Hi,

Apologies if I’m posting this to the wrong forum. If I’m told somewhere more appropriate I’ll repost there.  I’m looking for help with a problem which has arisen with Google.

About 18 months ago I did a lot of SEO work to make my site http://www.jeremynicholl.com search friendly. Did all the tags in the source, wrote Google friendly text, the works. Based it around the following keywords:

editorial
corporate
photographer
photography
Moscow
Russia

Once the bots kicked in this worked very well. I rose in the search results until after a few months any 3 word combination put me at no 1, apparently permanently. I checked from time to time, but was always in the top 2 or 3 in Google/Yahoo/MSN.

Then a couple of weeks ago I found I'd disappeared. Not in the top 100: no idea how far down I've gone. The site's still listed in Google though, it just seems I'm being penalised for something.

I've been searching to figure this out, and I think I've found it. A search <site:www.jeremynicholl.com> shows I've been linked to 100s of porn and drug sites. They're not actually links: somebody's built for example a page url www.jeremynicholl.com/ru/panty-gallery.htm
or
www.jeremynicholl.com/icon/ other/carisoprodol-side-effects.html which takes the visitor to hardcore-land.

I assume this what's caused me in problems in Google. My questions are:

Am I correct in assuming this is the source of the problem?
Any idea how I fix it?
And any way to stop it happening again?

By the way I really know absolutely no geek stuff at all, so if anyone does have any answers it would be a big help if you keep them Simple Enough For Photographers.

Many thanks in advance,

Jeremy Nicholl

Looks like you've been hacked like several others were recently.

This is in your source on your index page. I've cleaned it up a bit for obvious reasons.

Thnaks to everyone who's replied, and also for the "Hacked!" link. Someone smarter than me has fixed it, here's his report on the problem in the hope it helps anyone else:


"You've been hacked on 2 different occasions. I've fixed it now.

Your front page index.html, contact.html and archive.html were hacked - on 23 Dec - with a little PHP script that loaded a Javascript from their own site, which rewrote URL's for anyone arriving from Google, MSN, Yahoo, or Live search engines to point at apparent porn. Their server has now gone, been taken down, so the porn links don't lead anywhere. Which means it will have stuffed your rankings at all of those for now.

They had also hacked your .htaccess file so that the PHP script would run

The really evil thing is that they had been using your hosting space and bandwidth. They'd added scores of pages to your site, all the panties stuff etc. The only good news is that no porn images have been put there. It was all just spam redirects, to catch people looking for porn and channel them to www.smut.com. I've been right through the site and can't find any porn images.

Then you were hacked again on 31 Dec with someone embedding a little Carisprodol pharma sales site in /icon/other That one was much simpler, just a few pages, no scripting to deal with. So a different crew.

I have removed all the offending code and pages, so the site is now 'clean'. Nothing I've checked seems to be broken, shouldn't be either.

Oh and I changed your copyright statement from '2003-2005' to '2003-2007' while I was at it

The pages of Google crap links will expire within 1-7 days or so once the crawler spots that the homepage has been updated - that should stimulate it to follow all the legit links and drop all the old spam ones that no longer exist. So within a week it should be back to normal.

I can try and write an .htaccess which will force the links to expire if anyone attempts to follow them from Google - a 'Gone' page would be returned, which should provoke Google into delisting the offending link. But it's tricky because of the huge number of filenames used, it needs some cleverness with regular expressions to pick them all up without also messing up legit filenames. Probably not worth the effort and risk.

But not now anyway 'cos I have to go and do a short interlude of real life.

Oh, and change your FTP password ASAP. 'XXXXXX' is compromised and far too easy to guess anyway - a simple dictionary attack would quickly find it. I run an FTP server at home and see at least a dozen crack attempts a day. That is how they got in, so they know it already. Try a mix of letters and numbers, eg an old registration no for a vehicle you once owned or something else you remember."