September 10, 2009

Dealing with “This Site May Harm Your Computer” Notice

So your site got hacked. Google identified some malware on it and put a “This site may harm your computer” notice next to your site’s listings in the SERPs.

It happens so often today that you shouldn’t even be too surprised. Don’t panic, just take action.

Steps to take:

  1. Remove the malware (check the source code of your pages);
  2. Change your FTP passwords;
  3. Contact your hosting provider to let them know they may have a security leak, and make sure they have taken some action (that’s also a good way to make sure your hosting provider is worth the money you are paying);
  4. Check your site with blacklistdoctor.com (re-branded as Dasient.com) or unmaskparasites.com to get an idea of which files are infected;
  5. Browse your site using various user agents and possibly proxy servers to make sure all is working fine;
  6. Request a malware review via Webmaster Tools.
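
For steps 1 and 5, the page source returned to each user agent can be checked mechanically. The sketch below is an added example, not part of the original post: it flags `<iframe>`/`<script>` tags that load from a foreign host or are hidden, and reports findings that only some user agents received. The hostname, the user-agent labels and the sample pages are constructed assumptions; fetching the pages with different `User-Agent` headers is left to the reader.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "www.example.com"  # assumption: your own hostname


class InjectionFinder(HTMLParser):
    """Collects <iframe>/<script> tags that are hidden or load from another host."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).netloc  # empty for relative URLs
        foreign = bool(host) and host != self.site_host
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        if foreign or (tag == "iframe" and hidden):
            self.findings.append((tag, src, "hidden" if hidden else "visible"))


def scan(html, site_host=SITE_HOST):
    finder = InjectionFinder(site_host)
    finder.feed(html)
    return finder.findings


def compare_user_agents(responses, site_host=SITE_HOST):
    """responses maps a user-agent label to the HTML it was served.
    Returns (findings per label, findings served only to some labels)."""
    per_ua = {ua: set(scan(body, site_host)) for ua, body in responses.items()}
    common = set.intersection(*per_ua.values())
    cloaked = {ua: sorted(f - common) for ua, f in per_ua.items() if f - common}
    return per_ua, cloaked


# Constructed sample: the same page as served to two different user agents.
CLEAN = '<html><body><script src="/js/site.js"></script><p>Hello</p></body></html>'
INFECTED = CLEAN.replace(
    "</body>",
    '<iframe src="http://malware.invalid/in.php" width="1" height="1" '
    'style="visibility: hidden"></iframe></body>')
SAMPLE = {"desktop-browser": INFECTED, "search-crawler": CLEAN}

if __name__ == "__main__":
    for ua, items in compare_user_agents(SAMPLE)[1].items():
        print(ua, items)
```

A non-empty second return value means the site serves different markup depending on the visitor, which is why a single look at the page in your own browser is not enough.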


25 comments already


  7. Ran on 09.10.2009 at 2:16 pm | permalink
  8. Hi Ann,

    Good practical post. Another super important step is to scan your personal computer for any nasty surprises in case your password(s) have been compromised. When writing the reconsideration request to the Google team, take the time to note the prevention you’ve taken, step by step.

    [Reply]

  9. Kerry Dye on 09.10.2009 at 3:00 pm | permalink
  10. @Ran - the request a review for Malware isn’t the same as the reconsideration request - there is no option to enter additional information, it is basically just a request for a rescan of your site. I wrote about the effects on your SEO only a couple of weeks ago at http://www.vertical-leap.co.uk/blog/this-site-may-harm-your-computer-google-warning-message-and-seo-effects/

    [Reply]

  11. Thomas J. Raef on 09.10.2009 at 9:03 pm | permalink
  12. Ran is correct. So far this year 88% of websites hacked have been from a virus on a PC with FTP access to the hacked site.

    The virus works in a variety of ways.

    First, it knows where common FTP programs store their usernames and passwords. Many of them don’t encrypt the login credentials so finding the file, reading it and sending the stolen login credentials to a server is no big task.

    When the server gets the login information it downloads the website to its server, infects the code, then re-uploads it or sometimes it just simply infects just the index files; .php, .html, .htm, etc.

    The second way the virus works is by installing a keyboard logger. This will catch the login credentials of the people who were told not to have their FTP software store the information.

    The third way is the virus “sniffs” the outbound FTP traffic and since FTP transmits all data, including username and password, in plain text, it’s easy for the virus to see and steal the credentials.

    The fourth way is that the virus injects its infectious code into the data stream of the FTP traffic as it’s leaving the PC. This method leaves no clues in the log files on the web server because the FTP traffic is only coming from a valid IP - that of the website owner/designer/master.

    Typically the only way to clean this virus is to install a different anti-virus program than what is currently installed because the virus has learned how to evade detection of the currently installed anti-virus program.

    By installing a new anti-virus program, you can find the virus and remove it.

    Many have had good success with AVG, Avast, Avira or Malwarebytes. If you’re already using one of these, use one of the other ones as it has to be different or you may not find and remove the virus.

    [Reply]

  13. abilitydesigns on 09.11.2009 at 4:57 am | permalink
  14. I’d chime in with extra points as people often do not know where the source of infection lies.

    * Seek help in Google website owner’s help forum for hacked sites / sites with malware warning or stopbadware org’s forum

    * Check your site with blacklistdoctor dot com or unmaskparasites dot com to get an idea about which files are infected.

    * Scan and clean your PC before you try accessing your site again with FTP to avoid getting into a loop.

    -AD

    [Reply]

    Ann Smarty Reply:

    Thanks, AD :) Just added your tips to the post…

    [Reply]

  15. liposuction on 09.11.2009 at 6:47 am | permalink
  16. The second way the virus works is by installing a keyboard logger. This will catch the login credentials of the people who were told not to have their FTP software store the information. Thanks a lot.

    [Reply]

  17. Shiju Alex on 09.11.2009 at 7:01 am | permalink
  18. If you have been infected, after all the above steps, it shall be wise to change FTP passwords immediately after FTP access. You may check your FTP logs to ensure that attempts for login have not originated from suspicious IPs that are not yours.

    Another means of infection could be through a vulnerable code that is already hosted. It could even be the web application that you use. So it would be good to identify the infected files and check the web logs for suspicious activity (well, this is a tedious task). Search the web for vulnerabilities in the web application that you are using and apply updates as required.

    [Reply]
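
The FTP log check suggested in the comment above, as an added example that is not part of the original comment. It assumes vsftpd-style log lines (the thread does not name an FTP server); the allowlisted address and the sample log are constructed.

```python
import re
from collections import defaultdict

KNOWN_IPS = {"198.51.100.20"}  # assumption: addresses you normally FTP from

# vsftpd-style line (assumed format):
#   <date> [pid N] [user] OK LOGIN: Client "ip"
#   <date> [pid N] [user] OK UPLOAD: Client "ip", "/path", N bytes, rate
LINE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<status>OK|FAIL) '
    r'(?P<action>LOGIN|UPLOAD): Client "(?P<ip>[^"]+)"(?:, "(?P<path>[^"]+)")?')


def review_ftp_log(lines, known_ips=KNOWN_IPS):
    """Summarise logins and uploads per client IP that is not on the allowlist."""
    report = defaultdict(lambda: {"logins": 0, "failed": 0, "uploads": []})
    for line in lines:
        m = LINE.search(line)
        if not m or m["ip"] in known_ips:
            continue
        entry = report[m["ip"]]
        if m["action"] == "LOGIN":
            entry["logins" if m["status"] == "OK" else "failed"] += 1
        elif m["status"] == "OK":
            entry["uploads"].append(m["path"])  # files written by this client
    return dict(report)


# Constructed sample log: one login from the owner, two from unknown addresses.
SAMPLE_LOG = [
    'Mon Sep 14 06:55:01 2009 [pid 2101] [siteowner] OK LOGIN: Client "198.51.100.20"',
    'Mon Sep 14 07:01:13 2009 [pid 2313] [siteowner] OK LOGIN: Client "203.0.113.7"',
    'Mon Sep 14 07:01:20 2009 [pid 2315] [siteowner] OK UPLOAD: Client "203.0.113.7", '
    '"/public_html/index.php", 5120 bytes, 88.12Kbyte/sec',
    'Mon Sep 14 07:03:44 2009 [pid 2400] [siteowner] FAIL LOGIN: Client "192.0.2.99"',
]

if __name__ == "__main__":
    for ip, summary in review_ftp_log(SAMPLE_LOG).items():
        print(ip, summary)
```

A successful login followed by an upload of an index file from an address you do not recognise points at stolen credentials, and the uploaded paths are the first files to inspect.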

  19. Lax transportation on 09.11.2009 at 9:05 am | permalink
  20. Very nice post. Many of them don’t encrypt the login credentials so finding the file, reading it and sending the stolen login credentials to a server is no big task.

    [Reply]

  21. cardboard boxes on 09.11.2009 at 9:20 am | permalink
  22. The only way to clean this virus is install a different anti-virus program than what is currently installed because the virus has learned how to evade detection of the currently installed anti-virus program.

    [Reply]

  23. SM@SeoNext on 09.11.2009 at 9:22 am | permalink
  24. Amazing post… thanks a lot for this informative post. Really a nice post.

    [Reply]

  25. conveyancing solicitors uk on 09.12.2009 at 5:23 am | permalink
  26. I’m seeing the same thing. I’m guessing it’s a Google problem. Thanks a lot.

    [Reply]

  27. limousines gold coast on 09.12.2009 at 8:44 am | permalink
  28. The virus works is by installing a keyboard logger. This will catch the login credentials of the people who were told not to have their FTP software store the information.

    [Reply]

  29. play roulette on 09.12.2009 at 10:42 am | permalink
  30. The only way to clean this virus is install a different anti-virus program than what is currently installed because the virus has learned how to evade detection of the currently installed anti-virus program.

    [Reply]

  31. chat on 09.13.2009 at 11:05 pm | permalink
  32. Let’s become a friend: ) Thanks

    [Reply]

  33. Ameet Ranadive on 09.14.2009 at 12:41 am | permalink
  34. Hi Ann,

    Thanks for the great post! This is Ameet from Dasient, the creators of the blacklistdoctor.com tool you referenced in step 4. We have re-branded the BlacklistDoctor tool under the Dasient name, so feel free to scan your site for malware on dasient.com.

    We also provide some resources for learning more about how and why malware attacks occur on our website, for anyone interested in learning more.

    Finally, you may consider signing up for monitoring of your website using our free blacklist monitoring or premium malware monitoring services.

    Thanks,

    Ameet

    [Reply]

    Ann Smarty Reply:

    Thanks, I added it to the post

    [Reply]

  35. business mobile phones on 09.14.2009 at 7:07 am | permalink
  36. The virus works is by installing a keyboard logger. This will catch the login credentials of the people who were told not to have their FTP software store the information. Very informative post, thanks.

    [Reply]

  37. first home buyer on 09.14.2009 at 9:04 am | permalink
  38. It could even be the web application that you use. So it would be good to identify the infected files. Thanks a lot.

    [Reply]

  39. Underfloor heating on 09.15.2009 at 5:00 am | permalink
  40. It could even be the web application that you use. So it would be good to identify the infected files and check the web logs for suspicious activity (well, this is a tedious task).

    [Reply]

  41. 125cc Motorbikes on 09.15.2009 at 3:02 pm | permalink
  42. I’ve seen a lot of Ran mentioned recently - viruses that are geared to scrape login data from your FTP programs and then run amok.

    Thanks for the online checking tools - not seen those before!

    [Reply]

  43. Restaurant POS on 09.21.2009 at 10:57 am | permalink
  44. Thanks for information about which steps taken if this error comes. I bookmark this post.

    [Reply]

  45. Court Reporters on 10.14.2009 at 12:32 pm | permalink
  46. Good post about which steps taken when site got hacked. Thanks for helpful information.

    [Reply]
