Funky Search Results

While working on one of our new house renovation projects, I was doing some research online and noticed that one of the contractor's websites wasn’t working right if I looked it up in Google, but it worked fine if I searched from DuckDuckGo. In fact, judging by the Google results, it looked like his site was hacked.

Here’s the detailed behavior: If I plugged this contractor's name into Google and pulled up his website, the summary contained a little bit of his info, but the title and remaining content referenced an online gambling site. The link for his site looked correct, but if I clicked into it, I was instantly dumped into a URL forward that landed on a gambling site, with the back button disabled.

If I did the same search in DuckDuckGo, his website looked and acted fine. Likewise, if I came in from a clean link (such as a referral link on the product website), or if I typed in his URL directly, I got to his clean, normal page.

We’ve all heard about sites getting hacked and overwritten badly, but this was novel since it only affected search engine results. At first, it almost seemed like it was Google’s search results that got hacked. If I opened his index.html page, it was perfectly clean, with nothing bad hiding in the source. It wasn’t even a complicated website - just a single page with his work info and contact details. No menus, contact forms, multi-pages, etc. But failure through a major search engine can’t be good for business!

It turns out the hack works on the behind-the-scenes files. The site was most likely targeted through an XSS attack, or perhaps because the server was running an obsolete version of PHP that allowed hackers to break in and overwrite content within the site.

The search engine hack works like a tripwire. The hackers overwrite the .htaccess file or modify one or two PHP files, causing a URL redirect if - and only if - a user enters the site via one of the “tripwire” routes, such as coming in via Google or Bing. The tripwire can key not only on the referring search engine but also on the visitor's user agent, for example IE or Firefox. The site owner might not notice the issue because the regular HTML files remain clean and the direct URL works fine. Some owners don’t even begin to look for the issue until they notice a sizeable drop in site traffic, or a customer reports the issue.

Here is a summary of repairs to address this hack:

  • Repair the .htaccess file (in the root directory) if it was hacked, and modify it to block future XSS attacks (details in the links below).
  • If PHP is running on the server, upgrade it to at least 5.3.X.
  • If using WordPress, use the Bulletproof Security plugin.
  • Examine all files for the hack, and strip out the forwarding line of code that has been added to them (sometimes in PHP files, for example those found in the wp-content directory).
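
One way to check an .htaccess file for the tripwire described above, as an added example that is not from the linked write-ups: it flags any RewriteRule that sends visitors to another host only when a referrer or user-agent condition matches. The host names and the sample file are constructed for illustration, and the check covers .htaccess only, not injected PHP.

```python
import re
from urllib.parse import urlparse

# Request variables the tripwire keys on: where the visitor came from, and their browser.
TRIPWIRE_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)

def find_conditional_redirects(htaccess_text, own_hosts):
    """Return RewriteRules that redirect off-site only for certain referrers or user agents."""
    findings, pending = [], []
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue
        target, flags = rule.group(1), rule.group(2) or ""
        host = urlparse(target).hostname  # None for relative, on-site targets
        triggers = [c for c in pending if c[0] in TRIPWIRE_VARS]
        if triggers and host is not None and host.lower() not in own_hosts:
            findings.append({"line": lineno, "target": target,
                             "triggers": triggers, "flags": flags})
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

# Constructed sample: one legitimate canonical-host rule, one injected tripwire.
SAMPLE = r"""RewriteEngine On
# Legitimate: force the canonical host name
RewriteCond %{HTTP_HOST} ^contractor\.example$ [NC]
RewriteRule ^(.*)$ https://www.contractor.example/$1 [R=301,L]
# Injected: fires only for visitors arriving from a search engine
RewriteCond %{HTTP_REFERER} (google|bing)\. [NC]
RewriteRule ^.*$ http://redirect-target.example.invalid/ [R=302,L]
"""
OWN_HOSTS = {"contractor.example", "www.contractor.example"}

if __name__ == "__main__":
    for f in find_conditional_redirects(SAMPLE, OWN_HOSTS):
        print(f"line {f['line']}: {f['triggers']} -> {f['target']}")
```

A finding here is a reason to compare the file against a known-good copy, since a referrer-conditioned redirect to an unfamiliar host is exactly what a direct visit to the site will not reveal.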


You can monitor the behavior of your website from different search engine referrers or user agents using this tool:

https://aw-snap.info/file-viewer/

The tool above can actually help you identify specific lines of suspicious code in the site.

There is an excellent technical explanation of the hack here:

https://www.question-defense.com/2011/01/08/finditnow-osa-pl-hack-google-search-results-redirect-to-finditnow-osa-pl-instead-of-correct-site

For additional reference material, check out forum discussions such as these:

https://productforums.google.com/forum/#!topic/webmasters/AGcTYi0Me3E

https://productforums.google.com/forum/#!msg/webmasters/6dPdJhz7nYc/qLwRIb-MAwAJ

https://productforums.google.com/forum/#!topic/websearch/fU6aj5DjCNs


© 2018-2020 Christy Devonport, unless otherwise noted.