    Hi everyone,

    I received an email from Google saying they will take my site from their index, because it appears to be modified by a third party and has spam text in it (i.e. it is hacked). I checked my server logs and MODx logs and found nothing unusual. So I contacted my hosting company to ask them and they also found nothing unusual. When I checked the site yesterday, the pages rendered correctly, but at the bottom of each page there was a table describing a MODx parsing error. I didn’t save it then, so don’t know exactly what it said, but today the errors have disappeared.

    I have now changed all passwords just in case and re-submitted my site to Google. But do you think something dodgy is going on?

    I’m using MODx 0.9.6.1p2 on a shared server. I also use SMF version 1.1.6. My website URL is www.hedgelink.org.uk

    Thank you for any advice!!

    Below I have pasted Google’s email:
    Dear site owner or webmaster of hedgelink.org.uk,

    While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

    The following is some example hidden text we found at http://hedgelink.org.uk/:

    Fund of ltd greatest angers liquidation as a biographies hamburger for the repeated methods herds, a conduits that solids what dormant venture keynes are readable to do in gambler japanese whistleblower. Brompton advantaged tracker fund are fuzzy to nurse, they knows to revocation in an pause and paycheck up the litigators diana fabrication are breeding with the albanians felonies and amiable liberation. T the hereinafter internal rate of return financial calculator bulletin has ya programmers t

    In order to preserve the quality of our search engine, pages from hedgelink.org.uk are scheduled to be removed temporarily from our search results for at least 30 days.

    We would prefer to keep your pages in Google’s index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html. When such changes have been made, please visit https://www.google.com/webmasters/tools/reconsideration?hl=en to learn more and submit your site for reconsideration.

    Sincerely, Google Search Quality Team

    Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview?hl=en and going to the Message Center.

    And here is the reply from my host:
    Hi,

    We did not find any infected files or hidden text in the web pages. The account seems to be clean. We request that you submit a review request to Google:
    1. Sign in to Webmaster Tools with your Google account.
    2. On the Dashboard, select the site you want.
    3. On the Overview page, click Request a review and follow the instructions.
    http://www.google.com/support/webmasters/bin/answer.py?answer=45432&topic=8845

    If you have any other questions, please update the Support Console.

    Regards,

    Jim Hudson
    Technical Support Specialist

    Thanks again
    • SMF 1.1.6 is vulnerable to an Avatar upload hack. The likely outcome is that a script kiddie used this vulnerability to upload a specially crafted avatar which then allowed them to upload a c99shell. From there they then likely modified every JS and PHP file on your account. You should upgrade to SMF 1.1.9 immediately, likely by reinstalling and looking at recent discussions on the SMF forums.

      Do you also have register globals enabled, and the snippet.reflect.php in your /assets/snippets/reflect directory?
        Ryan Thrash, MODX Co-Founder
        Follow me on Twitter at @rthrash or catch my occasional unofficial thoughts at thrash.me
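
Added example (not part of the original thread, and not MODX or SMF code): a file-system check for the two traces the reply above describes, namely PHP code inside files in an upload directory and recently modified PHP/JS files. The directory names `avatars` and `attachments`, the 30-day window, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path

PHP_TAG = re.compile(rb"<\?php", re.I)      # short tags (<? / <?=) are not matched
UPLOAD_DIRS = {"avatars", "attachments"}    # assumed upload directory names
CODE_EXT = {".php", ".js"}


def audit_webroot(root, since_days=30, now=None):
    """Return (uploads_containing_php, recently_modified_code), relative paths."""
    root = Path(root)
    cutoff = (time.time() if now is None else now) - since_days * 86400
    php_in_uploads, recent = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        ext = path.suffix.lower()
        # Upload directories should hold images only: flag script extensions
        # and any file, whatever its extension, that embeds a PHP open tag.
        if any(p.lower() in UPLOAD_DIRS for p in rel.parts[:-1]):
            if ext == ".php" or PHP_TAG.search(path.read_bytes()):
                php_in_uploads.append(rel.as_posix())
        # mtime is only a hint: it can be reset, so an empty list proves nothing.
        if ext in CODE_EXT and path.stat().st_mtime >= cutoff:
            recent.append(rel.as_posix())
    return sorted(php_in_uploads), sorted(recent)


def build_sample(root):
    """Create a small constructed web root; returns the 'now' timestamp used."""
    root, now = Path(root), time.time()
    files = {
        "forum/avatars/avatar_1.gif": b"GIF89a\x01\x00<?php /* constructed marker */ ?>",
        "forum/avatars/avatar_2.gif": b"GIF89a\x01\x00\x01\x00",
        "index.php": b"<?php echo 'home'; ?>",
        "assets/js/site.js": b"console.log('ok');",
    }
    for name, data in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_bytes(data)
    os.utime(root / "index.php", (now - 400 * 86400,) * 2)   # untouched for a year
    os.utime(root / "assets/js/site.js", (now - 2 * 86400,) * 2)
    return now


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_webroot(tmp, now=build_sample(tmp)))
```

Every path in the first list needs manual review; the second list is best compared against a known-good backup or a fresh copy of the release archive rather than trusted on its own.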
        Thank you very much for your help Ryan. I do have the snippet.reflect.php in my assets/snippets/reflect directory, but register globals is off. Would I be wise to delete the snippet.reflect.php anyway?

        I’m going to update SMF now.

        Thank you again for your advice :) - much appreciated
        • Subscribe to the security topics and keep your software up to date. Go ahead and remove the snippet.reflect.php file, too.
            Ryan Thrash, MODX Co-Founder
            Many thanks for your help! :)