Google delivers take down notice for A Distant Soil.com UPDATE
on May 27th, 2010

A few months ago, Drugshopworld.com hacked our site and inserted page after page of links to sales of illegal drugs.
We thought we had cleaned up the mess, but apparently not.
Here is the message I got from Google this morning:
Dear site owner or webmaster of adistantsoil.com,
While we were indexing your webpages, we detected that some of your pages were using techniques that are outside our quality guidelines, which can be found here: http://www.google.com/support/webmasters/bin/answer.py?answer=35769&hl=en. This appears to be because your site has been modified by a third party. Typically, the offending party gains access to an insecure directory that has open permissions. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
The following are some example URLs from your site:
http://adistantsoil.com/322b?sodia=3100
http://adistantsoil.com/328f?sodia=4271
http://adistantsoil.com/32a9?sodia=2376
In order to preserve the quality of our search engine, pages from adistantsoil.com are scheduled to be removed temporarily from our search results for at least 30 days.
We would prefer to keep your pages in Google’s index. If you wish to be reconsidered, please correct or remove all pages (may not be limited to the examples provided) that are outside our quality guidelines. One potential remedy is to contact your web host technical support for assistance. For more information about security for webmasters, see http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html. When such changes have been made, please visit https://www.google.com/webmasters/tools/reconsideration?hl=en to learn more and submit your site for reconsideration.
Sincerely, Google Search Quality Team
Note: if you have an account in Google’s Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview?hl=en and going to the Message Center.
I’ve sent the note to my webmaster, and I assume she can fix it, but if not we’re going to need some help.
I’ve read that Google will take down sites completely, but losing our indexing can really kill our traffic, too. I also don’t know if this is limited to those added “sodia” pages that the hacker inserted. We’ll see what happens.
I’ve had many complaints from people that they could not register to comment at the site, but it is because of this hack that I keep registration closed most of the time. The hacker gained access via registration.
If you want to register, send me a note and I will set up an account for you. Don’t forget to tell me your preferred username.
c
PS: Am I the only one who sees the irony in Google delivering a take down notice to me because of a hack, but leaving up hundreds of pirate sites, many of which illegally load tens of thousands of books every day?
Just asking.



It might not just be the registration – security at the server level might also have been compromised. I’m sure your web person is already doing this, but the OS on the server and all the software running on it need to be kept up to date, too.
DC is working on it right now. I don’t really know what she is doing, but if anyone has suggestions, please feel free to post them. I appreciate the help and will forward everything to her.
When last we looked, the hack was entirely via the registration, but that may have changed, of course.
BTW, someone was using my site email for spam, too.
Alas, we’ve also been unable to restore the Open Source ads from Comicspace. Full of viruses.
You don’t have to “use the site email for spam.” They might use the @blahblah address, but they are probably not using your site itself. One of my email addresses was continuously spoofed years ago and the admin tracked the idiot down to an IP in China. He then played with the settings for “this is legit mail from this server” so that it can only come from a North American address. If I were to go to Europe, I’d have to let him know ahead of time. This is where the number crunching and technical stuff makes my head hurt.
Google is full of irony. I don’t think they can take your site down, not unless they owned the isp that maintained the site.
“outside of our quality guidelines”
well, Google, why not just not include those pages? Duh!
I think they’re just pissed you won’t run their Adsense nonsense.
One thing DC should definitely look at is how the SMTP (outgoing mail server) on http://www.adistantsoil.com is configured. I did a quick check and verified that an SMTP server is running on your machine.
SMTP servers are notorious for being easily compromised. Unless you absolutely need it to send out emails (you seem to regularly use your earthlink.net address for email), the SMTP server should either be disabled (may not be an option if your server or blog software use email to send notifications) or configured to require authentication or to not accept email unless it’s to particular addresses or from certain addresses.
I’m not an SMTP configuration expert and getting the settings right can be tricky. What sort of hosting company do you use? Do you have a managed hosting plan, or does your webmaster also handle all of the system administration, too?
And yeah, forging the “from” in an email is really easy. It’s much harder to forge the trail an email generates as it relays from server to server. You can usually trace an email back to its source. Spamcop.net has some good tools for that.
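The relay trail mentioned in the comment above can be read out of a message's Received headers. The following is an added example, not part of the original comment thread; the sample message, host names and addresses are constructed (reserved documentation domains and IP ranges), and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Each relay prepends its own Received header,
# so the oldest hop is the one nearest the bottom.
RAW = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby mail.recipient.example with ESMTP id A1; Thu, 27 May 2010 10:00:03 -0400
Received: from relay.unrelated.example (relay.unrelated.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2; Thu, 27 May 2010 10:00:01 -0400
From: someone@spoofed-site.example
To: reader@recipient.example
Subject: constructed sample

body
"""

# "from <name> (<reverse lookup> [<ip>]) by <receiving server>"
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\)\s+by\s+(\S+)", re.S)

def relay_path(raw):
    """Return the hops oldest-first as dicts with 'from', 'ip' and 'by'."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3)})
    return hops

def from_domain(raw):
    """Domain part of the From header, which the sender can set freely."""
    addr = parseaddr(message_from_string(raw).get("From", ""))[1]
    return addr.rpartition("@")[2].lower()

def first_hop_matches_from(raw):
    """True only if the oldest recorded hop belongs to the From domain."""
    hops, dom = relay_path(raw), from_domain(raw)
    if not hops or not dom:
        return False
    host = hops[0]["from"].lower()
    return host == dom or host.endswith("." + dom)

if __name__ == "__main__":
    for hop in relay_path(RAW):
        print("%(from)s [%(ip)s] -> %(by)s" % hop)
    print("first hop matches From domain:", first_hop_matches_from(RAW))
```

Only the Received lines written by servers you control can be trusted; anything below the first of those may itself be forged, and the bracketed IP recorded by the receiving server is more reliable than the host name the sender announced.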
Justin you are so kind to post this. Thank you, I will have DC look in to it.
Arlnee: Google closed my account themselves declaring this a “harmful site”. And they never paid the ad money they owed me.
I don’t know what to say except I’m pretty sure this isn’t a harmful site, but I am pretty sure I’m not on Google’s Christmas list for posting lots of the stuff I do about Google.
It seemed to me in their communication that they were talking about specific pages that had coding problems on them and that those were the pages they would “take down” from their indexing. It didn’t seem to me that they meant the whole site (although it wouldn’t surprise me if that’s certainly what they meant to imply).
And frankly, the only problem I’ve ever had on your site, Colleen, was connected to an ad that came from Google, so they aren’t particularly careful about what they accept themselves.
But things like this make me a little anxious about my own site. There are lots of little things I don’t know about the mechanics of the internet that worry me. When I look at my visitor stats (not that I understand all of them) on my hosting service, I see long lists of cigarette and drug “referers” — which I’ve assumed are those annoying “index” sites, that have long lists of sites stuck on pages of ads. But I’m kind of clueless about what that is.
Hey scribbler. I think you are right. I am pretty sure they will not remove the whole site, but I’ve read accounts of other websites being removed for the same thing. So, we’ll keep an eye on it.
I don’t want to be a Cassandra, but my read of Google’s email is that adistantsoil.com in its entirety is scheduled to be removed. When Google finds something objectionable about a site, they typically remove the entire site from their main index. This is known in the interactive business as the “Google Sentence of Death”.
I’m not in the office this week, but I can ask some of the search engine optimization folks at work next week to verify this.
BTW, I didn’t actually try to send an email through your server. I just verified that the service was running and accessible. I can try sending an email if you want.
The reason why server security is so important is because hackers are constantly scanning for vulnerable machines. They run programs that scan vast swaths of IP addresses, looking for vulnerable machines. When the software finds a computer that has a security vulnerability they can exploit, it automatically breaks in and opens your server. Once your server’s been opened, the hackers can do pretty much anything they want.
@ Justin,
Yes, I have read other accounts of sites being removed from Google’s servers, and I do wonder if that is what is about to happen to me. Sure hope not.
Got DC on it, and I have forwarded your notes.
Naturally, Google would not miss having my anti-Google complaints about book search on their search engine.
Maybe Google hacked you
They’ve got a van, running around my house, taking pics of my neighborhood, spying on my WIFI…
If the issue is dealt with, they won’t remove you. Or, alternatively, they will re-list you after the fix. Google updates their listings index several times a week.
Yes, but won’t my posts lose their rankings immediately? Rather a kill on the searches for articles and whatnot. They’ll have to work their way back up the search engine, which will effectively kill us for months.
A not inconsiderable percentage of my traffic comes from people searching articles and info.
Hopefully Google gives you a little time to get this fixed.
I have faith in DC.
I have faith in DC, too.
I have absolutely no confidence in my own webfu. Thank goodness for DC!
I don’t know, Colleen, how much you’d lose in search rankings. Because the number of links TO your site is also a contributing factor. (My secret for getting a high ranking fast — I put the link in my signature for my CBR forum posting. Each post counts as a separate link to my site.) Their search spiders can’t distinguish that you are the one doing the linking, only that the links exist.
Thanks, but that’s not what I mean.
Of course all the links will still be there, but they won’t show in search engines.
For example, when I moved the blog address over a year ago, our rankings tanked because all the old post locations disappeared from the search engine.
Even though links from other sites remained, since the posts were moved, search engines did not list them and that was a substantial hit to our traffic. It took more than six months for our rankings to recover. Six months is a lot of lost traffic and advertising income.
“PS: Am I the only one who sees the irony in Google delivering a take down notice to me because of a hack, but leaving up hundreds of pirate sites, many of which illegally load tens of thousands of books every day?”
Yes, it is ironic but “strictly business” for Google, the bad links could cause them to lose business while the illegal sites generate income for them.
I don’t know if DC did the magic yet, but I just noticed that adistantsoil/sodia links are not being redirected to drugshopworld, but are now coming in to the A Distant Soil home page.
Problem solved? We shall see.
Fingers crossed!
It seems to me like you have had a sql injection attack, so maybe you should look at that. That’s when arguments sent to the server and stored to the database have been maliciously altered in such a way that it mutates the resulting sql into more commands than it should, and that can be done simply using a malformed url for example.
Okay, amikael — I’d say “that’s Greek to me” except I studied (classical) Greek for a year.
But it was way over my head. Heh. Is there a comic book version of it?
If you send a string to the server that is used to make up a sql string to be executed, it might end up like this: “update blog set entry=’sent_value’” where sent_value is “Hello”. But the sent value could be “hello’ more_sql_added” and the full string which is executed then becomes “update blog set entry=’hello’ more_sql_added” and you have a sql-injection happening.
There are more complex versions of this, but this is the original form that originated the term.
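The string-building problem described in the comment above, shown next to the usual fix (a parameterized query). This is an added example, not part of the original comment thread; the in-memory SQLite table, its columns and the function names are constructed for illustration.

```python
import sqlite3

def new_blog_db():
    """Constructed sample table, named after the comment's 'blog' example."""
    db = sqlite3.connect(":memory:")
    db.execute("create table blog (id integer primary key, entry text, author text)")
    db.execute("insert into blog values (1, 'old text', 'site owner')")
    return db

def build_unsafe(sent_value):
    # Vulnerable: the value is pasted into the SQL text, so a quote inside
    # it ends the string literal and whatever follows is parsed as SQL.
    return "update blog set entry='" + sent_value + "' where id=1"

def update_unsafe(db, sent_value):
    db.execute(build_unsafe(sent_value))

def update_safe(db, sent_value):
    # Hardened: the SQL text is fixed and the value is passed separately as
    # a bound parameter, so it can only ever be treated as data.
    db.execute("update blog set entry=? where id=1", (sent_value,))

def row(db):
    return db.execute("select entry, author from blog where id=1").fetchone()

def demo():
    results = {}
    # 1. The comment's own value: the tail is handed to the SQL parser,
    #    which rejects it because it is not valid SQL.
    db = new_blog_db()
    try:
        update_unsafe(db, "hello' more_sql_added")
        results["comment_value_unsafe"] = row(db)
    except sqlite3.OperationalError as exc:
        results["comment_value_unsafe"] = "SQL error: %s" % exc
    # 2. When the tail happens to be valid SQL, the statement silently does
    #    more than intended: a second column is overwritten.
    value = "hello', author='someone else"
    db = new_blog_db()
    update_unsafe(db, value)
    results["extra_column_unsafe"] = row(db)
    # 3. The same value as a bound parameter is stored literally.
    db = new_blog_db()
    update_safe(db, value)
    results["extra_column_safe"] = row(db)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```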
Huh. Okay, I think I almost grasped that! Thank you. If I mull it over some more, it will fall into place now. (Me no talkee computerese, see?)
DC will do a complete revise on the site later this week, with a new version of ComicPress and everything rebuilt from scratch.