
My site may be distributing malware

  • 03-04-2010 10:28am
    #1
    Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭


    I'm having some trouble with my personal website at the moment. Recently it was brought to my attention that when the site is visited in Firefox, this warning pops up:

    warning_1.png
    Now, I can disable this by going to Tools->Options->Security and unticking "Block reported attack sites" but obviously I can't expect visitors to do the same.

    Stuff I've done so far:

    I've added the site to Google Webmaster Tools and taken down the current version of the site and put up a holding page in its place. I also changed the FTP account password and ran virus and malware scanners on the machines that I know I used to connect to the FTP site. They came back clean.

    The site was fine for about a week but then I noticed the warning came back again. I've gone through the set of files on the FTP site and the only one that is there is my holding page which is doing nothing special and definitely hasn't been modified. When I compare it to the local copy the files are identical. What is very strange is that the URLs that Google Webmaster Tools is flagging are for files that don't exist and definitely didn't exist when the site was last scanned. The diagnostic page reports the following:
    Malicious software includes 3 scripting exploit(s), 1 trojan(s).

    Malicious software is hosted on 10 domain(s), including all-way-protection3.com/, storyfold.info/, dragon4star.com/.

    6 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including stratix.info/, weddingiephotos.com/, storyfold.info/.

    I'm puzzled as to where the scripting exploits can be as, like I said above, the only file that's on the site is my holding page. I've asked the hosting company if there is anything they can do at their end but they are insisting the problem is at my end. I've read a few online resources about this issue but as far as I can tell I'm not missing anything.

    Any no doubt far more knowledgeable Boardsies got any advice to offer?


Comments

  • Closed Accounts Posts: 2,055 ✭✭✭probe


    What is your site running on? eg Drupal, Wordpress, ? Or is it just html without a CMS?

    Do you have a backup which would enable you to delete all the files on the server and send clean content from your backup to replace same?

    Are you hosting it, or is the hosting outsourced?


  • Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭Malice


    probe wrote:
    What is your site running on? eg Drupal, Wordpress, ? Or is it just html without a CMS?
    It's an ASP.NET site. I'm not using a CMS. All that's there at the moment is one .aspx page with a "down for maintenance" message.
    probe wrote:
    Do you have a backup which would enable you to delete all the files on the server and send clean content from your backup to replace same?
    I have the site content backed up but I've already tried once before to restore the site and it was promptly flagged by Google again. As it stands I've deleted all files from the site as far as I can see. I'm using FileZilla to upload and delete files.
    probe wrote:
    Are you hosting it, or is the hosting outsourced?
    It's hosted by a well-known Irish hosting company. As said in my first post, I've contacted them but they insist the problem is at my end. As you can imagine it's quite frustrating for me as I would have thought that removing the existing content, changing the FTP password, uploading clean content and then requesting a site review would have fixed it.

    One thing that is very odd is that two of the URLs that are flagged as distributing malware refer to pages that were definitely not there when the site was last crawled by Google. Where that data came from I have no idea :(


  • Registered Users, Registered Users 2 Posts: 15,065 ✭✭✭✭Malice


    Well it's been a week, Google has re-crawled the site and everything seems to be okay again. Fingers crossed it stays that way!
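
The first post describes comparing the files on the FTP site against a local copy by hand. The script below is an added example, not part of the thread, that does the same check over a whole downloaded copy and also lists external hosts referenced by script/iframe tags. The directory layout, file names and `.example` hosts are constructed for illustration, and it can only see what the FTP download exposes.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# URL attribute of tags that load active content (script, iframe, object, embed).
TAG_URL = re.compile(
    rb"<(?:script|iframe|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def files(root):
    return [p for p in Path(root).rglob("*") if p.is_file()]

def manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files(root)}

def external_hosts(root, own_hosts):
    """Per file, hosts loaded by active-content tags that are not the site's own."""
    found = {}
    for p in files(root):
        for raw in TAG_URL.findall(p.read_bytes()):
            host = urlparse(raw.decode("latin-1")).hostname  # None for relative URLs
            if host and host.lower() not in own_hosts:
                found.setdefault(p.relative_to(root).as_posix(), set()).add(host.lower())
    return found

def audit(backup_dir, server_dir, own_hosts=frozenset()):
    known, live = manifest(backup_dir), manifest(server_dir)
    return {
        "unexpected": sorted(set(live) - set(known)),   # on server, not in backup
        "modified": sorted(f for f in known.keys() & live.keys() if known[f] != live[f]),
        "missing": sorted(set(known) - set(live)),      # in backup, gone from server
        "external": external_hosts(server_dir, own_hosts),
    }

def demo():
    """Constructed sample: a clean backup and a server copy with two changes."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, server = Path(tmp, "backup"), Path(tmp, "server")
        backup.mkdir(); server.mkdir()
        page = b"<html><body>Down for maintenance</body></html>"
        (backup / "default.aspx").write_bytes(page)
        (server / "default.aspx").write_bytes(
            page + b'<iframe src="http://injected.example/x" width=0></iframe>')
        (server / "old.aspx").write_bytes(b"<script src=//cdn.example/a.js></script>")
        return audit(backup, server, own_hosts={"www.mysite.example"})

if __name__ == "__main__":
    print(demo())
```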

