Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

Stats Anomaly Reveals Website Security Issues.

   05 Feb 09   Filed in Website exploits

I’ve recently blogged about how hackers redirect Googlebot from legitimate sites to malware sites. In the update, I mentioned a real site that had been hacked and lost both PageRank and top positions in Google search results.

The owner of that site sent me a very insightful email and gave me permission to publish it here:

Hi Denis,

I thought that I would follow up with you regarding the recent exploit of
my site Old Ten Speed Gallery, and share with you some of the statistics
that I witnessed after being hacked.

An interesting thing about all this was that somehow, my feedburner
subscriber statistics reflected the exploit almost immediately.

I’m assuming that feedburner reflected the exploit immediately because, as
you will see in the screencap, after I found and removed the redirect my
subscriber count bounced right back up to its previous levels.

Feedburner Stats


5 days after the feedburner drop I began to notice a decline in google
keyword traffic.

Google Analytics


Roughly 7 days after my feedburner drop I noticed my PageRank had dropped
to 0. I’m not sure when this happened and if it even hit any spots in
between. But I’m fairly certain it happened in the first 7 days.

It seems to me that had I caught this in the first five days, some, if not
much of it could have been avoided. Perhaps I would not have lost all of my
page rank, and perhaps fewer of my pages would have fallen out of the

Another side-effect of the redirect that I failed to mention before was the
irrelevance of google adwords on my homepage. They remained relevant
through the category and post pages, but the homepage had default
advertising displayed. I’m assuming this is because google was determining
the ad content based on the spam pages.

This was quite a learning experience for me, and hopefully all this that I
have learned will not go to waste.

Thanks again for helpful tools and input. Feel free to use any of this
message and either of the screencaps in any way you see fit.

Old Ten Speed Gallery

This is another reason why you should regularly analyze your site stats. Inexplicable changes may be caused by serious security problems. You’d better spot and investigate them ASAP.

(Abrupt) decline in Google search traffic and irrelevant AdSense blocks are very common symptoms of security issues. In this case, hackers redirected Googlebot to their own sites. Hackers can also redirect visitors coming to your site from search engines (search traffic will be lost completely), or insert hidden spam links (AdSense blocks will be irrelevant and Google traffic will decrease as soon as they penalize your site for spamming).

Feedburner stats are not reliable

On the other hand, Feedburner statistics have not been reliable lately and should not be considered a direct indication of site problems. Feedburner is in the process of moving everything to Google, and many bloggers have reported that this year’s stats are strange, to say the least. If you have Feedburner feeds, move them to Google ASAP.

Sitemap trick

In my conversation with Cameron, I pointed him to John Mueller’s tip on how this type of Googlebot redirection can be detected.

There’s another way to spot this kind of hack with Google Webmaster Tools: When you submit a Sitemap file, Google will show warnings for URLs that redirect. By design, you should be listing the final URL in your Sitemap file, so if the URL is redirecting for our crawlers (as in this case), we’ll show a warning in your account.

It appeared that Cameron had noticed those warnings but didn’t know how to interpret them:

When I started investigating the PageRank drop I noticed the redirect errors. It seemed fishy, but I had no idea what to make of it. During this period, I was also having difficulty getting google to accept my sitemap. Finally, Tuesday they found it suitable.
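The Sitemap trick above can also be approximated from your own machine. The following is an added example, not code from this post or from Google: it requests every Sitemap URL once with a browser User-Agent and once with Googlebot's, and reports URLs that redirect only for the latter. The function names, the `blog.example` and `spam.example` hosts, and the stub fetcher are constructed for illustration.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

LOC = "{http://www.sitemaps.org/schemas/sitemap/0.9}loc"
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:115.0) Gecko/20100101 Firefox/115.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: a 3xx then surfaces as HTTPError

def http_fetch(url, user_agent):
    """Return (status, Location header or None) without following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=10) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")

def sitemap_urls(xml_text):
    """Extract every <loc> URL from a sitemap document."""
    return [el.text.strip() for el in ET.fromstring(xml_text).iter(LOC) if el.text]

def crawler_only_redirects(xml_text, fetch=http_fetch):
    """List (url, status, target) for URLs that redirect only for the Googlebot UA."""
    findings = []
    for url in sitemap_urls(xml_text):
        browser_status, _ = fetch(url, BROWSER_UA)
        bot_status, target = fetch(url, GOOGLEBOT_UA)
        if 300 <= bot_status < 400 and not 300 <= browser_status < 400:
            findings.append((url, bot_status, target))
    return findings

# Constructed sample data (not from the post): a two-URL sitemap and a stub
# fetcher that mimics a site redirecting its home page for Googlebot only.
SAMPLE_SITEMAP = """<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>https://blog.example/</loc></url>
  <url><loc>https://blog.example/about/</loc></url>
</urlset>"""

def fake_fetch(url, user_agent):
    if url == "https://blog.example/" and "Googlebot" in user_agent:
        return 302, "https://spam.example/"
    return 200, None

if __name__ == "__main__":
    for url, status, target in crawler_only_redirects(SAMPLE_SITEMAP, fake_fetch):
        print(f"{url} -> {status} {target} (Googlebot UA only)")
```

A redirect that is keyed to the crawler's IP address rather than its User-Agent will not show up in this check, so the Sitemap warnings in Google Webmaster Tools remain the authoritative signal.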

I hope Cameron’s email and bitter experience will teach us all to pay attention to anomalies in stats and to be serious about website security.

If any of you want to share your own experience, feel free to contact me.
