Help! My site is infected with Malware!

I got an email that stopped me in my tracks the other day. It had a wonderfully intriguing title: Malware notification regarding ChristianPF.com.

Apparently what had happened was that someone hacked into my forums and added a line of code that infected readers with malicious software when they visited the site – not cool.

Google, of course, doesn’t like this so they put up a big warning to anyone coming to my site from the search engines that looks a little like this:

[Image: malware notification warning]

As you can guess, it isn’t exactly the best performing landing page.

The email I got from Google

Thankfully Google gave me a heads up in the form of an email, and they also notified me via Webmaster Tools.

Dear site owner or webmaster of christianpf.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Identifying the problem

If your site is infected and you ever get a similar email to what I got, I would suggest heading over to Webmaster Tools and checking into the messages they sent you there. For me, those messages contained more details about the specifics of the malware.

The messages gave me a specific line of code to search for on my site, and by right-clicking and choosing "view source" on my site I was able to see where the code was showing up.

In my case the issue was on a vBulletin forum, so once I updated to the newest version of the software it took care of removing the malicious line of code.
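Viewing the source shows what one page sends to visitors; to find where the reported line is stored, you can also scan a downloaded copy of the site's files for it. The script below is an added example, not part of the original post: the snippet, file names and extension list are constructed placeholders, and the match ignores letter case and whitespace so a re-cased or line-wrapped copy of the line is still found.

```python
import os
import tempfile

# File types that usually hold page markup or templates (assumed list).
SCAN_EXTENSIONS = {".php", ".html", ".htm", ".js", ".tpl", ".inc"}

def normalize(text):
    """Lower-case, drop whitespace, and record each kept character's line."""
    chars, lines = [], []
    for line_no, line in enumerate(text.splitlines(), 1):
        kept = "".join(line.split()).lower()
        chars.append(kept)
        lines.extend([line_no] * len(kept))
    return "".join(chars), lines

def find_injected(root, snippet):
    """Return sorted (relative_path, line) pairs where the snippet starts."""
    needle, _ = normalize(snippet)
    if not needle:
        raise ValueError("snippet is empty")
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                haystack, lines = normalize(fh.read())
            start = haystack.find(needle)
            while start != -1:
                hits.append((os.path.relpath(path, root), lines[start]))
                start = haystack.find(needle, start + 1)
    return sorted(hits)

def demo():
    """Scan a constructed two-file site copy for a constructed snippet."""
    snippet = '<script src="http://x.invalid/a.js"></script>'
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "forum"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html>\n<body>clean page</body>\n</html>\n")
        with open(os.path.join(root, "forum", "footer.php"), "w") as fh:
            # Same snippet, upper-cased and wrapped onto a second line.
            fh.write("<div>footer</div>\n" + snippet.upper().replace(" ", "\n  ") + "\n")
        return find_injected(root, snippet)

if __name__ == "__main__":
    for path, line in demo():
        print(f"{path}:{line}")
```

A file scan only covers files; content stored in a database is not checked by it.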

What to do when you fix the problem?

Once you get the malware issue resolved, you can resubmit your site to Google for them to check it over again (you should have a link within your email notification and/or your webmaster tools notification). I just submitted this today, so I don’t really know how long it takes – hopefully it goes pretty quick!

Lessons Learned

1. Submit your blog to Google Webmaster Tools and check it regularly. I did get an email from them, but if I had missed it I could have gotten a notification from Webmaster Tools – which actually gave more detail about the specific issue.

2. Always keep your software up to date. Oftentimes when you let your software get a few updates behind it becomes vulnerable to hackers. This was the cause of my problem: I skipped about 4-5 updates. Don’t do this!

3. Consider hiring someone smarter than you. In this case I was able to find the malicious code, but if the hackers had hidden it a little better I would have been out of luck. Using a site like CodeGarage is great because not only do they automatically back up your WordPress blogs, but they also monitor them for hacking – and will fix the issues if they arise.

 

    Bob has been blogging since 2007 and earning a full time living from his blogs since early 2009. He enjoys fine dark chocolate, learning, foosball, loose-leaf tea, helping people succeed, anything God created, playing guitar, taking the scenic route, Philippians, and Chick-Fil-A.

    • http://twitter.com/awhitehatter awhitehttr

      I am sorry to hear this! Google should respond fairly quickly. I think your steps in the lessons learned are right on; it may also be worth your while to learn about the OWASP Top 10. While heavy on the technical side, familiarizing yourself with the current threats to web applications and known remedies can help protect your site from future hacks.

      • Anonymous

        Thanks, and I actually checked today and it seems as if they have removed the Warning page – so that was quicker than I expected!

    • Kathy

      I went to a blog yesterday (not this one!) and BAM I got nailed with malware. What a nightmare, it completely took over my computer and I was stuck. I had no internet access and no executable file could launch. It was unbelievable. I am very blessed to own a second computer so I could research the fix on my other computer. It was not easy to rectify–it took two of us two hours. As I type this I am still scanning.

      I would like to warn the site owner, but no way am I going anywhere near their site. :o(

    • Darren Laudenbach

      Informative information about malware affected sites. Thanks for sharing.

      Regards,
      GMM
      http://www.godsmoneymatters.com