Last weekend was character-building to say the least. Late Friday afternoon one of my clients emailed me to say that he had received an email from a web site visitor stating that when he clicked on the search results for my client in the Google search results, he got sent to a Russian Malware site.
I had a quick look at my client’s web site and all seemed in order. I then did a search for the client’s company name in Google and then clicked on one of the results. Sure enough I too got redirected to a Russian Malware site.
I then logged into the web server and had a poke around. The thing I noticed was that, according to the time-date stamps on the files, one of the files had been updated very recently. The .htaccess file had been edited in the last 5 minutes.
Peeking inside the file I saw what the problem was. There were some lines of code there that basically said: if this visitor has come from Google, Yahoo, Bing, Facebook, YouTube or Twitter, then send them immediately to this web site (the Russian Malware site).
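To show what that kind of .htaccess entry looks like and how a defender can spot it, here is an added example (not from the original post) that scans .htaccess text for referer-conditional redirects to an external host. The sample .htaccess content and the placeholder domain are constructed for the example; `own_hosts` is an assumed parameter listing the site's legitimate hostnames.

```python
import re

# Constructed sample .htaccess content modelled on what the post describes:
# referer checks for search engines / social sites, then a redirect to an
# external host (placeholder domain, not a real indicator).
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*facebook.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*youtube.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*twitter.* [NC]
RewriteRule .* http://redirect-placeholder.invalid/ [R,L]
RewriteRule ^about$ /about.html [L]
"""

# Referer keywords named in the post; a redirect guarded by these fires only
# for search/social visitors, so the site owner never sees it when browsing.
REFERER_KEYWORDS = ("google", "yahoo", "bing", "facebook", "youtube", "twitter")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)

def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return (line_no, target) for every RewriteRule whose target is an
    external URL and which is guarded by HTTP_REFERER conditions that
    mention a search engine or social network."""
    findings = []
    pending = []  # referer conditions seen since the last RewriteRule
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            if any(k in m.group(1).lower() for k in REFERER_KEYWORDS):
                pending.append(no)
            continue
        m = RULE_RE.match(line)
        if m:
            target = m.group(1)
            external = re.match(r"https?://([^/]+)", target, re.I)
            if pending and external and external.group(1).lower() not in own_hosts:
                findings.append((no, target))
            pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

if __name__ == "__main__":
    for no, target in find_referer_redirects(SAMPLE_HTACCESS, own_hosts=("www.example.com",)):
        print(f"line {no}: referer-conditional redirect to {target}")
```

Run it against the real .htaccess (and any others under the web root) after each cleanup; a fresh finding is a quick signal that the file has been rewritten again, as happened in the post.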
If you do a search in Google for ".htaccess file hacked redirect to malware site" you will see this is a common problem, and not a problem that is easily fixed.
From an SEO point of view this hack was an issue because in no time at all (less than 8 hours), Google flagged the web site as being a source of malware and warned visitors not to go there.
Gee thanks Google 🙂
It took me most of Saturday to fix the problem. These hackers were good. These were not young script-kiddies.
As soon as I thought I’d fixed the problem by doing obvious things like changing access passwords, updating software versions, scanning for known vulnerabilities and changing the permissions on the .htaccess file, the problem would come back. Magically the .htaccess file would have new lines of code that I didn’t put there.
In the end I did two things that have fixed the problem. The first one was to update the server to the latest version of PHP. The other was to fix the .htaccess file then immediately change the permissions on the .htaccess file so that the world could read it, but nobody, not even a logged-in web administrator could see or edit the file.
In my research I came across a very useful free tool that can detect these sorts of issues. You can try it out for yourself here: http://sitecheck.sucuri.net/scanner/
The other good news is that once I thought I had fixed the problem I logged a review request with Google, and within 12 hours Google were no longer giving the malware warning message.