This site may be hacked

I got a disturbing text a few days ago. Seems that when a business associate looked up my business name in Google, they saw a message, just below the main site URL, that said “This site may be hacked”.

You can see an example of this message here.

Grammar aside (Google is not giving permission to hack the site, they are letting me know that the site might already be hacked), this is a pretty disheartening message to see, especially on a site you worked so hard to bring to life.

In a nutshell, the message is telling you that Google scanned your site and has detected the possibility of malware. In their words:

You’ll see the message “This site may be hacked” when we believe a hacker might have changed some of the existing pages on the site or added new spam pages. If you visit the site, you could be redirected to spam or malware.

In my case, I had an old install of WordPress on the site, one that I no longer used and one that was not exposed via any publicly linked pages. Somehow, the varmints got in and added some extra PHP files to the site. The code was cryptic, using arrays of bytes that clearly held a stream of code to be executed by another chunk of code.

No matter, I wiped the server clean, changed my passwords, reinstalled the site from backup. By the time I got all this done and tested, it was late and I was done for the day. All that remained was to figure out how to connect to Google to get the site rescanned.

Woke the next morning, ready to dive into the Google bureaucracy, and what do you know, the message was gone. My theory is that Google maintains a list of hack-tagged sites, rescans on a regular basis.

I have to say, I appreciate the help Google. You really had my back there. Thanks.