Google uncovers spammers hacking sites

Back on July 27, 2006, Neonblitz asked SearchEngineWatch members for help in discerning why a client's site was showing up with some porn related phrases when searching for the domain name in Google.  Those phrases were nowhere to be found on the site, yet it appeared as if they were, when looking at the description in the SERPs.

Matt Cutts originally chimed in that it looked like the site was using cloaking, and that he suspected the webhost was monkeying with the client's site, inserting porn links into the page.

Today, Brian White, a member of Google's webspam team alerted everyone to the actual cause of the problem.  He said,

We've discovered that the likely explanation is that a third party gained access to a number of sites and dropped files in these accounts (including a modified .htaccess using rewrite rules) for the purpose of rewriting the home page through a proxy script. The proxy script adds links when Googlebot visits, and in a sinister twist, adds the rel=nofollow link to cap off PageRank bound for any external URL not under control of this third party. As Danny noted, they also add a NOARCHIVE meta tag to disable the cached version in results.

We've taken care so that the malicious party doesn't receive benefit of PR from the affected websites.

We don't know how the third party got the files on the webhosts, but cPanel seems to be the common denominator. We're in touch with some hosts who appear be affected by this.

At the risk of allowing the folks who created this to adapt, you can use Google Translate to confirm the behavior. Check any of the affected sites (no Cached link) on the Google search ["hairy sex porn free"] via Translate to see the cloaking, since the proxy script checks for a visit from Googlebot IP addresses, and doesn't discern between a regular crawl visit and a Translate request.

Thankfully, this particular spammer/hacker has been caught out.  It definitely makes me nervous to think how many more may be out there.