Concrete 5.6 generating thousands of random links "/lowpr.php?"

It's been a while since I developed my web site using concrete5 5.6.3.4 and I am embarking on updating the site to v9, but I have a perplexing problem with the existing site which I am hoping someone can shed light on.

Google Search Console shows approx. 90,000 404 errors for links on my site, like this: “https://mydomain/lowpr/php?/U451783”. These links always have the lowpr.php? followed by a letter and a random number.

Is this some malfunction of the CMS? Or could the site be compromised? I have spent quite some time looking for where these links come from, without success. I’m not quite ready to move over to v9 just yet, so ideally I want to find the cause of this first.

Any advice or insight?

Thanks

Nigel

From my experience your server is most likely compromised. I did some googling for lowpr.php. Every site I find containing a link like that is dead in the water…

1 Like

lowpr.php is usually a sign of a hacked WordPress or PrestaShop website; well, it seems this can affect Concrete websites too. You have to clean your website of malicious code; usually it’s in an Apache-writable directory and enclosed in PHP files, most probably encrypted (but maybe not if you’re lucky and the hacker stupid).

Try something like:

find .  -name "*.php" -exec grep -l lowpr {} \;

Or first find an infected file with encrypted malicious code, then:

find . -name "*.php" -exec grep -l SUBSTRINGofMaliciousCodeEncrypted {} \;

Then replace all those files with official files.

Check your DB too, to be sure the code is not injected in it.

But anyway, you’ll have to find the door used by the hacker; if not, it will come back.

1 Like

Thank you for your comments and recommendations. My ISP seems to have removed the backdoor malware but I’m still getting 404s on Search Console. So far I have not found any instances of “lowpr” in the website code, nor identified any encrypted files. I can find links in the database but these may just be related to 404 errors. Unfortunately I only have an old backup of the site and I don’t want to risk breaking the site. Next I’m going to search the database for suspicious functions, based on what I’ve read about hacked sites, to see if anything can be found.

In a compromised site the malicious code may be outside just .php files.

I would first disable and clear all cache, create a .sql dump of the database (mysqldump) that is not readable by the web server, and then make a backup of all the site files.

Then instead of find/grep run this from the site directory - replace lowpr with any other appropriate string you are looking for:

# look for "lowpr". grep -lFr = list file names, fixed string (non-regex), recurse directories
# "." instead of "*" so that dotfiles such as .htaccess are searched too
nice grep -lFr lowpr .

After the cleanup (remove the .sql file), generate a new sitemap.xml and make another backup of files/database.

Re-enable the concrete cache, and run this to prime it:

pushd /tmp;
nice wget --delete-after -r -nd \
  --spider -R txt,js,css,jpg,png,gif https://yoursite.com/

Submit the new sitemap.xml to Google search console.

Take a day off to spread peace and happiness across the universe, and wait for the positive results :sunglasses:

Any real stubborn 404s can easily be handled with 301 redirects to the home page in .htaccess (or really large files on the hacker’s site :skull_and_crossbones:).
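
A broader sweep than a single-string grep, covering the two posts above (injected code in PHP files, and code hiding outside .php files). This is an added example, not code from any poster in this thread; the function names, the marker list and the `files` upload directory name are assumptions to adapt to the site.

```shell
#!/bin/sh
# Added example: triage sweep of a web root after a suspected PHP injection.
# Marker list and directory names are assumptions, not taken from the thread.

# Wrappers commonly used to hide injected PHP, plus the string from the thread.
MARKERS='lowpr|(eval|assert)[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)'

# 1. Any file (dotfiles such as .htaccess included) that contains a marker.
find_markers() {
    grep -rlE -- "$MARKERS" "$1" | sort
}

# 2. Files that contain a PHP open tag but are not named *.php
#    (for example a script disguised as an image or .ico file).
find_disguised_php() {
    find "$1" -type f ! -name '*.php' -exec grep -lE '<\?(php|=)' {} + | sort
}

# 3. PHP files under an upload directory, where a CMS normally stores only media.
find_php_in_uploads() {
    find "$1" -type f -path "*/$2/*" -name '*.php' | sort
}

# Print all three lists for a site root; the upload directory defaults to "files".
sweep() {
    root=$1
    uploads=${2:-files}
    echo "== marker hits";       find_markers "$root"
    echo "== PHP outside *.php"; find_disguised_php "$root"
    echo "== PHP in $uploads/";  find_php_in_uploads "$root" "$uploads"
}

# Run as: sh sweep.sh /path/to/site [upload-dir-name]
if [ "$#" -gt 0 ]; then
    sweep "$@"
fi
```

Every hit is a file to inspect by hand or compare against the official release, not proof of infection on its own.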

Thank you all for your comments. It seems my site had been infected with something called the ‘Japanese keyword/SEO hack’. My hosting provider had removed the malware and re-hosted the site on a new server equipped with ‘Imunify’. Maybe they removed the backdoor/downloader, but I was not convinced the malware was gone totally, because of persisting 404 errors on Google Search Console.

After spending days on this I have not found anything using your suggested searches, other than logs in the database provided by the ‘url director’ addon (now removed). I have replaced concrete5 core files as a precaution and now will just wait to see if the 404 errors stop getting reported. It seems Google has the 404s indexed (although not available in search results), so hopefully in time Google will remove them from the index and stop seeing the 404s.

Thank you

darkmatter,

Have you registered your site with Google Search Console Tools? It is a very useful dashboard that allows you to see detailed site performance and perform URL inspection (among other things). It is very easy to install (as long as you have access to the site’s DNS settings: you add a specific TXT record), and you can use it to speed up the process of fixing or removing troublesome links, as well as receiving monthly reports on site health and performance.

I use it for all of the sites I develop.

Craig

Hi Craig,

Yes, that's how I knew about all the 404s. What I’ve done now is to add the following to the top of my .htaccess in order to redirect all the spam links as 410s (‘G=Gone’).

# Answer 410 Gone for the spam URLs (/lowpr.php?...)
RewriteCond %{REQUEST_URI} ^/lowpr\.php [NC]
RewriteRule ^.*\.php$ - [L,NC,G]

Hopefully Google will see that they are permanently removed and de-index them.

Time will tell.

Nigel