Tthis will be the second time I have been hit by the Pharma Hack. The Pharma Hack did not damage my site, but it replaces document titles with ads for pharmaceutical products such as Biaxin and others, but only on Google search results. This time my software was updated, I had installed additional plugins and had been monitoring my site rigorously for any illegal intrusion, and there were none that I could see. Still, somehow, my Google search results show these unwanted and hacked result titles.
The first time I was hacked was early December 2011, and I still do not know how they hacked my site, as there was no indication my site was illegally breached. Remedial measures included upgrading my blog software version and widgets, checking for unauthorized file manipulation through my ISP, adding a couple of security widgets, and manually going through my site’s PHP to see if there were any untoward site redirects. At that time I could not find any definitive deficiency in my site’s security. Eventually Google reindexed my site and life carried on. I never did find out how my site was hacked. I did recall that some of the offending titles did appear in my “Incoming Links” area.
As what happened last December, my content indexes correctly on Google search, but the titles have been replaced with titles selling pharmaceutical products. Click on them and my web pages appear, complete with proper titles. It seems like the hackers have somehow manipulated Google and not my site.
A check from Securi Sitecheck shows that I have no malware or any other infection, though there seems to be some web pages added to indexing that are not part of my site. These are:
Neither of these pages exist on my site. Both these pages redirect to other pages that exist.
I have also gone through Google Webmaster Tools and have verified that Google crawls my site without error and I have no infected pages.
The only place I see reference to these “Buy Pharmaceitucal product without prescription” content on my site are from Incoming Links. The source of these incoming links are from Google itself. I do not know if this is cause or effect.
I continue to search for the security hole.