
How I fixed a website hacked with Japanese pages


1st August 2017


How I fixed a PHP Website Hack (I like to call it Dehacking)

This article is based on a very specific website hack. (I will be blocking out the name of the website to protect the privacy of the owners.)

  1. How I found out the website was hacked

    When I came across this hack, I was not looking for a hack. I was doing some research for a marketing plan for the website. So, I did a Google search for the brand name, to see what was coming up in Google for the business generally.

    Noticing strange Japanese pages on your website in Google search

    As you can see from the graphic above, there's something not right going on ... This website is an English-language website, so it makes no sense for there to be any Japanese characters on this website.

  2. Find all pages that Google indexes on your website

    Type site:example.com into the search box in Google

    Find all pages that Google indexes on the SERP page by typing site:example.com into the search box

    Note that there are no spaces before or after the colon

    Note that http:// is not included

    Note that www. is not included

    With this method, you will find all of the pages that Google indexes on your website.

    This should make sense. So, if there are ten pages on your website, this search should return ten results. So, in the case of the website I was working on, I knew there were roughly only ten pages. However, when I did the site:example.com search like above, I saw this:

    Google returning 5,160 results for this website was an indication something was wrong

    5,160 results is about five thousand more than I expected. Something is wrong.

    When I scrolled down to see all of the pages on the domain, I saw this ...

    Example of Japanese hacked pages on the Google SERP page

    ... loads more Japanese pages on this non-Japanese website.

  3. Find out what caused the hack

    The reason why I am writing this article is because this particular hack occurred on a PHP, non-CMS custom-built website. Typically, it is much less likely for a custom-built website to be hacked, but it can happen, and the good news is that it's usually easier to locate the issue and fix it than on a CMS.

    1. First I checked the .htaccess file. This is a file that lives in the 'root' directory of your website. It looked fine. Nothing suspicious there.

    2. I checked the JavaScript files. JavaScript files end in .js. I found nothing suspicious.

    3. I checked the PHP files. PHP files end in .php. I found a file called events.php. This was suspicious to me, as this website doesn't have any 'events'. By checking the files and folders in the most recent backup, I could see that this was an addition - but the website owner knew nothing of it. Also, the file was added on a date when no changes were made to the website - this is highly suspicious. I deleted this file. This then removed all of the Japanese files from the website (the files now returned 404 errors; 404 means the webpage was not found).
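
The backup comparison described in step 3, as an added example (not code from the original article): it hashes every file in a downloaded copy of the live site and in the most recent backup, then lists files that exist only on the live site or whose contents changed, together with their modification times. The two directory arguments and the constructed sample in `demo()` are assumptions.

```python
import hashlib
import os
import sys
import tempfile
import time

def index_tree(root):
    """Map each file's path (relative to root) to the SHA-256 of its contents."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                index[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return index

def audit(live_root, backup_root):
    """Compare the live site with the backup: (added, modified, removed) paths."""
    live, backup = index_tree(live_root), index_tree(backup_root)
    added = sorted(set(live) - set(backup))
    removed = sorted(set(backup) - set(live))
    modified = sorted(p for p in set(live) & set(backup) if live[p] != backup[p])
    return added, modified, removed

def report(live_root, backup_root):
    """One line per difference, with the live file's modification time."""
    added, modified, removed = audit(live_root, backup_root)
    lines = []
    for status, paths in (("ADDED", added), ("MODIFIED", modified)):
        for p in paths:
            mtime = time.localtime(os.path.getmtime(os.path.join(live_root, p)))
            lines.append(f"{status:<9}{time.strftime('%Y-%m-%d %H:%M', mtime)}  {p}")
    return lines + [f"REMOVED  {'(only in backup)':<18}{p}" for p in removed]

def demo():
    """Constructed sample: a backup, plus a live copy with one unexpected file."""
    base = tempfile.mkdtemp()
    for site, files in (("backup", {"index.php": "<?php // home"}),
                        ("live", {"index.php": "<?php // home",
                                  "events.php": "<?php // not in the backup"})):
        os.makedirs(os.path.join(base, site))
        for name, body in files.items():
            with open(os.path.join(base, site, name), "w") as fh:
                fh.write(body)
    return audit(os.path.join(base, "live"), os.path.join(base, "backup"))

if __name__ == "__main__":
    # Usage (paths are placeholders): python audit.py <live_copy_dir> <backup_dir>
    print("\n".join(report(sys.argv[1], sys.argv[2])))
```

A file reported as ADDED with a modification date on which nobody worked on the site is the pattern that exposed events.php here; MODIFIED entries deserve the same look, since an existing file can be altered instead of a new one being dropped.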

  4. What to do after my website has been hacked

    After your website has been hacked, change all the passwords. This means:

    • FTP passwords
    • Admin login passwords (if applicable)
    • Database passwords (if applicable)
    • Host Admin passwords

    Oh, and back up your website (if it's a WordPress website find out how here), just in case something funky happens again in the future.


    After your website has been hacked, monitor closely for the next two weeks to be sure that you really fixed the issue.

  5. After Hacking: Login to Google Search Console

    This is why you should set up Google Search Console (previously known as Google Webmasters) from the first day you launch your website, on the same day that you set up Google Analytics. Log in to your Google Search Console and check whether any dodgy sites are linking to yours.

    Sometimes, Google Search Console will actually alert you to the fact that your website was hacked (in this particular case, it didn't).

    Check that there are no dodgy websites linking to yours (and if there are, disavow them), by going to Search Traffic > Links to Your Site:

    Check what sites are linking to yours

    In this case, dealing with this Japanese hack, suspicious sites would be Japanese websites (obviously, assuming that you don't do business in Japan, or otherwise expect genuine links), especially ones that have linked to your website since the hack. In my case, I didn't find any suspicious sites linking.

If you have any questions or experiences with hacking, please do share in the comments below.


by Dorcas Réamonn


©Zonua 2010–2017