Hacked type: Code injection

What does it mean to have pages marked with the hacked site type “Code injection” in Search Console?

This means that a hacker has compromised your site and is redirecting visitors from your site to their spammy site. Sometimes, only certain users are redirected, based on their location, referring site, or the device they're using (such as a mobile phone). The hacker may have injected the malicious code directly into your site's HTML files (for example, a JavaScript redirect) or into files that generate your site's content (for example, PHP files). Another way the hacker could redirect visitors is by modifying your server's configuration file(s). Server configuration files commonly allow the site administrator to specify URL redirects for specific pages or directories on a website. For example, on Apache servers, this is the .htaccess file as well as httpd.conf. (If you are unfamiliar with how to examine your server’s configuration files, see Step 2: Build a support team in the Help for Hacked Sites recovery process.)

For more general information on sites compromised with spam, see Step 5: Assess the damage (spam).

How can I investigate the redirect on such a page?

First, avoid using a browser to view hacked pages on your site. This is because hackers often configure pages to redirect based on user characteristics such as:

  • Location, often inferred through their IP address
  • Referrer, such as a search results page
  • User-agent, such as a mobile or less-secure browser

Consider confirming the behavior using the following technique instead:

  • Use cURL or Wget to fetch a page:
    These freely available tools let you view the source of the page as seen by a search engine, and have the flexibility to include referrer or user-agent information. By serving spammy content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and anti-hacking algorithms used by search engines. (Your site will need to be online to use these tools.) For example:
    $curl -v --referer "http://www.google.com/search?q=page" --user-agent "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" http://www.example.com/page.html
  • Fetching a page with a compromised server configuration file may return the following headers:

    > HTTP/1.1 301 Moved Permanently
    > Date: Sun, 24 Feb 2013 21:06:45 GMT
    > Server: Apache
    > Location: http://<spam-site>/index.html
    > Content-Length: 253


    Or, on inspecting the contents of the returned page, you may see injected code like so:

    • JavaScript or another scripting language that calls and runs scripts from a spam site: <script type='text/javascript' src='http://spam-site/js/x55.js'></script>
    • Scripting that redirects the browser to a spam site:
        if (document.referrer.match(/google\.com/)) {
    • Spammy code that’s obfuscated to avoid detection:

    Investigate all possible suspicious code present on the site. It may be helpful to search for words like "script" to find JavaScript code. Other helpful keywords are "eval", "unescape", etc.

    How do I clean my site of the "code injection" hacked type?

    When you're ready to clean up your site (Step 7 of the Help for Hacked Site recovery process), you can either replace affected files with the last good backup or you can remove the code injection from each page and all related scripting functions and files. If you modified server configuration files, you may need to restart your webserver for the changes to become effective.

    Please be aware that while cleaning the hacked type "code injection" is helpful in recovering a hacked site, it doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be hacked again in the future. One useful thing, for instance, is to update any software running your site, like an old WordPress installation. For more information on cleaning your entire site, not just this hacked type, see Help for Hacked Sites, specifically "Filesystem damage assessment" in Step 5: Assess the damage (spam).

    Was this helpful?
    How can we improve it?