch as Google' tool available in the Google webmaster tools, it may give you an idea of what Google is seeing that you are not. It may be that there are some spammy links on your site, but they are crafted to only show when Google crawls your site, it is a fairly common tactic.
Thank you. I have done that already, but there is no sign of anything suspicious in the content fetched.

I have also searched the whole database in phpmyadmin for the query strings google is reporting in it's suspicious URL's, finding nothing.

User avatar
Webdongle
Joomla! Master
Joomla! Master
Posts: 37044
Joined: Sat Apr 05, 2008 9:58 pm

Re: Google claims site hacked

Post by Webdongle » Wed Mar 29, 2017 12:05 pm

dougytee wrote:...
I have in the past for this site removed redirects, unofficial users, and files I believed to be suspicious.
The site was running on Joomla 2.x at the time, I updated it to 3.x
...

It seems the site has been well behind on updates until I updated it this week.

....
If it was me then I would treat the site as hacked. 'unofficial users' and ' running on Joomla 2.x at the time, I updated it to 3.x' ... hmmmmmmm plenty of time for hackers to upload files that they can use to access the server. Once they have access they can hide files anywhere on the server.

If you decide to treat it as hacked then please see viewtopic.php?f=714&t=946026 and thread it links to. It is relatively simple as deleting all files then installing to a new database replaces the deleted files ... editing the configuraion.php to connect to the original database gives you a clean site.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein

spacegrrrl
Joomla! Fledgling
Joomla! Fledgling
Posts: 1
Joined: Tue Apr 04, 2017 8:38 pm

Re: Google claims site hacked

Post by spacegrrrl » Tue Apr 04, 2017 8:53 pm

So I am fighting the same issue. I did agree to sort out a clearly hacked site. I had found the version of Joomla was way out of date. I updated that and then secured the DB. I found a bunch of bogus users and cleared the user database table of everyone but the now updated admin account. I found the redirect table was full of hundreds of redirects for all manner of extensions of drug names. So I turned off redirect and cleared the redirect table. I looked at access logs and saw the hacker IP came from 5. so I added a "deny from 5." to the htaccess file. Sorry Russia. The I looked everywhere for remaining tricks to redirect someone. The site seems clean and Google even briefly said it was safe using their secure console. But it now shows back as hacked with malware. But the sites with this appended "/60-mg-adderall" when I "fetch as Google" just show the correct site. What am I missing?

Michele

User avatar
dhuelsmann
Joomla! Master
Joomla! Master
Posts: 19656
Joined: Sun Oct 02, 2005 12:50 am
Location: Omaha, NE
Contact:

Re: Google claims site hacked

Post by dhuelsmann » Tue Apr 04, 2017 9:24 pm

Unfortunately spacegrrrl you should have followed this topic viewtopic.php?f=714&t=946026
Regards, Dave
Past Treasurer Open Source Matters, Inc.
Past Global Moderator
http://www.kiwaniswest.org


Locked

Return to “Security in Joomla! 3.x”