Google lists non-existent downloader as site link

[heavymental]

Hi! If this forum isn't the right place for my post, please guide me to the right place.

Google's Webmaster Tools has been showing the following for a very long time:

These are some example pages from your site and the time that they take to load in a browser (in seconds).

/imprss/101ktm.php 4.0

The path is for an HTTP POST request from a Windows trojan downloader:

http://www.drwebhk.com/en/virus_tech...er3.18860.html

My server (shared hosting) is Apache and my personal computer is a Mac. None of the files related to this downloader appear on either my server or my personal computer.

Why does Webmaster Tools think this file has anything to do with my site? How do I fix this?

Thanks in advance for any help you can provide!

[dklynn]

hm,

If you don't have that in your directories (check via FTP) then there shouldn't be a problem. Hackers are sneaky so they may have compromised your webspace (use VERY strong passwords and work with your host to run maldet scans until it reports that you're clean - more than removing all .exe files!). To correct the Google link, though, merely use mod_rewrite in your DocumentRoot to update their database:

Code:

RewriteEngine on
RewriteRule ^imprss/101dtm\.php$ http://example.com/index.php [R=301,L]

You could have used a Fail code but that wouldn't help your visitors.

Regards,

DK

[heavymental]

Hi!

Thanks for the reply.

I've carefully looked through every single hosted file, hidden or not. There's nothing there that shouldn't be there. Since this file doesn't exist on our server, I don't think a redirect is necessary. After all, attempts to access it will just get a 404 error.

Webmaster Tools has a way to remove a URL from the Google index, but this link isn't in the Google index, either. The only place I see it is at Webmaster Tools. They've been showing it for at least a year.

You'd think by now it would have disappeared, since they know it's doesn't exist. Frustrating!

BTW, the password is already very strong.

[dklynn]

hm,

Gudonya for using a very strong password (and changing it regularly, I presume?)! That would mean that you're not a blonde, wouldn't it?

If anyone comes to your site via that link, wouldn't it be better to redirect appropriately (rather than merely using a "dumb 404" - and the mod_rewrite code should tell all SE's to remove that silly link and replace it with ...)? It's better to use a "smart 404" which guesses the visitor's intent or even mod_speling which corrects simple typos and CaPiTaLiZaTiOn errors. At least redirect to the Home Page if you don't have a sitemap page.

Regards,

DK

[heavymental]

I defer to your (much) greater knowledge. Combining all the changes I've made to my .htaccess file in response to forum answers, I now have the following. (Includes an anti-hotlinking change that still allows in Google, Yahoo & Bing.) Please note the change from "index.php" to "index.htm". Does this all look kosher to you? If so, up it goes!

RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.example\.com$
RewriteRule .? http://example.com%{REQUEST_URI} [R=301,L]
RewriteRule ^imprss/101dtm\.php$ http://example.com/index.htm [R=301,L]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?example\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?google\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?bing\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?yahoo\.(.+)/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]

ErrorDocument 400 /scripts/404.htm
ErrorDocument 401 /scripts/404.htm
ErrorDocument 403 /scripts/404.htm
ErrorDocument 404 /scripts/404.htm

Thanks (yet again!) for all your help.

[dklynn]

hm,

Knowledge is meant to be shared ... and I need a bunch in other areas ... but thanks.

IMHO, you're overkilling the RewriteConds for the anti-piracy (two googles, two bings and two yahoos and requiring at least one character after the domain name) ... but not by much! You've shown a good knowledge of regular expressions the way you've handled subdomains et al. I'll leave it to you if you're interested in combining the pairs into single RewriteCond statements.

Regards,

DK

[heavymental]

I'm ashamed to admit that my knowledge of regular expressions is newbie at best. What I'm good at is "frankensteining". I.E., taking what other people have written and molding it into what I need. SO... it will take me awhile to figure out how to combine the pairs into single RewriteCond statements, but it should be a good learning exercise.

Since the domains in the RewriteConds show the domain without the TLD, wouldn't it be wise to require at least one character? Or am I missing something?

I'm going to be away from my computer for much of this week, so there's no hurry in replying. As always, I value your advice, and I also hope that these Q&A threads might help others.

[dklynn]

Frankie,

You're selling yourself short. The regex you used was at least moderate level and appeared spot on!

If you have trouble with your "exercise," ask questions. Hint: What's the difference between

Code:

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?bing\.(.+)/ [NC]

and

RewriteCond %{HTTP_REFERER} !^http://(.+\.)?(.*\.)?bing\.(.+)/ [NC]

I'm still a bit disturbed by the "junior" EVERYTHING atom after bing because it can include the tld, /, path and filename, none of which are needed because you are (properly) not using the end anchor. See below for what I'd recommend to replace that for just the tld.

While you don't need the tld, it's generally wise to be sure that there is a tld (and it's not a bogus subdomain of someone else's website, e.g., www.google.example.mysite.com).

What I would recommend is either a list of acceptable options, e.g., example\.(com|org|net) or a pair of character range definitions which exclude . which are separated by a . where the second part of the tld is optional, i.e., ^www\.othersite\.([a-z]+(\.[a-z]+)?)$. If that isn't clear, google.com might also be google.co.nz so the country part of the two-part tld is also handled.

Regards,

DK