Imagine a scenario where a CISO or platform owner receives an alert from Google Search Console. The number of indexed pages for a corporate resource has suddenly jumped from a few hundred to tens of thousands. The list of addresses now includes paths containing pharmaceutical names, gambling terms, or nonsensical parameters. The instinctive reaction is often to set up a mass 301 redirect of all unknown URLs to the homepage to quickly hide the issue and supposedly save SEO metrics.
Acting without prior investigation is extremely dangerous. According to the Cisco Cybersecurity Readiness Index 2025, only 27.7% of organizations have a sufficient level of readiness for modern cyber threats, which often leads to chaotic decision-making during incident response. Furthermore, the ENISA Threat Landscape 2025 report states that up to 53.7% of compromises occur due to the exploitation of vulnerabilities or architectural flaws. A sudden spike in indexed pages usually indicates a massive automated spam injection. However, before starting the "treatment," it is necessary to accurately classify the anomaly, as incorrect routing actions can permanently destroy the domain's authority in search engines.
Anatomy of an anomaly: why Google Search Console shows thousands of unknown URLs
Search bots are constantly scanning the web. When attackers gain access to an infrastructure, they often attempt to monetize this access in the simplest way possible—by exploiting the search engines' trust in your domain. They implement scripts that generate thousands of pages optimized for gray-market niches and direct search traffic to them.
However, not every thousand unknown URLs implies a compromise. Often, this is a consequence of technical debt or misconfigured site filters. If an internal architectural issue is mistakenly identified as a hack (or vice versa), you might block the crawling of legitimate content or leave a backdoor active that continues to generate spam pages. Manual analysis of server logs is a mandatory step before making any changes at the server or CMS level.
The triad of suspects: distinguishing page injection from legacy 404s and crawl traps
When faced with an atypical array of indexed URLs, the incident should be classified into one of three categories:
- Page Injection (Hacking). Google classifies content added without permission via a site vulnerability as "hacked content." During page injection, attackers create new spam pages on a compromised site. The number of such URLs is usually in the thousands, indicating an automated attack. These pages may contain hidden links or text (content injection) that are visible to search engines but invisible to regular visitors.
- Legacy Technical Debt. This refers to outdated URL structures that no longer exist but were once part of the site (e.g., before a system migration). Usually, the number of such pages is in the hundreds. They consistently return a standard 404 error and show no signs of malicious code.
- Parametric Crawl Trap. This is a configuration issue within the web server or content management system (CMS). Incorrect filters, product sorting, or session IDs create an infinite number of URL combinations for the bot. Googlebot continuously scans these duplicates. The number of addresses can be astronomical, but they lead to existing (though duplicated) site content.
Cloaking technology: how attackers manipulate User-Agents
The most complex aspect of detecting page injection is the use of cloaking by hackers. Google Search Central defines cloaking as the practice of showing different content to search engines and real users to hide spam or hacks.
Attacker scripts analyze HTTP User-Agent and Referrer headers. If an administrator opens the page directly in a browser, the server returns a standard 404 error (or a soft redirect), creating the illusion that everything is fine. However, if the request comes from Googlebot or the transition is made from Google search results, the server serves the generated spam content. Therefore, relying solely on direct link navigation is insufficient: you must always verify URLs exactly as the search bot sees them, using the URL inspection tool in Search Console or terminal utilities with User-Agent spoofing.
Why mass redirects to the homepage are a mistake: effective index cleanup strategies
Mass configuring 301 redirects for all unknown URLs to the homepage is the most destructive step following an incident. Google perceives mass redirects of irrelevant pages as Soft-404s. This not only fails to pass page authority but can also be interpreted as an attempt to manipulate search results, leading to further sanctions. Furthermore, redirects hinder the rapid removal of spam from the index.
The correct strategy is based on using differentiated server response statuses:
- For addresses generated via page injection, the server should return a 410 (Gone) status. This code signals to the search bot that the content has been permanently removed, which significantly accelerates de-indexing.
- For legacy 404 pages, it is sufficient to return a standard 404 Not Found code, or a targeted 301 redirect to truly relevant new content (but not to the general homepage).
- In the case of crawl traps, redirects are inappropriate. The solution lies in properly configuring the robots.txt file, using canonical tags, or blocking parameters in search engine settings.
Auditing entry points: identifying the source of spam page generation
After classifying the problem and issuing the correct HTTP statuses, the next step is to eliminate the root cause. If it was a hack, the vulnerability must be found—most often these are outdated plugins, incorrectly configured database access rights, or weaknesses in custom routing logic.
To prevent such attack vectors, the architecture of corporate web platforms should rely on Secure by Design principles. As part of its cybersecurity and secure development services, Softengi helps companies build Threat Modeling and Incident Response processes, which allows for the timely localization of injection sources at the code and configuration levels.
The technological foundation for such secure systems is often the UnityBase platform (a joint development of companies within the Intecracy Group, where InBase is a key, but not the only, developer). Thanks to the Domain metadata approach, the platform automatically generates REST APIs based on the data model, which minimizes human error in writing custom route handlers—typical targets for injections. For projects with high security requirements, the official UnityBase documentation recommends Enterprise or Defence editions, which provide Row-Level Security (RLS) and maintain a deep Audit Trail. This ensures that any unauthorized attempt to generate or change data is recorded and instantly tracked by the system.
| Anomaly Type | Signs in logs and Search Console | Root Cause | Recommended Action |
|---|---|---|---|
| Page Injection (Hacking) | Requests return 200 OK for Googlebot (cloaking), but 404 for regular users. | CMS compromise, code injection, or plugin vulnerability. | Remove malicious code, return 410 (Gone) code, clean sitemap. |
| Legacy Technical Debt | Stable requests to old URLs that previously existed. No signs of cloaking. | Outdated site structure, incorrect migration. | Configure correct 404 or 301 redirects to relevant new pages. |
| Parametric Crawl Trap | Infinite URL generation via combinations of filters, sorting, or session IDs. | Web server or CMS configuration error. | Configure robots.txt, use canonical tags and parameters in Search Console. |
FAQ
How can I check if Googlebot sees different content on my site than regular users?
Use the URL inspection tool in Google Search Console or check the request via terminal by spoofing the HTTP User-Agent header to the Googlebot identifier and the Referrer to a search engine address. If the server returns spam instead of a standard 404 error, the site has been compromised using cloaking technology.
Why shouldn't I just set a 301 redirect for all unknown URLs to the homepage?
Search engines treat mass redirects of unrelated pages to the homepage as Soft-404s. This does not pass page authority, hinders spam de-indexing, and may trigger sanctions for manipulating search algorithms.
What tools help detect the source of page injection in the file system or database?
An effective solution involves manual analysis of server logs for anomalous POST requests, File Integrity Monitoring (FIM) systems, and built-in database audit mechanisms. For example, enterprise platforms like UnityBase have a built-in Audit Trail that logs all changes at the data model level.
Data sources
- Google Search Central: Spam policies: hacked content and cloaking
- Google Search Central: Security issues report: hacked content
- ENISA Threat Landscape 2025
- Cisco Cybersecurity Readiness Index 2025
- NIST: Artificial Intelligence Risk Management Framework (AI RMF 1.0)
- FCC First Caller ID Authentication Report and Order