Today @Hanski alerted me to Google Search informing me that “your website may be hacked”.
And indeed, there was script injection, but it had been done on non-active HTTP pages. Due to the .htaccess rerouting all traffic to HTTPS, no-one should actually have come across any compromised content (fake North Face clothes, Viagra, etc. etc.).
I’ve run the site through malware checks, and they come out clean. The only thing that really is affected seems to be the result that Google Search gets, since it crawls through pages that are normally not visible.
I’ve also taken the pokitto.com front page down for safety.
I’ll be going through the non-active pages and removing any bs.
Jonne
edit: talk.pokitto.com runs on a completely different server and hosting, and has not been affected in any way.
Just for info, I have seen the “your website may be hacked” message since August 28, '18, when I ordered my Pokitto with a credit card. I hope everything will be fine.
Thanks for that info. It seems that the “Japanese keyword hack” in question is only messing up the Google Search results and giving that error message.
I have been going through the .htaccess and PHP files on the site and I have not yet seen any evidence of those scripts on the site itself.
If they were indeed running, according to the stuff I’ve read, you should have gotten redirected to some fake goods pages. But I haven’t noticed any such activity, nor has anything like that been reported to me.
EDIT: and, PayPal and Braintree payments are handled off-site by PayPal servers, so credit card details are never handled on my site.
The only issue that remains is that I need to clear the warning from google search.
I think I have found something that may be the cause of the hack message.
I had (yes yes I know I know) a previous install of ModX on this server in a different directory - you would not have navigated to it, and those pages were not served. But Google Search crawls through everything on the website and finds them.
It seems that this ModX directory may be the cause of the alert. I have not found anything suspicious in the current WP installation.
[02-Sep-2018 18:31:33 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:31:34 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:31:46 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:40:06 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
HTTP_REFERER in a txt file? What?
Until I look at the index.php in the old ModX root:
Just ran a file compare against the WP install from December. No changes in any of the core files.
I think I am ready to conclude that this was the Google Search crawler talking to an old ModX installation that had been hit by some sort of scanner with knowledge of a new exploit.
That should teach me not to leave old stuff on a server.
EDIT: the way the hack modified the Google Search results was to spoof the sitemaps:
EDIT: just for your interest, these pages never existed. They were only in the sitemap that Google was reading. The creator of the hack got some kind of money for referral links. That was the idea of this entire thing.
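A small defender-side check, added here and not part of the thread or of the pokitto.com site: it parses PHP error-log lines like the notices quoted above and flags entries whose reporting file is not a PHP source (a notice raised from changelogs.txt means the interpreter was executing code out of a text file) or whose message mentions a request header such as HTTP_REFERER that crawler-cloaking scripts inspect. The sample log is constructed from the quoted notices plus one ordinary warning; the paths and the extension list are assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the notices quoted in the thread plus one ordinary warning from a regular .php file.
SAMPLE_LOG = """\
[02-Sep-2018 18:31:33 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:31:34 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
[02-Sep-2018 18:35:00 UTC] PHP Warning: file_get_contents(): failed to open stream in /home/smultron/public_html/wp-content/plugins/example/example.php on line 12
[02-Sep-2018 18:40:06 UTC] PHP Notice: Undefined index: HTTP_REFERER in /home/smultron/public_html/core/xpdo/changelogs.txt on line 666
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>\w+):\s+(?P<msg>.*?) in (?P<file>\S+) on line (?P<line>\d+)$"
)
# Extensions that legitimately hold PHP source (assumed list); a notice raised from
# anything else means the interpreter is running code pulled out of a non-code file.
CODE_EXT = {".php", ".phtml", ".inc", ".php5", ".php7"}
# Request headers cloaking scripts read to tell Googlebot (gets spam) from a person (gets the real site).
CLOAK_KEYS = ("HTTP_REFERER", "HTTP_USER_AGENT")

def parse_line(line):
    """Parse one PHP error-log entry into a dict; None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["line"] = int(entry["line"])
    return entry

def reasons(entry):
    """Why an entry deserves a look; an empty list means nothing odd."""
    out = []
    if os.path.splitext(entry["file"].lower())[1] not in CODE_EXT:
        out.append("code executed from non-PHP file")
    if any(key in entry["msg"] for key in CLOAK_KEYS):
        out.append("reads a request header used for cloaking")
    return out

def find_suspicious(log_text):
    """Map each flagged file path to {'hits': count, 'reasons': sorted reasons}."""
    found = defaultdict(lambda: {"hits": 0, "reasons": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        why = reasons(entry)
        if why:
            found[entry["file"]]["hits"] += 1
            found[entry["file"]]["reasons"].update(why)
    return {f: {"hits": v["hits"], "reasons": sorted(v["reasons"])} for f, v in found.items()}
```

Run it over the real error_log of a hosting account and every flagged path is a file to diff against a known-clean copy or delete outright, which is the same check that pointed at the stale ModX tree here.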