5xxx SEO attack spoofing domain name

G’day all,

This is an odd one. We’ve been getting an ongoing SEO spam attack for a while and it’s taken us some time to get to the bottom of what seems to be causing it.

Our site, matrix.edu.au, is getting spammy backlinks from a site that is masquerading as one of our domains, matrix.education. We have thousands of these links.


They seem to be causing 5xxxx errors on our search console that I can’t figure out how to resolve as they don’t actually exist (couldn’t post second image, will post as reply).

When I try to go to matrix.education it doesn’t resolve and shows a Cloudflare DNS error. We haven’t set up matrix.education on Cloudflare though.

I’ve asked our website developer and he’s not really sure how to deal with this. We own the matrix.education domain, but we don’t use it or have it pointing anywhere. I could block backlinks coming from matrix.education but I’m not entirely sure I should do that in case we start using the domain. I’ve spoken to a few other IT people, but nobody really has any ideas on how to solve this one. Any help or directions would be appreciated.

To be clear, I’m an SEO person with some tech skills, but this is way out of my comfort zone.

Cheers
Pat

Greetings,

Thank you for asking.

I’d suggest that you:

  1. Use the “Pause Cloudflare on Site” option from the Overview tab for your domain at dash.cloudflare.com.
  2. The link is in the lower right corner of that page.
  3. Give it five minutes to take effect, then make sure the site is working as expected with HTTPS.
  4. Contact your hosting provider
  5. Check and scan for any malicious file, malware, disable all plugins, etc.

Hi @fritex, thanks for replying. For a bit of context, we only use Cloudflare for DNS hosting. Our main site is located at matrix.edu.au and is hosted on Kinsta. We don’t actually have anything on matrix.education; it’s just a domain we own sitting dormant. Could you explain how the above would help, please? Just so I can understand why I am doing things?

We’ve already been troubleshooting with point 5 and turned up nothing.

Thanks in advance!

Hi, @patrick.condliffe,

It seems there’s a problem of ownership that needs to be resolved before Cloudflare would be able to help you with other issues.

You claim that matrix.education belongs to your institution, but it has been added by someone to a Cloudflare account, and it seems you have no control over that Cloudflare account. Surely someone then must have gained access to your institution’s account with the registrar for that domain, to be able to point its Name Servers records to Cloudflare.

The first thing to be done is verify with the domain’s registrar if you still have ownership of the domain. After the domain ownership issue is resolved, hopefully favorably to your institution, change the NS records to point to your hosting provider’s default (don’t use any Cloudflare nameservers yet).

At that point you should open a ticket and request that Cloudflare support remove the domain from that account, as by then you’ll be able to demonstrate you have control over the domain. Post the ticket number back here in case you face any difficulties.

After all is settled, then you add the domain back to Cloudflare, by pointing to its newly-assigned nameservers, making sure to subsequently protect it with DNSSEC and HTTPS. As your experience shows, even a parked domain resting somewhere can be a security vulnerability!

As for the existing backlinks, please head over to Google Search Console support community for instructions on how to best deal with, and possibly remove, them.
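
The delegation check described in the reply above, as an added example that is not part of the original thread: it compares the nameservers you set at the registrar with the ones DNS actually returns, for every domain you own including parked ones. All nameserver names in the sample data are constructed, and `live_ns` assumes `dig` is installed.

```python
import subprocess

def normalise(names):
    """Lower-case and strip the trailing dot so 'NS1.Example.' == 'ns1.example'."""
    return {n.strip().rstrip(".").lower() for n in names if n.strip()}

def live_ns(domain):
    """Delegated nameservers as seen by your resolver (needs network and dig)."""
    out = subprocess.run(["dig", "+short", "NS", domain],
                         capture_output=True, text=True, timeout=10).stdout
    return normalise(out.splitlines())

def audit(inventory, observed):
    """Compare the nameservers you set at the registrar with what DNS returns.

    The comparison is on exact host names: a provider-level check ("is it on
    Cloudflare?") would pass a zone that sits in somebody else's account.
    """
    findings = {}
    for domain, expected in inventory.items():
        want, seen = normalise(expected), normalise(observed.get(domain, ()))
        if seen == want:
            status = "ok"
        elif not seen:
            status = "not-delegated"
        elif seen & want:
            status = "partial-mismatch"
        else:
            status = "foreign-nameservers"
        findings[domain] = {"status": status, "unexpected": sorted(seen - want)}
    return findings

# Constructed sample data: every nameserver name below is made up.
OWN_CF = {"own-a.ns.cloudflare.com", "own-b.ns.cloudflare.com"}
INVENTORY = {
    "matrix.edu.au": OWN_CF,
    "matrix.education": {"ns1.registrar-parking.example",
                         "ns2.registrar-parking.example"},
}
OBSERVED = {
    "matrix.edu.au": ["OWN-A.ns.cloudflare.com.", "own-b.ns.cloudflare.com."],
    "matrix.education": ["other-x.ns.cloudflare.com.", "other-y.ns.cloudflare.com."],
}

if __name__ == "__main__":
    for domain, result in audit(INVENTORY, OBSERVED).items():
        print(domain, result["status"], ", ".join(result["unexpected"]))
```

To run it against live DNS, build `observed` with `{d: live_ns(d) for d in INVENTORY}` and schedule the audit so a changed delegation on a dormant domain is noticed early.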

Hi @cbrandt, thanks so much for this. We’re looking into the domain issue. It’s definitely ours, it’s listed on our dash with Ventra IP, our provider. But something doesn’t match up with doing a whois search. I will post back when I learn more. Will do the support ticket and post that here.

Thanks a bundle!
Cheers
Pat

I’ve logged a ticket with support: 2388903

Will keep the thread apprised.

cheers

I’m unsure what support will be able to do in this case. My suggestion is to report all the backlinks from the bad domain to Google directly; that way, your rankings shouldn’t be affected.

I believe you are facing what’s called negative SEO.

Hi @jnperamo, thanks for your input. I’ve got the disavow file ready to roll in SE. Yes, it is definitely a negative SEO attack. The whole thing that kicked this off was tanking SERP rankings and a 404 issue from the spammers hitting our search feature back in October. It’s been an epic journey involving multiple dead-ends and IT support rabbit-holes that lead nowhere. @fiorpare is right though: we’ve had a dev look into it and somebody definitely seems to have hijacked one of our domains (matrix.education) to their Cloudflare account (we had it dormant and so never set it up in Cloudflare, and so didn’t notice until now). Once we can put a stop to that, I’ll send off that disavow. I’m just waiting until we solve the domain issue. One of the problems is that I’m pretty sure they’re turning that domain on and off, so I’m not entirely sure that disavowing the links is going to work on its own; it’ll just kick the can down the road. This article, “Anatomy of a Negative SEO Attack 💣 - The Raven Blog”, kind of sums up what I think is going on:

To make it even tougher to spot with tools, I’m seeing the attackers turn on and turn off domains really, really quickly…they’re hoping (I think) before the link analysis tools get any data on the domain, so it just looks like a weak domain. No nasty spam score in the toolbar.

Another problem is, because of the domain issue, none of my tools like Ahrefs and SEMrush show it up as an issue because they think it is internal.

I’ll keep you posted once support get back to me.
Cheers
Pat

matrix.education → SSL_ERROR_NO_CYPHER_OVERLAP
matrix.edu.au → disable XML-RPC for WordPress, disable comments, disable pingback

  1. Remove Newsletter form / add captcha to it
  2. Contact Us page, remove that form / add captcha to it
  3. my.matrix.edu.au/users/sign_in → add captcha to it + create a firewall rule “JS Challenge”
  4. Create a Firewall Rule to challenge all the requests
  5. Block some of the known AS numbers → SEMRUSH, CRITEO, SEZNAM, MICROSOFT/BING, YANDEX, HETZNER, CONTABO, SCALAXY, GLOBALHOST, HIVELOCITY, OVH, AMAZON-AES, AMAZON-02, LIQUIDWEB, Flyservers S.A., Linode LLC, M247, LEASEWEB, SELECTEL, DIGITALOCEAN, Online SAS, DDOS GUARD LTD

You are using Yoast SEO v17.8 → not the latest, old one. Is it paid or nulled one?

Hi @Fritex,

Thanks for this. I will pass this on to our front end dev to implement. He looks after our WP plugins. We have paid Yoast and SEMrush. I appreciate the time you took to reply!

Cheers
Pat
