I dropped into my Google Analytics yesterday which I hadn't done in a long time - since May. To my surprise I found that search traffic to the site had dropped from about 30% of all visits to under 3%. An alarm bell went off immediately.
Along with this alarm bell I started thinking about my sales and how this could explain a shift in purchasing patterns I've been noticing. Meanwhile, I logged into Webmaster Tools to find two messages waiting for me letting me know that my site had been dropped from Google's index on June 6. Arrrgh!
They claim it's because my site was being used for cloaked content, and quite specifically pharma content. They list a bunch of the terms they claim came from a certain page on the site. They also list a bunch of search queries that supposedly were used to access the site, like "xanax," etc.
The problem is that NONE of this matches what's reported by Analytics. There it doesn't show any suspect keywords having brought visitors to my site ever. Not even a single keyword match for a single visit.
Now, what I don't doubt is that the files on my site were compromised at some point. On June 7 while uploading some pages to my site I discovered an anomaly which led me to discover that a couple of files had been altered and that there were a couple of files which did not belong on the site.
All HTML/PHP pages seemed to be intact and without illegal modification. There was an extra file sitting in my images folder and I believe my downloads folder. The HTACCESS file for the root had been changed and referenced these other folders.
A few days later I received a message from a vigilant customer who said he'd received spam at an address he had constructed specifically for my online store, three years ago. The address was in a database on my site. The database doesn't really contain any other information except a mailing record to track that physical packages were sent. Anyway, more about that later or in another thread. Bottom line is this confirmed someone had been through the site in one way or another.
I re-upped all the pages from my local copy, changed absolutely all passwords remotely associated with the site and contacted Dreamhost customer support. They didn't find any unauthorized logins through any of my domains, which leads me to think someone came in via their servers after having compromised someone else's site on the shared host.
I'm kicking myself in the ass for not having noticed or checked immediately the Google stuff, since while they seem to send me emails 5 times per day about Apps transitions, they never send any about this kind of thing. Right now I'm trying to figure out how to consolidate some of my Google accounts so I can better manage email from them. Anyone know if I can transfer my Webmaster Tools ownership from one Google account to another?
I have to run right now so I'll be back a bit later with more info and some questions for Google and web security gurus...
Edited by hybrid8 (23/07/2011 19:15)