Site tanked in Google. Found something very funny but need your help

Discussion in 'SEO' started by arkueckelhan, Feb 15, 2012.

0
  1. #1
    My site tanked HORRIBLY in Google the other day. The good thing is it brought many things to light for me that I needed to change on my site. But after fixing sever errors and deleting tons of spam on my forum, the rankings have not come back.


    So, I did the google query "Site:battleforums.com" to make sure I hadn't been sandboxed... nope. But something VERY weird happened. This is where I need your help.

    When I clicked on the google result for one of my pages http://www.battleforums.com/forums/diablo/ This page came up instead: http://url2short.info/65c2eb15

    There are a few helpers that do have access to my FTP but not able to really look in stats to see what or if files have been modified. Could someone help me find out if they implanted this is my code somewhere? If so, that would explain why google is hitting me so hard. I was unable to reproduce the issue a second time.


    You can do the google search
    (exact page was the ninth result but I'm sure it could be on all pages).



    Thanks guys
     
    arkueckelhan, Feb 15, 2012 IP
  2. Trapped

    Trapped Well-Known Member

    Messages:
    1,832
    Likes Received:
    48
    Best Answers:
    0
    Trophy Points:
    130
    #2
    What it looks like is that your forum has been compromised (hacked) and a (most likely) encrypted javascript code has been inserted in one of the files that get called (and again, most likely the header or footer) which identified the "referrer" and only redirects users if the traffic is coming from organic results and not direct typeins. It is something I have seen on few of clients sites (and mine unfortunately LoL).

    You will need to carefully check each and every file and pay close attention to 1 line long "jibberish" like encrypted code. I haven't experienced this on vbulletin forums so I can't tell exactly which file it is that is compromised.
     
    Trapped, Feb 15, 2012 IP
  3. mevidai

    mevidai Greenhorn

    Messages:
    88
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    16
    #3
    This I also, just trying to
     
    mevidai, Feb 15, 2012 IP
  4. arkueckelhan

    arkueckelhan Active Member

    Messages:
    386
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    80
    #4
    Turns out that vbseo had an exploit that was allowing for site hack. I patched vbseo so this should no longer be an issue.

    But please PM me if anyone still has this show up for me site, I would greatly appreciate it. Like I said, I patched vbseo but that doesn't mean their code is necessarily gone.
     
    arkueckelhan, Feb 16, 2012 IP
  5. arkueckelhan

    arkueckelhan Active Member

    Messages:
    386
    Likes Received:
    5
    Best Answers:
    0
    Trophy Points:
    80
    #5
    I officially resolved this.


    For anyone having similar problems: go to vbseo's site for instructions. You basically will run a test on your site that will identify the rogue plugin, delete that plugin, reset datastores for vbseo and then patch vbseo... simple to do but was hard to figure out with information being scattered everywhere.

    Best of luck if you are having similar problems!
     
    arkueckelhan, Feb 17, 2012 IP