Website giving malware warning on google

jameshayes

Hey guys,

my site: jademetal.ie is giving a malware warning but I designed it myself and I know there is no (known) malware there, any insights?

TIA!

Graham

Did you checkout your site in Google webmaster tools?

Does you site use any advertising networks? Do your pages have any other 3rd party javascript?

mark8511

Hi

I had the same problem months ago, here is something you can do to solve this problem.

I will try to explain step by step here:

1. Open your google webmaster tool ( If you already had added your website to google webmaster tool, I t great - If not then please verify your website with google webmaster tool).

2. In google webmaster tool you will be able to see which file contains the threat and what is that.

3. Now If it is there, then remove that from your website.

4. Now use the option to review your website again and write to gogole that you have removed the threat from your website and request for re crawl your website.

Once its done and website is re crawled, then either google chrome or google search will not show this warning.

Hope this will help.

yoyo

mark8511 wrote: »

Hi

I had the same problem months ago, here is something you can do to solve this problem.

I will try to explain step by step here:

1. Open your google webmaster tool ( If you already had added your website to google webmaster tool, I t great - If not then please verify your website with google webmaster tool).

2. In google webmaster tool you will be able to see which file contains the threat and what is that.

3. Now If it is there, then remove that from your website.

4. Now use the option to review your website again and write to gogole that you have removed the threat from your website and request for re crawl your website.

Once its done and website is re crawled, then either google chrome or google search will not show this warning.

Hope this will help.

If your website was compromised it's likely more than just the files that Google lists are compromised. Generally all sorts of hidden backdoors will be added that Google cannot find, but will make it easy for hackers to re-infect the site at some point. If you use a CMS a rebuild or restoration of a recent backup (yes its good practice to keep regular backups of your sites ) is the only guarantee to avoiding the issue from happening again.
Also all site passwords, FTP account passwords, Website control panel passwords would need changing. Your ISP may also be able to help (from their logs) with how your site became infected in the first place, so do contact them if the infection happened recently.
Also keeping your CMS and plugins/extensions up to date and using strong passwords is also advisable.

Nick

mark8511

yoyo wrote: »

If your website was compromised it's likely more than just the files that Google lists are compromised. Generally all sorts of hidden backdoors will be added that Google cannot find, but will make it easy for hackers to re-infect the site at some point. If you use a CMS a rebuild or restoration of a recent backup (yes its good practice to keep regular backups of your sites ) is the only guarantee to avoiding the issue from happening again.
Also all site passwords, FTP account passwords, Website control panel passwords would need changing. Your ISP may also be able to help (from their logs) with how your site became infected in the first place, so do contact them if the infection happened recently.
Also keeping your CMS and plugins/extensions up to date and using strong passwords is also advisable.

Nick

Thanks great advise, as my website was in wordpress and i was asked to change the user name and passwords, re install the admin files and not to put my admin name as admin.

on my site malware was mainly in js files.

tricky D

Check also for rogue .htaccess files with dodgy redirects in them. They could be in any and/or many directories.

jameshayes

Thanks for the replies lads - I actually had a back up copy that I know is sound so I restored the site to that.

Webmaster Tools said there was malware on a number of pages, I wonder if anyone would have a minute to look at the code and see if they can spot it from index.html

<meta name="description" content="Jade Metal Ltd is a specialist metal fabrication and manufacturing company with a wealth of experience in working with stainless steel, aluminium, mild steel, brass and copper.">
<meta name="keywords" content="Metal Fabrication, Metal, Stainless Steel, Iron Gates, Security Door, aluminium welding, welding, engineering, copper, Jade Metal, Steel Work, Railing">
<html><a href="https://plus.google.com/114364218857339979358&quot; rel="publisher">Google+</a>

<style type="text/css">
<!--
.style4 {
font-size: medium
}
-->
</style>
<!-- InstanceBegin template="/Templates/main_template.dwt" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Jade Metal Ltd, Specialists in Metal Fabrication, Ireland</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css">
<!--
body {
background-color: #0A0A0A;
}
-->
</style>
<link href="site_layout.css" rel="stylesheet" type="text/css">
<link href="sitelayout_content.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.style1 {
color: #FFFFFF;
font-size: medium;
font-family: Verdana;
}
.style3 {
color: #FFFFFF;
font-size: small;
font-family: Verdana;
}
-->
</style>
<!-- InstanceBeginEditable name="head" -->
<meta name="description" content="Jade Metal Ltd is a specialist metal fabrication and manufacturing company with a wealth of experience in working with stainless steel, aluminium, mild steel, brass and copper.">
<meta name="keywords" content="Metal Fabrication, Metal, Stainless Steel, Iron Gates, Security Door, aluminium welding, welding, engineering, copper, Jade Metal, Steel Work, Railing">
<!-- InstanceEndEditable -->
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push();
_gaq.push();

