ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


Urgent help! Site hacked

January 05, 2011 7:29am

  • #1 / Jan 05, 2011 7:29am

    andrew_spl

    71 posts

    Hi all,

    A client has just brought to my attention that Google has flagged ‘This site may be compromised’ on the search results for the site’s home page. The site uses EE 1.6.9. I followed the Google links through to the webmaster tools and the ‘Notice of hacking’. The message gives me a URL of (domain)/index.php/member/73/ as an example of a hacked URL. I followed this link and found a list of members. (See attached JPG)

    Edit: I have found over 800 members in the membership section - there should be only 2.

    Edit: I’ve just realised that the URL (domain)/member/memberlist doesn’t point to the EE system directory. When I looked at the files on the server there is no such directory - and the URL (domain)/member does not exist.

    Can anyone give me any advice how to remove this and prevent further attacks?

    Thanks

    Andrew

  • #2 / Jan 05, 2011 3:04pm

    handyman

    509 posts

    The majority of the paths in EE don’t exist - they are virtual paths, so you cannot find most of them!
    Still, they do exist in terms of your web server and google…as you can see.

    My quickie suggestions (I’m not EE support, just a user)....

    You must have some form that allows membership signups (register)!
    If you have only a few members- you want to either disallow people from signing up, or else have to manually approve them.
    In your control panel, go to members and groups - membership preferences
    you will see there the options which allow you to restrict users…....
    also change the membership triggering word at the bottom of that page.
    Erase all those users…...various ways to do that…...
    Also, I think you can eliminate HTML in user bio - or something like that.

    After you get that under control, you can restrict google and other search engines from seeing your member list.
    You can do that in either .htaccess or possibly in robots.txt

    It sounds like you have not yet wrapped your head around the way EE works…...you might want to read some tutorials or check out one of the books some of the folks here wrote.

  • #3 / Jan 06, 2011 2:38am

    John Henry Donovan

    12339 posts

    Andrew,

    Edit: I’ve just realised that the URL (domain)/member/memberlist doesn’t point to the EE system directory. When I looked at the files on the server there is no such directory - and the URL (domain)/member does not exist.

    You won’t see one. These are system generated URLs to view member profiles. What I think has happened here is that those spam members have included spam URLs in their profiles which would generally appear in a site that has actually been hacked. So Google has flagged them as compromised.

    handyman offers good advice on what to do next. Specifically changing the membership triggering word and disabling signups.

    Once you have cleared out all the spam members you can ping Google again in Webmaster tools and they will come around and check your site again and hopefully you will lose that status.

    Let us know if that helps
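
Added example, not part of the original thread and not ExpressionEngine code: a triage pass over a member export that lists accounts matching the pattern described above (a link in the profile and no activity on the site) and the days on which sign-ups arrived in bursts, so the list can be reviewed before anything is deleted. The CSV layout, its column names and the sample rows are constructed assumptions, not EE's actual schema.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export; column names are assumptions for this example.
SAMPLE_CSV = """member_id,username,url,bio,join_date,total_entries,total_comments
1,admin,,,2010-06-01,42,3
2,editor,https://client.example,,2010-06-02,17,0
73,cheap-pills-4u,http://spam.example/a,Best deals http://spam.example/b,2010-10-14,0,0
74,xrumer_8812,,<a href='http://spam.example/c'>click</a>,2010-10-14,0,0
75,jane_reader,,I like gardening,2010-11-02,0,2
76,seo-links-now,http://spam.example/d,,2010-10-14,0,0
"""

# A bare URL or an HTML anchor inside free-text profile fields.
LINK_RE = re.compile(r"(?i)(?:https?://|www\.)\S+|<a\s[^>]*href")


def triage(csv_text, trusted_ids=(), burst_threshold=3):
    """Return (suspect member ids, {day: sign-up count} for burst days)."""
    suspects, per_day = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        member_id = int(row["member_id"])
        per_day[row["join_date"]] += 1
        if member_id in trusted_ids:
            continue  # known-good accounts are never listed
        has_link = bool(row["url"].strip()) or bool(LINK_RE.search(row["bio"]))
        inactive = int(row["total_entries"]) + int(row["total_comments"]) == 0
        # A link alone is not enough: real contributors often set a URL.
        if has_link and inactive:
            suspects.append(member_id)
    bursts = {day: n for day, n in per_day.items() if n >= burst_threshold}
    return sorted(suspects), bursts


if __name__ == "__main__":
    suspects, bursts = triage(SAMPLE_CSV, trusted_ids={1, 2})
    print("review before deleting:", suspects)
    print("sign-up bursts:", bursts)
```
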

  • #4 / Jan 06, 2011 5:18am

    andrew_spl

    71 posts

    OK, thanks for your advice, I really appreciate it. I’ve already deleted the spam members. There was a form on the site that allowed comments - which I’ve also deleted. So I’m hoping that this will allow Google to ‘unflag’ the URL.

    I must say this is a bit frustrating, as even using CAPTCHA on the sign-up form the site has still attracted over 800 spam registrations in less than 3 months. If anyone can give me any advice on what I’ve done wrong, or how I can stop this kind of spam I would be very grateful.

    But I’m still bothered that the member list can be accessed by simply using the URL (domain)/members/memberlist. This can’t be right can it?

    Edit: I’ve just looked at the membership preferences, and found I had the following:
    Allow New Member Registrations?  Yes (Changed to No)
    Require Member Account Activation? Self activation by email (Changed to Manual)
    Enable Membership Captcha: Yes (Is this correct)
    Profile Triggering Word: Members (This is what confused me - so I’ve altered this)


    Regards

    Andrew

  • #5 / Jan 06, 2011 3:51pm

    Ingmar

    29245 posts

    I must say this is a bit frustrating, as even using CAPTCHA on the sign-up form the site has still attracted over 800 spam registrations in less than 3 months.

    In fact many registrations these days are done manually. A CAPTCHA isn’t much use here.

    But I’m still bothered that the member list can be accessed by simply using the URL (domain)/members/memberlist. This can’t be right can it?

    This is default behavior, yes. If you don’t want it or need it just turn it off.

    Allow New Member Registrations?  Yes (Changed to No)
    Require Member Account Activation? Self activation by email (Changed to Manual)
    Enable Membership Captcha: Yes (Is this correct)
    Profile Triggering Word: Members (This is what confused me - so I’ve altered this)

    That all sounds good, yes.

  • #6 / Jan 07, 2011 2:13am

    rokker

    179 posts

    just for giggles, view this video on youtube about backlink robots for EE

    http://www.youtube.com/watch?v=XvG6Jb1ntZs

    here’s a thread i posted on the robots a while back

    http://ellislab.com/forums/viewthread/166496/

  • #7 / Jan 07, 2011 2:02pm

    Sue Crocker

    26054 posts

    Thanks for the assist, rokker.

    Andrew, did the information from Ingmar and rokker help?

  • #8 / Jan 08, 2011 2:30pm

    atelier2

    181 posts

    But I’m still bothered that the member list can be accessed by simply using the URL (domain)/members/memberlist. This can’t be right can it?

    Change the word ‘member’ into something less obvious. (In the CP) The URL is then less easy to reach.

  • #9 / Jan 10, 2011 2:56am

    John Henry Donovan

    12339 posts

    Let us know where you stand with this Andrew. Do you require further assistance?

  • #10 / Jan 10, 2011 5:21am

    andrew_spl

    71 posts

    Thanks, changing the prefs and deleting the sign-up form has stopped the spam registration. And the site has become ‘unflagged’ in Google search results.

    I could be wrong but I’m assuming that the amount of spam was caused by the membership prefs being wrong to begin with. And maybe the use of CAPTCHA is not as secure as it once was? I’ll look into the issue of sign-up forms more thoroughly and if I have any problems I’ll post on another thread. Thanks again.

    Regards

    Andrew

  • #11 / Jan 10, 2011 11:24am

    Sue Crocker

    26054 posts

    Sounds good. Don’t hesitate to post again as needed.
