The first step in dealing with a hacked site is to go through everything. Often hackers will open up backdoors so they can easily reinfect your site after you debug it the first time. Some sneakier hacks will actually cloak the hacked pages so only first time visitors are impacted and you won't see the hack on your repeat visit.
Once you are 100% sure that everything is clean, look at what is triggering the malware warning sign. These warning pop-ups can be generated by Google for people clicking through the SERPs or they could be generated by anti-virus programs.
How much time has passed since you made sure everything is 100% clean and secure?
The feedback I'm getting from my users is that they cannot get rid of the screen appearing constantly, and they are likely to have accessed the site directly.
I'm quite certain it's clean. I did a thorough search of the files I copied over, and the majority of files were deleted and reuploaded from the offline development site.
We came back online on the 17th December. Since then we've been getting killed in pageviews and visits according to Google Analytics :( The site has been online for about 5 years (with one domain name change this September) so I thought we were well established, but it looks like pages are dropping off Google.
You should first determine specifically which software produces the warning. Then, submit a review request to the appropriate database maintainer.
|I'm quite certain it's clean. |
Make doubly sure that any local machines that access the server are clean.
|The feedback I'm getting from my users is that they cannot get rid of the screen appearing constantly, and they are likely to have accessed the site directly. |
If the visitors are accessing the site directly... i.e., not through Google... that rules out that the warning screen is due to cloaked malware (of the sort that would be visible only to Googlebot or to visitors coming in through Google).
The report page should be identifying itself... and it's got to come from some kind of a monitoring service (or perhaps an ISP) that your users are using.
If checking your site directly suggests it's clean, then it's probably some kind of community-reported warning. Norton Safe Web, e.g., comes to mind as one security product that has a user-feedback component. Malwarebytes also refers to various blacklists in deciding which sites to block.
If you did have a malware problem at one point, then you've probably got some reports on a list somewhere that need to be cleaned up. It's not necessarily a question of further removing malware... it may be a question of getting your domain or IP removed from the blacklists.
Norton makes it fairly easy, as I remember, for site owners to contact them. What you've got to do is to ask your users for the source and URL of the report page they are seeing, and to handle it either via email or a phone call.
Are you seeing the attack notice site in the SERPs? Do you see the warning when you visit the site using FF or Chrome?
This happened to me once, too. Russians used a hidden back door in a very popular piece of forum software I was running to plant their nefarious payload. I eventually found the security hole (the company used it for "maintenance" and has since removed it from current versions of the software) and fixed it, but by then the damage was done. My site went from 50,000 uniques per day to 2,000.
I limped along like that for quite a while, and couldn't figure out why Google wasn't removing the flag. I did everything I could -- filed online appeals through Webmaster Tools, moved the whole site to a new domain, even a new host. Nothing worked.
Eventually I found out the problem -- There was a SECOND payload hidden in the site. Either the first people who hit the backdoor planted two malware services in the server, or two different groups did. I thought I'd caught everything getting rid of the first infection, and thought Google was seeing ghosts. But it turned out that it was a super-stealthy, very clever piece of code hiding in there that continued to cause the positive malware reports.
I eventually got rid of it, and the site has a clean bill of health from Google now. But the road to recovery has been very long and slow, and that site is still only at about half of the traffic it once had.
Moral of the story: In spite of what you think, Google's false positives may not be so false after all.
The question is whether this is a Google message or a third-party message. As I'm reading Marked's comment, "they [my users] are likely to have accessed the site directly", it doesn't sound like the message is coming from Google any more.
So, we need feedback from Marked... where is the message appearing... in Google SERPs? ...or in the browsers of visitors coming in from elsewhere?
@artefaqs: That sounds a lot like what happened to me too. The forum for the forum software announced this huge security hole, I'm afraid that hackers took advantage of those sites that didn't fix it up immediately, but I can't be sure. I'm not an expert by any means, but I tried to clean my site thoroughly. I deleted all of the files apart from avatars, and other uploads, and I scanned those directories for any suspicious files. I can't be 100% sure, but I know I was thorough and haven't found any evidence to suggest there's anything malicious still going on.
When my site was infected I saw the message in the SERPs myself, and it's not there any longer, nor anything in Webmaster Tools.
I'm getting my site screened by Norton at the moment. When I checked the site with their tool, it said there was no info on the site.
In my Google Analytics, I compared the timeframe between when I cleared the hack until now with the same period last month. Traffic has decreased 49%, with the % of search engine traffic falling from 75% to 62%, with direct referrals taking a much smaller hit than any other source of traffic. Even one year ago over the same Xmas period search traffic accounted for 83%.
