website marked as "may be hacked" by google

website marked as "may be hacked" by google - .htaccess files are extremely useful in many cases for users who either do not have root permissions or for users who simply aren't comfortable in making changes in their web server's configuration file. Trying to debug .htaccess not working isn't always the easiest thing to do, however, hopefully by checking the discuss below mentioned about google-search-console, htaccess, url, hacking, .htaccess common problems as well as the troubleshooting tips, you'll have a better grasp on what you may have to modify to get your .htaccess file running smoothly.Problem :

My website is marked by google as "may be hacked". Through the admin panel of google search console, I see several links that are list as "URL injections".

My site is built with opencart. As you can see from the image there are two new entries of today(7/4/2016). I open these two links and there are no actual contents on them, just opencart's 404 page. I go through the HTML but no abnormal script or content is found. I use google's "fetch as google" feature, it seems what google fetches is not different from what I see from browser's view source panel.

So my questions(mostly out of curious, not merely aiming to solve the problem) are:

1. How does google determine these pages are compromised if there are no malicious code can be found from both my browser or google's "fetch as google"?




2. How does the hackers take advantage of these "injected URLs" if there are no actual malicious content or script on them? Or is the malicious content/script only visible to some certain people(not including me obviously)?

Solution :

How does google determine these pages are compromised if there are no malicious code can be found from both my browser or google's "fetch as google"?

Google may be using a separate IP address that is not the same as that used when the "fetch as google" operation is performed. For example, someone actually working at google might be randomly manually scanning your page and could find something different.

How does the hackers take advantage of these "injected URLs" if there are no actual malicious content or script on them? Or is the malicious content/script only visible to some certain people(not including me obviously)?

The latter. Your server is programmed to deliver different content based on IP address and/or group of IP addresses. Look for configuration files like .htaccess if you have apache and remove any lines that look like IP addresses. You want to serve the same guest content to all guests to your site.

Also, check the opencart PHP code and look for anything in there that would cause different content to load based on remote IP address. It's likely that your .htacccess or the PHP code itself is modified to the hackers needs.

Additionally, if you would like to do some further testing, give the htaccess tester tool a try. It allows you to specify a certain URL as well as the rules you would like to include and then shows which rules were tested, which ones met the criteria, and which ones were executed.