Viagra comments in my Yahoo cache


antispm768

Please forgive me if this thread has been discussed before - I did a search and couldn't find anything.

I've been getting a lot of Buy Viagra emails lately.

I did a search for my email address on Google and found a couple of PDFs on my site that contain the email address. I assumed these were the culprits but before I redid them without the email address I did a search in Yahoo, which I rarely use. Anyway, in the cache description are my keywords but also viagra, cialis etc...

I open the cache and there at the bottom of the page is comments code with a sh*t load of viagra text and links to a website

http://www[dot]calt[dot]insead[dot]edu/

(I put the [dot] in as I am not sure if the sp*mmers can use this page as a vault to their site.)

What can I do here so the cache on Yahoo doesn't have these viagra links? Can I delete my site from Yahoo? Is that the answer?

Thanks

Matt (really dirty about this whole business)

Hi Matt,

Everyone gets lots of "viagra" spam but if you could find your address by Googling it's a fair bet spammers have been finding it too and if you can remove the source you may stop more of them doing the same. Replacing the text version of the address in your PDFs with a graphic one would also do the trick though undeniably with some remaining risk - if it doesn't need to be there, take it out. The thing is, once your address is in circulation it is not likely to fall out of circulation, "closing the stable door after the horse has bolted" is one way to put it.

More important is the hacking of your "cache description". Not sure exactly what you refer to here but presumably this is a member summary of your (Yahoo) website on the Yahoo internal search engine? By "cached" do you mean you can't edit it? I'm not getting the picture. In any event, it sounds like you need to report this to Yahoo security (before changing any of the evidence, that being the spurious keywords). There's surely something I'm not getting here but I'm sure Yahoo would be interested.

calt[dot]insead[dot]edu by the way seems to be entirely legitimate. I checked it on LinkScanner online and SiteAdvisor (neither is perfect assurance) and I had a look and that reassures me. But no need to give any site a free ride with the search engines.

Okay, Matt has clarified by PM, not wanting to have his address bandied about more than it already is but the issue is purely about the Yahoo search engine (not web hosting) and what appears to be some multiple hacking which affects his cached (but not current) website (one page) and a non-public page of the aforementioned .edu - the hidden links to which I have seen in the page source of Matt's cached site via Yahoo search and also observed, still current, at the .edu. No issue with Google because Matt's affected page is not cached in Google (possible issues of discovery and removal there - I couldn't find the current page either).

Suggested action is to contact both Yahoo and the .edu, in that order. Wazoo copied into PM to Matt with the details. Bloody hackers.

Further thoughts - it is unlikely the (hacked) cached copy is anything other than a copy of the site as it existed (ie Yahoo not directly implicated), noting this was timestamped 14-Nov-2007 8:47 PM. The current timestamp (unhacked site) is 26-Dec-2007 12:00 PM. How and by whom was the current version loaded? Unfortunately the WayBack machine has a six month lag so cannot currently be used to check the insertion and deletion dates of the additional material if that is what happened - sometime on or before 14 Nov but more recently than mid June.

Anyway, whoever it was might have some ideas

  • how to get the corrupt copy off of Yahoo
  • how to get reinstated on Google
  • how to stop the corrupt copies hitting the WayBack archives in 4-5 months time

Or I might be on the wrong track completely.

Got the PM, did some research, see that Farelf posted while I was taking even more notes. There are a number of issues that I see, but yes, I agree with Farelf's thoughts (as I think I understand them <g>) .... From what I see, this site was hacked a while back. Someone did some work to 'fix' it, but there are some oddities still floating around.

For example, doing the same search as described in your PM, the initial result offers the 'first' link as <your Domain>/patp/ .... taking a look at that page, one sees a 302-redirect back to the 'main' page. In my opinion, the work done to 'fix' the hacked site issue should have resulted in this page request being met with a 404-doesn't exist type message.

Somewhat strangely, clicking on the "show me all the results" link on that Yahoo Search return page brings up the 'main' page as the first link ... no mention seen of the /patp/ sub-folder. Not going to try to come up with an explanation for that, only going to state that it would appear that Yahoo needs to be contacted about this sub-page showing up as the initial/first return. (Of course, one would want to find and remove the actual link that apparently exists somewhere on that site .. if it's not an actual folder/directory, then there may be something written into an .htaccess file that's causing the redirect)

If you know nothing about this, didn't perform the 'fix' ... then the next best guess would be that your site was included in a server hack/break-in and Yahoo staff deleted the hacked extra material and apparently didn't say anything to anyone that (apparently) didn't notice it.

The actual hack probably was not noticed while it was in place because the code involved was wrapped up in some HTML < font > tags, thus not 'visible' in most browsers. I'm not going to try to get involved with trying to sort out just what the embedded JavaScript/document.write crap was actually attempting to do, just going to leave it that primary focus was the search-engine-result-stacking.

If you take a look at your server logs, see how often the Yahoo search-bots visit (and of more critical note, just what pages they are looking for.) As there was an update done yesterday, a new 'copy' should be captured sometime 'soon' and that updated copy will eventually replace the 'hacked' version of the page. The point being that things may take care of themselves somewhat quickly now that the hacked/extra code has been removed.

My immediate concern would be the lack of attention that allowed the hack to happen, what has been done to prevent it from happening again, and if Yahoo was aware of it, why they didn't contact you directly about it. (Some of this has a bit of a guess behind it, as there was no mention of yesterday's edit in any traffic seen 'here' thus far, and whether that edit included removing all this extra code. Noting the 'changed' file dates would have offered a clue as to just when it happened, but that data may be lost now.)

The .edu links are there as that web-site was also hacked with the same pill-pages added there.

NOTE: those pages still exist ..... a Microsoft server .... ht tp://www.calt.insead.edu/lib/nusoap/cnf/tmp/3/page.php actually found (and can't help but laugh at the complaint/error message included;

Notice: Undefined index: q in d:\Inetpub\wwwroot\lib\nusoap\cnf\tmp\3\page.php on line 74

(caused because I didn't use a 'full' URL that included the specific wonder drug query)

The actual 'payload' of the sales pitch leads one to ht tp://allpill.org/ which is actually pretty well known as yet another nasty spammer site. Hong Kong based with a .ru contact address, created way back on 19 Dec 2007 ... a definitely trustworthy business <g>

BTW: if it was ever a question, the web-site hack really has no direct connection to the spem e-mail. Different tools, different approaches, different techniques involved, so it's very doubtful that it would be the 'same person' involved.

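The server-log check suggested in the post above, as an added example that is not part of the original thread: it tallies which paths a crawler identifying as Yahoo! Slurp requested and flags paths still answered with a redirect, as with the /patp/ request. It assumes Apache "combined" log format; the sample lines are constructed, and a user-agent string alone does not prove a request came from Yahoo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/NCSA "combined" log format is assumed; adjust the pattern for other formats.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

SLURP = "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"
# Constructed sample lines (documentation IP range, invented timestamps and sizes).
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [26/Dec/2007:12:05:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "{SLURP}"',
    f'192.0.2.10 - - [26/Dec/2007:12:05:09 +0000] "GET /patp/ HTTP/1.0" 302 0 "-" "{SLURP}"',
    f'192.0.2.11 - - [27/Dec/2007:03:41:30 +0000] "GET /patp/ HTTP/1.0" 302 0 "-" "{SLURP}"',
    '198.51.100.7 - - [27/Dec/2007:09:00:00 +0000] "GET /patp/ HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/2.0"',
    f'192.0.2.10 - - [27/Dec/2007:10:15:00 +0000] "GET /robots.txt HTTP/1.0" 200 64 "-" "{SLURP}"',
])

def crawler_summary(log_text, ua_marker="Yahoo! Slurp"):
    """Per-path hit count, status codes and last visit for one crawler user-agent."""
    paths = defaultdict(lambda: {"hits": 0, "statuses": set(), "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or ua_marker not in m["ua"]:
            continue  # unparseable line or a different client
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entry = paths[m["path"]]
        entry["hits"] += 1
        entry["statuses"].add(int(m["status"]))
        if entry["last"] is None or ts > entry["last"]:
            entry["last"] = ts
    return dict(paths)

def leftover_redirects(summary):
    """Paths the crawler still gets a 3xx for; a removed page would normally answer 404."""
    return sorted(p for p, e in summary.items()
                  if any(300 <= s < 400 for s in e["statuses"]))

if __name__ == "__main__":
    summary = crawler_summary(SAMPLE_LOG)
    for path, e in sorted(summary.items()):
        print(path, e["hits"], sorted(e["statuses"]), e["last"])
    print("still redirecting:", leftover_redirects(summary))
```

The last-visit time per path shows whether the crawler has fetched the page since the cleanup, which is when a fresh cached copy can replace the old one.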

Thanks for the message Wazoo.

I'll have a read later and try to digest it all

:-)

I did contact Yahoo and await their response.

I also did a search for my other emails and didn't come up with any other 'covert' cached webpages of mine in Yahoo.

I had half a dozen more V*agra emails today, so I might have to change emails perhaps.

I have been using antispam software (Sp*mstopper - Mac) on my websites for 8 months now - that has dramatically reduced sp*m - the most effective options in that app seem to be JavaScript versions of the email addresses - they are broken up and rejoined somehow.

Anyway, enough for now

Thanks again and also Farelf

-Matt

Archived

This topic is now archived and is closed to further replies.