I have requested more info from my users, but at this stage it's looking like the message is appearing in the browsers of visitors.
I would imagine Google will wait for new data they gather from your visitors to show it's clean again, via Chrome and the army of web beacons they deploy.
|If the visitors are accessing the site directly... ie, not through Google... that rules out that the warning screen is due to cloaked malware (of the sort that would be visible only to Googlebot or to visitors coming in through Google). |
That's not true because the browsers, like Firefox and Chrome, use the Google Safe Browsing API https://developers.google.com/safe-browsing/ and the website will pop an error when using those browsers no matter how you try to access it until it's removed from that list.
|That's not true because the browsers, like Firefox and Chrome, use the Google Safe Browsing API https://developers.google.com/safe-browsing/ and the website will pop an error when using those browsers no matter how you try to access it until it's removed from that list. |
That seems to be the case, because the error screen I got through Google and the screens my users posted were identical, and I bet you guys know exactly the screen I'm talking about.
Don't forget that most anti-virus software comes with browser protection nowadays which might have individual blacklists or use other sources than Google. And there are also toolbars for "safe browsing".
Also - are you using OpenX or a similar adserver - as they may be the issue. It was with our sites and took us a while to completely cleanse and turn off the "prepend" facility - which is where the iframe code was placed by the hacker.
Good luck - it's a right pain in the ass and wastes a lot of time unfortunately!
There also appears to be a bug in Firefox's implementation of Google's safe browsing where they are not clearing the cache of malware sites. With a moderator's approval I'll post the Mozilla bug link.
@Marked - this happened to one of our domains and it was a third party browser toolbar that was causing it, and I believe Opera had a database of its own that it accessed before the user hit the page.
If you check the settings for IE there's one that does just what you're describing; it checks the page to be visited first against a dbase of sites, then if it checks out to be clean the browser opens the page (I think it is on by default but can be disabled). It's been a while but I believe we had to submit requests to whoever maintains that dbase or another just like it - it was happening to us here as well as users.
Today, my analytics have shown me my visitors have jumped back up to normal, more than doubling what the level was 3 days ago. Fingers crossed that trend continues. That Norton website checker came back clean with no errors found whatsoever, so things are looking solved for me at this point, and I will keep an eye out for any reports of the screen by my members.
Thanks everyone for your replies :)
This is the Bugzilla@Mozilla bug report discussion mentioned above by Chrispcritters....
Bug 820283 - Sites stay marked as a malware or phishing even after removal from the SafeBrowsing DB
It's a fascinating discussion, and apparently not a simple problem. I recommend it as a read for anyone using software that needs to go through frequent updates, as it sheds some light on the process and considerations of diagnosing and fixing issues that don't show up for everyone.
I've encountered or observed analogous updating problems with Adobe, Microsoft, Google, Symantec, and Apple software, among many others. Last post now in the thread, comment #54, advising of current status, may not be comforting, as it looks at the issue from that of the software developer (as in part it must), but takes a very limited view of who actually is affected...
|...we have no intention to fix this for Firefox 17 given that we are a week away from releasing Firefox 18. Any users who cannot wait are welcome to use the latest Firefox 18 Beta build in the meantime. The current Beta is very close to what we will actually be releasing on January 8. Sorry, I know it's not ideal but this is the best solution we can offer at this time. |
The link came up in a conversation I had with StopBadware in dealing with the lingering "attack site" seen in Firefox after a malware issue was resolved.
|We've filed bug 823667 as a workaround for FF17 (if it ends up being necessary, for instance a major web property is impacted). |
They are willing to consider a fix for FF17, but apparently only if a "major web property is impacted". Wonder what is defined as a major web property?
|Wonder what is defined as a major web property? |
Adobe Reader's download page (the one that ranks for "click here") was at one time affected. I'm sure that page is major, but it still took Norton a while to purge the system.
Possibly enough small web properties would cumulatively equal one major property.
At issue here also, I believe, is the question of holidays and time available to fix this... and that updates for Beta users are already in progress. Hard to tell from the discussion who actually makes the decision, but it seems to be a defined procedure.
Norton and McAfee SiteAdvisor have to be checked. I'm glad you made it through. But for future reference to those who come after you and read this discussion, Google is not the only entity on the web warning visitors off from hacked sites. Getting the clean bill of health from Google Webmaster Tools is only the FIRST step. It is not the only step you should be taking to recover your traffic. Both Norton and McAfee have procedures to follow to get off their hacked list. Those lists are propagated elsewhere and can lead to a drastic loss of traffic.