
HTML Forum

    
Attack site warning message
peewhy




msg:3960291
 2:40 pm on Jul 27, 2009 (gmt 0)

I've been asked to look at a website that has the following message on the 'contact us' page. Could this be from a free script they have added - or something more sinister?

This web site at www.example.com has been reported as an attack site and has been blocked based on your security preferences.

[edited by: incrediBILL at 5:43 pm (utc) on July 27, 2009]
[edit reason] exemplified URLs [/edit]

 

wyweb




msg:3960295
 2:46 pm on Jul 27, 2009 (gmt 0)

They published this on their own website about their own website? They're warning people about their own site?

peewhy




msg:3960330
 3:11 pm on Jul 27, 2009 (gmt 0)

No, it appears to come from Google. Here's part of the message:

Site is listed as suspicious - visiting this website may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 1 pages that we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time that Google visited this site was on 2009-07-10, and the last time that suspicious content was found on this site was on 2009-07-10.

Malicious software is hosted on 3 domain(s), including (specifics removed).

3 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including (specifics removed).

This site was hosted on 1 network(s) including AS16557 (COLOSOLUTIONS).

[edited by: encyclo at 4:33 pm (utc) on July 27, 2009]
[edit reason] removed specific references to malware sites [/edit]

wyweb




msg:3960341
 3:26 pm on Jul 27, 2009 (gmt 0)

I've been asked to look at a website...

I believe I'd have to decline.

SanDiegoPaul




msg:3960346
 3:34 pm on Jul 27, 2009 (gmt 0)

Somebody reported to me that my company's website gave their browser a similar message. I never have a problem visiting it and don't know what caused it.

Actually it happened more than once - I got an email from a prospective client ~from~ my website complaining of the same thing once.

encyclo




msg:3960376
 4:42 pm on Jul 27, 2009 (gmt 0)

This kind of warning from Google happens because their crawler has detected that the site (or at least the specific page) has been compromised. It is extremely rare to get a false positive, so you must take the warning seriously.

It could just be the contact form which was hacked, but depending on other factors (such as any CMS script you are using or if passwords or other details are stored on the server) the entire server could be hacked too.

At the very least, you must take the contact form offline as soon as possible, and ideally you should review the entire site content and revert to a known backup on a different server.

peewhy




msg:3960387
 4:48 pm on Jul 27, 2009 (gmt 0)

Encyclo

Thanks for this.

I suspected that it relates to some sort of script. It also shows this text:

"You can learn more about malware and how to protect yourself at StopBadware.org."

Unfortunately the site owner is a friend of one of my existing clients so I need to look after them!

I'll suggest completely cleaning the site.

SanDiegoPaul




msg:3960415
 5:31 pm on Jul 27, 2009 (gmt 0)

Encyclo, my site doesn't even HAVE a form to fill out. What else do I need to look at? It's hosted by a well known company.

encyclo




msg:3960634
 10:45 pm on Jul 27, 2009 (gmt 0)

There can be any number of server-side scripts which, if not updated, can cause problems. Do you have any content-management system or blog script installed? If you don't, another possibility is that your FTP credentials have been compromised - there is a worm variant going the rounds which infects your local machine and steals FTP passwords from programs such as FileZilla (used for FTP transfer). So, check your local machine too.
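The review against a known backup that encyclo recommends above, as an added example that is not part of any post in this thread: it hashes a known-good backup and the live document root, reports added, missing and changed files, and lists third-party hosts loaded by script or iframe tags in the files that differ. It assumes both copies are available as local directories; the function names, sample files and the host intermediary.invalid are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# src= of <script>/<iframe> tags that point at an absolute or protocol-relative URL
EXTERNAL_SRC = re.compile(
    r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?((?:https?:)?//[^"\'\s>]+)', re.I)

def sha256_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def external_hosts(path, own_hosts=()):
    """Hosts loaded by script/iframe tags in one file, minus the site's own."""
    text = Path(path).read_text(errors="replace")
    hosts = {urlparse(u).hostname for u in EXTERNAL_SRC.findall(text)}
    return sorted(h for h in hosts if h and h not in own_hosts)

def compare(backup_root, live_root, own_hosts=()):
    """Diff the live document root against the known-good backup copy."""
    backup, live = sha256_tree(backup_root), sha256_tree(live_root)
    report = {
        "added": sorted(set(live) - set(backup)),
        "missing": sorted(set(backup) - set(live)),
        "changed": sorted(f for f in set(live) & set(backup) if live[f] != backup[f]),
        "external": {},
    }
    for rel in report["added"] + report["changed"]:
        hosts = external_hosts(Path(live_root) / rel, own_hosts)
        if hosts:
            report["external"][rel] = hosts
    return report

def demo():
    """Constructed sample: a clean backup and a live copy with an injected iframe."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for d in (backup, live):
            d.mkdir()
            (d / "index.html").write_text("<h1>Home</h1>")
        page = '<form action="/send.php"></form>'
        (backup / "contact.html").write_text(page)
        (live / "contact.html").write_text(
            page + '<iframe src="http://intermediary.invalid/in.php" width=1></iframe>')
        (live / "stats.php").write_text("<?php /* file not present in backup */ ?>")
        return compare(backup, live, own_hosts=("www.example.com",))
```

Files listed under "added" or "changed" are the ones to inspect by hand before restoring from the backup; an unexpected host under "external" on a page that never embedded third-party content is a strong sign of injected markup.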
