It's been a while since I developed my web site using concrete5 5.6.3.4, and I am embarking on updating the site to v9, but I have a perplexing problem with the existing site which I am hoping someone can shed light on.
Google Search Console shows approx 90,000 404 errors to links on my site, like this: “https://mydomain/lowpr/php?/U451783”. These links always have the lowpr.php? followed by a letter and random number.
Is this some malfunction of the CMS? Or could the site be compromised? I have spent quite some time looking where these links come from without success. I’m not quite ready to move over to v9 just yet so ideally want to find the cause of this first.
From my experience your server is most likely compromised. I did some googling for lowpr.php. Every site I find containing a link like that is dead in the water…
lowpr.php is usually a sign of a hacked WordPress or PrestaShop website; well, it seems this can affect Concrete’s website too. You have to clean your website from malicious code. Usually it’s in an Apache-writable directory and enclosed in PHP files, most probably encrypted (but maybe not if you’re lucky and the hacker stupid).
Try something like:
find . -name "*.php" -exec grep -l lowpr {} \;
or firstly find an infected file with malicious code crypted then
Thank you for your comments and recommendations. My ISP seems to have removed the backdoor malware but I’m still getting 404’s on Search Console. So far I have not found any instances of the “lowpr” in the website code nor identified any encrypted files. I can find links in the database but these may just be related to 404 errors. Unfortunately I only have an old backup of the site and I don’t want to risk breaking the site. Next I’m going to search the database for suspicious functions based on what I’ve read about hacked sites to see if anything can be found.
In a compromised site the malicious code may be outside just .php files.
I would first disable and clear all cache, create a .sql dump of the database (mysqldump) that is not readable by the web server, and then make a backup of all the site files.
Then instead of find/grep run this from the site directory - replace lowpr with any other appropriate string you are looking for:
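An added example, not the poster's command and not code from this thread: one way to search every file type for a string and also flag non-PHP files that contain a PHP open tag. The function names `scan_site` and `demo`, the output labels, and the sample files are all constructed for illustration.

```sh
# Added example, not a command from the thread. Sample files are constructed.

# scan_site ROOT STRING
# Prints "reason: path" for every hit under ROOT.
scan_site() {
    root=$1
    needle=$2

    # 1. Any regular file, whatever its extension, that contains STRING.
    #    -a reads binary files as text, -i ignores case,
    #    -F takes STRING literally, -l prints only the file name.
    { find "$root" -type f -exec grep -laiF -e "$needle" {} + 2>/dev/null || true; } |
        sed 's/^/marker: /'

    # 2. Files not named *.php that still contain a PHP open tag.
    { find "$root" -type f ! -name '*.php' -exec grep -laF -e '<?php' {} + 2>/dev/null || true; } |
        sed 's/^/php-in-nonphp: /'
}

# demo: build a small constructed tree and scan it from inside, the way
# the post says to run the search from the site directory.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/files/cache"
    printf '<?php echo "home";\n' > "$t/index.php"
    printf '<a href="/LowPR.php?/U1">x</a>\n' > "$t/note.html"
    printf 'GIF89a <?php /* constructed */ ?>\n' > "$t/files/cache/logo.gif"
    printf 'nothing to see\n' > "$t/readme.txt"
    (cd "$t" && scan_site . lowpr | sort)
    rm -rf "$t"
}

demo
```

A literal-string search like this only finds code that contains the string in clear text; it will not match payloads that are encoded or encrypted, which an earlier reply notes is the more likely case.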
Thank you all for your comments. It seems my site had been infected with something called the ‘Japanese keyword/SEO hack’. My hosting provider had removed the malware and rehosted the site on a new server equipped with ‘immunify’. Maybe they removed the backdoor/downloader but I was not convinced the malware was gone totally, because of persisting 404 errors on Google Search Console.
After spending days on this I have not found anything using your suggested searches, other than logs in the database provided by the ‘url director’ addon (now removed). I have replaced concrete5 core files as a precaution and now will just wait to see if the 404 errors stop getting reported. It seems Google has the 404s indexed (although not available in search results) so hopefully in time Google will remove them from the index and stop seeing the 404’s.
Have you registered your site with Google Search Console Tools? It is a very useful Dashboard that allows you to see detailed Site Performance and perform URL Inspection (among other things). It is very easy to install (as long as you have access to the site’s DNS settings: you add a specific TXT Record), and you can use it to speed up the process of fixing or removing troublesome links, as well as receiving monthly reports on site health and performance.
Yes, that’s how I knew about all the 404’s. What I’ve done now is to add the following to the top of my .htaccess in order to redirect all the spam links as 410’s (‘G=Gone’).