Sunday, August 31, 2014

HackOff – a program to report on suspicious files on your webserver

HackOff has been written in and it’s a simple program that searches for suspicious files like global.asa, *.asp and *.php files.
You upload it into your root directory and it will search the main folder and all sub folders for any offending files.
It reports back to you on screen, plus it emails a report to you.  It tells you the folder, the filename and the last change date of the file.
It can be set up as a scheduled program to run each week, allowing you to quickly discover if you’ve been hacked and do something about it.
Don’t wait till it’s too late and don’t think that your website isn’t important enough to be hacked.  It can happen to anyone!  So it’s better to be prepared.
Just as you run an anti virus program on your computer, so you should run some sort of checking program on your webserver.

How to fix a hacked website with Louis Vuitton spam links

Often a hacked website goes unnoticed.
If the hacker wants to use your website to improve their Google ranking, they may upload some files that will hijack your Google SERPs (search engine results page) and add a whole lot of spammy links that actually go to their website
For example, you might have a website called which has a home page and a contact us page.  If you do a site search (by typing in Google), those 2 pages should be listed.  However, if you’ve been hacked, you might find a whole lot more references with strange titles and descriptions like Louis Vuitton replica handbags.
The first thing you should do is change your FTP password and your control panel password.
Then do a virus check to make sure there is no malware on your computer capturing keystrokes and passwords.
Then it’s time to clean up the mess the spammers have created.
If you don’t already have an account with Google, create one (it’s free).  Under your Google account, create a Webmaster Tools account and add your website.  You can use the Google Index/Remove URLs tool to get rid of unwanted links.
But first you need to find the files that have been uploaded and get rid of them or rename them to render them useless.  The files that you should look for are global.asa, *.asp and *.php.  If you are using an FTP client, make sure to change the settings to SHOW hidden files.  If you find any files that match, rename them to something like WTFglobal.asaWTF, WTFswing.aspWTF, etc.  This will disable the file from being run as a program – the web server will not be able to identify it as an executable file.  Make sure you check thru EVERY folder on your web server.
I’ve written a program that can be uploaded to your web server to check for global.asa, *.asp and *.php files in the root and sub folders – perfect for shared web hosting environments or large WordPress sites – contact me for more information about HackOff
Once you are sure you’ve killed off all possibility of those spammy programs running, use WebMaster Tools to remove the spammy links that you detected via your site search.  This is a laborious and time consuming task, but there is no other way to remove the spammy links than one by one.  Copy the link from the Google results page and paste it into the URL to remove in Google Index/Remove URLs.
This should take effect within a 24 hour period and you should see a clean list in your Google site search SERPs.
If you are having further problems, reach out to a Google representative via their forum –!forum/webmasters
I’ve found them extremely helpful and much more approachable than the help desk people at most web server companies who basically tell you it’s all your fault you were hacked into and have no further suggestions.