How I Recovered A Hacked Website And Optimized It for Search Engines

Ecommerce is on the rise and many hackers exploit websites for many reasons such as: recording keystrokes on visitor’s computers, stealing sensitive private data, stealing website’s disk space and domain in order to sell their own products.Here is how I recovered a hacked website and search engine optimized It.

Lately a prospect contacted me after reading some of my tips about website security on Twitter and asked for my help to recover his website from hacking.
He is running an ecommerce and accidently checked his website’s position in Google and instead of his links he saw bunch of Japanese links under his domain. So he hired me to save his website.
Challenges:
– Website got hacked
– Website blacklisted in Google
– Website got manual action penalty due to using blackhat SEO by the hacker
– Lost all backlinks
– Got 26000 spammy links
– Lost reputation
– Lost clients
– Client got warning notice from his web hosting that he should leave because of hacked issue.

Hacked Recovery Processes:

Mapping the entire domain and saving the infected website:

– Analyzing: mapping the website and audit
– Identifying infected folders under public html
– Removing malicious code and viruses
– Removing backdoors scripts
– Removing injected spams
– Restoring the website
– Strategies to ensure future safety
– Buying SSL certificate

Important! Using SSL and Transport Layer Security (TLS) doesn’t guarantee the security of a website.They are hack-able. Remember all the government websites have these security processes and tool but still got hacked.

First I scanned the entire domain and went through all folders and I found several viruses and PHP scripts. I didn’t destroy them, but saved them to track the hacker.

Then I identified infected folders under Public_html and cleaned all of them.

Search Engine Optimization

In just 20 days the entire website which had 20 links got 26000 links and all were indexed by Google. How I found out about it? I created a website ownership in Google search console and found out there is another owner for this website under a Japanese name, I saved that too, then I found Google webmaster code under my client’s website and removed it from his server. Hacker penalized my client’s website, so he got manual action penalty under manual action section of Google search console.
Hacker’s pattern

Every hacker has a pattern and his/her own style of hacking and tools. 98% of hackers use hacking software to hack.These programs are designed in different categories.

Types of hacking

  • Whitehat: These are experts who know programming and web security
  • Blackhat:  These are crackers who hack to bank accounts, social media accounts, social security accounts, online games and emails
  • Script Kiddie: Their attack pattern is DOSing and DDoSing method.They get paid to crash sites. They usually use a copy and paste code to attack a website.
  • Gray hat: They don’t steal money or information, they just compromise websites for the sake of attention. They do it for fun.
  • Red hat: these guys are programmers who can destroy the target attack. I explain a method which i used to track my client’s hacker.
  • Greenhat These are like script kiddies but want to learn more about hacking and usually hang out in deep web.

Hackers Motivation

  • game hacking
  • bank hacking
  • social media hacking
  • personal information hacking
  • virus creation which leads to hacking
  • credit card fraud
  • email hacking

The Japanese hacker who hacked my client’s website usually steals domains for his own or his client website and exploits their web space to sell his products.

Hacker’s Hacking Processes:

A) Injected an index.php under public html

B) created a cron job for his script

C) changed my client’s index.html to index.html000

D) Created PHP script and injected under /temp/image folder in several locations. This guy put this script randomly under various locations of image and JS folders to hide his own data

E) Then he created a webmaster tool account in Google search console and claimed my client’s website ownership

F) He created a dynamic ecommerce and redirected every single link of my client’s website to his ecommerce domain. He created geo location for each city in Japan.
G) He created two PDF files and put all these products on them then redirected them via cross IP strategy to the Japanese domain.( I don’t want to write his domain’s name here) He managed to sell many products and even got 2 two stars reviews and four 3 stars reviews. In only 20 days of hacking he created 26000 pages and run his ecommerce across Japan.
H) He optimized the crossed pages for mobile but his AMP had some errors.

I) He used Black hat SEO to index all these 26000 pages fast with Japanese backlinks.

J) He manually registered 27 URL parameters under google webmaster tools

He did a very systematic job in just 20 days. But spam the hell of my client’s domain and ruined his web information. The damage he did, was huge.  I searched on web by his hacker name and found out he did the same thing to an American website owner. The poor website owner couldn’t take his website back instead he wrote the hacker’s name on his blog so the others be aware of it.

