Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warning that shows up on search engines. These are the warnings that we will cover in this series:

  • Part 1: Google ‘This Site May Be Compromised’
  • Part 1: Google ‘This Site May Be Hacked’
  • Part 2: Google ‘This site may harm your computer’
  • Part 2: Google ‘Visiting this site may harm your computer’
  • Part 3: Bing ‘The link to this site is disabled because it might download malicious software that can harm your computer’

The first two warnings, “This Site May be Compromised” and “This Site May be Hacked”, are actually the same thing. Google used to say “Compromised” but recently switched to using the term “Hacked”. The change was likely made to avoid confusing nontechnical webmasters. This is how the warning shows up on Google:

[Screenshot: Google search result showing the “This site may be hacked” warning]

What does this warning mean?

This warning means that Google detected suspicious links or pages on your site. They are not malware in the sense of something that would infect your users, but they still should not be there.

We see this often on websites that got hacked with hidden spam pages to sell things like Viagra products or casino ads. We also see it often on sites that have been defaced or had phishing pages added to them. Those pages are generally not linked from the main site, and are often used in email spam campaigns.

For example, a bad guy hacks into a site and creates a folder called “/bankofamerica/signup”. He then emails thousands of people with links to this site, pointing them to the URL he created for the Bank of America phishing campaign. That page is not linked from anywhere on the site, so only the people who got the email would know it is there. The same applies to the spam pages.
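Because such pages get visitors without ever being linked from the site, they stand out in the web server's access log. The following is an added example, not Sucuri's code or part of the original post: it flags paths that were served successfully but never reached through a link on the site itself. It assumes Apache/nginx "combined" log format and the placeholder host mysite.com; the log lines and the function name are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2013:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 2048 "http://mysite.com/" "Mozilla/5.0"
203.0.113.21 - - [10/Jan/2013:10:02:11 +0000] "GET /bankofamerica/signup HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.44 - - [10/Jan/2013:10:02:40 +0000] "GET /bankofamerica/signup HTTP/1.1" 200 9001 "http://webmail.example/inbox" "Mozilla/5.0"
203.0.113.90 - - [10/Jan/2013:10:03:02 +0000] "GET /bankofamerica/signup?id=7 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2013:10:04:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2013:10:04:09 +0000] "GET /old-page HTTP/1.1" 404 312 "-" "Mozilla/5.0"
""".splitlines()


def find_orphan_pages(lines, site_host, min_hits=2):
    """Return {path: hits} for 2xx pages never requested with a referrer on site_host.

    This is a review list, not a verdict: a legitimate landing page that is only
    ever reached from outside the site will show up here too.
    """
    hits = defaultdict(int)
    internally_linked = set()
    own_hosts = {site_host.lower(), "www." + site_host.lower()}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):
            continue  # unparseable line, or the page was not actually served
        path = urlsplit(m["target"]).path or "/"  # drop the query string
        hits[path] += 1
        ref_host = urlsplit(m["referer"]).hostname  # None for "-" or empty
        if ref_host and ref_host.lower() in own_hosts:
            internally_linked.add(path)
    # The home page is normally typed in directly, so it is not reported.
    return {p: n for p, n in sorted(hits.items())
            if n >= min_hits and p not in internally_linked and p != "/"}


if __name__ == "__main__":
    for path, count in find_orphan_pages(SAMPLE_LOG, "mysite.com").items():
        print(f"{count:5d}  {path}")
```

Any path it reports should be checked against what you actually published; a directory you do not recognize is a candidate for the cleanup described below.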

This is the official explanation from Google about the warning:

To protect the safety of our users, we show this warning message for search results that we believe may have been hacked or otherwise compromised. If a site has been hacked, it typically means that a third party has taken control of the site without the owner’s permission. Hackers may change the content of a page, add new links on a page, or add new pages to the site. The intent can include phishing (tricking users into sharing personal and credit card information) or spamming (violating search engine quality guidelines to rank pages more highly than they should rank).

This warning is also not present on Google’s SafeBrowsing API, so the only way to find out that your site has this flag is to search on Google for your own site. If you search for “site:mysite.com” it should show if you have this warning or not.

SiteCheck

Because this type of warning is not passed to Google’s SafeBrowsing API, our free SiteCheck will not list it under the “Blacklist” checks. It may still detect the spam or defacement added to the site, but it will not flag the blacklist status.

Note: Our team will still be able to clean it up under any of our plans, despite SiteCheck not flagging it.

Clean up

The first step is to actually get your site cleaned and the malicious pages removed. We have many guides that explain how to clean your site and you can follow any one of them:

These are just some examples for WordPress. Once your site is cleaned and you have verified it (at least on SiteCheck), you should be safe to request the review on Google’s end. It will take a few days before they reply with the final verdict.

Conclusion

And that’s it for Part I. If you have additional questions, or other blacklist warnings that you want explained, let us know.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • http://www.autogearhead.com/ M Jati Munggaran

    Awesome! Thanks for sharing :D

  • http://www.frivjogo.info/ Friv Jogos

    What can you give me a specific picture of what is best in the mentioned problems, the updating.

  • Andrew

    This was very useful to read. Our site currently has the “hacked” status. We’ve resolved the issue and have submitted the review request to Google who say it may take several weeks to respond but you say a few days. Which is more realistic or are we at the whim of Google here?

  • LUIS

    I AM VERY INTERESTED IN THIS TEXT, SINCE WE COULD BE AT RISK AND NOT KNOW IT