Site hacked with malware - how long to recover?

danielanaidu

7:39 pm on Sep 27, 2009 (gmt 0)

10+ Year Member

I got the dreaded notification email from Google. My hosting provider ran a tool to remove all iframes from the site (since that was what they believed was the most probable cause), and I then requested Google to review the site again.

How long can I expect the review to take? Once they have reviewed it, how will I know? Will they send me another notification through Webmaster Tools?

tedster

2:05 am on Sep 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

I don't know that you will get another notice in Webmaster Tools. You'll just see your traffic come back. I've seen that happen in just a couple days after the fix was done.

bwnbwn

1:58 pm on Sep 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

danielanaidu, have you fixed the hole that caused the hack? Just removing the iframes doesn't mean the hacker won't be back to install the same again.

Please change all passwords, run a malware scan on your computer, ask the host to look over the server for outdated software they installed, and update all software that you installed on the server.

You have to find the hole or they will be back.

danielanaidu

2:06 pm on Sep 28, 2009 (gmt 0)

10+ Year Member

Google responded this morning and it turns out the iframe was NOT the issue. I am still not sure what the issue was (my host is still working on it). In the meantime I had my host restore the site using a backup version from 9/22, since it appears the hack occurred on 9/24. I then resubmitted the site for review, and am waiting for another response from Google.

It appears the hack occurred by FTP, so I have changed my password and will also be updating my FTP allow/deny settings.

What software do you recommend for running a malware scan on my computer?

Thanks for the advice, it's much appreciated!

bwnbwn

2:55 pm on Sep 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Malwarebytes might be a good one to try. Each has their own, but this one removed the dreaded avg2000 from my daughter's computer.

On the FTP, is the software updated?

Here is an idea to see how many holes the server has. HackerGuardian has a free PCI server scan, so you might just find out if there is outdated software running that has known issues.

You can sign up for 5 free scans; this might help.

danielanaidu

9:06 pm on Sep 28, 2009 (gmt 0)

10+ Year Member

Maybe this will help someone else out there.

We finally found out what happened. The infection occurred in the Google Analytics/Urchin script at the bottom of some of my pages. I used to use FrontPage Extensions, and some old pages still had some old FrontPage code in them (the code had been removed from all new files). Scanning tools could not see the infection in those old files.

To resolve the problem, I removed all the old files that still had FrontPage code in them from my server, as well as all the FrontPage folders in the root directory.

I am submitting my site once again to Google for review. Hopefully that will be the last of that!

tedster

10:36 pm on Sep 28, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Thanks for the details. There are some more malware diagnosis options here:

[webmasterworld.com...]

danielanaidu

3:57 am on Sep 29, 2009 (gmt 0)

10+ Year Member

I have a question. My host says that if I change my FTP password, as well as change my password to access my account directly through the host, and then I also set up ftp.allow to only allow my IP address to FTP to my site, that I am covered against hackers.

Is there anything that they have overlooked? Is there any other way that someone could hack my site?

Thanks.

SteveWh

11:30 am on Sep 29, 2009 (gmt 0)

10+ Year Member

It is most likely that the hack added different, malicious code to the bottoms of your pages that looked like Google Analytics / Urchin code but wasn't. In other words, it would be fake code (for example, a script whose source is something like gooqle-analytics (notice the Q) or googleanalytcis), and it would be inaccurate to say that "the infection occurred in the google analytics/urchin script".

Old FrontPage code in your static pages would not be hackable. Dynamic code like PHP or ASP can be. The hack apparently modified your static pages, but that was almost certainly not the avenue of the original entry. If the FrontPage Extensions were properly configured and the folder permissions also correct (usually the case), the FPE wouldn't be the weak spot, either.

If the host found malicious iframes and removed them for you, they did you a favor, but it did not address the question of how the pages were modified to contain iframes in the first place, so the hacker will simply put them back.

In your other thread here, you asked: "my host says that if i change my ftp password, as well as change my password to access my account directly through the host, and then i also set up ftp.allow to only allow my IP address to ftp to my site, that i am covered against hackers." Those are 3 security improvements you can do, but it does not in any way "cover you against hackers". It overlooks many aspects of server/site security, and there are lots of ways someone can hack your site.

It does not sound like you and your host have truly discovered how this happened, and it's unlikely this episode is really over.

Scan your PC with antivirus software other than the one you normally use. Then change your FTP password. (Do a web search on "gumblar".) If you use a wireless internet connection, use only encrypted SFTP to access your site.

If you use PHP or ASP or any other server side scripting language, you'll need to study how to code securely in that language.

If the bad code that is appearing on your pages (or the iframes or JS that loads the bad code from a remote site) cannot be found anywhere in your site, then your host will need to investigate the possibility of a server-wide compromise.
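An added example, not code from any poster in this thread, of the check SteveWh describes: scanning static HTML for script tags whose host is a near-miss of the real Google Analytics host (the "gooqle" / "googleanalytcis" lookalikes) and for iframes styled to be invisible. The sample page and the lookalike hosts in it are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample page: a genuine ga.js loader written via document.write,
# followed by an injected lookalike script tag and a zero-size hidden iframe.
SAMPLE_HTML = """
<html><body><p>Hello</p>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script src="http://www.gooqle-analytics.com/ga.js"></script>
<iframe src="http://example.invalid/x.html" width="0" height="0" style="visibility:hidden"></iframe>
</body></html>
"""

LEGIT_HOSTS = {"google-analytics.com", "www.google-analytics.com", "ssl.google-analytics.com"}
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*\ssrc=[\"']?([^\"'\s>]+)", re.IGNORECASE)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:width|height)=[\"']?0\b|visibility:\s*hidden|display:\s*none", re.IGNORECASE)

def host_of(url):
    """Return the lowercase host part of an absolute or protocol-relative URL."""
    m = re.match(r"(?:https?:)?//([^/:]+)", url)
    return m.group(1).lower() if m else ""

def looks_like_analytics(host):
    """True when host is not a genuine GA host but is a close spelling of one."""
    if host in LEGIT_HOSTS:
        return False
    return max(SequenceMatcher(None, host, h).ratio() for h in LEGIT_HOSTS) > 0.8

def scan_html(html):
    """Return (kind, tag, evidence) tuples for lookalike sources and hidden iframes."""
    findings = []
    for tag, src in SRC_RE.findall(html):
        if looks_like_analytics(host_of(src)):
            findings.append(("lookalike-analytics", tag.lower(), src))
    for m in IFRAME_RE.finditer(html):
        if HIDDEN_RE.search(m.group(0)):
            findings.append(("hidden-iframe", "iframe", m.group(0)))
    return findings

if __name__ == "__main__":
    for kind, tag, evidence in scan_html(SAMPLE_HTML):
        print(f"{kind:20} <{tag}> {evidence}")
```

Run it over each .html file on disk (or a restored backup) to locate injected tags that a signature-based scanner may miss.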

danielanaidu

7:33 pm on Oct 19, 2009 (gmt 0)

10+ Year Member

Here is an update: the hackers came back! They somehow deleted my FTP allow and deny files and rehacked my site with the exact same malware. Now I have to get my host to figure out how those files are getting deleted. Will report again when I have more info.

If anyone has had a similar problem, I would appreciate some advice.

Thanks.

dstiles

8:31 pm on Oct 19, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

Probably a remnant of the original backdoor still on the server. Those things take a LOT of removing. Many of the files have names very similar to real files.

Also, if the admin password hasn't been changed... Best to get away from the words admin and administrator anyway.

If the FTP server is IIS then there was an FTP patch issued a few days ago to fix a serious security hole. If that wasn't patched: Blooie!

If it's a non-IIS FTP server, some FTP servers have been known to have security holes, although I think most are fixed fairly quickly.

In the case I had several years ago I ended up stripping almost everything from the (IIS) server, including a lot I probably shouldn't have. :(

danielanaidu

8:40 pm on Oct 19, 2009 (gmt 0)

10+ Year Member

The admin password has been changed more than once. The host suggested running a keylogger detector. Can anyone recommend a good one?

srik79

6:42 am on Oct 20, 2009 (gmt 0)

10+ Year Member

I had this problem too; got hacked, and rankings came back pretty soon after the problem was rectified...

What about my PR? Will I lose it because of the hacking?