Hacked content detected by Google Search Console

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
8 years ago
Received an email from Google Search Console stating my site had malicious


"Google has detected that your site has been hacked by a third party who created malicious content on some of your pages. This critical issue utilizes your site’s reputation to show potential visitors unexpected or harmful content on your site or in search results. It also lowers the quality of results for Google Search users. Therefore, we have applied a manual action to your site that will warn users of hacked content when your site appears in search results. To remove this warning, clean up the hacked content, and file a reconsideration request. After we determine that your site no longer has hacked content, we will remove this manual action.

Following are one or more example URLs where we found pages that have been compromised. Review them to gain a better sense of where this hacked content appears.

/wp-opml.asp?xilishixiaoguo=17356

The list is not exhaustive."

I'm not sure how this was included in my site, but connecting to my file server there are several .asp files in the root directory of my site. I'm the only one with password permissions for file upload. Not real sure how they were added but my last site backup doesn't show the files. Anyone else having issues or was I just a lucky contestant? Here are a few files I found that were copied. Haven't made it through the rest of the folders, but will be doing that now.

AboutUs.asp
blog-footer.asp
category.asp
confirm.asp
cron.asp
footer.asp
help.asp
license.asp
licenses.asp
Mapzoom.asp
userprofile.asp
wp-opml.asp
wp-webmail.asp
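An added example (not part of the original post): one way to work through every folder is to download the site and compare it against the last known-good backup, listing files that were added or changed. The directory layout, the `UNEXPECTED_EXTS` set and the sample files built in `demo()` are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file types the site owner does not expect to find on this site.
UNEXPECTED_EXTS = {".asp", ".aspx", ".asa"}


def manifest(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_against_backup(live_root, backup_root):
    """Compare a downloaded copy of the live site with the last known-good backup."""
    live, backup = manifest(live_root), manifest(backup_root)
    added = sorted(set(live) - set(backup))
    return {
        "added": added,
        "modified": sorted(f for f in live.keys() & backup.keys() if live[f] != backup[f]),
        "missing": sorted(set(backup) - set(live)),
        # Added files of a type that does not belong on the site get reviewed first.
        "suspect": [f for f in added if Path(f).suffix.lower() in UNEXPECTED_EXTS],
    }


def demo():
    """Build two small constructed trees and return the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for root in (backup, live):
            (root / "assets").mkdir(parents=True)
            (root / "index.html").write_text("<html>front page</html>\n")
            (root / "assets" / "site.css").write_text("body { margin: 0 }\n")
        # Constructed changes standing in for what the post describes.
        (live / "wp-opml.asp").write_text("placeholder\n")
        (live / "assets" / "cron.asp").write_text("placeholder\n")
        (live / "assets" / "site.css").write_text("body { margin: 1px }\n")
        return diff_against_backup(live, backup)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

The `modified` list matters as much as `added`: a file that exists in the backup but now has a different hash needs the same review as a new one.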
8 years ago
Don't forget to disable legacy ASP when you're done. Is it an old server? Patched?
8 years ago
I'm not real sure about the server other than I'm hosting through Arvixe. I'm sending them a ticket about the situation and will check about legacy ASP. Thanks for the heads up!
8 years ago
Just an idea, not an accusation: it sounds like your office security has been compromised, not Arvixe's, via FTP passwords and such. Sending them via unencrypted email and using it in an insecure way on public networks can get the data picked up by other infected computers on the network, and then further automated infections happen...

This would be a reminder to myself to lock down my sites after publishing, to turn off or lock down unneeded services like FTP when I'm done with them, and not to connect to the server through a public machine, etc.

Interesting though, those are WordPress-type URLs but with .asp on the end instead of .php.
8 years ago
I ran through many scenarios in which password protection would've been my first response; however, I'm the absolute only one with site and FTP passwords, and these passwords haven't been shared or stored anywhere except in my head. FTP access passwords aren't saved in FileZilla, but rather typed in when prompted. FTP access is only going through one computer as well. I'm still stumped as to how it would've been uploaded. Regardless, passwords have been changed and files removed.
8 years ago
Good you know. I must be wrong about my statement. When was the password changed last? I googled it and it looks like Arvixe had an issue at 6 AM US Eastern time on September 28, 2015.