Welcome to WebmasterWorld Guest from

Forum Moderators: phranque

Message Too Old, No Replies

Malware found on site - blocked by Google

4:46 pm on Oct 29, 2012 (gmt 0)

Preferred Member

10+ Year Member

joined:June 19, 2006
votes: 0

Ok, so a client came to us saying he had an issue with his site being blocked by google. We changed his hosting over to host gator which gave him new nameservers. His site is a joomla site and I looked over the code for hidden malicous content but I didnt find anything.

When you search for his site in google and then click on it you get a red warning that the site is malicious. But if you just type in the address everything is fine.

Im really puzzled what is happening, any ideas?

[The Google error page says: [domain] contains malware. Your computer might catch a virus if yo visit this site]

The name of the site is (removed).net but it shows (removed).ru on the error screen.

[edited by: Webwork at 12:29 am (utc) on Oct 30, 2012]. Removed specifics

[edited by: ergophobe at 1:36 pm (utc) on Oct 30, 2012]
[edit reason] replaced screenshot with verbal description - don't want anyone accidentally followin [/edit]

1:44 pm on Oct 30, 2012 (gmt 0)


WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
votes: 254

You can use the Sucuri Site Check (http://sitecheck.sucuri.net) to find out what the various authorities are reporting.

From there, you need to start with some detective work. When you say you couldn't find anything, how did you go about that? I would download a default distro of Joomla or, even better if you have it, a known safe backup of the site, and run a diff to find out what's different.

While you're at it, check the whois data for both domains.
2:47 pm on Oct 30, 2012 (gmt 0)


WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
votes: 126

you should examine your .htaccess file for anything suspicious, especially if it is testing the HTTP USER_AGENT or REFERER strings.
also try "fetch as googlebot" in GWT and examine the source code for anything that may look like unusual or unknown javascript code.
12:18 am on Oct 31, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
votes: 595

If you didn't find anything, keep looking.

Same thing happened recently to an unimpeachable site that I know slightly. At first they simply assumed minor hacking to scare them into buying some unneeded security software. The culprit ended up being a Russian site with contact info in Lithuania; I remember looking them up and thinking that RIPE's verification criteria were due for an overhaul.

It was educational for a reason you may not even have thought of: I was surprised at how many browsers independently use g###'s security verification. The "may harm your computer" text doesn't only show up in SERPs* but as advance warning in the browser itself.

* Gosh. I had no idea this acronym was invented by anyone in particular ;)