Google flagged our site as a security risk – what now?!

Google searches of our pages now lead to the “This site may harm your computer / Warning - visiting this web site may harm your computer!” page.

I called our host (NetworkSolutions) who can’t find anything wrong with the site. I’ve also checked various pages’ content via Dreamweaver, and see no new code.

Now what? I’m about to throw a chair across the room. Google’s pages tell me to look at Webmaster Tools. But aside from displaying the same vague warning about the site, it tells me nothing about what to do/where to look. They pretty much say “here is what badware is and where it can come from,” but nothing about WHY they flagged the site as possibly malicious. Ok, there goes the chair across the room.

Any suggestions about where to turn next?

Thanks,

ChairlessRhythm

If you are looking at your pages with Dreamweaver, I doubt you are actually looking at the raw HTML. Do you have an up-to-date and fully patched version of Dreamweaver? Sometimes design tools introduce security problems with the code they generate or include from libraries.

:eek: Really? Oh, that bytes. I work almost exclusively in code view, and thought that was displaying everything available per file. Someone could have gotten in and hidden code from DW’s eyes? ETA: when looking at files and structure, I also use FireFTP as it’s somewhat quicker and simpler to use than DW’s file tab. I see non-displayed lock files, but nothing else that doesn’t show up in DW.

It’s MX2004, and as updated as I can make it.

In the code view you are able to see all the HTML, JavaScript, etc. in Dreamweaver.

Are you loading in any external javascript files? How about playing any flash videos?
(see: http://www.adobe.com/support/security/bulletins/apsb08-01.html )

Are you allowing users to upload anything to your site? Is it possible an external javascript file was uploaded which may contain some nasty code? Are you opening any popups to other sites? Displaying any ads such as javascript calls to build an ad or flash ads?

First, whew vis-à-vis code view, thanks.

Second, Nope City.

No external javascript files. We have a very small bit of javascript on the site, mainly a rotating image (not an annoying one, but it cycles through portfolio pieces in one or two areas).

No flash videos.

The only place for someone to upload a file is in a directory that is password protected via the site management control panel. Not only is it a fairly complex password (not word-based, mix of caps, and special characters), but even if it was a weak password, Google wouldn’t have broken into a restricted area to check up on it.

No popups or links to external sites.

No third party code of any kind (that we put up) to advertise or lead off-site.

We don’t seek any business over the Web. The site is there mainly to have something of a Web presence, so if a potential client (i.e., one that receives our bid) wants to look us up, they can get more information about us. That’s why the site is fairly simple (though, as an editorial and design firm, it has a high level of polish).

There is one potential weakness, but I can’t tell if this is what’s getting Google’s goat. We have a basic ‘contact us’ form that accepts name, organization, comments, etc., that on submission (if (isset($_POST['submitted']))) sends us an email (mail("ash@domain.com", $subject, $body, "FROM: $from");). A few of the fields’ strings are stripslashed, but there is no SSL certificate or other encryption going on. I’ve checked that area’s code, and don’t see anything I didn’t put there.

Which brings me back to treading fairly close to pit-worthy comments. If Google wants to flag our site, fine. But other than Go Fish, how the heck is someone supposed to know what tripped their filter?! Is there anything in their Webmaster tools that points in the right direction? ARRRRRHHHGGGGHHH!!!

There’s no way for the users to put anything into the site? I.e. register a username and leave a comment that is viewable? Google wouldn’t care if there was an email form since anything malicious would only matter to the person reading the emails, not a website visitor.

The problem with user data is that they can insert anything they want to into the webpage if you don’t actively protect against it. For instance, the SDMB would be a security risk if I could write:

<script>…do something annoying via Javascript</script>

And instead of appearing as plain text in my post, it was inserted into the webpage as invisible code.

The same thing can happen if you allow ads to be displayed on your website. There’s always the chance that one of them contains some code that does bad things.

Essentially, if there’s any part of the website that isn’t 100% static, you should make sure that there’s no way for someone to compromise it.

Is Google seeing the same site you are? IOW has DNS been hijacked? Or, has someone forgotten to renew your address?

Go look at the tools on www.dnsstuff.com and www.mxtoolbox.com and see if they can point you to any problems with your domain name.

(MX Toolbox is strictly for email, but if your domain ended up on a blacklist Google might be taking that into account)

What is the site? Every time I run across this message on a Google search, I go to our public library and try the site and so far, the virus detector on the library computer goes wild.

Google doesn’t ban you for small things; when you see that warning it’s a major virus type thing. There are tons of sites Google lets slide (like disabling the back button etc.), and Javascript really isn’t malicious.

That form you described is a simple PHP form and everyone has that, so you have something else on there. Could be your webhost, some of them offer less costly options which allow the web host to do things with your site.

Email them and ask for clarification of why the flag was placed. Like others have said, Google does not take such warnings lightly. Tell them you want to correct it but need more information as to what they are tagging you for.

The problem is that you are looking at your pages in Dreamweaver and that is not what is actually hosted on your site. To view the HTML that is actually delivered to users from your site, visit your website, right click and choose “View Source.” Then press Control-F and search for the word “sex” in the source. I imagine there is some stuff that you did not intend to find there.

You may have an easy to guess user and password combination for your account, or there may be a security risk somewhere else on your site.

My advice: take your site down immediately and put up a basic HTML page that says you are undergoing work until you can fix the problem. Your site is doing more harm than good as is.

Glad to see you took your site offline. When I visited it yesterday it wanted to install a fake MS plugin. I couldn’t post because I wasn’t registered, but I did today simply to respond to this topic. From the looks of what I found, you’re the victim of the whole IFRAME vulnerability going around.

Or at least that’s what Google thinks.
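The check suggested in the posts above (look at the HTML the server actually delivers, and look for injected IFRAMEs) can be scripted. This is an added example, not code from any poster in the thread; the function name, the sample page and the hosts `www.example.org` and `injected.example` are constructed placeholders.

```php
<?php
// Added example: flag <iframe>/<script> tags in delivered HTML that load
// from another host or are sized/styled so a visitor never sees them.
function find_suspicious_tags(string $html, string $siteHost): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // real pages are rarely valid HTML
    $doc->loadHTML($html);
    libxml_clear_errors();

    $findings = [];
    foreach (['iframe', 'script'] as $tag) {
        foreach ($doc->getElementsByTagName($tag) as $el) {
            $src = trim($el->getAttribute('src'));
            if ($src === '') {
                continue;               // inline script: nothing fetched
            }
            $reasons = [];
            $host = parse_url($src, PHP_URL_HOST);
            if (is_string($host) && strcasecmp($host, $siteHost) !== 0) {
                $reasons[] = 'off-site';
            }
            if ($tag === 'iframe') {
                $style = strtolower(str_replace(' ', '', $el->getAttribute('style')));
                $w = $el->getAttribute('width');
                $h = $el->getAttribute('height');
                if ((is_numeric($w) && (int)$w <= 1)
                    || (is_numeric($h) && (int)$h <= 1)
                    || strpos($style, 'display:none') !== false
                    || strpos($style, 'visibility:hidden') !== false) {
                    $reasons[] = 'hidden';
                }
            }
            if ($reasons) {
                $findings[] = "<$tag src=\"$src\">: " . implode(', ', $reasons);
            }
        }
    }
    return $findings;
}

// Constructed sample; www.example.org and injected.example are placeholders.
$sample = '<html><body><h1>Portfolio</h1>'
    . '<script src="/js/rotate.js"></script>'
    . '<iframe src="http://injected.example/x" width="0" height="0"></iframe>'
    . '</body></html>';
foreach (find_suspicious_tags($sample, 'www.example.org') as $finding) {
    echo $finding, PHP_EOL;
}
```

Run it against the HTML fetched from the live server rather than a local copy, since that is what visitors and Google receive. It only inspects tags present in the markup, so a frame written into the page by an inline script would not be reported.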

EEEEEEEEEEEEEEEEKKKKKKKKKKKKKKKK
Wow, first off, thank you so much for all your help.

I’d been back and forth with Network Solutions several times, they’ve elevated the issue a couple times and I’m waiting to hear back again.

When this first broke, the code on the main index page was clean (we checked a lot of other pages too, but never saw anything).

However, after seeing Mike V.’s post, I viewed source and found a slew of ungodly links (hey, whatever floats your boat, but when our main clients are UN organizations and the like, that’s bad!). It was well after one in the morning (other project), so I re-called NetSol, knocked off the page, and am waiting for the next step. They are having their engineers look over the site and logs to see if they can tell where/when the attack came. (It also showed up this time after getting the file via Dreamweaver and looking at the code. The Dreamweaver-doesn’t-display-all-the-code question scares me a bit, but I posted that to its own thread.)

The passwords on the site are all fairly (?) secure. They’re seven to nine character non-standard acronyms (verses from obscure songs) of mixed case, a couple numbers, and a couple punctuation marks. There is one area/directory with a relatively weak password to get into the folder, but no other pages link to it, and rechecking its code shows nothing.

Thanks ceebeegeebee (hey, I thought you closed down a couple years back :slight_smile: ) for taking the time to register/post! I really hope nothing happened to your system! I’ve been to the page a bunch of times since this happened, and haven’t seen anything act up. I’m running FF with adblock and script blocking, ZoneAlarm Pro and SpyBot teatimers in the background, scan nightly with an updated AVG, and neither recent SpyBot nor AdAware scans show anything. I’m about to start a Trend online scan. Anywhere else I should check/run or have I dodged a bullet?

I tried Googling IFRAME vulnerability, but got such a wide range of hits I couldn’t find anything relevant. I’d really like to find out where the vulnerability was, and plug it up/delete that area of the site.

Network Solutions wants to sell me a service called Watchdog that, in addition to keeping tabs on uptime (not especially needed as we get very little traffic), it runs a ‘security scan’ to detect vulnerabilities. I know this is a bit closing-the-barn-doorish, but am wondering if it’s worth it to pay the $18 bucks a month any time we make major changes.

This has been so stressful here (especially as it’s on top of a client’s panicked influx of projects), but I’m very glad to have had something to go on … THANKS!!!

Because you said your source changed, I’d look first into seeing if you can get a developer to make sure your code is secure.

It is possible that either through a web form related security hole, either through SQL Injection (SQL injection - Wikipedia) or unsanitized inputs in PHP or a cracked web server input, you could have had a hole that permitted someone to replace either your home page and/or one or more of the included files.

One of the most common is cross site scripting (and unsanitized inputs). Often people include another page via a variable on the main page. Eg. Website Hosting - Mysite.com

Index.php would have code like this:

fopen($_GET['page']);

This is a huge security hole because it could be used to include code from someone else’s site to rewrite or delete your pages.

I haven’t heard anything about NS’s watchdog’s service, but I know I have seen similar free services - but I would first worry about whether or not your php code was secure.
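A hardened counterpart to the `fopen($_GET['page'])` pattern in the post above, as an added example that is not the poster's or the site's code: the request value is only ever used as a key into a fixed list. The directory layout and page names are hypothetical.

```php
<?php
// Added example: resolve ?page= through a fixed allowlist instead of
// handing request input to fopen()/include.

const PAGES_DIR = __DIR__ . '/pages';   // assumed content directory
const PAGES = [                         // hypothetical page names
    'home'      => 'home.html',
    'portfolio' => 'portfolio.html',
    'contact'   => 'contact.html',
];

function resolve_page($requested): ?string
{
    // Arrays (?page[]=x) and any name not listed are rejected outright,
    // so a URL or arbitrary path never reaches a filesystem call.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGES_DIR . '/' . PAGES[$requested];
}

// Constructed inputs: one legitimate name and three values to reject.
$probes = ['portfolio', 'http://injected.example/x.txt', 'no-such-page', ['x']];
foreach ($probes as $probe) {
    $path = resolve_page($probe);
    printf("%-36s => %s\n", json_encode($probe), $path ?? 'rejected (serve 404)');
}
```

In the page itself the call would be `resolve_page($_GET['page'] ?? 'home')`, answering with a 404 when it returns null.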

There’s a story at The Register about this here:

If you go to http://www.securityfocus.com/ and search for IFrame you’ll find loads of detail.

Edit to add: The url is really “mass_web_attack” not “ass web attack” as the link shows.

Worse than that… I died. ::sob:: Who knew I’d be hanging out here in my afterlife. Redemption, I 'spose.

And speaking of redemption, my post could use some. When I posted I was trying to be vague so as to not accidentally infect someone clicking willy-nilly around your site. I see now I left out a bit too much. My only problem now is I can’t remember the specifics outside of the redirect address! (Being dead is just like life, ironically enough).

The redirect was to golnanosat dot com (Be careful!). I either got that from the info in the IE7 bar or somewhere else on your site, I honestly can’t remember, or go back and find it, sorry. All I do know is that Google doesn’t like that address as every mention of it is blocked (mostly) by Google and anything open on it talks about the iFrame injection problem big-time sites had earlier this month.

I’d bet anything that addy’s in one of the redirects you found.