Google rank loss - redirect hijack
Hacking is a topic that is often dreaded by many webmasters and production studios. There are a number of hacking techniques, and we’ve seen (at one time or another) most of the common exploits used by hackers to disrupt sites. Recently we were faced with a new challenge. A client’s client was having big SEO problems, which our client believed were the result of a previous hacker infiltration. Being the helpful agency we are, we investigated to find out more.
The problem
The site had been hacked a while back through a cPanel exploit, and as a result lots of sinister links were appearing throughout the site. This was down to some nasty JavaScript placed into the HTML files. The hacker had obtained high-level access, enabling them to get into the site via FTP, SSH and cPanel. This issue was resolved and the content removed, but the site’s rank in Google had gone and none of the site’s pages were ranked anymore. We investigated further.
The investigation
Our first step was to investigate Google Webmaster Tools. There was a chance that someone had hijacked the Webmaster Tools account by placing a verification file on the server while they had FTP access. Unfortunately this was not the case: after going through the site and looking at Webmaster Tools, we found no settings anywhere that were causing the site’s rank damage.
One thing we did notice is that Webmaster Tools showed “robots.txt” as indexed 11 hours ago, yet the content it had indexed was completely different from what was on the server. This led us to believe there was some form of redirection going on.
We decided to take a look at the server logs, hoping this would shed some light on the problem. We noticed an unusually high number of “301” response headers.
For those who are unsure what that means: a 301 response header informs the user agent (the browser) that the file it’s looking for has been moved permanently.
So we checked the headers ourselves using a Firefox add-on called Live HTTP Headers, but they were not showing anything out of the ordinary, just standard 200 OK responses. This meant that in certain instances different response headers were being served to different user agents. The hacker had manipulated an Apache config file to issue 301 headers for search engines only, which is why the site had disappeared from Google. As far as Google was aware, the site had been moved permanently and did not need to be indexed.
To prove this we used a Googlebot emulator found at:
http://www.smart-it-consulting.com/internet/google/googlebot-spoofer/
It’s thanks to the guys at Smart IT Consulting that we were able to pinpoint exactly what the problem was!
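The log review described above can be scripted. The following is an added example, not code from the original investigation: it assumes Apache’s combined log format and a hypothetical list of crawler user-agent substrings, and reports paths that answered 301 to crawlers while browsers received 200. The log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Assumption: crawlers are recognised by these user-agent substrings.
CRAWLER_RE = re.compile(r"googlebot|bingbot|slurp", re.I)


def find_cloaked_redirects(lines):
    """Return paths that answered 301 to crawlers while browsers got 200 and never 301."""
    seen = defaultdict(lambda: {"crawler": set(), "browser": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        kind = "crawler" if CRAWLER_RE.search(m["ua"]) else "browser"
        seen[m["path"]][kind].add(int(m["status"]))
    # A path that returns 301 to everyone is an ordinary redirect and is not reported.
    return sorted(
        path for path, s in seen.items()
        if 301 in s["crawler"] and 200 in s["browser"] and 301 not in s["browser"]
    )


# Constructed sample log lines (documentation IP ranges, not taken from the incident).
GBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
FFOX = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2) Gecko/20100115 Firefox/3.6"
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2010:09:14:02 +0000] "GET /robots.txt HTTP/1.1" 301 245 "-" "{GBOT}"',
    f'198.51.100.23 - - [01/Jan/2010:09:15:40 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "{FFOX}"',
    f'203.0.113.7 - - [01/Jan/2010:09:16:11 +0000] "GET /index.html HTTP/1.1" 301 245 "-" "{GBOT}"',
    f'198.51.100.23 - - [01/Jan/2010:09:16:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "{FFOX}"',
    f'203.0.113.7 - - [01/Jan/2010:09:17:05 +0000] "GET /old-page HTTP/1.1" 301 245 "-" "{GBOT}"',
    f'198.51.100.23 - - [01/Jan/2010:09:17:44 +0000] "GET /old-page HTTP/1.1" 301 245 "-" "{FFOX}"',
    f'203.0.113.7 - - [01/Jan/2010:09:18:20 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "{GBOT}"',
    f'198.51.100.23 - - [01/Jan/2010:09:18:59 +0000] "GET /contact.html HTTP/1.1" 200 2048 "-" "{FFOX}"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for path in find_cloaked_redirects(SAMPLE_LOG):
        print("301 for crawlers only:", path)
```

To run it against a real log, pass the open access-log file object to `find_cloaked_redirects` in place of `SAMPLE_LOG`.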
Why?
By setting up permanent redirects, the hacker is effectively stealing the page rank of the hacked site’s pages, as the site’s backlinks will be seen by Google as going to the hacker’s site. When someone searches for a keyword relevant to the hacked site, they will in fact see the site to which it’s being redirected. So the why is simple: to increase the hacker’s site’s ranking, even if it is for keywords not necessarily related to what they’re selling or promoting.
The solution
This hack has affected the server at a very high level, and we have contacted the hosting provider in the hope that they will resolve this. Because of that server-level access, there is a chance all sites on this shared hosting box will be affected in the same way. Our client is planning to change hosting provider to someone more reputable.
We hope this helps, and that you now know what to look for if you’re getting similar issues.