Anyone seeing a huge increase in unflagged malware links?



5:44 am on Jan 1, 2010 (gmt 0)

10+ Year Member

I have a Google alert set up to send me mentions of my news site.

In the last couple of weeks, I've been getting a ton of alerts for sites that mention and scrape some of our news and then have these convoluted urls after a three letter php file (like bxh.pkp, ikk.php) that, if clicked, redirects the visitor to one of those fake virus scan, drive-by download sites.

Visiting one of the sites, I saw it was an American Legion site that obviously wouldn't be covering news in our genre. Digging deeper on another message board I was informed that these backdoors have been uploaded unwittingly to a lot of sites.

When I did a search on the relevant search term, I found a lot of references to our site's content being used as a lure to these malware links. Neither AVG's linkscanner nor Google's malware detection passed on any warnings.

Has anyone else seen this behaviour lately?
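
Added example, not part of the original post: a site owner who suspects such a backdoor on their own server can look in the access log for answered requests to three-letter `.php` scripts carrying long query strings, the URL shape described above. It assumes Apache/nginx "combined" log lines; the function name, the `known_scripts` allowlist, the length threshold and the sample lines are all constructed for illustration.

```python
import re
from collections import Counter

# Request line and status code of a "combined" format log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
# Path ending in a script whose file name is exactly three lowercase letters.
THREE_LETTER_PHP = re.compile(r'/[a-z]{3}\.php$')

def suspicious_scripts(log_lines, known_scripts=frozenset(), min_query_len=20):
    """Count answered requests to unrecognised three-letter PHP scripts
    that were called with a long query string."""
    hits = Counter()
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed line, skip rather than crash
        target, status = m.group(1), int(m.group(2))
        path, _, query = target.partition("?")
        if not THREE_LETTER_PHP.search(path):
            continue
        if path in known_scripts:
            continue  # script the site owner deployed themselves
        if status >= 400:
            continue  # 4xx/5xx: nothing on disk answered this request
        if len(query) < min_query_len:
            continue  # short or empty query, not the pattern described
        hits[path] += 1
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2010:05:44:00 +0000] "GET /ikk.php?q=local-news-headline-story-2010&s=abc123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2010:05:45:10 +0000] "GET /ikk.php?q=another-scraped-headline-here&s=def456 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2010:05:46:00 +0000] "GET /faq.php?topic=shipping-and-returns-policy HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2010:05:47:00 +0000] "GET /bxh.php?q=probe-for-a-file-that-is-not-there HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2010:05:48:00 +0000] "GET /index.php?id=5 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
    '192.0.2.45 - - [01/Jan/2010:05:49:00 +0000] "GET /news/rss.php HTTP/1.1" 200 900 "-" "FeedFetcher"',
    '203.0.113.8 - - [01/Jan/2010:05:50:00 +0000] "GET /uploads/qzt.php?d=7f3a9c0012bb45e1aa90cd HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, count in suspicious_scripts(SAMPLE_LOG, {"/faq.php"}).items():
        print(f"{count:4d}  {path}")
```

Any path it reports should be compared against what was actually deployed to the site; a file nobody on the team uploaded is the thing to investigate.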


1:59 am on Jan 8, 2010 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member

Ken, I experience very little loss of functionality on the vast majority of web sites I visit. As I said, Flash is the only real one but then I just find another site (not so much for security as that I hate Flash sites). Anything else, if I really need it I can turn it on again if I need it - even Flash should I be so inclined.

I know of a web server that was probably compromised through FTP but it wasn't from the work station that managed the server, just an exploitable flaw in the FTP server itself. Quite simply, the software hadn't been upgraded. Back doors were planted on the server and the rest was managed through that.

The problem with managed servers is that in many cases only the standard server software and utilities are available. There is no facility to add specialist software. Apart from that I agree: if you can find a really good company that knows what it's doing (which I suspect is relatively rare) and don't need specialised software running on it then it's better than the average web designer managing it. But people will do what they want regardless. :(

I don't think "sloppy" companies are going to fade soon. There are far too many who are in it for the bucks, who dump knowledgeable staff at the hint of a recession - or for any other excuse come to that. Build high, sell wide.

And, of course, there are those hosting companies who welcome criminals with open arms until they are forced to close down, move elsewhere and begin again...


3:42 am on Jan 8, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member

Dstiles, I use the Flashblock extension to disable flash (they don't even download) until I push the play button that replaces the flash object. About 90% of the time I never activate the flash object because they are ads, but when I want an object to play there is no impediment. Flashblock is just about my favorite Firefox add-on; I like it even better than the Firefox add-on I maintain. I also disable Java as I almost never (like maybe a couple times a year) have a need for it. I do leave JavaScript enabled; I just don't want to lose that functionality.

In regards to managed web hosting, yes, there are some trade-offs. Like you pointed out, I can't install specialized software or Apache modules. I have to accept what my web host has approved unless I go to a dedicated server. This hasn't impeded me too often with my website development as they have installed the most critical Apache modules. You are right that the sloppy companies aren't going anywhere very fast. I've been with my current web host for over ten years and I feel very lucky to have found them.


11:57 pm on Jan 9, 2010 (gmt 0)

5+ Year Member

To disable JavaScript in Internet Explorer, go to Tools > Internet Options > Security. Set the Internet Zone to High. You can also click Custom Level and set a few options even more restrictive.

You can disable Flash and some other things at Tools > Manage Add-Ons.

I mention these because most of the previous discussion was about Firefox+NoScript.

ianevans, you can report the sites that are using your content as a lure to malware at [google.com...] . (Only report sites/pages that you are certain are malware-infected. That is not a place to report a site merely for scraping.) Then at least those pages will be flagged as harmful in Google and users will preferentially go to your site for the same content when/if your site and the other appear in the same SERP.


10:59 pm on Jan 10, 2010 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member

The problem with disabling things in MSIE is the problem of having to do odd things to re-enable them sometimes. If there is an Ask Me option then that would be favourite, I suppose. With NoScript it's a quick right-click or button click to re-enable selectively.


10:28 pm on Jan 11, 2010 (gmt 0)

5+ Year Member

I mostly used IE until IE8 came out. It crashed multiple times a day. I couldn't resolve the problem by revising settings. I waited through a few months of MS Updates in case it was something that MS would fix promptly. That didn't happen, so I gave up and switched to Firefox, transferring over all my bookmarks and settings, etc.

One of the unexpected benefits was the one-click enable/disable feature of NoScript that you mentioned, which truly is a lot easier than IE because it can en/disable script, iframes, PDF, and other active content with a single click.

Having installed and become used to about a dozen FF add-ons that now I don't want to have to give up, it's unlikely I'd ever go back to IE unless FF enters a period of similar unusability.

But it's still just as important for IE users to have active content disabled in IE when visiting new sites, even if the interface for adjusting the settings is clunky.

All the settings can be found (possibly with some digging) in the tabs at Tools > Internet Options or Tools > Manage Add-Ons or other menu items in the Tools or Safety menus. When you want to allow active content, you add the site to the "Trusted Sites" zone where the permissions aren't so restrictive. That's the process that FF+NoScript does much more easily.

With so many exploits being JavaScript-based, or iframe-contained, or (lately) relying on maliciously crafted PDF files, or on auto-redirects to malicious sites, it's important to have all those things turned Off most of the time. There's no good reason to have them enabled for all sites all the time.

It is far more efficient to install a virus on a server direct from the botnet

However, the Gumblar/Martuz attack discovered that it is extremely efficient to infect lots of PCs, and, as a side-effect to its other purposes, steal whatever FTP passwords are found there, and send them to the botnet, which uses them to log into the corresponding websites and upload the viruses that way.


12:08 am on Jan 12, 2010 (gmt 0)

WebmasterWorld Senior Member dstiles is a WebmasterWorld Top Contributor of All Time 5+ Year Member

I think the hassle of turning on/off IE's switches is a pretty good guarantee that they will not be altered, especially by the vast numbers of MSIE users who can barely manage the internet anyway. And those who do know what they are doing are more careful about how they do it anyway. :(

I concede it's efficient to grab FTP, SSH etc codes and pass them back to the botnet but I would expect the quantity of exploitable holes through that method to be orders of magnitude fewer than direct virus injection into a server.

It also depends on the security awareness of the server manager. It would not be possible on most of my customers' accounts to even get as far as attempting to log into the FTPES servers let alone succeed and upload suitable files to a sensitive area (eg root). It all depends on the type of site, though, and (if used) what kind of web site management software is in use. Since most of the bot accesses are automated anything that is non-standard is likely to at least slow them down a bit; although obviously this is not something to rely upon. :)


9:54 am on Jan 18, 2010 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member

Please visit your control panel and check "Scheduled Tasks". Some of these trojans just aren't very sophisticated; they don't "hide" at all, they just use your computer's own properties to make sure that whatever is cleaned or removed can be re-installed quickly. Scheduled Tasks is one such seldom checked opening.
This 37 message thread spans 2 pages: 37
