Hacked type: URL injection

What does it mean to have pages marked with the hacked site type “URL injection” in Search Console?

This means a hacker has created new pages on your site, often containing spammy words or links. Sometimes these new pages contain code that does things you didn’t intend, such as redirecting your users to other sites or making your webserver participate in a denial-of-service attack against other sites.

Typically, hackers modify your site in one of these ways:

  • By gaining access to an insecure directory on your server. For example, you may have inadvertently left a directory with open permissions.
  • By exploiting a vulnerability in software running on your site, such as a content management system. For example, you might be running an older, insecure version of WordPress.
  • By hacking third-party plugins that you use on your site, such as visitor counters.

For more general information on sites compromised with spam, see Step 5: Assess the damage (spam) in the Help for Hacked Sites recovery process.

How can I confirm that spammy pages have been added to my site by a hacker?

Begin your investigation with the example URLs shown in the message you received or the listing on the Security Issues page of Search Console.  Keep detailed notes of what you find at each URL.

To confirm that new pages have been added to your site, you can use the following methods, even if your site is offline:

  • You can do a “site:” search such as [site:example.com] in Google (note: there should be no space between the site: operator and your domain name). This query shows the pages from your site indexed by us. Here you can check if there are more pages that were definitely not created by you. For large sites, you can use a more specific query, such as [site:example.com pharmacy], [site:example.com/wp-admin/], or [site:example.com inurl:hacked.php].
  • You can log in to your server through shell/terminal access and check specifically for the existence of examples provided under “URL injection” type in Security Issues.

To see the content of the new pages, avoid using a browser to view them. They could contain malware, which often spreads by exploiting browser vulnerabilities. Opening such a page in a browser may damage your computer. Even if there is no malware on the pages, what you see in a browser often doesn’t reveal what Google and/or users see, since hackers can hide the spammy pages using cloaking techniques. You may see nothing, or the browser may report that the page was not found (HTTP return status 404). More about cloaking has been covered in the video corresponding to Step 5: Assess the damage (spam) in the Help for Hacked Sites recovery process.

Instead of using the browser, you can confirm that spammy pages have been added to your site by using one of the following methods:

  • Use “Fetch as Google” in Webmaster Tools:
    Google’s free Search Console provides a feature called “Fetch as Google” that you can use to see a page on your site as Google machines see it. This is useful since many hackers make changes that are visible only to Google machines. For example, they might add links to their site from yours that are only rendered when the referrer is Google.
  • Use cURL or Wget to fetch a page:
    These freely available tools let you view the source of the page as seen by a search engine, and have the flexibility to include referrer or user-agent information. By serving spammy content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and anti-hacking algorithms used by search engines. (Your site will need to be online to use these tools.) For example:
    $ curl -v --referer "http://www.google.com/search?q=page" --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://www.example.com/page.html

In the output of Fetch as Google, Wget, or cURL, you can see the content of the newly-added suspicious page.
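To make the cURL check above repeatable, the following added example (not part of the original page) fetches one URL on your own site under three client profiles and reports which responses differ from a plain request. The function names, profile names, and the Googlebot user-agent string are assumptions of this example; the browser user-agent and referrer are the ones from the command above.

```shell
#!/bin/sh
# Added example: compare how one URL on your own site answers different clients.
UA_BROWSER='Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30'
# Assumption: a commonly published Googlebot user-agent string (not from the page).
UA_GOOGLEBOT='Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
REF_SEARCH='http://www.google.com/search?q=page'

# fetch_profile NAME URL OUTDIR [curl options...]
# Saves the body to OUTDIR/NAME.body and the HTTP status to OUTDIR/NAME.status.
fetch_profile() {
    name=$1; url=$2; out=$3; shift 3
    curl -s --max-time 20 -o "$out/$name.body" -w '%{http_code}' "$@" "$url" \
        > "$out/$name.status"
}

# compare_profiles OUTDIR BASELINE
# Prints one line per profile whose status or body differs from BASELINE.
# Returns 1 if any profile differs, 0 if all match.
compare_profiles() {
    dir=$1; base=$2; differs=0
    base_status=$(cat "$dir/$base.status")
    for status_file in "$dir"/*.status; do
        name=$(basename "$status_file" .status)
        [ "$name" = "$base" ] && continue
        status=$(cat "$status_file")
        if [ "$status" != "$base_status" ]; then
            echo "$name: HTTP $status, $base got $base_status"
            differs=1
        elif ! cmp -s "$dir/$name.body" "$dir/$base.body"; then
            echo "$name: body differs from $base"
            differs=1
        fi
    done
    return $differs
}

main() {
    url=$1
    out=$(mktemp -d)
    fetch_profile plain "$url" "$out"
    fetch_profile browser_search "$url" "$out" --user-agent "$UA_BROWSER" --referer "$REF_SEARCH"
    fetch_profile googlebot "$url" "$out" --user-agent "$UA_GOOGLEBOT"
    compare_profiles "$out" plain && echo "all profiles match"
    echo "responses saved in $out"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A reported difference is a lead to review in the saved files, not proof of cloaking, because dynamic pages can legitimately vary between requests. Matching responses do not rule cloaking out either, since a hacker may key on the requester's IP address rather than headers; Fetch as Google covers that case.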

How can I clean my site of “URL Injection” hacked type?

When you’re ready to clean up your site (Step 7 of the Help for Hacked Sites recovery process), you can either replace affected directories with the last good backup or you can remove the unwanted pages and any files or functions the hacker used to create them.

Please be aware that removing the malicious pages doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be hacked again in the future. One useful step, for instance, is to update any software running your site, such as an old WordPress installation. For more information on cleaning your entire site, not just this hacked type, see "Filesystem damage assessment" in Step 5: Assess the damage (spam) of the Help for Hacked Sites recovery process.