Help! My site is infected with Malware!

In a Hurry? Click Here to Download the PDF Version

I got an email that stopped me in my tracks the other day. It had a wonderfully intriguing title: Malware notification regarding ChristianPF.com.

Apparently what had happened was that someone hacked into my forums and added a line of code that infected readers with malicious software when they visited the site – not cool.

Google, of course, doesn’t like this so they put up a big warning to anyone coming to my site from the search engines that looks a little like this:

As you can guess, it isn’t exactly the best performing landing page.

The email I got from Google

Thankfully Google gave me a heads up in a form of an email, but they also notified me via Webmaster Tools as well.

Dear site owner or webmaster of christianpf.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting
http://www.google.com/support/webmasters/bin/answer.py?answer=45432
and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Identifying the problem

If your site is infected and you ever get a similar email to what I got, I would suggest heading over to Webmaster Tools and checking into the messages they sent you there. For me, those messages contained more details about the specifics of the malware.

The messages gave me a specific line of code to search for on my site and by doing a right click, view source code on my site I was able to see where the code was showing up.

In my case the issue was on a vBulletin forum, so once I updated to the newest version of the software it took care of removing the malicious line of code.

What to do when you fix the problem?

Once you get the malware issue resolved, you can resubmit your site to Google for them to check it over again (you should have a link within your email notification and/or your webmaster tools notification). I just submitted this today, so I don’t really know how long it takes – hopefully it goes pretty quick!

Lessons Learned

1. Submit your blog to Google webmaster tools and check it regularly. I did get an email from them, but if I would have missed it I could have gotten a notification from Webmaster tools – which actually gave more detail about the specific issue.

2. Always keep your software up to date. Often times when you let your software get a few updates behind it becomes vulnerable to hackers. This was the cause of my problem, I skipped on about 4-5 updates. Don’t do this!

3. Consider hiring someone smarter than you. In this case I was able to find the malicious code, but if the hackers would have hidden it a little better I would have been out of luck. Using a site like CodeGarage is great because not only do they automatically backup your wordpress blogs, but they also monitor it for hacking – and will fix the issues if they arise.