When’s the last time you looked inside your website’s HTACCESS file? It really should become a part of your monthly (ack, weekly? daily?) audit routines. There could be gremlins at play you see…
Ok, here’s the gig, one day a mate comes along as asks me, “You mind Googling Twitter?” and I told him to mind his manners as I didn’t go for that kind of thing. Anyway, obliging him, the mighty Google was consulted and from what I could see, the oracle of the ‘Plex was behaving as normal.
Upon pressing for details as to what exactly he is seeing he sends me this;
As you can see the top results are for an Anti-virus website… NOT for Twitter
Being the curious type, I inquired with a few other folks to see what they were seeing. Sure enough, we were all seeing the proper set of results. Fair enough, it sounds like the hull has been compromised and he’s taking on water.
As we backtracked it seems there was a search result that had a peculiar behavior earlier that day. Upon clicking the top result in Google his AV software had done the jig, (although it may have been the Trojan mimicking to gain access). I went over to the website in question – and nothing.
I then searched the website in Google and clicked on the listing – voila! Sure enough you we’re redirected and a pop-up prompted to do a ‘security scan’ cough cough. This behavior ONLY happened when accessing the site via Google.
The HTACCESS Gremlins
What could this be one wondered. Certainly the mighty Goog’ has not fallen pray to wrong doers have they? After all they say they’ve done it before;
Google serves up malware????
Naw, that couldn’t be it.
Initial suspicions leaned towards the site being hacked, but the site administrator was as confused as a link baiter on truth serum, no hacks could be found. To be on the safe side, a few of those in the know, information retrievers, were consulted and one specializing in rarefied AIR (adversarial information retrieval) had the answer. Check the HTACCESS file; which was an enlightening journey.
You see kind reader, they had gone in and were redirecting ONLY the traffic from Google which then prompted and had caused the computer to be infected. Then, on subsequent searches they were intercepting it and sending back their own (modified) Google results. The sneaky little buggars.
Make it a part of your site audits
You can just imagine the reputation problems that could come from this not to mention its potential for sabotage. While this may not seem like the domain of the SEO, having low search engagement and possibly infecting visitors is sure to have negative effects ultimately. No matter how you look at it, from hacking to put nasty (outbound links) on competitor sites to redirecting incoming SERP requests, this is something SEOs need be aware of.
In the modern world of SEO, close ties with the security and system administrators is key. Everyone needs to be aware of the potential for such attacks and be vigilant. A lot of time and money (into search campaigns) could easily be washed away and replaced with a reputation management problem.
What to watch for - This type of attack is often found when you are using a CMS or WordPress type installation that requires the htaccess to be writable (such as SEF URL creation). To guard against it, be sure to chmod your hataccess so the at it’s not writable until you need to publish something new - then make it writable, create pages and then set it back again.
…. Something to consider…
Saturday, November 14, 2009
Home tips seo Google hijackers from crackers; check your HTACCESS
Google hijackers from crackers; check your HTACCESS
Subscribe to:
Post Comments (Atom)
0 comments: on "Google hijackers from crackers; check your HTACCESS"
Post a Comment