homepage Welcome to WebmasterWorld Guest from 107.21.187.131
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

    
google detected malware
hamids54




msg:4455698
 10:13 pm on May 20, 2012 (gmt 0)

Hi,

google detected malware on my server.google warns my users not clicking my website . server is linux.admin server says
they scanned server with clamscan maldet scan and couldn't find any.also they used siteadvisor.com .siteadvisor shows my site is clean.

my first question is what is best scanner for detecting such malwares? why admin server could not find it but google did it?

 

phranque




msg:4455727
 12:13 am on May 21, 2012 (gmt 0)

did you try fetch as googlebot?

hamids54




msg:4455733
 12:33 am on May 21, 2012 (gmt 0)

I found out by google webmaster that google blocked my website bc of finding a script on my server.admin server removed it.I requested google
to review my website.I am waiting.

No I don`t know about fetch.I didn`t tried it.

I want to prevent future infection .

which antiviruses can detect such malwares perfectly.

martinibuster




msg:4455779
 1:47 am on May 21, 2012 (gmt 0)

You can't put an antivirus on your server to protect you. The issue is software on your server that is out of date and has vulnerabilities. It can be anything from Plesk, WordPress, Joomla, vBulletin, etc. The best that can be done is to make sure everything installed on your server is up to date.

Additional tasks can be to download your site and review key pages like the home page for iframes that you didn't put there. If the site has PHP includes then take a peek at some of the top level pages (like headers and footers) to see if there have been any changes there.

Good luck!

hamids54




msg:4455801
 5:18 am on May 21, 2012 (gmt 0)

this site is a dynamic website.5 years ago was created by a
web developer.from the time until now he has not worked with this website . and now he doesn`t work again.this site now has 850k visitors per month. I know there are many vulnerabilities. should I ask a security team to check up my website or another web developer ?

hamids54




msg:4456105
 7:55 pm on May 21, 2012 (gmt 0)

detecting badwares before google detect them

I had infected with a malware recently.I will try to protect my
website by the tips google mentions
[support.google.com...]

but I want to detect badwares before google detect them.before I was infected with last attack I was using AVG scan it didn`t detected .after I awared server manager scaned with clamscan maldet scan it didn`t detect also. it seems Google must be using some other scanner that's picking something up that we aren't.now my question is:

I want to have best scanner for detecting malwares. which one is best?

martinibuster




msg:4456122
 8:57 pm on May 21, 2012 (gmt 0)

There is nothing to scan. This isn't something that you can scan for, as I explained to you already. I will try to explain it to you again. Sites don't get infected with malware the way computers get infected. Sites have vulnerabilities.

Think of your website as if it were your home and hackers as if they are thieves. In order to get into your home thieves look for vulnerabilities. Typical vulnerabilities will be doors that do not lock properly and windows that are wide open.

Similarly, the software that you use to create your site dynamically will have open windows and locks that are easy to open. They are points of entry to your website files in a manner that allows the public to manipulate your website. These entry points, open windows, are not viruses. They are simply entry points to your site. This is nothing you can scan for.

Take a look at your code. It's possible that the developer used off the shelf software, like a CMS framework. Identify what that code is, whether joomla or whatever and then find someone to patch it for you, to update it to the latest version.

Once your site has been broken into and the site files altered, your antivirus on your desktop will alert you that a virus or trojan was trying to load onto your desktop or laptop. But by that time it's pretty much game over. Google will know about it and within a few days the dreaded "infected site" note in the SERPs. Until you patch the vulnerability, i.e. get a better lock, the hacking is going to continue because it's very likely an automated attack.

Google is just one of many issues to resolve after a hacking attack. Go to McAfee Siteadvisor and websense because they're likely blocking your site, too.

hamids54




msg:4456249
 5:50 am on May 22, 2012 (gmt 0)

Thanks martinibuster

I see. my first duty is finding someone to patch the vulnerabilities as
you said.

martinibuster




msg:4456272
 6:46 am on May 22, 2012 (gmt 0)

Updating software can be a pain. But not always. It might not be as difficult as it might first appear. If by looking at your code, the includes, and the style sheets you are able to determine what software the developer used, then patching it can be relatively simple. Most software packages have details on how to patch their programs on their support pages. Sometimes it's automated, sometimes it's a matter of selecting a file, finding a section of code, then adding more code before or after that piece of code. Or else replacing that code with another piece of code.

Good luck! :)

hamids54




msg:4457238
 7:09 am on May 24, 2012 (gmt 0)

I consulated a code expert (php expert).he believes it is better to consulate with a security team to protect me.

how I can find a good security team.

martinibuster




msg:4457240
 7:21 am on May 24, 2012 (gmt 0)

1. What is a security team?

2. What will a so-called security team do except review the code?

3. Shouldn't a PHP expert be able to identify vulnerable code?

You maay try to you review your code as I suggested to find what may be out of date.

