| | #1 |
| Ancient&Decrepit Warrior War Room Member Join Date: Jul 2002 Location: South Africa
Posts: 4,378
Thanks: 71
Thanked 169 Times in 25 Posts
|
Okay, I've got that underneath the search results on Google for my website AFRICHEF.com. I haven't got a clue as to how I can establish whether or not this is indeed true. I know that it is possible for hackers to place malware on your site without your knowledge. However, I haven't got the slightest clue as to how to establish whether or not Google's message is correct. And if it is correct, I have no idea as to how to rectify it. I know that you can go to Google and request a reexamination of the site, but that's pointless until I establish whether or not something needs to be done on the site. I would be really grateful if someone could give me advice as to how to proceed from here. Thanks, Michael |
| | |
| | |
| | #2 |
| HyperActive Warrior War Room Member Join Date: Jun 2007 Location: Singapore
Posts: 329
Thanks: 17
Thanked 53 Times in 18 Posts
|
Hi Michael, From my experience, Google's message is usually correct. I encountered this problem twice: once for my website, and the other one happened to one of my clients' sites. Here's what I did: 1) I logged into Google Webmaster Tool to find out which file Google suspects of containing malware. 2) Then I went to FTP and deleted the file. (I tried deleting it and uploading a saved version of the file from my hard disk, but the malware still exists. I guess we need to remove the file completely from the server.) 3) I sent a ticket through Google Webmaster Tool to request reexamination. 4) After 5 days, I logged into Webmaster Tool again and found that my website is OK. Hope this helps. |
| | |
| | |
| | #3 |
| HyperActive Warrior War Room Member Join Date: Sep 2008
Posts: 112
Thanks: 62
Thanked 30 Times in 28 Posts
|
I had the same problem and followed a similar process as yuyuan. Because I have 2 hosting accounts I pointed the nameservers for my domain to the 2nd hosting account and installed a clean copy of my web-site there. I contacted Google thru Webmaster Tools and the web-site was back to normal in about 24 hours.
|
| | |
| | #4 |
| Ancient&Decrepit Warrior War Room Member Join Date: Jul 2002 Location: South Africa
Posts: 4,378
Thanks: 71
Thanked 169 Times in 25 Posts
|
Hi Guys, Thanks for the suggestions. I must be blind or in a state of panic: I can't find out where Google lists the file causing the problem, and it's rather a large site insofar as content sites go. If someone could tell me how to find where Google lists the suspected files, I could have a look at them and possibly replace them. It must have been some hacking exploit because I haven't updated anything for at least a month. Michael |
| | |
| | |
| | #5 |
| Active Warrior Join Date: Aug 2009 Location: UK
Posts: 40
Thanks: 1
Thanked 2 Times in 2 Posts
|
Have PM'ed you because I don't have enough posts to link to the code being flagged
|
| 9 months of researching IM and now I have started my online adventure -The Skint Internet Marketeer Blog | |
| | |
| | #6 |
| HyperActive Warrior War Room Member Join Date: Feb 2007 Location: United Kingdom.
Posts: 121
Thanks: 25
Thanked 12 Times in 10 Posts
|
Hello Michael, Hope you're well on the way to getting it sorted. This is one place to start: http://www.google.com/support/webmas...answer=45432#2 When mine was hacked I found this thread from Google blog had useful info: Google Online Security Blog: Safe Browsing Diagnostic To The Rescue ...especially in a post near the bottom where myshortpencil said: "It turns out that Google did provide the link to request a review of the presence of malware in the Webmaster Tools. It turned up about 24 hours after my site was blacklisted. The best website explaining how to fix your website is How to remove "This site may harm your computer" from Google search results And the site that found all the malware on my site was Dasient Web Anti-Malware (WAM) The second best was Website Security Check - Unmask Parasites (I did not actually try sites he gives as he posted after I'd sorted mine out) Also, have you contacted your hosting and told them? I'm with hostgator and they immediately went and 'did something' to remove malware - they were really helpful actually. After you've dealt with the main problem you need to go through all folders and files - it took me 2 full days but so glad I did it as the hackers had hidden folders and files inside my folders containing viagra etc. pages. They'd also deleted the bottom half of a number of pages of small sites I hardly ever visit (can't quite understand why they do that?!) - and on a number of those pages they'd put their own links in, again going to spammy sites ...so you really DO want to check everything once you've sorted the main problem out with Google. Google removed the dreaded tag from search engine listings within a day or so. I'm not sure how true this is but I think I might have made it easy for hackers to get in by not having an index file in ALL folders...
I'd offered a free download on a forum and the download was from a folder that just had zips but no index page, so of course if they typed in the url without the zip last bit, they would be able to see all the zips listed in there and be able to go up the levels to all of my sites. I know they did this because I found a page they had made where they were selling my zips!! And last thing is to change your hosting password frequently, using a really strong one, something like: %e-{]+_U.!8rT6^ All the best to you and hope you get it sorted quickly |
| "Life is a lot like jazz... it's best when you improvise" - George Gershwin | |
| | |
| | #7 |
| Gerry Walter War Room Member Join Date: May 2007 Location: Brisbane, Australia.
Posts: 1,185
Blog Entries: 123 Thanks: 123
Thanked 63 Times in 51 Posts
|
Usually Google will send you an email indicating that your site has been hacked. You need to go through your whole site and find the code that has been added by the hacker. Best thing you can do is replace your whole site. |
| | |
| | |
| | #8 |
| HyperActive Warrior War Room Member Join Date: Feb 2007 Location: United Kingdom.
Posts: 121
Thanks: 25
Thanked 12 Times in 10 Posts
|
Easy Cash, you're probably right about the best thing being to replace your site (a big job though if you have many addon domains...). You reminded me of something good to know, that Google sends out the malware email to the following email addresses, so it's good to make sure that you've made at least one of those addresses for each of your sites: abuse@ admin@ administrator@ contact@ info@ postmaster@ support@ webmaster@ Also, it's a good thing to remember to do regular site backups. The Skint IM, can you say how you managed to find the code being flagged? It'd be a really useful thing to know... |
| | |
| | #9 |
| Ancient&Decrepit Warrior War Room Member Join Date: Jul 2002 Location: South Africa
Posts: 4,378
Thanks: 71
Thanked 169 Times in 25 Posts
|
OK, I've found the inserted code: <i frame src="http://web-analyser..info/2/in cgi P4" width="0" height="0" Now how do I check for infected pages and remove the code without compromising my machine? Next question: I think I should take the site offline; how do I do this? Any help appreciated. Michael PS Google lists 320 pages on the site with 6? infected, yesterday |
| | |
| | |
| | #10 |
| HyperActive Warrior War Room Member Join Date: Feb 2007 Location: United Kingdom.
Posts: 121
Thanks: 25
Thanked 12 Times in 10 Posts
|
Michael, I don't know if I have understood you correctly, but do you mean you don't know how to delete the code? You need to either go to your ftp program (or cpanel - whichever you use to upload your website) and delete the file or whole folder where it is on the web (you don't want to download it to your computer), and then re-upload the original clean version that you have on your computer - if that is what you meant. All you are doing is deleting the online copy of your site (which is infected) and replacing it with a new clean one from your computer. Honestly, I do not know who you host with but that is one really good place to start, tell the Support what has happened and ask them how to go about cleaning it all up. I think probably it is in their own interests as well. |
| | |
| | #11 | |
| Gerry Walter War Room Member Join Date: May 2007 Location: Brisbane, Australia.
Posts: 1,185
Blog Entries: 123 Thanks: 123
Thanked 63 Times in 51 Posts
| Quote:
Oh Yeah - the old iframe code. It's a sneaky one that one. First thing you should do is find out how they got access to your webpage. They have obviously downloaded it - added their code and then uploaded it. This means they have your password. How did they get your password? Do you have virus software? If not - you could be in for a long ride trying to get rid of the hacker. Either - your password to your website was not very secure or they have access to your computer with a keylogger virus. Once you find all this out you can then find the code in every webpage by doing a search and then deleting the code and uploading it to your site. But - you should change your web host password first! and make sure you have no virus on your computer. | |
| | ||
| | |
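The search for injected code described in the posts above (a zero-size iframe added to pages) can be scripted. This is an added example, not code from the thread; it assumes the site's files are reachable on disk (on the server or in an offline copy), and the extension list, the `own_hosts` parameter and the sample page are constructed for illustration.

```python
import os
import re

# Assumed list of file types worth scanning; adjust to the site's stack.
SCAN_EXTENSIONS = (".html", ".htm", ".php", ".js", ".inc", ".tpl")
IFRAME_RE = re.compile(r"<\s*iframe\b[^>]*", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# Constructed sample page: one legitimate iframe, one injected hidden one.
SAMPLE_PAGE = """<html><body>
<iframe src="https://www.example.com/map" width="400" height="300"></iframe>
<iframe src="http://injected.example.invalid/in.cgi" width="0" height="0"></iframe>
</body></html>"""

def _tiny(value):
    """True when a width/height value is 0 or 1 (px or %), i.e. invisible."""
    return re.fullmatch(r"\s*[01](\.0+)?\s*(px|%)?\s*", value, re.I) is not None

def scan_text(text, own_hosts=()):
    """Return (line, src, reasons) for every iframe that is hidden from view."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = {n.lower(): a or b or c for n, a, b, c in ATTR_RE.findall(m.group(0))}
        reasons = []
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("zero-size")
        style = re.sub(r"\s+", "", attrs.get("style", "").lower())
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden-style")
        if not reasons:
            continue  # visible iframes are not reported
        host = re.match(r"(?:https?:)?//([^/:\s]+)", attrs.get("src", ""), re.I)
        if host and host.group(1).lower() not in own_hosts:
            reasons.append("external-src")
        findings.append((text.count("\n", 0, m.start()) + 1, attrs.get("src", ""), reasons))
    return findings

def scan_tree(root, own_hosts=()):
    """Map relative path -> findings; files are read as text, never rendered."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in (f for f in files if f.lower().endswith(SCAN_EXTENSIONS)):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), own_hosts)
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report
```

The match is a heuristic on raw text, so it also catches iframes written out from script strings, but it will miss obfuscated or encoded injections; a clean reference copy of the site remains the more reliable comparison.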
| | #12 |
| Advanced Warrior War Room Member Join Date: Jan 2005 Location: Iowa City, IA USA
Posts: 810
Thanks: 88
Thanked 53 Times in 42 Posts
|
Michael, First, very sorry to hear of your problem. I, too, have had my sites taken over and found their Google listings accompanied by the warning message. In my case, my sites were taken over by the hacker gaining access to my hard drive through a trojan or some other malware. The only way I was able to resolve it was to completely reformat my hard drive and reinstall all software. I also went through each page of my sites and deleted every trace of hacker code. Hackers gain access to your sites either through server vulnerability or through a back door to your hard drive. You need to figure out which it is--server or your PC. If the problem doesn't resolve and you feel you can rule out your host as the doorway to your sites, then you may need to reformat and install a good anti-virus protection such as Trend Micro (what I use) and a firewall such as the free Zone Alarm (also what I use). I wish you the best with this. Take care, Evan Davis |
| | |
| | #13 |
| Senior Warrior Member War Room Member Join Date: May 2009 Location: USA
Posts: 2,061
Blog Entries: 1 Thanks: 778
Thanked 500 Times in 304 Posts
|
If you have an antivirus that protects your computer from malware you should go ahead but if you don't then I recommend getting the trial version of Kaspersky or Bit Defender (google them) and that will do the trick.
|
|
I don't want your money right now so nothing to see here :)
| |
| | |
| | #14 | |
| Advanced Warrior War Room Member Join Date: Aug 2009 Location: Reno, NV
Posts: 622
Thanks: 60
Thanked 134 Times in 91 Posts
| Quote:
Don't confuse your hosting account's directory layout with your "site". Addon domains are facilitated by some sleight-of-hand that they have Apache do to incoming page requests. As far as Apache knows, they're completely independent sites. Now, if someone managed to hack into the site on your main domain, then it's possible that they could have run down thru your entire file tree and messed up a whole bunch of stuff. But, not putting index.html files in a folder will only lead to people copying your files OUT. It normally won't enable them to put stuff IN. To do that, they have to take advantage of "exploits" in whatever scripts you're running. Or you may have left 777 permissions on a folder somewhere that they figured out how to exploit. -David | |
| | |
| | #15 | |
| Advanced Warrior War Room Member Join Date: Aug 2009 Location: Reno, NV
Posts: 622
Thanks: 60
Thanked 134 Times in 91 Posts
| Quote:
The problem is that someone injected some script code into files on his server. In this case, it appears to be loading an IFRAME that could contain whatever they want to deliver. This is causing problems to OTHER VISITORS when they view pages on his SITE. Him running an anti-virus software on his local computer won't do diddly for you if you visit his site and your machine ends up getting corrupted! @Evan Davis: it sounds like you're hosting your site on your home computer. There's no way someone can mess up a site you have at, say, HostGator, by hacking into your home computer's hard drive. More likely they managed to install a keylogger on your machine and grabbed the data thataway. -David | |
| | |
| | #16 |
| Ancient&Decrepit Warrior War Room Member Join Date: Jul 2002 Location: South Africa
Posts: 4,378
Thanks: 71
Thanked 169 Times in 25 Posts
|
As far as a keylogger is concerned, I have and use AVG, Search and Destroy and Malwarebytes Anti-Malware. Michael |
| | |
| | |
| | #17 |
| Ancient&Decrepit Warrior War Room Member Join Date: Jul 2002 Location: South Africa
Posts: 4,378
Thanks: 71
Thanked 169 Times in 25 Posts
|
I'd like to thank everybody who has responded to this thread Michael |
| | |
| | |
| | #18 | |
| Advanced Warrior War Room Member Join Date: Jan 2005 Location: Iowa City, IA USA
Posts: 810
Thanks: 88
Thanked 53 Times in 42 Posts
| Quote:
Evan | |
| | |
| | #19 |
| Active Warrior Join Date: Aug 2009 Location: UK
Posts: 40
Thanks: 1
Thanked 2 Times in 2 Posts
|
Hi Michael, Did you get your website fixed? PM me if not and I will help out. Also just a note everyone - every time I have dealt with hacked websites it's been because of the PC that updates the website having a virus/rootkit and this is grabbing the FTP login details. If you use outsourcing to create or update your websites it is possible it's the outsourcee's PC that is infected and grabbing your FTP details each time they update for you. |
| Last edited by The Skint IM; 08-11-2009 at 02:56 PM. Reason: grammar errors | |
| | |