homepage Welcome to WebmasterWorld Guest from 54.197.111.87
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

    
"This Site may be Compromised" message - what to do?
HLTc




msg:4456261
 6:22 am on May 22, 2012 (gmt 0)

When i search my domain name in Google it says this under my listing. As is typical for Google they then have a bunch of vague, unhelpful, generalized suggestions telling you that you broke a specific rule but they can't and wont tell you what it is. "Just figure it out yourself".

I spent the last 45 minutes poking around Webmaster Tools for Google and noticed there was also a message "Suspected hacking attempt on www.yourdomain.com" in my messages area of that system.

Inside that message was again just a bunch of vague, unhelpful suggestions and a final suggestion to ask Google to "reconsider" after I "clean things up" . Great. Thanks. They did provide one URL as an example of a violation page, and when I load it, its a discussion forum post with 5 replies on it. Nothing on the page looks odd.

Pointless.

How do I address these concerns which are pretty serious, if Google never bothers to provide sufficient support to explain the specific problem for the specific site?

I want that "This site may be compromised" link gone from my listings.

 

tedster




msg:4456275
 6:57 am on May 22, 2012 (gmt 0)

Well, you certainly do need to address the problem - for your human visitors' sake as well as for Google, Bing etc.

But you've got to be able to see exactly where the problem is, first and foremost - and then fix it and also seal up the security hole that allowed your pages to be hacked. When you visit your website with anti-virus protection active, doesn't it "light up"?

Here's a previous discussion [webmasterworld.com] that may
give you some pointers about getting the message removed.
It's a few years old, so maybe there are some things other
members can help with. But first, you've got to clean up
the problem.

Sand




msg:4456406
 1:46 pm on May 22, 2012 (gmt 0)

I would use a user agent switcher plugin. There are many available for Firefox. Change your user agent to Googlebot, and see how your site looks. Chances are good you'll see whatever it is they're warning you about pretty quickly.

armondhammer




msg:4456407
 1:47 pm on May 22, 2012 (gmt 0)

I can pass along what I'm seeing a lot of right now, and it may help.

There are a number of sites in my industry that are using a cloaked redirect to rank. If you use an user agent switcher on your browser and "pretend" to be googlebot you will see either vastly different content, or other cloaked links. It's the first place I'd start, since it's a tactic that seems to be scaling right now.

[edited by: tedster at 1:57 am (utc) on May 23, 2012]

goodroi




msg:4456426
 2:21 pm on May 22, 2012 (gmt 0)

I would not look at the site using a browser. Smart hackers can make the site look normal to trick inexperienced webmasters. Start looking through the actual code and see what has been added. Don't stop looking if you find one hack. Smarter hackers typically will build in multiple backdoors once they have hacked your site so they can re-infect after you have cleaned it.

Hackers are similar to real life burglars. There will always be burglars in real life because they are attracted to the easy money. Since you can make money online with hacking there will likely always be hackers. Being upset with Google is like yelling at the police when your building security was defeated. It is not the responsibility of the police to lock your doors and turn on the building security system for you. Likewise it is not Google's responsibility to secure your website. We all need to accept responsibility over our own website.

HLTc




msg:4456514
 5:31 pm on May 22, 2012 (gmt 0)

So the assumption is that Google is correct? When I ran the google analyze and google health on my site, both say that the site is in perfect health, and has "done nothing in the last 90 days" to warrant any concerns about compromise. This is why I am confused. They also suggested using "Fetch as Google" to see any cloaked content. So I did. and all google did was show me a line item of the HTML page that I fetched. No way to actually view it "as google". I swear im not this stupid ... but I am not able to figure this stuff out intuitively. I have grown so accustomed to Apples intuitiveness that I expect things to flow naturally I guess. When they don't I get confused now. I fetched the page "as google". Then what? I assume thats the same as changing my user agent (which I also dont know how to do).

Mod's note: Removed instructions on how to reach infected site.
.

[edited by: Robert_Charlton at 7:37 pm (utc) on May 22, 2012]

netmeg




msg:4456521
 5:48 pm on May 22, 2012 (gmt 0)

Ok, first of all, we don't post links to our sites here, even the way you did it.

But that said - I pulled it up and my desktop virus detection (AVG) went off and said malware.

So yea, I think Google is correct. And if you can't find where the hack has taken place, then you need to ask or hire someone who can.

martinibuster




msg:4456536
 6:10 pm on May 22, 2012 (gmt 0)

Here's some advice that might be helpful. Look at your source code for any given page, particularly the ones that set off your antivirus. The do a text search for iframe. That may be the code that is causing your issues. Sometimes the iframe is placed only in the home page. Sometimes it is everywhere.

If you discover the iframe then patch your software to the latest version, including any and all software on a dedicated server (like your control panel/Plesk). Change your admin and FTP passwords, too. Create passwords that are difficult to guess.

Be sure to have AVG installed because it's pretty good at catching these on websites.

Good luck!

jimbeetle




msg:4456590
 8:26 pm on May 22, 2012 (gmt 0)

Also, if your antivirus software didn't go ding-ding-ding as netmeg's did then I would make sure it's completely updated. Then be sure to scrub your local machine with your AV software and a good malware detector as many of these exploits start with a downloaded keylogger.

HLTc




msg:4457202
 3:45 am on May 24, 2012 (gmt 0)

This is so confusing but you guys are super super helpful. Thank you for the input so far.

1) I have the latest greatest ,and most updated "Norton Internet Security" desktop and web antivirus - with updated subscription and latest update software installed on my laptop, and absolutely nobody, including myself, has ever seen a "Malware" alert while browsing my site. My site is a social networking site with tens of thousands of people chatting it up in the forums and not a single guy has mentioned anything like this. I am confused why the first page, from the first guy here set off an alarm.