If by looking at your code, the includes, and the style sheets you are able to determine what software the developer used...


Often you can find what software is being used simply by Googling/Binging snippets.

[edited by: martinibuster at 8:17 am (utc) on May 24, 2012]

hamids54




msg:4457252
 7:46 am on May 24, 2012 (gmt 0)

I see

I try to ask another php expert to identify vulnerable code .the first web developer doesn`t reply my calls and emails.

hamids54




msg:4457793
 1:56 pm on May 25, 2012 (gmt 0)

someone checked my website up .he believes there are so many vulerabilities that it doesn`t worths to patch them and it should be better to hire new web developer to create again.

but the problem is bc i am very busy.. I have to close the sections of my website temporarily.

my question is must not a good server manager protect any website in spite of so many bugs ?

phranque




msg:4459247
 12:08 am on May 30, 2012 (gmt 0)

it depends whether you have hired your server manager to stand and guard your open front door 24/7 or if you have hired your server manger to drive by occasionally and check for damage.

Robert Charlton




msg:4459308
 6:34 am on May 30, 2012 (gmt 0)

Here's a recent blog post by Google's Matt Cutts on how to detect and guard against hacking....

Example email to a hacked site
http://www.mattcutts.com/blog/example-email-to-a-hacked-site/ [mattcutts.com]

Matt says...
Beyond clear-cut blackhat webspam, the second-biggest category of spam that Google deals with is hacked sites....

...The single best piece of advice I can give to prevent website hacking is "keep your web server software up-to-date and fully patched." That prevention is much better than the hassle of cleaning up a hack....

The post provides links to about a half a dozen resources that Google offers, but, as Matt points out, Google can provide only limited assistance to people with hacked sites. Certainly worth checking out.

From what you say, it sounds like you will want a tech person to rebuild and maintain your site, but you should check out the above resources yourself to get an overview. Part of what you will need to do will depend on how the site was accessed and hacked.

phranque




msg:4459331
 8:15 am on May 30, 2012 (gmt 0)

this thread is still relevant - How Hacked Servers Can Hurt Your Traffic:
http://www.webmasterworld.com/google/3802274.htm [webmasterworld.com]

bwnbwn




msg:4472611
 9:40 pm on Jul 4, 2012 (gmt 0)

I have a client that called me he said his website was redirecting to another website. It was discovered plesk was the hole. Plesk was patched but the server was still infected. It took some time but I found a sweet server scanner for finding what files the malware is located on the server and removing it.

[emsisoft.com...]

It has taken 5 or so hours to scan the server and this software has discovered 40+ files with different types of trojans malware loaded. Looks like some are used for spamming out emails such as UPS package notice, account problems notice in html formats, JS redirects and others. There are a 100 or so sites on the server and looks like most of them have a redirect JS installed so the hacker must have gotten administrator access. I have advised the client as soon as I complete the scan to change all passwords on everything.

I have contacted the host and requested a new server this one even though it looks like I might get them all is so infected it is just to risky to keep it. When I remove the crap it will probably break parts of the server anyway. He has a backups of all the sites at his office so I won't use a thing off the server and will set up IIS by hand, upload the sites and move on.

Looks like a long long 4th of July day for me. Even if I break the sites it is better they are broken than infect my visitors with this stuff.

Panthro




msg:4472652
 12:54 am on Jul 5, 2012 (gmt 0)

Ah yes, I just had a fun time with cleaning up a round of hacked WP sites. OP, I suggest you check any index files first for strange code that should not be there.

I'd be a little surprised if there's no one here that could take a security/cleanup gig, or at least recommend someone.

WeWatch




msg:4473021
 10:27 pm on Jul 5, 2012 (gmt 0)

Website malware is very different from malware on a PC or Mac. We find that most anti-virus programs can only detect about 40% of malicious files on a website.

If you have a good backup, you could just rename your main folder, ie., /public_html or /httpdocs or whatever you have and just put a _temp at the end.

Then restore your known uninfected files to the original folder name.

This will just be a temporary band-aid. You still have to find out how it was hacked.

If it's WordPress, it could be:

1. Outdated WordPress
2. Outdated plugin
3. Vulnerable plugin
4. Password was stolen (either WP, FTP or hosting account)

If it's some other CMS then the list above is basically the same.

Do you have your log files?

If so, do a search through the log file with an editor and look for any of the names of the infected files. See where the IP address resolves to with www.#*$!. If it's not one you recognize, then that could be the culprit.

If you find it was through FTP then someone with FTP access has a virus/trojan on their computer and it's stealing passwords.

If you don't have a good backup then you'll have to have someone else scan and clean the files for you.

But you have to still find out how it happened so you know how to prevent it. Otherwise, they'll be back...

Can you post more information about your site?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved