
Fixing hacked Japanese links in your sitemap results

If you open the Google Search Console and see a bunch of junk links in the search results for your website, it is possible that you have fallen victim to the Japanese Keyword Stuffing Hack.

In most cases, a hacking group (generally originating from Japan) got access to your Google Webmaster Search Console.  Using this access, they were able to submit URLs into the Google crawling engine that supposedly originated from your website.  These links attempt to boost the SEO of the various products they link to.

To clean up this hack, there are several steps you need to take.  The full details are provided here by the Google Support team:  https://developers.google.com/web/fundamentals/security/hacked/fixing_the_japanese_keyword_hack

Backup Your Content

First – make sure that you have a full backup of your site data and content.  If you make changes to your site that you need to reverse, you want to ensure you have a reliable backup ready and available.

Validate Search Console Accounts

Next, validate your Search Console accounts.  Go into the Google Search Console and look at the user accounts.  Make sure that you recognize every account that is present.  If any accounts are present that you do not recognize, remove them.

Remove Invalid Verification Files

As part of cleaning up your Search Console accounts, you will also most likely need to remove or rotate any verification file used on your site.  It is possible that the malicious users also had access to the files on your site and were able to upload a custom verification file, which is what allowed them to validate their account under your site.

[Screenshot: bad Google auth file]

Above is an example of a bad Google auth file that had to be removed.

Even if you don’t see a malicious verification file, it is a good idea to rotate your own verification files.  This helps reduce the chance of your verification file being compromised in the future.

Remove Dynamic htaccess Verification Methods

Another approach that these hackers take to fake the verification method is to create a rewrite rule inside your .htaccess file.  Navigate to your .htaccess file and look for a snippet of code that looks similar to the following:

RewriteEngine On
  RewriteRule ^google(.*)\.html$ dir/file.php?google=$1 [L]

Because the rule answers any request whose name follows the Google verification file format, a malicious user can get any such file validated.  This means that anyone can successfully claim access to your site.
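The two checks above (unrecognized verification files and a wildcard verification rule in .htaccess) can be automated. The following is an added example, not code from the original post or from Google; the probe filename, the function names and the `known_files` allowlist are assumptions made for the illustration.

```python
import re
from pathlib import Path

# Constructed probe: shaped like a Google verification filename, owned by nobody.
PROBE = "google0123456789abcdef.html"
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)

def suspicious_rules(htaccess_text):
    """Return (line_no, line) for RewriteRules that would answer PROBE."""
    hits = []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        m = RULE.match(line)
        # Only patterns that name "google" are checked, so a CMS catch-all
        # rule such as "RewriteRule . /index.php" is not reported.
        if not m or "google" not in m.group(1).lower():
            continue
        try:
            # Apache patterns are PCRE; simple ones compile under Python's re.
            if re.search(m.group(1), PROBE):
                hits.append((no, line.strip()))
        except re.error:
            hits.append((no, line.strip()))  # unparseable: review by hand
    return hits

def audit_docroot(root, known_files=()):
    """Walk a document root; list unknown verification files and wildcard rules."""
    root = Path(root)
    report = {"unknown_verification_files": [], "htaccess_rules": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if re.fullmatch(r"google[^/]*\.html", path.name, re.IGNORECASE):
            # known_files holds the verification files you created yourself.
            if rel not in known_files:
                report["unknown_verification_files"].append(rel)
        elif path.name == ".htaccess":
            text = path.read_text(errors="replace")
            for no, line in suspicious_rules(text):
                report["htaccess_rules"].append((rel, no, line))
    return report

if __name__ == "__main__":
    import sys
    print(audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it against a copy of the web root and pass the verification files you created yourself as `known_files`; anything it reports still needs a manual look before removal.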

Validate .htaccess File

At this stage, you might want to check the rest of your .htaccess file for any snippets of code that you do not recognize.  Malicious users can use this file to create redirect rules that send visitors following those links off your site and onto locations they control.

Depending on the type of site you have, you may even want to consider removing the .htaccess file and replacing it with a new or default one.

Rebuild Sitemaps

Now is the time to rebuild or replace your sitemaps.  Malicious users may have entered a bunch of junk URLs into your sitemaps.  Use whatever process you used originally to create them to have them rebuilt or recreated.

Remove Other Malicious Files

Scan the rest of your website for malicious files that you do not recognize.  Remove files as needed.  If you are using a CMS, you may even consider reinstalling or resetting the CMS to its default settings.  Note that depending on how much resetting you do, you may lose and/or have to redo customizations that you have added.

Change Passwords

As one of your last items, it is good practice to rotate any passwords that your site uses, or that accounts with access to your site use.  This includes passwords to databases, FTP accounts, SSH access, administrator accounts and the like.  If the malicious users got access to the web files on your website, then they could have access to any passwords that were stored on that site.
