: Google reports URL injection - but the reported URL returns a 404 even when fetched as Google Yesterday we found out that in Google Search, the website is reported as "This site may

@Kaufman445

Posted in: #GoogleSearch #GoogleSearchConsole #HackedSite #Security

Yesterday we found out that in Google Search, the website is reported as


"This site may be hacked."


It is a Joomla website. In webmasters tools there is a report for URL Injections. There is only 1 url showing there and it looks like a .html url page inside Joomla's /cli directory. I followed the URL and all I got was a 404 error for that page. I inspected the cli directory via FTP and also found nothing there.

We are hosting on managed Dedicated Server with a high reputable and experienced host. We are putting a lot on security. For example we run daily malware scans and file changes scans, we have strict firewall rules and WAF enabled, we have latest Joomla version installed and all extensions we have installed are reported as non vulnerable. From the scanners reports we have not seen any unexpected changes in the files/directories structures. I reviewed the htaccess - nothing suspicious in there also.

I tried to fetch as Google the reported URL - first it was not allowed, as the cli directory is disallowed through robots.txt. I changed the robots.txt temporary, and tried again and Google crawler reported back that this is a 404 page.

I also did the site:example.com search but this URL isn't appearing in the results - also no other unexpected urls appeared there.

I also tried to reach to this URL via pingdom, gtmetrix, a VPN connection using a few different IP locations and still everything I get is a 404.

So, having done everything Google suggests and even more, I submitted a request for review in webmasters tools.

However, today I checked the webmasters security issues report again and this same URL is showing with last detected date of today.
I did all tests again from scratch - still this URL isn't existing on our website. I submitted again a request for review - asking for some feedback and more clues from Google - e.g. a referrer page - not sure though if Google is able to respond via this channel.

But how can Google see this URL as an existing page in our website?
Add to this that our cli directory is disallowed through robots.txt.

Also, what else do I have to do in order to remove the mark of this site might be hacked?
Any chance this is something like a bug/error by Google?

Also, I am posting here the part of the URL Google reports as URL Injection - as it may be something someone from you might have seen again:

/cli/Qv2-shopping_ocsU8.html


Any input, suggestions are appreciated.

Update 1

I also have checked the access logs for this URL. The first entry I found was my own first try to reach to this URL, after finding in webmasters with a 404 HTTP response. Google is only reported later on, after I was requesting to crawl that URL - again logged with a 404 response.

I have no clue so far of how and why Google has discovered and reporting this URL.

Update 2

Some days later and various efforts, Google Webmasters Tools is still reporting that URL as a detected one.

What else I have done:
Explicitly allowed GoogleBot in our robots.txt to access the said url, as previously it was not allowed to crawl it, and fetching it as google it was stopping because of the robots.txt. So now Google can see this URL is a 404.

Now from the Security Issues menu this is the road I am taking:


I see the injected URLs report - last detected 2016-11-22
Clicking Show Details.





In the details window I see the option to fetch as Google, which I click to do..





Fetching as Google returns a 404 error for that URL.



I have submitted many times that the issues are fixed and request a review - but nothing happens and Google always update the report saying that this URL is last detected again every day.



I am out of other ideas of what to do here.

Vote Up Vote Down

Login to post a comment!