Questions
-
Site not coming up even when I search with the .com
The forum you are posting on was created on the backbone of the software used to examine backlinks. As per the rest of your questions, you're on the right path. Let's see how we can keep you moving along said path: http://bit.ly/16NVY3R
Technical SEO Issues | | jesse-landry0 -
Pharma hack repercussions
If you have a pharma hack, you should use Sucuri. Even if you have had your site cleaned up by Google Webmaster Tools, I would run it through the free site check at the link below. Then look at all the advantages for just $89 a year; plus, if you get hacked ever again during that year, it is fixed 100% free. They're fast, very good, and will have your site running normally again.

Run your website through this free scanner and read below: http://sitecheck.sucuri.net/scanner/

Whether or not you are running a CMS like WordPress does not make much of a difference; this tutorial or discussion regarding tarmac is focused on WordPress, however all of these things would be happening to any website.

http://blog.sucuri.net/2010/07/understanding-and-cleaning-the-pharma-hack-on-wordpress.html & http://blog.sucuri.net/tag/pharma

I even have a live one right here for you. I would not give you the actual URL, but this is the cleanup URL: http://sitecheck.sucuri.net/results/worldluxurynetwork.com

Understanding and cleaning the Pharma hack on WordPress
July 13, 2010, by David Dede

In the last few weeks, the most common questions we’re receiving are related to the “Pharma” (or Blackhat SEO Spam) Hack on WordPress sites. This attack is very interesting because it is not visible to the normal user and the spam (generally about Viagra, Nexium, Cialis, etc) only shows up if the user agent is from Google’s crawler (googlebot). Also, the infection is a bit tricky to remove and if not done properly will keep reappearing.

Because of this behavior, many sites have been compromised for months with those spam keywords and no one is noticing. A quick way to check if your site is compromised is by searching on Google for “inurl:yoursite.com cheap viagra or cheap cialis” or using our security scanner.
For example, this is the result of our scanner against wpremix.com (which was infected at the time we were writing this post): [image: Picture+14.png]

Pharma Hack – details

The Pharma Hack has various moving parts:

1 – Backdoor that allows the attackers to insert files and modify the database.
2 – Backdoor inside one (or more) plugins to insert the spam.
3 – Backdoor inside the database used by the plugins.

If you fix one of the three, but forget about the rest, you’ll most likely be reinfected and the spam will continue to be indexed.

As always, we recommend that you update your WordPress instance to the latest version. This goes for all of your plugins, themes, etc. WordPress is typically very secure; it’s when you’re running old versions and/or out-of-date plugins/themes that you run into trouble. Keep your stuff up to date, and it will minimize the risk of infection significantly.

1 – Backdoor that gives remote access to the users

This is the first step in the infection. Generally attackers do large scale scans and try to inject the backdoors into compromised sites. They do this by searching for vulnerable WordPress installations (older versions), vulnerable plugins, hosting companies with known security weaknesses, etc.

When the backdoor is added, it is not immediately executed. Sometimes it stays for months without ever getting called. The common places for these backdoors are:

    wp-content/uploads/.*php (random PHP name file)
    wp-includes/images/smilies/icon_smile_old.php.xl
    wp-includes/wp-db-class.php
    wp-includes/images/wp-img.php

Characteristically in the past, these files have had an “eval(base64_decode”; ultimately that’s what most people recommend searching for. However, on the pharma attack, the backdoor starts with:

    <?php $XZKsyG='as';$RqoaUO='e';$ygDOEJ=$XZKsyG.'s'.$RqoaUO.'r'.'t';$joEDdb='b'.$XZKsyG.$RqoaUO.(64).'_'.'d'.$RqoaUO.'c'.'o'.'d'.$RqoaUO;@$ygDOEJ(@$joEDdb('ZXZhbChiYXNlNjRfZGVjb2RlKCJhV1lvYVhOelpY… (long long string)..
So, it still calls “eval(base64_decode”, but using variables, making it harder to detect. In fact, none of the WordPress security plugins are able to find it. Our suggestion is to search for “php $[a-zA-Z]*='as';” also.

After decoded, this is the content of the backdoor: http://sucuri.net/?page=tools&title=blacklist&detail=3ec33c4ab82d2db3e26871d5a11fb759

If you do an inspection of the code, you will see that it scans for wp-config.php, gets the database information, acts as a remote shell and retrieves a lot of information about the system. That’s the first thing you have to remove before you do anything else.

2 – Backdoor inside one of the plugins

This is the second part of the attack. After successfully creating a backdoor into the system, a file will be created inside one of the existing plugins. Example:

    akismet/wp-akismet.php
    akismet/db-akismet.php
    wp-pagenavi/db-pagenavi.php
    wp-pagenavi/class-pagenavi.php
    podpress/ext-podpress.php
    tweetmeme/ext-tweetmeme.php
    excerpt-editor/db-editor.php
    akismet/.akismet.cache.php
    akismet/.akismet.bak.php
    tweetmeme/.tweetmem.old.php

Note that they will infect one or more of your enabled plugins and use names like wp-[plugin].php, db-[plugin].php, ext-[plugin].php, or something similar. We do not recommend you rely only on those samples for your search, but try looking for any plugin file with the “wp_class_support” string on it.

    $ grep -r "wp_class_support" ./wp-content/plugins

If you are infected, you will see things like (full content of the file here):

    ./wp-content/plugins/akismet/db-akismet.php:if(!defined('wp_class_support')) {
    ./wp-content/plugins/akismet/db-akismet.php: define('wp_class_support',true);

Make sure to remove those files. To be 100% sure your plugins are clean, I would recommend removing all of them and adding from scratch (not possible for all sites, but this is probably the most secure way of doing it).

3 – Backdoor inside the database

This is the last step, and equally important.
This is where the spam itself is hidden. They have been using the wp_options table with these names in the “option_name”:

    wp-options -> class_generic_support
    wp-options -> widget_generic_support
    wp-options -> wp_check_hash
    wp-options -> rss_7988287cd8f4f531c6b94fbdbc4e1caf
    wp-options -> rss_d77ee8bfba87fa91cd91469a5ba5abea
    wp-options -> rss_552afe0001e673901a9f2caebdd3141d

Some people have been seeing “fwp” and “ftp_credentials” being used as well, so check there too.

These SQL queries should clean your database:

    delete from wp_options where option_name = 'class_generic_support';
    delete from wp_options where option_name = 'widget_generic_support';
    delete from wp_options where option_name = 'fwp';
    delete from wp_options where option_name = 'wp_check_hash';
    delete from wp_options where option_name = 'ftp_credentials';
    delete from wp_options where option_name = 'rss_7988287cd8f4f531c6b94fbdbc4e1caf';
    delete from wp_options where option_name = 'rss_d77ee8bfba87fa91cd91469a5ba5abea';
    delete from wp_options where option_name = 'rss_552afe0001e673901a9f2caebdd3141d';

Conclusion

Tricky stuff! The attackers are getting better and we have to learn how to protect our sites and our servers. If you need any help cleaning up the mess or you need a partner to help with your security needs, Sucuri is here to assist. Protect your interwebs! http://sucuri.net/

Malware Removal

We love destroying malware, and we’ve been at it for a while! Our removal process uses our proprietary engine. It has been collecting malware definitions since 2004. Its history can be traced to early open source projects we released before becoming closed source in 2008, and later formed into a company, Sucuri, in 2010. You can find information on the early incarnation of the engine by looking at Owl, version .1, and the Web Information Gathering System (WIGS).

What does the Cleanup Process Consist Of?

The cleanup process has been refined over the past few years. It’s very effective, but continues to evolve.
The process is both manual and automated. The automated elements are quite restricted. Every cleanup is handled by a malware analyst whose responsibility it is to look through the results, identify anomalies and clean manually as required. The beauty of it is that the cleanup is included in every package for no additional fees. Yes – cleanup is included in every plan!

What do you Clean?

As malware evolves, so will our service. Under the current cleanups we include remediation for the following:

    Obfuscated JavaScript Injections
    Hidden & Malicious iFrames
    Embedded Trojans
    Phishing Attempts
    Cross Site Scripting (XSS)
    Malicious Redirects
    Backdoors (e.g., C99, R57, Webshells)
    Stupid, Pointless, Annoying Messages (SPAM)
    Defacement
    Anomalies
    SQL Injection
    IP Cloaking
    Social Engineering Attempts
    Drive-by-Downloads

How do you Clean?

In most instances our cleanups are conducted remotely, using preferably SFTP, but also HTTP and FTP. Because of the challenges with HTTP, specifically time-outs and other connection issues, we may request secure shell (SSH) access. Once we have access to your server we load tools that allow us to authenticate with the mothership. This connection allows us to traverse your server files and databases.

How am I Notified?

The internal ticket system uses the same notification options set in the alerting section. When a ticket is updated you are notified via email; you must log in to the system and update the ticket.

It’s Not Automated?

Unfortunately, no, not at this time. Here’s why:

    We require access to your server in order to perform the remediation process.
    We do not offer services as a ‘Password Manager’ so we do not create or reset existing passwords. After every cleanup the first change we ask you to make is to update every password you have (i.e., administrator page, database, FTP, SFTP, SSH, etc.).
    We prefer to have a trained malware analyst working with each client.

Sincerely, Thomas
Technical SEO Issues | | BlueprintMarketing0 -
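A small scanner for the file-side indicators the quoted article lists (PHP under uploads, the `$...='as';` loader start, `eval(base64_decode`, and the `wp_class_support` marker in plugin files). This is an added example, not Sucuri's tool or code from the post; `scan`, `build_sample`, the reason labels and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article above (straight quotes, as real PHP uses).
OBFUSCATED = re.compile(r"""\$[a-zA-Z]+\s*=\s*['"]as['"]\s*;""")  # $XZKsyG='as';
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode", re.IGNORECASE)
PLUGIN_MARKER = "wp_class_support"

def scan(root):
    """Return sorted (relative_path, reason) findings under a WordPress root."""
    findings = set()
    for path in Path(root).rglob("*"):
        # ".php" anywhere in the name also catches icon_smile_old.php.xl
        if not path.is_file() or ".php" not in path.name.lower():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if rel.startswith("wp-content/uploads/"):
            findings.add((rel, "php-in-uploads"))
        if OBFUSCATED.search(text):
            findings.add((rel, "obfuscated-loader"))
        if EVAL_B64.search(text):
            findings.add((rel, "eval-base64"))
        if rel.startswith("wp-content/plugins/") and PLUGIN_MARKER in text:
            findings.add((rel, "wp_class_support-marker"))
    return sorted(findings)

def build_sample(root):
    """Write a constructed, harmless sample tree (no real payloads)."""
    files = {
        "wp-content/uploads/x9.php": "<?php $XZKsyG='as';$RqoaUO='e'; // truncated",
        "wp-content/uploads/photo.jpg": "not php",
        "wp-includes/images/smilies/icon_smile_old.php.xl":
            "<?php eval(base64_decode('PLACEHOLDER'));",
        "wp-content/plugins/akismet/db-akismet.php":
            "<?php if(!defined('wp_class_support')) { define('wp_class_support',true); }",
        "wp-content/plugins/akismet/akismet.php": "<?php // clean plugin file",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rel, reason in scan(tmp):
            print(f"{reason:24} {rel}")
```

A hit is a lead for manual review rather than proof of infection, and the wp_options entries named in the article still need a separate database check.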
Have a client whose name is Scott Gable and his profession is photography
Hi, Redirection is not something to fix this. Yes, you are right: because of the "name", sitelinks are not coming up in the search engine. Here is the example: search with "Matt Cutts" (name) and site links will not appear, but if you search with "matt cutts gadgets" or "matt cutts gadgets google and seo" the site links will appear. Hope my answer helps you. Thanks
Technical SEO Issues | | SanketPatel0 -
How do you fix soft 404 errors?
The error says: "redirecting users to another page such as the homepage instead of a 404." I don't see the image, I do see a page but it "immediately redirects" me - as per the soft 404 error message. I get sent back to: http://www.chrisboar.com If you want to see the auto redirect - http://www.highonseo.com/examples/boar.avi
Technical SEO Issues | | MattAntonino0 -
How do you determine what google puts as the first couple of listings?
Those are called sitelinks. Here is Google's explanation: We only show sitelinks for results when we think they'll be useful to the user. If the structure of your site doesn't allow our algorithms to find good sitelinks, or we don't think that the sitelinks for your site are relevant for the user's query, we won't show them. At the moment, sitelinks are automated. We're always working to improve our sitelinks algorithms, and we may incorporate webmaster input in the future. There are best practices you can follow, however, to improve the quality of your sitelinks. For example, for your site's internal links, make sure you use anchor text and alt text that's informative, compact, and avoids repetition. If you think that a sitelink URL is inappropriate or incorrect, you can demote it. Demoting a URL for a sitelink tells Google that you don't consider this URL a good sitelink candidate for a specific page on your site. Google doesn't guarantee that demoted URLs will never appear as a sitelink, but we do consider a demotion a strong hint that we'll try to honor when generating sitelinks. Demote a sitelink URL: On the Webmaster Tools Home page, click the site you want. Under Site configuration, click Sitelinks. In the For this search result box, complete the URL for which you don't want a specific sitelink URL to appear. (How to find the right URL.) In the Demote this sitelink URL box, complete the URL of the sitelink you want to demote. Once you've demoted or undemoted a sitelink, it can take some time for search results to reflect your changes. You can demote up to 100 URLs, and demotions are effective for 90 days from your most recent visit to the Sitelinks page in Webmaster Tools.
Technical SEO Issues | | tdawson090 -
Working on this site...
Hi Erik, Yes, you were correct. I was in IE. Ah, yes, in Firefox, much better, but George's comments below are very good. I would definitely follow his advice. Good luck! Dana
On-Page / Site Optimization | | danatanseo0 -
301 redirect blog posts from old URL to new one
Redirection is a good plugin, though I've had two cases where it interacted strangely with another plugin, in which case I used Simple 301 Redirects successfully w/o interaction issues. That said, Redirection provides some more advanced options like redirecting based upon the referral site, which has come in handy.
Technical SEO Issues | | KaneJamison0