Malware found on site - blocked by Google
drooh




msg:4513428
 4:46 pm on Oct 29, 2012 (gmt 0)

Ok, so a client came to us saying he had an issue with his site being blocked by Google. We changed his hosting over to HostGator, which gave him new nameservers. His site is a Joomla site and I looked over the code for hidden malicious content but I didn't find anything.

When you search for his site in Google and then click on it, you get a red warning that the site is malicious. But if you just type in the address everything is fine.

I'm really puzzled about what is happening. Any ideas?

[The Google error page says: [domain] contains malware. Your computer might catch a virus if you visit this site]

The name of the site is (removed).net but it shows (removed).ru on the error screen.

[edited by: Webwork at 12:29 am (utc) on Oct 30, 2012]. Removed specifics

[edited by: ergophobe at 1:36 pm (utc) on Oct 30, 2012]
[edit reason] replaced screenshot with verbal description - don't want anyone accidentally followin [/edit]

 

ergophobe




msg:4513766
 1:44 pm on Oct 30, 2012 (gmt 0)

You can use the Sucuri Site Check (http://sitecheck.sucuri.net) to find out what the various authorities are reporting.

From there, you need to start with some detective work. When you say you couldn't find anything, how did you go about that? I would download a default distro of Joomla or, even better if you have it, a known safe backup of the site, and run a diff to find out what's different.

While you're at it, check the whois data for both domains.

phranque




msg:4513803
 2:47 pm on Oct 30, 2012 (gmt 0)

You should examine your .htaccess file for anything suspicious, especially if it is testing the HTTP USER_AGENT or REFERER strings.
Also try "fetch as googlebot" in GWT and examine the source code for anything that may look like unusual or unknown JavaScript code.
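
One way to run the .htaccess check suggested above, as an added example that is not part of the original thread: it flags any RewriteRule that redirects to a host other than the site's own when the rule is gated on the referer or user agent, which matches the symptom of a warning that appears only for visitors arriving from search results. The host names and the sample file are constructed for illustration.

```python
import re

# Server variables that make a redirect depend on who is visiting.
WATCHED = ("HTTP_REFERER", "HTTP_USER_AGENT")
COND = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
EXTERNAL = re.compile(r"^https?://([^/\s:]+)", re.I)

def audit_htaccess(text, own_hosts):
    """Return RewriteRules that send referer/UA-selected visitors off-site."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = COND.match(line)
        if m:
            pending.append((m.group(1).upper(), m.group(2)))
            continue
        m = RULE.match(line)
        if not m:
            continue
        # RewriteCond lines apply only to the next RewriteRule.
        conds, pending = pending, []
        target = EXTERNAL.match(m.group(1))
        watched = [c for c in conds if c[0] in WATCHED]
        if target and watched and target.group(1).lower() not in own_hosts:
            findings.append({"line": lineno,
                             "host": target.group(1).lower(),
                             "conditions": watched})
    return findings

# Constructed sample: one injected block among ordinary rules.
SAMPLE = r"""RewriteEngine On
# constructed injected block: redirect only search-referred visitors
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^.*$ http://injected.example/landing [R=302,L]
# ordinary hotlink protection (uses the referer but does not redirect)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?client-site\.example [NC]
RewriteRule \.(jpg|png)$ - [F]
# ordinary canonical-host redirect
RewriteCond %{HTTP_HOST} ^client-site\.example$ [NC]
RewriteRule ^(.*)$ http://www.client-site.example/$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule .* index.php [L]
"""

if __name__ == "__main__":
    own = {"client-site.example", "www.client-site.example"}
    for f in audit_htaccess(SAMPLE, own):
        print(f"line {f['line']}: redirect to {f['host']} if {f['conditions']}")
```

This inspects mod_rewrite rules only, so an empty result covers the .htaccess file and nothing else on the site.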

lucy24




msg:4513987
 12:18 am on Oct 31, 2012 (gmt 0)

If you didn't find anything, keep looking.

Same thing happened recently to an unimpeachable site that I know slightly. At first they simply assumed minor hacking to scare them into buying some unneeded security software. The culprit ended up being a Russian site with contact info in Lithuania; I remember looking them up and thinking that RIPE's verification criteria were due for an overhaul.

It was educational for a reason you may not even have thought of: I was surprised at how many browsers independently use g###'s security verification. The "may harm your computer" text doesn't only show up in SERPs* but as advance warning in the browser itself.


* Gosh. I had no idea this acronym was invented by anyone in particular ;)
