* The Business of Software

A community discussing the business of software, from the smallest shareware operation to Microsoft. A part of Joel on Software.

Really Strange Malware Report from Google/Firefox

1. Got an email from a user saying one of my sites is generating a Firefox warning that it's infected with badware/malware

2. Tested site myself:
- Visited in Firefox - no warning
- Check in Google results - no warning
- Check in Google webmaster tools - no warning
- Check files on site - no infection

3. Assume customer's copy of Firefox is FUBAR, email him

4. Hours later, get email from Google (sent to generic site addresses rather than my webmaster tools account) saying site has badware

5. Visit site in Firefox - now I get the badware warning

Details page of warning: (note it says there is NO evidence of malware in last 90 days)
==== START QUOTE ====
What is the current listing status for scriptrocket.com?

    Site is listed as suspicious - visiting this website may harm your computer.

What happened when Google visited this site?

    Google has not visited this site within the past 90 days. Suspicious activity was detected over 90 days ago, but no data is available for the past 90 days.

Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, scriptrocket.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

    No, this site has not hosted malicious software over the past 90 days.

How did this happen?

    In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:

    * Return to the previous page.
    * If you are the owner of this website, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google's Webmaster Help Centre.
==== END QUOTE ===

6. Check the site files again - no evidence of badware infection

7. Log-in to Google's webmaster tools - check diagnostics/malware for the site - IT SAYS THE SITE IS CLEAN!

(which BTW means that I can't request a malware review in webmaster tools, because according to webmaster tools there's nothing to review).

8. So in other words, one part of Google is saying the site is infected (the warning in Firefox) but Webmaster Tools says the site is clean

(FWIW: I'm 99% sure the site is clean).

Help?
S. Tanna
Thursday, September 02, 2010
 
 
This is the relevant part of what I get:

#####
What happened when Google visited this site?

    Of the 3 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-02, and the last time suspicious content was found on this site was on 2010-09-02.

    Malicious software is hosted on 4 domain(s), including neat-tube.com/, you-search.in/, bhannu.com/.

    3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including you-search.in/, bhannu.com/, helios-krefeld.de/.

    This site was hosted on 2 network(s) including AS20738 (AS20738), AS5413 (AS5413).

####

Basically, it looks like your site was hacked.
Nicholas Hebb
Thursday, September 02, 2010
 
 
I'm now getting that message in Firefox as well.

And Webmaster Tools now says there was a problem with the site (it simply says it's a "General problem" for the 3 URLs)... but Webmaster Tools didn't notify me, only shows the message when I drill down to the diagnostics/malware page - and still doesn't offer the option to request a review.
S. Tanna
Thursday, September 02, 2010
 
 
You need to keep on top of your site and fix this stuff within 24 hrs when it happens. If you have a low-traffic site that Google visits 2x a year and it visits when there is a hack, you are screwed.
Scott
Thursday, September 02, 2010
 
 
Actually, once you get the malware removed you can request a scan through Google Webmaster Tools. They will remove the warnings if you are clean, so you aren't necessarily screwed until the next crawl.

That said, if you have WordPress or another CMS installed on your site, you should upgrade to the latest as this is usually the cause of the malware infection.
Jason Forrest
Thursday, September 02, 2010
 
 
> Actually, once you get the malware removed you can request a scan through Google Webmaster Tools

That's the whole point: I can't.

Because although half of Google thinks the site is infected, it's like the other half doesn't.

The option to re-crawl/scan the site isn't there!

...Unless that is that they've moved it, and cunningly concealed it in a new, hidden, and totally unexpected place... like a bunch of Vogons hiding information about plans to demolish the Earth.
S. Tanna
Thursday, September 02, 2010
 
 
Sorry, that was more of a reply to Scott.

In my experience, Google Webmaster Tools takes a while to properly show the malware problem and allow a re-scan.

In the meantime, you can go here to get more information (just in case you haven't already seen it):

http://stopbadware.org/home/reportsearch

You can also request an independent review there, provided you follow the guidelines, etc.
Jason Forrest
Thursday, September 02, 2010
 
 
I'm not sure I understand. Is your site totally blocked in GWT? If not, have you tried changing all the file dates, updating the page dates in the XML site map, then re-submitting the site map? That typically causes a re-crawl. Also, there is a Fetch as Googlebot tool under Labs that you could try.
Nicholas Hebb
Thursday, September 02, 2010
 
 
I had this problem with a friend's site that I run for him. It was hacked. The method they use is to modify the .htaccess. This results in every 404 for the site getting sent to a site hosting one of those anti virus applications that is actually a horrible virus.

After clearing out the .htaccess I logged into Webmaster Tools and Google lifted the red warning within 12 hours. If you access your site via FTP, then switch to secure FTP, as otherwise the same problem will happen again: with standard FTP the password is sent without encryption, and this will be how they broke in initially. The web host I use is now offering an FTP Lock facility as it's such a major problem.
Andrew Gibson
Friday, September 03, 2010
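
A check for the .htaccess tampering described in the post above, as an added example that is not part of the original thread: it flags `ErrorDocument` directives that point at an external host and, going slightly beyond the 404 case, `RewriteRule` and `Redirect` directives that do the same. The sample file and all hostnames are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a tampered .htaccess of the kind described above.
# Hostnames are placeholders, not values taken from the thread.
SAMPLE_HTACCESS = """\
# BEGIN site rules
RewriteEngine On
ErrorDocument 404 http://redirect.example.net/scan.php
ErrorDocument 500 /errors/500.html
RewriteRule ^.*$ http://redirect.example.net/in.cgi?7 [R=301,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
Redirect 301 /blog http://www.example.com/blog
"""

# Directives that can send a visitor to another URL.
DIRECTIVE = re.compile(
    r"^\s*(ErrorDocument|RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$",
    re.IGNORECASE,
)
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def find_offsite_redirects(text, own_hosts):
    """Return (line_no, directive, host) for every directive that sends
    visitors to a host that is not listed in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        for url in URL.findall(m.group(2)):
            host = (urlparse(url).hostname or "").lower()
            if host and host not in own:
                findings.append((line_no, m.group(1), host))
    return findings


if __name__ == "__main__":
    for line_no, directive, host in find_offsite_redirects(
        SAMPLE_HTACCESS, {"example.com", "www.example.com"}
    ):
        print(f"line {line_no}: {directive} -> {host}")
```

Run it against every .htaccess under the web root, not just the top-level one, passing the site's own hostnames as `own_hosts`.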
 
 