Ask Sucuri: Why does my site keep getting reinfected?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here. For all the “ask sucuri” answers, go here.

Question: Why does my site keep getting hacked / reinfected?

A lot of our new customers only get in contact with us after repeatedly trying to clean up their sites manually without success. A common first question is “I cleaned my site 3 times already and it keeps getting reinfected and blacklisted. What can I do? Can you guys clean it up for good?”

Based on our experience, these are the 4 main causes of reinfections on web sites:

  1. A backdoor is still present in your site. Even though you removed the visible malware, you might still have hidden backdoors that the attackers are using to compromise your site. Sometimes even a “clean” backup might still contain a backdoor. During our cleanups, we always search for and remove the hidden backdoors (even when they don’t show up in our scanner).
  2. Stolen FTP/SSH/Admin passwords. This is very common, especially via FTP and compromised desktops. Are you changing your passwords? Is your desktop secure? Even if your desktop is secure, are you using FTP on an insecure wireless (or wired) network? The recommendation is to change all your passwords and scan your desktop for viruses.
  3. Vulnerability in your site. Are you using an outdated CMS? Maybe your WordPress or Joomla or forum is not updated? Make sure to update them as soon as possible to avoid reinfections.
  4. Same account infections. If you have other sites in the same FTP account and they are compromised (or infected), the malware can spread back to the site you just fixed. Do you have more sites in the same FTP account? This is especially common on shared servers, but also happens on dedicated servers.
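
A file-integrity comparison that addresses causes 1 and 4 above, as an added example (not Sucuri's code or tooling): it snapshots every site under one hosting account right after a cleanup and later reports files added, changed or removed, grouped by site, so drift on a neighbouring site is visible too. The function names, directory layout and sample sites are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(account_root):
    """Map 'site/relative/path' -> SHA-256 for every file under the account."""
    digests = {}
    for dirpath, _dirs, files in os.walk(account_root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, account_root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_since_cleanup(baseline, current):
    """Group files added, changed or removed since the baseline by site."""
    report = {}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "added"
        elif rel not in current:
            kind = "removed"
        elif baseline[rel] != current[rel]:
            kind = "changed"
        else:
            continue
        site = rel.split("/", 1)[0]  # first path component = site directory
        report.setdefault(site, []).append((kind, rel))
    return report

def demo():
    """Constructed account with two sites; returns the drift report."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
        write("shop.example/index.php", "<?php echo 'shop';")
        write("blog.example/index.php", "<?php echo 'blog';")
        baseline = snapshot(root)  # taken right after the cleanup
        # Constructed drift: a new file on one site, a modified file on the other.
        write("blog.example/uploads/cache.php", "<?php /* unexpected */")
        write("shop.example/index.php", "<?php echo 'shop'; /* modified */")
        return diff_since_cleanup(baseline, snapshot(root))

if __name__ == "__main__":
    for site, changes in demo().items():
        for kind, rel in changes:
            print(f"{site}: {kind} {rel}")
```

Keep the baseline somewhere the web server account cannot write to; a baseline stored inside the account can be altered along with the files it describes.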

There are also other reasons for reinfections, like when your web hosting company is compromised, causing those “mass infections” we blog about sometimes. But that is outside your power, and there is not much you can do about it, except switching hosts.

Have a question or a comment? Make sure to ask below :)

Ask Sucuri: What is the most common type of malware out there?

Question: What is the most common type of malware (on web sites) that you find?

Unfortunately the answer to this question changes every few months. For the months of February and March (2011), we scanned more than 200,000 web sites (211,520 to be more precise) and almost half of those sites had some type of malware. (A high percentage of users scanning sites via our scanners are already infected or suspect some type of funny business with their web property.)

To be exact, 90,870 (around 42%) had some type of malware. This is the breakdown (some may have more than 1 issue identified, so the numbers may not add up):

Ask Sucuri: How long it takes for a site to be removed from Google’s blacklist?

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean, however, it is still blacklisted by Google. How long until they remove us?

This is a very common question. In fact, every time we clean a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, for the last few months we started to time how long it takes from when the review submission is requested, until the site is removed by Google. We have now timed more than 500 blacklist removals so I think we have some good numbers to back us up.

Here are the results: