Tweet
Help! Forum Has Been Comprimised!
Hello all and thanks in advance for any help!
I recently received a PM from one of my forum members stating the following:
"I logged onto the website today and my firewall came up with a warning that this site is unsafe and listed several different viruses and malware...
Just letting you know!!!"
The next day I received an email from Google stating the following:
Dear site owner or webmaster of (my forum name),
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
http://(my forum name) .net/
http://www.(my forum name) .net/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A...
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security
Once you've secured your site, you can request that the warning be removed by visiting
and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Sincerely,
Google Search Quality Team
Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.
The good thing about this was that the only page with issues was my home page not my actual forum according to their email.
I did a little more research on google.com/webmasters/tools/siteoverview and found out the following:
Unfortunately, Google has discovered harmful code on your site. Google users will see a warning page when they attempt to visit pages within this site.
What is the current listing status for (My Forum Name).net?
Problematic URLs on http://www. (My Forum Name).net/
URL: http://www. (My Forum Name).net/openx/www/delivery/spcjs.php?id=1&block=1&blockcampaign=1
Last checked: November 12, 2011
I went and disabled all the modules on my home page with banners being served by openx.
I then received two more messages from members stating the following:
"FYI WARNING!!! I just got this alert to this page [JS/IFrameAT Trojan] signing off and going to cleaner"
"Firefox is detecting (My Forum Name) as an attack site... it has installed a file named blogger.htm in my temporary Internet files. Microsoft security detects as exploit:us/blacole.a"
I don't know what to do at this point and am looking for any help possible! Thanks!
I recently received a PM from one of my forum members stating the following:
"I logged onto the website today and my firewall came up with a warning that this site is unsafe and listed several different viruses and malware...
Just letting you know!!!"
The next day I received an email from Google stating the following:
Dear site owner or webmaster of (my forum name),
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are some example URLs on your site which can cause users to be infected (space inserted to prevent accidental clicking in case your mail client auto-links URLs):
http://(my forum name) .net/
http://www.(my forum name) .net/
Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A...
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites:
http://www.stopbadware.org/home/security
Once you've secured your site, you can request that the warning be removed by visiting
and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Sincerely,
Google Search Quality Team
Note: if you have an account in Google's Webmaster Tools, you can verify the authenticity of this message by logging into https://www.google.com/webmasters/tools/siteoverview and going to the Message Center, where a warning will appear shortly.
The good thing about this was that the only page with issues was my home page not my actual forum according to their email.
I did a little more research on google.com/webmasters/tools/siteoverview and found out the following:
Unfortunately, Google has discovered harmful code on your site. Google users will see a warning page when they attempt to visit pages within this site.
What is the current listing status for (My Forum Name).net?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
Of the 75 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-11-12, and the last time suspicious content was found on this site was on 2011-11-12.Malicious software includes 4 scripting exploit(s), 3 trojan(s). Successful infection resulted in an average of 4 new process(es) on the target machine.
Malicious software is hosted on 1 domain(s), including bselavarsio.serveblog.net/.
This site was hosted on 1 network(s) including AS26496 (PAH).
Malicious software is hosted on 1 domain(s), including bselavarsio.serveblog.net/.
This site was hosted on 1 network(s) including AS26496 (PAH).
Problematic URLs on http://www. (My Forum Name).net/
URL: http://www. (My Forum Name).net/openx/www/delivery/spcjs.php?id=1&block=1&blockcampaign=1
Last checked: November 12, 2011
I went and disabled all the modules on my home page with banners being served by openx.
I then received two more messages from members stating the following:
"FYI WARNING!!! I just got this alert to this page [JS/IFrameAT Trojan] signing off and going to cleaner"
"Firefox is detecting (My Forum Name) as an attack site... it has installed a file named blogger.htm in my temporary Internet files. Microsoft security detects as exploit:us/blacole.a"
I don't know what to do at this point and am looking for any help possible! Thanks!
Comment