Here is what I did to him:
–  I deindexed his entire 26000 links using my own secret strategy

– I wrote negative reviews in Japanese ( I know Japanese) for his ecommerce and spread them on entire Japanese directories and search engines. I used drip feed tactic so the result appears gradually in search results.

– I destroyed his website’s reputation at domain level, product name level, product number level in Japanese language. This will also appear gradually in search results.

– I exposed his identity as an unethical script kiddie and thief in deep web and all over clear net and search engines. Since I did a huge damage to hacker’s reputation and website I can’t write his name here.Then he knows I did it.

– I created a virus added to his own PHP script and pointed back to each single redirected links which he exploited from my client.

Now back to my client:

I indexed my clients’ pages, removed hacker’s URL parameters and added manually my client’s URL parameters.Huge job! You won’t find online how to do it. There is a guideline in Google, but if you don’t know what you are doing, you won’t understand how it works. All other tips on changing URL parameters online are rubbish. They won’t work. So yes, it took time for me to be able to remove those manually added parameters and add my clients. Some say let Google decide what parameter to use. I disagree. It takes time and for a person like my client who was in hurry, we could not afford to wait for Google to ignore those 27 parameters and accept ours, so i had to dig deeper and finally fix it.

I fixed my client’s structured data and used fetched as Google to index his lost pages. In one day all Japanese names disappeared from Google search results  and client’s name and links appeared.
My client got his website back and I ranked one of his keywords in Google, in just 2 days after recovery my client got two customers.
I optimized his business on social media and had my team to promote his products on Twitter.

How did hacker found my client?
I think the hacker found my client’s website on social media and found out his website is the best environment for running his own ecommerce. He was selling through my client’s website everything from home improvement to clothing, toys, car equipment etc. It was a huge ecommerce. Why he stole my client’s domain and its bandwidth? Because it is free. He just run scripts on people’s websites and make them host his products. This is his job. He makes  a good money this way.
I secured my client’s social media accounts and unfollowed suspicious followers.

Security processes:
I had my client to use a strong password ( a very long key) for cpanel,emails and FTP.These are already cleaned from viruses and worms.
– Improved security holes on entire domain
– Closed ports which an intruder may access
– Hide .htaccess file
– Secured PHP ini from future hacking
– Advised client to run virus scan regularly
– I had my client to buy SSL certificate

Finally I contacted his hosting provider and informed them the website is 100% secure. I also gave them more detailed information about hacker, his website, his ecommerce website and ISP provider. My client’s web host provider thanked me and agreed not to let client leave their hosting.

Securing Website From Hackers
Hosting: I recommend using dedicated server with a dedicated IP. If you use shared hosting, use the policy of least privileged. You must give a very little access to the file required for the site to work. If you have files or directories that are writable, then those are targets for the attacker. Change them immediately ( right now if you have time to do it) to more secure permissions.
Monitoring: Create a cron job or ask your developer to do it for you in order to monitor the integrity of your content for changes. Message Digest 5 (MD5) is a hash function producing a 128-bit hash value. This hashing algorithm takes all of the bits of a file and generates a unique value. This value is called the checksum of the content. If the file content changes even by one bit the checksum should be different.
Check for malware and virus : You should monitor your website regularly for malware and viruses. Make sure to add your website to Google search console and verify ownership of your website. Make sure to add the www and non-www versions of the site (you’ll need to request the review at the level where your site is blocked).
Once the site ownership is verified, open the site in Google search console aka Google Webmaster Tools. In the Dashboard, you’ll see a prominent message in a red frame that says “This site may be distributing malware”. Click on the link that says “More Details” to expand it. At the bottom of the message click on the “Request a review” link.
In my client’s case as soon as I removed all hacked content,disavowed the spam links and cleaned it from all damages he did on my client’s site,  this message appeared under security issues section at Google search console: “Currently, we haven’t detected any security issues with your site’s content.

Finally! Don’t browse to whereever, don’t add useless plugins under wordpress. The above processes i did was for a HTML responsive website. Not wordpress. So if you have a wordpress website remove plugins and outdated scripts. Don’t install free templates, they inject virus usually at the header section. Don’t click on free online wallpapers and install in your computers, 99% are infected with virus and trojan horses. Wallpapers are one of methods hackers use to exploit your data. Don’t download free movies, music and files from torrents, they have hidden viruses mainly created to hack bank, credit card, social security number and your private data.

 

Your website got hacked? hacked website recovery service