Black hat developer and a very dodgy link

I am a front end dev who has been asked by a client to help him to clean up his server & several sites.

He employed a black hat developer to try to boost his hits - but obviously it has backfired.

He now has several links on his main site that point to an external url: <snip/>

I have tried to track down the location of this link, but its not in any obvious place and I don’t really have the experience to locate it. He has obviously used some clever tactic to hide/obfuscate it somehow.

I am thinking it might be in a .htaccess somewhere.

His server is a bit all over the place, very untidy - bits everywhere. Part of the job is to remove all the crap and move his sites one by one to a brand new clean server.

I am able to setup new sites using virtual hosts etc, so I have a little experience on the command line.

I have also tried to do some very obvious greps - but no joy.

Can anybody give me a direction or any ideas here?

many thanks.

&,

You’ve merely described something which sounds more like a hack than good coding. IMHO, treat it as such and simply upload the ORIGINAL files to the new server. Unfortunately, I suspect that your friend does not even have the original files so you’ll need to capture what content you can and build new websites. That will be an expensive lesson for your friend but a good learning aid.

Tip: I shake my head at those who use code without knowing what the code does so you get a lesson, too. If you copy any code with the content, be sure that you scan it all to be sure that you know what it does … or you’ll likely be transporting the hack into the new server.

Regards,

DK

I found this think and removed it:
http://qnet.me/UK/$2Ybqio1rsYkg/Facelift%20Surgery/Facelift%20Surgery.html

The code was pre Panda and was based on multiple keyword reverse inward linking between a number of domains using different content. Hardly black hat! You can check for the url(s) using SQL search. The client was desperate for hits and the existing code base was broken. As I recall multiple htaccess rewrites were used to make all the sites work from a single host so checking every directory for htaccess and removing any bounces to the offending domain is advised and coupled with SQL searches will remove the offending code.