Welcome to WebmasterWorld Guest from 54.224.68.56

This page requires javascript to function properly. It seems that your browser does not have Javascript enabled. Please enable Javascript and press the Reload/Refresh button on your browser.

Forum Moderators: phranque

Message Too Old, No Replies

Malware found on site - blocked by Google

drooh

4:46 pm on Oct 29, 2012 (gmt 0)

Preferred Member

joined:June 19, 2006
posts:476
votes: 0

Ok, so a client came to us saying he had an issue with his site being blocked by google. We changed his hosting over to host gator which gave him new nameservers. His site is a joomla site and I looked over the code for hidden malicous content but I didnt find anything.

When you search for his site in google and then click on it you get a red warning that the site is malicious. But if you just type in the address everything is fine.

Im really puzzled what is happening, any ideas?

[The Google error page says: [domain] contains malware. Your computer might catch a virus if yo visit this site]

The name of the site is (removed).net but it shows (removed).ru on the error screen.

[edited by: Webwork at 12:29 am (utc) on Oct 30, 2012]. Removed specifics

[edited by: ergophobe at 1:36 pm (utc) on Oct 30, 2012]
[edit reason] replaced screenshot with verbal description - don't want anyone accidentally followin [/edit]

ergophobe

1:44 pm on Oct 30, 2012 (gmt 0)

Moderator

ergophobe is a WebmasterWorld Top Contributor of All Time

joined:Apr 25, 2002
posts:8492
votes: 224

You can use the Sucuri Site Check (http://sitecheck.sucuri.net) to find out what the various authorities are reporting.

From there, you need to start with some detective work. When you say you couldn't find anything, how did you go about that? I would download a default distro of Joomla or, even better if you have it, a known safe backup of the site, and run a diff to find out what's different.

While you're at it, check the whois data for both domains.

phranque

2:47 pm on Oct 30, 2012 (gmt 0)

Administrator

phranque is a WebmasterWorld Top Contributor of All Time

joined:Aug 10, 2004
posts:10888
votes: 72

you should examine your .htaccess file for anything suspicious, especially if it is testing the HTTP USER_AGENT or REFERER strings.
also try "fetch as googlebot" in GWT and examine the source code for anything that may look like unusual or unknown javascript code.

lucy24

12:18 am on Oct 31, 2012 (gmt 0)

Senior Member from US

lucy24 is a WebmasterWorld Top Contributor of All Time

joined:Apr 9, 2011
posts:13841
votes: 485

If you didn't find anything, keep looking.

Same thing happened recently to an unimpeachable site that I know slightly. At first they simply assumed minor hacking to scare them into buying some unneeded security software. The culprit ended up being a Russian site with contact info in Lithuania; I remember looking them up and thinking that RIPE's verification criteria were due for an overhaul.

It was educational for a reason you may not even have thought of: I was surprised at how many browsers independently use g###'s security verification. The "may harm your computer" text doesn't only show up in SERPs* but as advance warning in the browser itself.

* Gosh. I had no idea this acronym was invented by anyone in particular ;)