2) Why, when we run the "Google Safe browsing" tool (http://www.google.com/safebrowsing/diagnostic?site=www.domain.com) does it say:

What is the current listing status for www.#*$!xx.com?

This site is not currently listed as suspicious.

What happened when Google visited this site?

Of the 5 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-03-31, and suspicious content was never found on this site within the past 90 days.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www.hssss#*$!.com did not appear to function as an intermediary for the infection of any sites

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

-----

When we ran the site at "unmask parasites" website it said the same thing.

-----

When we ran it at sucuri site check it says:

Sucuri
web site: sfwefwefwk.com
status: Verified Clean
web trust: Not Blacklisted
*Cached results from more than 2 days ago.

Security report (No threats found):
check Blacklisted: No
checkMalware: No
checkMalicious javascript: No
checkMalicious iFrames: No
checkDrive-By Downloads: No
check Anomaly detection: No
check IE-only attacks: No
checkSuspicious redirections: No
checkSpam:No

HLTc




msg:4457224
 5:59 am on May 24, 2012 (gmt 0)

Well its gone. And I didnt even do anything to fix anything. Now when I search my URL, the notice that the site may be risky, is gone in Google results.

onepointone




msg:4457231
 6:35 am on May 24, 2012 (gmt 0)

Maybe your host/server was hacked at one point. Then the host fixed the problem? They should tell you if you ask.

I would expect real time checks to be the most reliable vs. some "Site may be Compromised" message which might date from...?

Maybe ask some friends to check the site for you too?

nomis5




msg:4457353
 12:53 pm on May 24, 2012 (gmt 0)

Norton? Just because you pay for something doesn't mean it's better.

My experience is use AVG.

StoutFiles




msg:4457377
 1:55 pm on May 24, 2012 (gmt 0)

Routinely do full backups of your site, once per month. Save 6 months worth. If something happens, all you have to do is wipe everything, change passwords, and upload the backup.

There is also software to compare files and point out the differences, assuming hackers hide code in large files. Compare possibly hacked files with your clean backups.

netmeg




msg:4457406
 2:49 pm on May 24, 2012 (gmt 0)

It's always possible it was a false positive, and once the antivirus checkers were updated, it no longer tripped the alarm. I dunno.

HLTc




msg:4458408
 4:40 pm on May 27, 2012 (gmt 0)

This site is great. You are all super helpful. Thank you!

Robert Charlton




msg:4458530
 7:27 am on May 28, 2012 (gmt 0)

Sounds like the problem has been fixed, but it's worth emphasizing here that how you access the site may determine whether you encounter the malware.

It's possible that the malware has been been installed in such a way that it's only served up via Google (or access via Google), and it may not be seen via direct access (say via a link) at all. This is sneakier than having the malware sitting on your site all the time.

See this recent blog post by Matt Cutts on how to detect and guard against hacking....

Example email to a hacked site
http://www.mattcutts.com/blog/example-email-to-a-hacked-site/ [mattcutts.com]

MrSavage




msg:4463672
 7:45 pm on Jun 10, 2012 (gmt 0)

A word of caution because someone mentioned the securi scanner results. I'll say this because those results are essentially a joke. I can tell you from first hand experience that those results from the free scanner are misleading. There is no way I would trust the results in thinking that my site is clean. I learned this the hard way. Hacks and malware go much deeper than that scanner does. If you're going to base a reconsideration or removal from badware, don't do it based on a clean result from the securi free scan tool. You're getting half the picture from that.

MrSavage




msg:4475941
 11:44 pm on Jul 15, 2012 (gmt 0)

Just a quick follow up. I have been dealing with this issue on one of my sites. Thankfully it's not a main site otherwise this would have been a disaster. The problem is with this type of message on your site, you can't submit to the normal sources to get your site out of the dog house.

I was dealing with a hacked wordpress installation which was chalked full of hacked files. It was a mess.

The only option was to contact Google directly which meant having to add my site to a webmasters account. I submitted a request. This request took a lot longer than any other requests I've made in the past. During this time I got one, maybe two more notices in webmaster tools saying my site had malware. I checked the urls they listed and they were cleaned off my site because of my malware removing. They were counting issues which I didn't see any longer on my site. However yesterday I got a notice saying they have read my reconsideration request. I checked the Google results and the notice is off my site now. Bottom line is this can take a bit of time to get removed. I think the malware was on there for quite some time which may have impacted how long it took in Google deciding to remove the notice. Having this on a money making site with a loyal following might end up being a kiss of death.

netmeg




msg:4475951
 12:48 am on Jul 16, 2012 (gmt 0)

One thing I did shortly after I started using WordPress myself and for clients was to hunt down two or three reliable people or outfits that could clean up WordPress hacks on short notice if it ever became necessary. And as soon as I did that, one of my clients got hacked and I had to use one. Do the due diligence for your CMS and have it at your fingertips in your contact list. Finding someone with experience who can clean up quickly makes all the difference. (You can also opt for hosting that includes it, but that isn't always cheap)

If I had clients on Drupal or Joomla or any of the others, I'd go find people to do that too.

martinibuster




msg:4475954
 1:25 am on Jul 16, 2012 (gmt 0)

And check your source code yourself. Open up several browsers, and select view source. Then check for iframes and other pieces of code that you did not insert. Also download important parts of your site and review the code. Do not rely on third party sites to verify if it is clean or not.

AVG is great for catching these kinds of threats. But AVG can also be a resource hog.

Robert Charlton




msg:4475974
 6:52 am on Jul 16, 2012 (gmt 0)

Again, in the case of cloaked hacks, you may need to view as Googlebot, or access the site via Google, to see the hacks.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google SEO News and Discussion
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved