
Help - just found spam links on server!

No idea how they got there, need help!

         

mooperlee

10:53 pm on Apr 23, 2009 (gmt 0)

10+ Year Member



I run a little site and I noticed my traffic was down over the past few days. Checked Google rankings and my site was missing for many terms. Just by chance checked the site:example.com command and Google said my site had over 3,000 pages - should be closer to 300.

Looked at those pages, lots of this kind of stuff:

www.mysmallsite.com/products/store/order-adobe/adobe-plug-in.php

What! All these pages redirect from my site to this other spam site! I have a directory called 'products' but everything in the products/store directory is absolutely nothing to do with me.

I have a Plesk 8.3.0 control panel. Does anyone have any idea how they could have got there? The only thing I can think of is that I have not updated my blog software lately (I know, am a moron, but it's Movable Type and it's a big hassle to do).

I would REALLY appreciate any help or ideas. I will obviously delete all the spam I can see but I can't have it happening again. Thanks!

Quick edit - just been looking at Plesk and under the column "User" all the spam pages are marked as "apache" where all of my pages are marked with my username. Maybe this is a clue?

MatthewHSE

12:49 am on Apr 24, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I would upgrade your blog (and any other scripts) as immediately as possible, delete the spam, and check carefully for any other files you don't recognize (e.g., back doors).

However, if the spam pages are owned by Apache, then it sounds like your host may have gotten cracked, so it would be worth checking with them.

But if your blog is out of date, it's definitely high on the list of suspects.

lammert

6:50 am on Apr 24, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Shared host, VPS or dedicated server?
If it is shared hosting, I would move to another host, which is a cheaper and easier way to get a clean install than trying to find and fix the hole (which might not be on your side) and remove all spam traces and backdoors.

On a VPS or dedicated server:

1) Change all your passwords which apply to your installation, including those for FTP, Plesk, blog posting, email etc.
2) Upgrade your blog software to the latest version
3) Update your OS version to the latest version with all new security patches
4) Remove all spam links
5) Check with all possible tools and possible help from your hosting provider for backdoors and close them.
6) Restart the server to close some possible persistent network connections to the hacker.
7) Again change all passwords

Or option 2: (easier and safer)
Move to a fresh new server either at this host or at another hosting company.

mooperlee

10:37 am on Apr 24, 2009 (gmt 0)

10+ Year Member



Thanks for the replies. It's shared hosting, and I agree, the answer seems to be to move host, otherwise I will be worried all the time...

Had a closer look at the files and found this: "Captain Crunch Security Team" and they have even helpfully provided their website address like the gentlemen they are. Looks like it is called a C99 shell hack which relates to PHP, and my host may be to blame...

I'm hoping it was either my host, in which case it wasn't my fault and moving host will solve the problem, or it was the blog software, in which case that's my own silly fault and again moving host will solve the problem as I'll get the latest version of the software. If it's anything else that was insecure I really haven't got a clue how to fix it...
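
An added example, not part of the original thread: a Python sketch of the check the posts describe, listing everything under a site's document root that is not owned by the site account (the "apache" clue in the first post) or that contains the banner text reported in the last post. The function names, the marker list and the command-line arguments are assumptions chosen for illustration.

```python
import os
import pwd
import stat
from collections import Counter

# Marker strings taken from this thread's description of the planted files.
# "c99" is short and will also match unrelated text, so review every hit.
MARKERS = (b"captain crunch security team", b"c99")

def owner_name(uid):
    """Map a uid to a user name, falling back to the number for orphaned uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def audit_docroot(docroot, site_uid, markers=MARKERS, max_bytes=1_000_000):
    """Return (findings, per_dir) for entries not owned by site_uid or holding a marker."""
    findings, per_dir = [], Counter()
    for dirpath, dirnames, filenames in os.walk(docroot):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow a planted symlink
            except OSError:
                continue
            reasons = []
            if st.st_uid != site_uid:
                reasons.append("owner=" + owner_name(st.st_uid))
            if stat.S_ISREG(st.st_mode):     # only read regular files
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(max_bytes).lower()
                except OSError:
                    head = b""
                reasons += ["marker=" + m.decode() for m in markers if m in head]
            if reasons:
                findings.append((path, reasons))
                per_dir[dirpath] += 1
    return findings, per_dir

if __name__ == "__main__":
    import sys
    root, user = sys.argv[1], sys.argv[2]    # document root and the site's own account
    found, dirs = audit_docroot(root, pwd.getpwnam(user).pw_uid)
    for path, reasons in found:
        print(path, ", ".join(reasons))
    for d, n in dirs.most_common(10):        # directories holding the most flagged entries
        print(f"{n:6d} flagged under {d}")
```

Files the web server legitimately writes (uploads, caches) are also owned by the server account, so the output is a list to review, not a verdict.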