Email from Google - Is it real?

[Geraldm]

Hi,

Just received the below email. The TO address contained all my currently registered email addresses for my domain:

Quote:

Dear site owner or webmaster of <my site url>,

While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/webmasters/guidelines.html. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.

The following is some example hidden text we found at delphi-php.net:

purchase zyrtec the drug zyrtec what is zyrtec zyrtec 5 mg zyrtec 10 mg tablet and pregnancy zyrtec 10 mg zyrtec 10 zyrtec 10mg zyrtec allergy pill zyrtec allergy pills zyrtec buy zyrtec canadian pharmacy zyrtec cheap zyrtec cost zyrtec d 12 zyrtec d description zyrtec d pregnancy zyrtec d prices zyrtec d tablet zyrtec d tablets zyrtec d zyrtec drug zyrtec for sale zyrtec from canada zyrtec hydrocodone zyrtec mexico zyrtec online zyrtec pfizer zyrtec pill discription zyrtec pill zyrtec pills zyrtec prescription drugs zyrtec prescription zyrtec price zyrtec tab 10mg zyrtec tab zyrtec tablets zyrtec tabs 10mg zyrtec tabs

[...]

In order to preserve the quality of our search engine, we have temporarily removed some of your webpages from our search results. Currently pages from delphi-php.net are scheduled to be removed for at least 30 days.

We would prefer to have your pages in Google's index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogsp...ebmasters.html.

When you are ready, please visit https://www.google.com/webmasters/to...nclusion?hl=en to learn more and submit your site for reconsideration.

Sincerely,
Google Search Quality Team

Is this email real? My site is a forum with 10k+ pages (6k+ pages indexed in google) but I do monitor it and have never seen a page with spam on it!

Cheers ....
Gerald.

[godmode]

What was the email address you received it from? and did they actually de-index?

[farrhad]

What was the email address???

[hsc]

Yes pl let us know email address , and if de-index your site?

[Kuldeep1952]

The e-mail seems to be real.

You can see a similar example on matt cutts blog at
http://www.mattcutts.com/blog/helping-hacked-sites/

[kmofo]

Seems to be real, because you've got some problems:
http://www.google.com/search?hl=en&q...delphi-php.net

If you look into the source of this: http://www.delphi-php.net/category/examples/
you will find a ton of hidden links.

[tong1991]

What was the email address you received it from? and did they actually de-index?

[hiteshb]

i think the email address was correct. I think if the question is about email address then the from and reply-to must be same. All the way everything is correct in mail.

[johnenderson]

all the details are correct.

Matt cutts has specified always in his blog and interviews with many peoples
like he said already in the blog, mattcutts.com/blog/helping-hacked-sites/

now they have improved many techniques and support team so there is lots of chances of get support with Email which you received.

Now just take care about Guidelines which they has specified in email.

Thanks

John

[Freewebspace]

First check to header of mail to see that you received it from Google

if it's from Google, Go ahead check all your pages for the above words in database

if your query returns go ahead and remove it... otherwise there is possibility that these might have posted by a spammer in athread using some technique and it might have been indexed by Google before the mods had removed it...

[Lovely]

...check the header of the mail, it will enable to know if the mail is from Google or not.

[Geraldm]

Hi,

After investigating, the email is ligitimate and my site had been hacked.

Someone had managed to copy two files to my blog:

• zip.php
• 1.zip

Contained in the 1.zip file were .html files containing links to spam sites. They were also able to modify my header.php file to include a hidden section containing these spam links.

I have since removed all the spam crap and changed my cpanel/ftp password, I've also changed the permissions on the folder where the files were found to 'read only'.

I've just completed Google's online form requesting to be included again in the Google index.

The only thing I can think of for them to be able to do this is a brute force password hack which must of taken them a while to do. What other way could they have done it?

Cheers ....
Gerald.

[WishBone]

Well done investigating, my friend's site got the same problem and situation too, that zip file was found on his FTP folder. He's looking now for better web hosting.

[kmofo]

Quote:

Originally Posted by Geraldm

What other way could they have done it?

Some kind of code/sql injection that would allow a further file upload. Wordpress is not that vulnerable, but one of the plugins might be...

You can check if one of these fits: http://securitydot.net/search.php?sc...word+press+zip

[dpking]

Yes this is true !!