Recovering from hacks

Sigh. I love Google. I have had great luck over the years with DIY SEO and have always found Google’s resources to be extremely helpful.

Inexplicably, I seem to be in trouble with Google and have spent about 48 hours trying to figure out the issue, if there is one.

Sadly, I think it’s #$%@! hackers who are making a mockery of my attempt to run an informative blog. Nothing else to do but set other work aside and start looking for the evidence. From prior experience I know it will take me hours to find it.

Description of Problem:

This blog, Loosely Speaking, has suddenly disappeared from the search engine results pages where it once stood strong. If it is because of a violation of Google guidelines, I surmise that it was accomplished surreptitiously and I’ve been busy combing through my code, since I am pretty confident that I have not knowingly violated any of Google’s policies.

Here are the tactics I have tried, since I can’t find anything buried in my blog code:

1. Visited my account at Google Webmaster Tools to look for messages from Google, or indicators that there is something amiss with the site (didn’t find anything sketchy there to be concerned about).

2. Made sure my site map is up to date, just in case some of my more recent content wasn’t indexed yet.

3. Checked to see how many of my blog’s pages are indexed, and, yes, that’s looking good.

4. Wrote to Google to request reconsideration, explaining what I have done so far in trying to find what might be an issue resulting in my removal (though I hadn’t found anything). Wrote a followup request immediately after the first one. Wow, I am getting out of control!

5. Watched video at Webmaster Central Blog called “Requesting reconsideration using Google Webmaster Tools.” That had some helpful tips about looking (again) for hidden code.

6. Looking at Google’s cache view of my site, I see nothing initially, but when I click on “text view,” I have an AHA! moment. I see a whole bunch of embedded ringtone links at the bottom of the page. Are these the culprit? Or, are they a legitimate part of a Google Adsense ad that appears on my site? Could they be the reason I’ve been dropped from page listings?

Important to note: none of these links appear when I use “View Source” to look at my blog pages or when I use “View Source” to examine the php files within the blog. The links ONLY show up in Google’s cache view/text view.

7. Wrote ANOTHER request for reconsideration after FINALLY spotting those ringtone links.

8. Found a description of a do_action issue on Google’s Webmaster Tools Help discussion list:

“I found the problem and, yes, it was activated by requests containing “Google”, “Aol”, etc. The hack was embedded in the WordPress theme I had used, a theme called “[theme name removed]” (which is, ironically, otherwise a good theme). Anybody who is using [theme name removed] as a WordPress theme should look in footer.jsp, where a do_action call to “wp_footer” triggers the spam. I’m very glad to have finally solved this, and I pray Google will confirm that I have removed the violation and will restore me.”

So, I just removed that do_action tag, which appeared just above the body tag in my footer.php file. That may or may not be the right move: the tag looks like this, specifically: <?php do_action(’wp_footer’); ?> That tag probably calls some other legitimat functions that I may want/need on my blog, and I may have now broken those. For the moment, I am just hoping that works to solve the problem.

9. Reading further, in the Google Webmaster Tools discussion, someone asked:

“Have you found the actual function that embeds the links by any chance? “

And the reply was:

“Yes, I have — it’s in “defaultFilters.php”. The function’s name is a long series of digits and characters. It’s an obvious hack, once you see it — the problem is that most people probably never read their “defaultFilters.php” module.”

10. I downloaded my own file named default-filters.php, and stare at it. I have no idea what an “obvious hack” looks like.

11. With energy flagging, I headed over to WordPress Codex to see if I could find any other tips. There’s a lot of good info there; I just couldn’t find anything further to try.

Dejectedly, I sum up the “situation:”

I believe I have found some hidden links that were embedded by a hacker, which resulted in punitive action by Google.

I have modified my footer.php file in hopes of no ill results across the blog and grabbed my default-filters.php file, but can’t tell by looking at it where the code is embedded, or if I have even removed it. I have done everything I can.

How terribly vulnerable & cheated I feel. About ready to throw in the towel on blogging at this point.

A couple hours later…

Feeling better after a nice homemade smoothie, and here are some links for those who want to read more about Google’s position on hacking:

The Day Google Erased me From the Internet

Helping Hacked Sites

Three Tips to Secure Your WordPress Installation

WordPress Exploit Giving Backlinks, Redirects and Headaches, but no Visitors

Did Your WordPress Site get Hacked?

Addendum, 7/1/08: After MORE reading (see last two above articles) and a chat with my host’s Tech Support, I went into my directory and looked for bogus image files, ending with .giff, jpgg, pngg, and containing a variant on an existing file name, with _old or _new appended. Also, found many image files with .php appended.

These files are in my uploads folder, and match, in name, legitimate image files that I uploaded, but that were hacked into different names. Delete all those files that you can find.