How Google Handles Hacked Sites
mattcutts.com — Matt Cutts a google employee and head of the web Spam team at Google. Explains how Google handles Hacked Sites using a real example site that got hacked recently.
- 985 diggs
- eric1, on 10/12/2007, -6/+16Thanks Wordpress. I don't even think Duggmirror got it...
- matthewaaron, on 10/12/2007, -9/+6Wow, that was fast...
- senfo, on 10/12/2007, -10/+2Try this (it's not the original story, but it's related):
http://austringer.net/wp/?p=443
- jus1haz2, on 10/12/2007, -14/+5http://www.duggmirror.com
http://duggmirror.com/security/How_Google_Handles_Hacked_Sites/
You are right they don't have it...
- VipeNess, on 10/12/2007, -3/+7mattcutts..... get a new hosting solution quick ;) how bout get sponsored by google hosting dept. since you are a ranked 8 outta 10 site ;)
- dnthomps, on 10/12/2007, -8/+3http://duggmirror.com
- mistercharlie, on 10/12/2007, -12/+5Site is down already....
- marklj, on 10/12/2007, -11/+6wow. 38 digs and dead?
- zedomax, on 10/12/2007, -6/+6Cache here but i can't find the story...
http://72.14.253.104/search?q=cache:FssCjuOfo7QJ:www.mattcutts.com/blog/+matt+cutts+blog&hl=en&gl=us&ct=clnk&cd=1&client=firefox-a
- zedomax, on 10/12/2007, -16/+3actually it's there, nevermind...
- zedomax, on 10/12/2007, -20/+1oops...no it's not there...
- tecmec, on 10/12/2007, -4/+11Reply button?
- ace87, on 10/12/2007, -6/+20Wordpress sucks it always suffers from the Digg Effect!
- XooX, on 10/12/2007, -0/+2I just made a search on Digg - It returned saying "digg is experiencing high loads of traffic. Please try again later"..
I guess an army of surfers have just landed from Mars..
- Pimpalicious316, on 10/12/2007, -2/+19you'd think a Google employee would have some sort of access to better blog hosting than WordPress.
- mistercharlie, on 10/12/2007, -14/+3He uses WP because he wants to replicate the experiences of an average user.
- matthewaaron, on 10/12/2007, -1/+25Like blogger perhaps?
- spyrochaete, on 10/12/2007, -7/+4WordPress is far far FAR superior to Blogger in terms of features and customizability, but Blogger is a very stable hosting platform. I just switched from Blogger to WordPress and I'm SO relieved at how much easier it is.
Here's an example of how awful Blogger's HTML code is:
http://blog.demodulated.com/2006/11/29/demodulated-routed/
- jcaino, on 10/12/2007, -7/+4actually...the server hosting the site is up....
the db server is up...
the guy just doesn't have his wordpress install done correctly...
- djlosch, on 10/12/2007, -12/+4that's why i wrote my own cms from scratch, and it looks sweet too (check my website in my profile for a link, i'm not going to spam you here)
- spyrochaete, on 10/12/2007, -2/+2@djlosh
It's not spam if it's relevant. I wish you'd posted your link because many people would like to see your design.
- Tuplex, on 10/12/2007, -2/+0@djlosch
It looks "OK"... Certainly not comparable with many of the WP themes though... In terms of looks anyway. I may work flawlessly however... And you should receive points for that...
- crexor, on 10/12/2007, -12/+4its working fine... and the article is pretty lame on top of that.
- MrSpontaneous, on 10/12/2007, -2/+67I got in before the digg effect:
=============================
How Google handles hacked sites
December 4, 2006 @ 2:40 am · Filed under Google/SEO
If you’ve never read my blog before, welcome. I’m the head of the webspam team at Google. And I have a blog for days just like this.
Okay, first off you should go read this post. It’s entitled “Me Against Google” and the author is unhappy that talkorigins.org was nowhere to be found in Google for the last 5-6 days. After that post, go read this Slashdot post, entitled “Google De-indexes Talk.Origins, Won’t Say Why.” By the time you’re done, your pulse should be pounding. Hell, you should be angry. Damn that evil Google for not communicating with webmasters!! Or as Wesley put it in his blog:
You might think that a company that prides itself upon advanced textual analysis and automated decision-making algorithms might provide helpful warning messages to webmasters concerning problems found in their sites. You would be wrong.
Okay, ready for my side of the story? Here’s the timeline of how things happened:
- talkorigins.org was hacked on November 18th. I know this because Wesley says so in his blog post.
- By November 27th, Google had detected spammy links and text on talkorigins.org. In case you’re wondering, here’s what the cracker added:
document.write(String.fromCharCode(60,100,105,118,32,115,116,121,108,101,61,39,100,105,115,112,108,97,121,58,110,111,110,101,39,62))
animal porn, animal sex, beastiality, rape sex, sleeping sex, animal porn, beastiality, dog porn, horse porn, rape sex, sleeping sex, animal porn, animal sex, beastiality, dvd covers, dvd ripper, psp downloads, psp games, psp movies
Not pretty stuff–lots of text about rape and animal porn. In case you’re wondering, that JavaScript at the beginning produces the string “<div style='display:none'>”, which makes the entire section of spammy junk hidden. So talkorigins.org has these porn words and spammy links, and it’s all hidden via sneaky JavaScript.
We have pretty good reason to believe that this site was hacked, but it’s still causing problems for regular users, so Google has to take action. Here’s what we do:
- By November 27th, the site was classified as hacked and spammy. We stopped showing it for user queries.
- By November 27th, we started flagging this site as penalized in Google’s webmaster console. I believe that Google is the only search engine that will confirm to webmasters that their site does have penalties. No, we don’t confirm penalties if we think it might clue in web spammers that they’ve been caught. But yes, we do try to confirm penalties if we think a site is legitimate or has been hacked. You can read more about how we confirm penalties in this previous post.
I hear a few people ask, “It’s nice that I can sign up for Google’s webmaster console and learn that Google penalized my site. But couldn’t Google have done more?” Well, it turns out that we did do more:
- By November 28th, we emailed multiple addresses at talkorigins.org to let them know exactly what happened. According to the records I’m looking at, we tried to email contact at talkorigins.org, info at talkorigins.org, support at talkorigins.org, and webmaster at talkorigins.org with a timestamp of 2006-11-28 14:24:15. Here’s an excerpt from the email that we sent:
Dear site owner or webmaster of talkorigins.org,
While we were indexing your webpages, we detected that some of your
pages were using techniques that were outside our quality guidelines,
which can be found here: http://www.google.com/webmasters/guidelines.html
In order to preserve the quality of our search engine, we have
temporarily removed some webpages from our search results. Currently
pages from talkorigins.org are scheduled to be removed for at least 60 days.
Specifically, we detected the following practices on your webpages:
* The following hidden text on talkorigins.org:
e.g.
animal porn, animal sex, beastiality, rape sex, sleeping sex, animal porn, beastiality, dog porn, horse porn, rape sex, sleeping sex, animal porn, animal sex, beastiality, dvd covers, dvd ripper, psp downloads, psp games, psp movies
…
We would prefer to have your pages in Google’s index. If you wish to be
reincluded, please correct or remove all pages that are outside our
quality guidelines. When you are ready, please visit:
https://www.google.com/webmasters/sitemaps/reinclusion?hl=en
to learn more and request a reinclusion request.
…
You can read more about how we try to email webmasters about issues on their site in this previous post. According to his post, Wesley did a reinclusion request recently, and I’ve confirmed that the reinclusion request was approved, so I expect talkorigins.org to be back in Google within 24-48 hours.
But let’s take a step back. This site was hacked and stuffed with a bunch of hidden spammy porn words and links. Google detected the spam in less than 10 days; that’s faster than the site owner noticed it. We temporarily removed the site from our index so that users wouldn’t get the spammy porn back in response to queries. We made it possible for the webmaster to verify that their site was penalized. Then we emailed the site, with the exact page and the exact text that was causing problems. We provided a link to the correct place for the site owner to request reinclusion. We also made the penalty for a relatively short time (60 days), so that if the webmaster fixed the issue but didn’t contact Google, they would still be fine after a few weeks.
Ultimately, each site owner is responsible for making sure that their site isn’t spammy. If you pick a bad search engine optimizer (SEO) and they make a ton of spammy doorway pages on your domain, Google still needs to take action. Hacked sites are no different: lots of spammy/hacked sites will try to install malware on users’ computers. If your site is hacked and turns spammy, Google may need to remove your site, but we will also try to alert you via our webmaster console and even by emailing you to let you know what happened. To the best of my knowledge, no other search engine confirms any penalties to sites, nor do they email site owners.
Wesley and anyone else who works on talkorigins.org, I’m sorry that this was a stressful experience for you. Could Google do a better job? Absolutely, and we’ll keep working on it. For example, maybe we can show a more specific message for hacked sites in the webmaster console. Google could also try to identify better email addresses when writing to site owners. For example, for talkorigins.org, there are email addresses such as “archive@” and “submissions@” that we could have used instead that might have reached the right person. I’m open to other suggestions too. But please give Google a little bit of credit, because I do think we’re doing more to alert webmasters to issues than any other search engine.
Note to new readers of my blog: I pre-moderate my comments, and it’s after 2 a.m. and I’m going to bed now. If your comment doesn’t show up immediately, it’s waiting for me to approve it after I wake up. ;)
- jeanmaxime, on 10/12/2007, -2/+4What about the porn tags right in the middle of the article ??
They are even on the original article
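As an added illustration (not part of the original thread or of Matt Cutts's post), here is one way a site owner could scan their own pages for the injection quoted above, where `document.write(String.fromCharCode(...))` emits an opening tag styled `display:none`. The function names and the sample page are constructed for this example; the character codes are the ones quoted in the post.

```javascript
// Added example: find document.write(String.fromCharCode(...)) calls and
// report what they decode to. Names here are hypothetical, not a real tool.
const WRITE_CHARCODE =
  /document\.write(?:ln)?\s*\(\s*String\.fromCharCode\s*\(([\d\s,]+)\)\s*\)/g;
const HIDING_STYLE = /display\s*:\s*none|visibility\s*:\s*hidden/i;

// Turn "60, 100, 105" into the string it would produce; null if malformed.
function decodeCharCodes(argList) {
  const codes = argList.split(',').map((s) => Number.parseInt(s.trim(), 10));
  if (codes.some((c) => !Number.isInteger(c) || c < 0 || c > 0xffff)) return null;
  return String.fromCharCode(...codes);
}

// Scan page source and return one finding per decodable call.
function findHiddenWrites(source) {
  const findings = [];
  for (const m of source.matchAll(WRITE_CHARCODE)) {
    const decoded = decodeCharCodes(m[1]);
    if (decoded === null) continue;
    const end = m.index + m[0].length;
    findings.push({
      offset: m.index,
      decoded,
      // Suspicious when the decoded text is a tag that hides its contents.
      hidesContent: /^\s*<[a-z]/i.test(decoded) && HIDING_STYLE.test(decoded),
      // A little of what follows the call, for triage.
      trailing: source.slice(end, end + 80).trim(),
    });
  }
  return findings;
}

// Constructed sample page: the codes from the post (split across two lines,
// as quoted), placeholder text instead of the spam, and one benign call.
const samplePage = [
  '<p>Archive index</p>',
  '<script>document.write(String.fromCharCode(60,100,105,118,32,115,116,121,108,101,61,39,100,',
  '105,115,112,108,97,121,58,110,111,110,101,39,62))</script>placeholder keyword one, placeholder keyword two</div>',
  '<script>document.write(String.fromCharCode(72,105))</script>',
].join('\n');

for (const f of findHiddenWrites(samplePage)) {
  console.log(f.hidesContent ? 'HIDDEN' : 'ok', JSON.stringify(f.decoded));
}
```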
- kylesellers, on 10/12/2007, -18/+3And yet, the diggs keep coming in for this. Can all of you diggers tell us where you were able to read the article? 'Cuz I can't imagine that you would digg without reading it first...
EDIT: Thanks Mr. Spontaneous. Wow, the article isn't even any good.
- itisme, on 10/12/2007, -1/+15what's wrong with the article?
Seems google have a really decent policy for this sort of thing.
I like to moan at any company bigger than about 5 people :-) but on this I think google are trying pretty hard and the article is a good heads up for what to expect if anyone is unfortunate enough to get hacked by these let's face it reprehensible spammers!
- XooX, on 10/12/2007, -6/+9A Google guy - shouldn't he be using Blogspot??
- dusco, on 10/12/2007, -14/+3why do we care how google handles hacked sites?
- tnwake, on 10/12/2007, -1/+10Because some of us have websites and this could happen to us.
- domokun, on 10/12/2007, -3/+8Now here is the real problem:
wouldn't his blog get flagged as well for the fact that he uses all those keywords in his article?
makes you wonder how automated this thing really is.
- tEhKewleSt, on 10/12/2007, -9/+3Dugg down for no pics or info on who spoke the lines and from what movies.
- jcapogna, on 10/12/2007, -1/+10No, his website contains all sorts of porn words, but that's ok. Google will index a site that talks about animal porn. Google notices that the words are hidden in a sneaky way and thus, identifies the site as hacked.
- Koray, on 10/12/2007, -1/+11It wasn't that he used keywords, it was that the keywords were hidden in the source. This is an attempt to draw people via blackhat seo, and is against Google TOS.
- IchiroBoston, on 10/12/2007, -0/+8Google found a hacker using our sites and let us know. It was very well hidden but a very effective hack. It allowed them to gain full root access to our hosted webservers.
Everything is fixed but we are still trying to figure out how they entered. I am 99% sure it was a misconfigured server with the hosting provider.
- Urusai, on 10/12/2007, -7/+2Haha, pathetic web admins getting their sites hacked, and Google has to tell them! What losers!
animal porn, animal sex, beastiality, rape sex, sleeping sex, animal porn, beastiality, dog porn, horse porn, rape sex, sleeping sex, animal porn, animal sex, beastiality, dvd covers, dvd ripper, psp downloads, psp games, psp movies
- XooX, on 10/12/2007, -4/+1heehee..I tell you., he should have had "qwerty" for his website password...
- Jubii, on 10/12/2007, -5/+0"Matt Cutts a google employee and head of the web Spam team at Google."
Not only am I head of the Google Spam team, I'm also an employee!!!
Hey, the site's down, what have we got to do?
- MattCutts, on 10/12/2007, -0/+8Thanks for posting the copy of my post. I'm getting hit by digg and Slashdot at the same time, so my industrial-strength pair.com hosting is still melting down to liquid. :)
- hanapbuhay, on 10/12/2007, -1/+2...the page is loading for me. 12/04/2006 1:14 PM Pacific Time.
- XooX, on 10/12/2007, -1/+1why don't you go for Blogspot? It is after all Google's...
- mianos, on 10/12/2007, -0/+7Summary: Guy's web site gets hacked and replaced with porn and bestiality keywords. He does not notice. Google sends a mail to him and he does not get it. They flag it in his google console. He's still not noticed anything. They de-index his site and he notices. Now he whinges like it's his god given right to have his site indexed again immediately. A google guy says all this and says we are still trying to improve the system but the above is what happened.
Frankly I'd keep the site in the no index list because he's a whiner but maybe I'm not as nice as the guys at google.
- XooX, on 10/12/2007, -0/+1Maybe he wanted his site to get hacked..that's why he didn't care..why is Google being overly-protective?
and by the way, if I replace my acad site with porn, will Google immediately start suspecting me??
- alexkorova, on 10/12/2007, -0/+1@XooX,
only if you hide the keywords in sneaky ways that are against Google's guidelines.
- yatoobin, on 10/12/2007, -2/+2Why does Matt assume the hacker is white? "here’s what the cracker added"
- rudeck222, on 01/24/2008, -0/+0http://www.yahoo.com
- mydave, on 07/31/2008, -0/+0thanks Wordpress for good information.
http://www.ksusg.com
http://mitip2007.org/location.html
http://www.felixdelcampo.com