Thursday, March 20, 2014

Detect and remove SPAM SEO (BlackHat SEO)

Today using SPAM SEO (Black Hat SEO) is a stupid way to get higher ranking in Google. The website uses SPAM SEO is detected easily by Google and Google will shoot penalty the website if it detects many SPAM SEO for the website.

However this is the best way to knock out a competitor. The competitor will take much time to work with Google and remove / disavow these SPAM SEO links. It is not an easy work.

So your website may become a victim of bad guy for his cruel purpose.

1. How to know if my website gets Malware Spam SEO (MW:SPAM:SEO)
You can do one of the following way:
-Install an antivirus like Avas, AVG, etc. on a computer, then browse your website. It will alert if your website infects MW:SPAM:SEO.
-Scan your website via It will alert and point out where MW:SPAM:SEO appears on your website. Although it just makes highlights the MW:SPAM:SEO on HTML code, but it will help you to find out where the Malware comes in the source code of your website. I recommend this tool.

2. How to know where MW:SPAM:SEO stays in the source code
2.1 Use antivirus software to scan your source code files. Normally, some antivirus software can detect infected / compromised files. This is fastest way to remove the Malware if its code pattern is in a database of an antivirus.

2.2 Sort files by created / modified date to limit files or make priorities on files for exploring.

2.3 Check & sort by date your web server log on POST requests if you have configured the log. It will help a lot to limit files or make priorities on files for exploring the Malware manually.

2.4 Based on scanning result of, you can know which page then guess which file can be infected.

2.5 Search special phrases
-Some popular malwares can have a special phrases to find out. e.g. Clickjack will have function dnnViewState or function xViewState. So just do a search on these famous phrases and see if you are lucky.
-After doing above steps, and you still cannot find where the Malware stays. It's time to do some hard works. It will take your time depending on your experiences. If your source code is written by PHP, search special functions of PHP such as: eval, base64_decode, gzinflate, str_rot13, hexdec, file_get_contents, mail, fsockopen, pfsockopen, stream_socket_client, exec, system, passthru. For example, if your server is Linux you can use below command to find all files containing eval or base64_decode function then export these file names to forexploring.txt file:
find . -type f -name '*.php' | xargs egrep -i "(eval|base64_decode) *\(" > forexploring.txt

In my real case, I have 2 websites infected MW:SPAM:SEO. One website infect Clickjack, then I remove it easily by searching function dnnViewState mentioned in step 2.5 above. Another website I tried to scan with some antivirus as also as searching keywords of popular malwares but not found. Then I use step 2.4 above, then I guess that it can be in a free module which I installed in my Joomla website. The module is mod_InowSlideShow. After that I search special functions of PHP in the source files of this module, and I found the file modules\mod_InowSlideShow\tmpl\default.php use function file_get_contents to insert a HTML code to my site. I removed it, then didn't get any warning after doing step 1 again.

3. Prevention is better than cure
-Update frequently security fixes for your server (OS, web server, DB server, PHP etc)
-Update frequently security fixes for your CMS (Joomla, WordPress etc)
-Set up an antivirus on your server, set up firewall on your server
-Set up logs for your server
-Change your passwords frequently and follow password name rule

Good luck to you!
Subscribe to RSS Feed Follow me on Twitter!