Reseller Hosting, Shared Hosting, Dedicated Hosting by Vortech Inc.

#1 pixel41 (Vortech Inc. Customer), 06-15-2009, 12:27 PM

help - getting "Warning - visiting this web site may harm your computer!"

Hi, I'm getting a "Warning - visiting this web site may harm your computer!" when I Google quite a few of my hosted sites. I am also now blocked from them at work (we use BlueCoat and it's telling me it's categorized as "Malicious").

DB-PrecisionProducts.com
CS-DS.org
PaperclipCampaign.com

Is anyone else seeing this?

Google's explanation says:
What happened when Google visited this site?

Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-06-12, and the last time suspicious content was found on this site was on 2009-06-12.
Malicious software is hosted on 2 domain(s), including bro.tw/, rnw.kz/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including rnw.kz/.

This site was hosted on 1 network(s) including AS16557 (COLOSOLUTIONS).



Any ideas or help would be appreciated.

#2 jmcgee (Vortech Inc. Customer), 06-15-2009, 08:12 PM

Is this a database driven website? (i.e. is data stored only in static html pages or do you pull data from mysql or mssql using php or asp?)

This happened to me a few months ago when my MSSQL database got hit with a script attack. Basically via unprotected forms, a user or bot was able to inject < script > tags directly into the database tables which in turn showed up in the HTML back to the browser and generated the warning from Google.

Jason
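
The stored-script problem described in post #2, as an added example that is not part of the original thread: form input is written with bound parameters, HTML-encoded when rendered, and an audit pass lists rows that already hold script or iframe markup. SQLite stands in for the poster's MSSQL database; the `comments` table, the function names and the sample rows are constructed for illustration.

```python
import html
import re
import sqlite3

# Markup that should never appear in plain-text form fields.
TAG_RE = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)

def open_db():
    """In-memory SQLite database standing in for the site's MSSQL tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    return db

def save_comment(db, author, body):
    # Bound parameters keep form input out of the SQL text itself.
    db.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))

def render_comment(author, body):
    # Encode on output so any stored markup is shown as text, not executed.
    return "<p><b>{}</b>: {}</p>".format(html.escape(author), html.escape(body))

def audit_comments(db):
    """Return ids of rows whose text columns already hold script/iframe tags."""
    rows = db.execute("SELECT id, author, body FROM comments ORDER BY id")
    return [rid for rid, author, body in rows
            if TAG_RE.search(author or "") or TAG_RE.search(body or "")]

def demo():
    db = open_db()
    # Constructed sample rows; the second mimics a tag appended by a bot.
    save_comment(db, "alice", "Great product, thanks!")
    save_comment(db, "bob", 'Nice site < script src="http://bad.example/x.js"></script>')
    save_comment(db, "carol", "O'Brien's order arrived today")
    flagged = audit_comments(db)
    rows = db.execute("SELECT author, body FROM comments ORDER BY id")
    return flagged, [render_comment(a, b) for a, b in rows]

if __name__ == "__main__":
    flagged, pages = demo()
    print("rows needing cleanup:", flagged)
    print("\n".join(pages))
```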

#3 levseltzer (WEBuilder), 06-16-2009, 05:54 AM

I am getting the same thing on several of my sites, but it is just the "gumblar" (or derivative) exploit/virus/malware, which is described in another thread.

Question: After cleaning up some of my client sites, visitors STILL get this warning. I've gone to the home page and confirmed that the virus (e.g. the script tags) are not there, but they still get the warning when opening the homepage! I had one client clean out their Firefox cache, but they still had the same warning. Is there a "cache" or "memory" somewhere else that needs to be emptied out to tell everyone that the site is now clean?

#4 jmcgee (Vortech Inc. Customer), 06-16-2009, 06:48 AM

If you are talking about the Google warning in the search results, there is no cache, but you can request that they re-check the sites that have the warning. I had to do this once I cleaned mine. If you click on the warning and follow that link, there should be another link where Google provides the "owner" of the website with more information and the steps you can take to request that they recheck the site. Good luck.

#5 info-me (Vortech Inc. Customer), 06-16-2009, 09:37 AM

Yes, you can request a re-visit at Google Webmaster Tools.
https://www.google.com/webmasters/tools/

I had to do this for two sites, after cleaning them thoroughly, and they were de-listed in about 12 hours.

#6 garyrm (Vortech Inc. Customer, Martinsville NJ USA), 06-16-2009, 09:53 AM

I received 3 emails from Google. One yesterday and 2 today for 3 of my sites. My virus scanner reported the HTML: IFrame-EJ[Trj] Trojan. I simply ftp'd a fresh set of pages.

How does this happen and can it be prevented?

#7 Danl (BANNED), 06-16-2009, 09:59 AM

http://25yearsofprogramming.com/blog/20071223.htm

That link should help.

#8 datmed (Vortech Inc. Customer, chitowb), 08-08-2009, 11:27 PM

thanks Dan

If you follow his link Dan thinks you're stupid.

Quote:
Originally Posted by Danl
I know you're working on it, but please fix the problem.

#9 levseltzer (WEBuilder), 06-16-2009, 10:24 PM

My client says that they are opening the site directly in Firefox - not searching for it via Google. Firefox then gives a Malware warning. I don't get this warning in my version of Firefox (or in MSIE or in Safari) and there is no malware on the page (any longer). Is it possible that Firefox is doing a lookup to some other location to determine if the page is safe or not?

#10 Silverbug (Custom Built Solutions, AK, New Zealand), 06-16-2009, 11:01 PM

What antivirus software are they running? There might be a website scanner component installed which is causing this page to be displayed.
__________________
Paul Foley
Sniper Systems Ltd


#11 lux_nova (Vortech Inc. Customer), 06-16-2009, 11:48 PM

levseltzer:

Yes, they are probably on FF3 with security enabled.

Type this into the URL:
http://www.google.com/safebrowsing/diagnostic?site=YOURDOMAIN.COM
Replace YOURDOMAIN.COM as appropriate. If Google shows that the site is flagged, then as far as I know, the latest version of Safari and FF (default settings with security options enabled) should also show a big red annoying pop-up.

#12 levseltzer (WEBuilder), 06-17-2009, 01:32 AM

Great. At least I now know that there is a connection between FF3 and Google, which would easily explain the error. I have requested the evaluation in Google to get the malware flag removed.

#13 fessman (Vortech Inc. Customer), 06-18-2009, 10:18 AM

4 of my clients' hosted sites have also gotten hacked in the past 3 days. I've looked over the code and gone through the steps on the previous link (25yearsofprogramming.com), but I don't see how they could be getting in. Is it possible one or more of the servers have been hacked or have a rootkit?

#14 PinkyBrain (Vortech Inc. Customer), 06-18-2009, 07:31 PM

All of my domains are affected. Most of my domains have just a plain index.html file, no other scripts or db running.

This is the 3rd time that I'll need to go do a mass search & replace to remove the malware. I don't understand how it is happening. Is Vortech not running antivirus scan?

#15 dvanburen (Administrator), 07-14-2009, 08:36 AM

Quote:
Originally Posted by PinkyBrain
All of my domains are affected. Most of my domains have just a plain index.html file, no other scripts or db running.

This is the 3rd time that I'll need to go do a mass search & replace to remove the malware. I don't understand how it is happening. Is Vortech not running antivirus scan?
We do, it's not a virus. Every single hack has been via FTP with valid credentials.
__________________
David
Vortech, Inc.
Phone: 800.537.4959
http://vortechhosting.com
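
An added example, not part of the original thread, for the cleanup several posters describe: it walks a web root and reports pages whose script or iframe tags load from hosts outside an allowlist, with each file's modification time for matching against FTP logs. The host names, sample pages and function names are constructed; inline obfuscated script without a `src` attribute is outside what it checks.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

class RemoteTagFinder(HTMLParser):
    """Collect (tag, host) for every <script src> / <iframe src> in a page."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            try:
                host = urlparse(dict(attrs).get("src") or "").hostname
            except ValueError:  # malformed URL: report it instead of crashing
                host = "unparseable-src"
            if host:  # relative URLs have no host and stay on-site
                self.refs.append((tag, host.lower()))

def scan_webroot(root, allowed_hosts):
    """Map each page to (off-site refs, mtime); mtime helps match FTP log entries."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php", ".asp")):
                continue
            path = os.path.join(dirpath, name)
            finder = RemoteTagFinder()
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder.feed(fh.read())
            bad = [ref for ref in finder.refs if ref[1] not in allowed_hosts]
            if bad:
                findings[os.path.relpath(path, root)] = (bad, os.path.getmtime(path))
    return findings

def demo():
    # Constructed pages: one clean, one with an injected off-site iframe.
    pages = {
        "index.html": '<h1>Home</h1><iframe src="http://injected.example/in.php" width="1"></iframe>',
        "about.html": '<script src="http://www.mysite.example/menu.js"></script>',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in pages.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_webroot(root, {"www.mysite.example"})

if __name__ == "__main__":
    print(demo())
```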