Help me understand whats happening

#1

I hate being so new to all of this and not understanding what is happening most of the time, so I want to thank anyone willing to help in advance! I am trying to figure out why Google Search console is showing website links to/from folders on my server that do not even exist. From reading on the internet, perhaps this is what is called spam backlinks? What is confusing me is that I would expect spam links to come from external websites/domains, not from my own domain. Maybe I am using the wrong terminology here. I am attaching a pic of the links being reported by Google that I have no idea why they are there, or if there is way to stop them via my Cloudflare setup or even my htaccess file? Obviously the links are porn spam, but where the heck are they coming from? You can see things like:

mydomain.com/profiles/xxxxx
mydomain.com/videos/xxxxx
mydomain.com/tags/xxxxx
mydomain.com/random_crap

My domain does not even have a profiles folder, or videos folder, or tags folder, or any of that. It is a static one page site. I don’t get it. Please help me understand what it is and if Cloudflare can stop it.

0 Likes

#2

I’d scan everything for malware to start.

1 Like

#3

I know you have the two variations of your domain name, the one without the “g” being the main one that the redirects to the non-g domain.

So why does the top of your screenshot show the non-g one, but all the links in the list have the “g” version.

Is the “g” version a recent acquisition? Maybe whatever it was before you started using had all kinds of other stuff going on.

1 Like

#4

If no malware is found or issues found in logs, by any chance have you recently changed SEO or Sitemap plugins of any kind?
While those directories aren’t found in this sitemap groundthumpinmotors.com/sitemap.xml
/tags /videos /category /images etc. are common in a sitemaps.

0 Likes

#5

Thank you everyone for your help so far!

Cloonan: What would you suggest I use to scan for malware. I am on a shared host Cpanel server.

Sdayman: Yes, I noticed that too. I have no idea why all the spam is coming from the (g) domain. I have owned the two domains for over a year and just withing the last month went live with them. I also have the same two domains with the .net extensions. They are all 301 forwarded to the non(g).com address through Cloudflare.

Withheld: Not sure what to use to scan for malware. My hosting provider said my logs are clean and I do not use any plugins as it is a simple static site with a script snippet that creates the store on my static page. It definitely does not use any of those directories showing up in the spam listings, so not sure why they are there.

Perhaps I might have an answer. So I remembered that I created an Trial ahrefs account back in the beginning to search for keywords and stuff. It expired but still seems to be tracking my backlinks, although it only gives me limited access. Regardless, I looked in there. It says I have 33 backlinks on groundthumpinmotors. Google search console says I have 83 but they are coming from groundthumpin(g)motors. Regardless, in the list of 33, I am seeing some of the same spam links that I am seeing in search console. Please see attached screenshot of groundthumpnmotors

and also the one from groundthumpin(g)motors here

They seem to be coming from russia and a few other websites. How are these even attaching to my website? Is there a way to stop them? Is there a way to tell google that I do not want these links attached to my domain? Can I stop it via Cloudflare? Thanks everyone!

1 Like

#6

Based on the first screenshot, it seems that the hacker was only linking from the http version of your website, which indicates it was done before you configured your site to redirect to https. Is this http to https something you set recently? These links should vanish from Google Search Console report within several weeks, as the redirect is now being imposed to https, where theses links will return a 404.

The fact that it lists links from http://example.com/porn-links/ to http://example.com/ means it was probably a smart hack that detected Googlebot user agent and act accordingly. Very likely, while this hack was still active, a visitor not coming from known bots would be redirected to another website.

The fact that the hack is no longer active, as far as redirecting from http to http, does not mean the hacker went away. You need to figure out how a hacker had access to your website in the first place.

If you are the only person with admin access to your website, make sure the computer(s) you use to access the admin areas are malware free, and change any access passwords no matter how much you love them. Also check your home and office routers, change their passwords (never keep the preset passwords given by the manufacturer or ISP).

If other people have admin access to your website, cut this access and just renew it when they need it, forcing them to also change their password for a strong one. By access to your website I mean both access to any application that you may use to generate/edit/config your pages AND your access to your account with your hosting provider, including FTP/SFTP/SSH access. Make sure to require 2 factor authentication for access to your hosting account if available.

Cloudflare has a great tool called Access, which you can use to block public access to areas of your website that should be only seen by admins. You can create a rule to only allow visitors with specific emails. This would force you and them to authenticate a visit every so often, and all public access to your admin areas would be restricted.

Good luck!

1 Like

#7

Thank you for all that information. What worries me is that I did hire a few people from Upwork to fix a few things back in December, but I have changed the passwords since then. I will change all of my passwords again just in case. Also, if you look at the 2nd screenshot of the 3 I attached earlier, you can see an entry as new as 1/25/19 which is only 4 days ago. Ahrefs does not show if these are http or https or not. I made the Cloudflare force https a year ago in the general settings, but I have turned the orange cloud in DNS on and off various time throughout the year when running tests. It has not been turned off now for at least a month or two though. And all of my alias domain redirects were setup within the last month or so.

1 Like

#8

You should try to force the redirect from http to https on your .htaccess file or equivalent. This way, whenever Cloudflare is off for your site, your visitors are still forced to go through https.

Also, you should make sure that your server bars direct requests to the server IP, as Cloudflare would not be able to stop those direct requests. You should probably talk to your hosting provider about how best to ensure this, but if you search this forum you’ll find many topics about it.

1 Like

#9

OK thank you. I will definitely investigate this. All input is much appreciated!

1 Like

#10

So although I have my http redirected via page rules and forced via settings to https in Cloudflare, I am trying to take your advice and add it to my Cpanel as well for good extra measure. So I created the redirect using Cpanel to make ALL of my domains point to https://mydomain.com and the resulting code added to my htaccess file was this:

RewriteCond %{HTTP_HOST} ^.* RewriteRule ^(.*)https://mydomain.com/$1” [R=301,L]

However, I am now running into a weird problem with that code added. My custom error pages are no longer working. It is now simply showing the generic error page instead. As soon as I remove the newly added redirect code and hard refresh the page, my custom error pages work again. What am I missing here? Why is the redirect code messing up my error pages? My error page code in htaccess is:

ErrorDocument 403 /403-forbidden.html
ErrorDocument 404 /404-missing.html
ErrorDocument 410 /410-removed.html

0 Likes

#11

You could try to use the full path in the error document directive, see if that works.

ErrorDocument 404 https://example.com/404-missing.html

If it doesn’t work, than perhaps other community members may be able to help you out with this, as I (almost) always count on my hosting support to edit my own .htaccess, out of fear I may make a big mess out of doing it myself.

1 Like

#12

You are a genius :slight_smile: …that did the trick. Thank you very much!

2 Likes

Firewall Rules vs IP Access - Best method for my idea?
closed #13

This topic was automatically closed after 30 days. New replies are no longer allowed.

0 Likes