Nasty Hacks Hijack Your Site’s Traffic

Any popular content management system, be it for a blog, a website or a forum, is going to be targetted by hackers at some point. They'll try to find ways to exploit any security vulnerability that they can find.

To be honest you could expand that statement and simply say "any popular software".

If the hack is a defacement or similar you'll notice it pretty quickly, but other types of attack are much more subtle.

Instead of visibly changing a site they'll take its web traffic.


By intercepting traffic coming from certain sources. So, for example, if you visit the site by typing the address directly into the address bar you won't notice anything, but  if you follow a link from Google or other search engines you get sent somewhere else entirely ie. they intercept search engine visitors.

This kind of compromise has hit pretty much every CMS out there at some point and it's a hard one to spot unless you take the time to check your web stats regularly. If you notice a sudden dip in traffic then that might be an indicator.

Another way to check, in conjunction with your web stats, is to check Alexa. Yes - Alexa can be useful for something! 🙂

Here's a screenshot of the stats for a site that was infected by a Vbulletin hack:

Alexa clickstream - downstream sitesThe top two sites are not legit and being used by a number of hacks targeting Vbulletin installs to hijack traffic.

If you're using Vbulletin there are a couple of tools available that can help detect and remove infections. Vbseo has a good thread on a hack that impacted them and also provide both removal and monitoring tools. There's also a plugin that will check your vbulletin install for dodgy code. Most of the vbulletin hacks I've seen hide themselves in the datastore, so reloading it can remove them, though obviously you need to find the point of entry or it'll just get reinfected again.

If your site is setup in Google webmaster tools you can keep an eye out for any notifications there. While Google's tools may not catch all hacks they can spot quite a few and will also do things like informing you of updates to your CMS.

No matter what CMS you are using make sure you keep it up to date AND check for updates for any plugins or extensions you might be using. Remember the TimThumb security issue last year? Thousands of WordPress installs were compromised via a hole in a popular script that was being used by a lot of templates, themes and plugins. Nasty!

Remove plugins and extensions that you aren't using. Even if they're not "active" a malicious 3rd party could exploit them.

If you're running WordPress remove themes that you aren't using. The defaults ones that ship with WordPress will be kept up to date automatically, along with your core WordPress install, but a lot of 3rd party theme developers don't provide notifications or automated updates.

If anyone has any other tips or tricks please share them via the comments.

Related Posts:

, , , , , ,


  1. IWF redirecting from Google searches - April 22, 2012

    […] Just posted this which is in relation to the problems here, but also expanded a bit to cover other CMS, since this kind of attack is unfortunately pretty common Nasty Hacks Hijack Your Site's Traffic […]

  2. Traffic Levels Returning After A Fix - April 30, 2012

    […] I mentioned in my previous post, the malware was stealing the site’s search engine […]

  3. Website Traffic And Hacks - July 7, 2012

    […] Once the hole had been plugged properly the traffic levels returned to normal. […]

Leave a Reply

Notify me of followup comments via e-mail. You can also subscribe without commenting.

Powered by WordPress. Designed by WooThemes