Black Hat SEO Technique Demystified – hideMeya

Black Hat SEO

All your SEO efforts will go down the drain if an SEO guy who is wearing a black hat (a.k.a. Hacker) starts injecting links to Viagra and Cialis websites into your website. And you might not even be aware of it. Thousands of websites have been hacked, and the owners have no clue that they are victims of one of the darkest Black Hat SEO techniques out there.

What is the objective of link injections?

The objective of the link injection is to get backlinks to websites that have a hard time finding legitimate link partners. Hackers illegally hide backlinks on websites without the permission of the webmasters to create backlinks to the websites they want to optimize.

What is the impact to my website?

Once the link injection software has been placed on your website, search engine bots will find outbound links to highly suspicious websites. They will then mark your website as malicious and stop sending traffic to you. Your organic traffic will die.

How can you detect that your website has been compromised?

The way link injections work is pretty sneaky. You cannot see any links on your website unless you view the HTML source code.

View Page Source

To view the source code, simply load the website into your browser. Depending on which browser you use, there are different ways to view the source code of an HTML page. In Firefox, for example, click the right mouse button and select ‘View Page Source’ from the popup menu that opens.

Now search through the code for any suspicious links or words. In the example below we looked for the word ‘viagra’ and promptly found a link to a Viagra site. You can also search for ‘href’ and simply look through all the links.

 

Link Injection

If you are using SiteOlytics.com to monitor your website you can view all links in the Links Dashboard. Simply load your profile and click on ‘Links on Page’ in the left navigation. The dashboard shows not only the total number of links and the total number of outgoing links but also a list of all the links found.

Link Dashboard

So if you suddenly see the number of outgoing links going up you can assume that your site was hijacked.

How many websites have been compromised?

The number is shockingly high. A simple search on Google for the term ‘hideMeya’, which is used in one of the implementations for WordPress, returns 33,900 results (on Jan 13, 2014).

hideMeya

See for yourself: (By the way, if you know someone who owns a website that comes up in this search, please let them know)

https://www.google.com/search?q=hideMeya&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Your website does have a link injection. Now what?

There are different versions of link injection implementations out there. For all of them you need to follow these steps:

  • Step 1: Identify which software was installed on your website
  • Step 2: Eliminate the link injection software from your web server
  • Step 3: Eliminate the vulnerability that allowed someone to put the software on your server
  • Step 4: Start monitoring your website to prevent this from happening again

Step 1: Identify which software was installed on your website

A very widespread implementation is hideMeya. This software was built for WordPress installations. There are other flavors like hideMe or KickeMe.

For the hideMeya malware you will find the following code snippet within the source code that you can view in the browser:

<div id='hideMeya'> Living paycheck enough equity from paycheck advance lenders to process viagra questions <a href= …

If you do find this then proceed to step 2.
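The manual search described above (looking through every `href` and for the marker `<div>`) can be automated. The following is an added example, not part of the original post or of any tool it mentions: it lists every outbound link in a page and flags those that sit inside a container whose id is one of the variants named on this page, or that contain one of the keywords the page searches for. The host `example.org`, the sample markup and all function names are constructed for illustration, and the parser assumes reasonably well-formed markup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

MARKER_IDS = {"hidemeya", "hideme", "kickeme"}  # container ids named on this page
KEYWORDS = ("viagra", "cialis")                 # terms this page searches for
VOID = {"br", "img", "hr", "input", "meta", "link"}  # tags with no closing tag
# Constructed sample page: two injected links inside a marker container.
SAMPLE = """<a href="/about">About</a> <a href="https://www.example.org/blog">Blog</a>
<a href="https://partner.example.net/">Our partner</a>
<div id='hideMeya'> cheap <a href="http://pills.example.com/viagra">buy now</a><br>
<a href="http://loans.example.com/">paycheck advance</a></div>"""

class LinkAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site, self.depth = site_host.lower(), 0  # depth > 0: inside a marker
        self.links, self.open_link = [], None         # links: [href, text, reasons]

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        if self.depth and tag not in VOID:
            self.depth += 1
        elif attrs.get("id", "").lower() in MARKER_IDS:
            self.depth = 1
        host = (urlparse(attrs.get("href", "")).hostname or "").lower()
        if tag == "a" and host and host != self.site and not host.endswith("." + self.site):
            self.open_link = [attrs["href"], "", {"marker-container"} if self.depth else set()]
            self.links.append(self.open_link)

    def handle_data(self, data):
        if self.open_link is not None:
            self.open_link[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self.open_link = None
        if self.depth and tag not in VOID:
            self.depth -= 1

def audit(html, site_host):
    parser = LinkAudit(site_host)
    parser.feed(html)
    parser.close()
    for href, text, reasons in parser.links:
        if any(k in (href + " " + text).lower() for k in KEYWORDS):
            reasons.add("keyword")
    return [{"href": h, "text": t.strip(), "reasons": sorted(r)} for h, t, r in parser.links]

if __name__ == "__main__":
    print(*audit(SAMPLE, "example.org"), sep="\n")
```

Links with an empty reason list are ordinary outbound links; keeping the full list from each run also gives you the outgoing-link count to compare over time.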

Step 2: Eliminate the link injection software from your web server

Log on to your web server. Navigate to the directory that has the PHP files of your WordPress installation. Open the file that renders the body content. In our case it is header.php. You can see that the timestamp of this file is different from the timestamps of the other files.

Infected File

Open the file and look for the following line of code:

<div><p><?php echo stripslashes($wpl_header_desc); ?></p></div>

This is the line that prints the links into your website. Simply remove the entire line. You will not see the links on your site anymore.

Step 3: Eliminate the vulnerability that allowed someone to put the software on your server

The PHP script that is actually creating the vulnerability is called xmlrpc.php and resides in the root directory of your server. You can see that this file also has a different timestamp.

By calling it directly (http://yourserver.com/xmlrpc.php) you can see the plain links on the page.

Another place where it can reside is the robots.txt file: http://yourserver.com/robots.txt

If you do not need the xmlrpc script, simply delete it. You can learn more about the purpose of this script in this blog post: http://digwp.com/2009/06/xmlrpc-php-security/
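Steps 2 and 3 both rely on two clues: a file whose timestamp differs from the rest, and the line that echoes `$wpl_header_desc`. The following is an added example, not part of the original post, that checks every PHP file under a WordPress directory for both clues, so the injected line is also found when it sits in a file other than header.php. The function names, the 30-day window and the sample tree are constructed for illustration; using the median timestamp as the baseline is an assumption of this example.

```python
import os
import statistics
import tempfile
import time

# Strings from this page; "hideMe" also matches the hideMeya variant.
SIGNATURES = ("wpl_header_desc", "hideMe", "KickeMe")
DAY = 86400

def scan_wordpress(root, window_days=30):
    """Map each suspicious PHP file (path relative to root) to its reasons."""
    paths = [os.path.join(d, n) for d, _, names in os.walk(root)
             for n in names if n.endswith(".php")]
    if not paths:
        return {}
    mtimes = {p: os.path.getmtime(p) for p in paths}
    # Assumption: files from one install or update share a timestamp, so the
    # median modification time approximates the last legitimate change.
    baseline = statistics.median(mtimes.values())
    findings = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            source = fh.read().lower()
        reasons = ["contains " + s for s in SIGNATURES if s.lower() in source]
        if mtimes[path] - baseline > window_days * DAY:
            reasons.append("modified later than the rest")
        if reasons:
            findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Scan a constructed WordPress-like tree: (file, age in days) pairs."""
    injected = "<div><p><?php echo stripslashes($wpl_header_desc); ?></p></div>"
    files = {"index.php": ("<?php", 400), "wp-load.php": ("<?php", 400),
             "wp-login.php": ("<?php", 400), "xmlrpc.php": ("<?php", 2),
             "wp-content/themes/demo/footer.php": ("<?php", 400),
             "wp-content/themes/demo/header.php": (injected, 2)}
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, age) in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            stamp = time.time() - age * DAY
            os.utime(path, (stamp, stamp))
        return scan_wordpress(root)

if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(name, "->", "; ".join(why))
```

Modification times can be reset by whoever changed the file, so a clean timestamp does not clear a file; comparing against a fresh copy of the same WordPress and theme version is the stronger check.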

Step 4: Start monitoring your website to prevent this from happening again.

Prevention is the best way to not become a victim again. Hackers are not stupid. Once their software gets discovered you can be sure that they are working on the next version already. So the only way to make sure that your website is fine is to keep an eye on it. SiteOlytics.com allows you to track your website daily and it is free. So stop worrying and start tracking your website today.

If you have questions on any of the above feel free to contact us.

Cheers,
Roland

Roland Oberdorfer is a Managing Director and Co-Founder at SiteOlytics Inc. Prior to his current role, Roland was the CTO of HP’s consumer direct organization and the General Manager for Web and eCommerce at NVIDIA. You can find him on Google+ and on Facebook.

    • Nick
    • February 21, 2014

    We found the nasty little snippet of code in our functions.php, FYI.