(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

</script></head>
<body leftmargin="0" topmargin="0" marginwidth="0" marginheight="0">
<!-- ImageReady Slices (jade_280411.psd) -->
<div id="site_layout">
<table width="1024" height="769" border="0" align="center" cellpadding="0" cellspacing="0" id="Table_01">
<tr>
<td colspan="12">
<img src="images/jade_280411_01.jpg" width="1024" height="45" alt=""></td>
</tr>
<tr>
<td colspan="3" rowspan="2">
<img src="images/jade_280411_02.jpg" width="352" height="277" alt=""></td>
<td colspan="6">
<a href="index.html"><img src="images/jade_280411_03.jpg" alt="" width="321" height="231" border="0"></a></td>
<td colspan="3" rowspan="2"><img src="images/jade_280411_04.jpg" width="351" height="277" alt=""></td>
</tr>
<tr>
<td colspan="6">
<img src="images/jade_280411_05.jpg" width="321" height="46" alt=""></td>
</tr>
<tr>
<td colspan="2" rowspan="2">
<img src="images/jade_280411_06.jpg" width="293" height="137" alt=""></td>
<td>
<a href="index.html"><img src="images/jade_280411_07.jpg" alt="" width="59" height="61" border="0"></a></td>
<td rowspan="2">
<img src="images/jade_280411_08.jpg" width="65" height="137" alt=""></td>
<td>
<a href="gallery.html"><img src="images/jade_280411_09.jpg" alt="" width="60" height="61" border="0"></a></td>
<td rowspan="2">
<img src="images/jade_280411_10.jpg" width="64" height="137" alt=""></td>
<td>
<a href="about.html"><img src="images/jade_280411_11.jpg" alt="" width="58" height="61" border="0"></a></td>
<td rowspan="2">
<img src="images/jade_280411_12.jpg" width="64" height="137" alt=""></td>
<td colspan="2">
<a href="contact.html"><img src="images/jade_280411_13.jpg" alt="" width="61" height="61" border="0"></a></td>
<td colspan="2" rowspan="2">
<img src="images/jade_280411_14.jpg" width="300" height="137" alt=""></td>
</tr>
<tr>
<td>
<img src="images/jade_280411_15.jpg" width="59" height="76" alt=""></td>
<td>
<img src="images/jade_280411_16.jpg" width="60" height="76" alt=""></td>
<td>
<img src="images/jade_280411_17.jpg" width="58" height="76" alt=""></td>
<td colspan="2">
<img src="images/jade_280411_18.jpg" width="61" height="76" alt=""></td>
</tr>
<tr>
<td colspan="12"><!-- InstanceBeginEditable name="maincontent" -->
<div id="sitelayout_content">
<blockquote>
<p> </p>
<blockquote>
<hr>
<p align="justify" class="style1 style4">Jade Metal Ltd is a specialist metal fabrication and manufacturing company with a wealth of experience in working with stainless steel, aluminium, mild steel, brass and copper. We boast a large portfolio of work where we design and manufacture general engineering products along with highly specialised and individual work. Our team holds almost 200 years combined working experience and we hold an array of skills that cannot be matched.  <br>
</p>
<p align="justify" class="style1 style4">We are strategically located in Western Industrial Estate with access to the M50 only minutes away, although we are located in Dublin much of our work is carried out across the entire country. <br>
</p>
<p align="justify" class="style1 style4">Jade Metal Ltd has a ‘Hands on’ involvement by the owners Jimmy Hayes & Declan Hughes which ensures quality remains at the highest level and our customer needs remain paramount.  <br>
</p>
<p align="justify" class="style1 style4">We have earned the trust of many companies and clients over many years and have developed an excellent reputation for top quality design and dependable deliveries. We pride ourselves on getting the job done and doing it at the right cost.  </p> <hr>
</blockquote>
</blockquote>
</div>


<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td> </td>
<td colspan="10"><div align="center">
<p class="style3">JADE METAL LTD, 201 HOLLY ROAD, WESTERN INDUSTRIAL ESTATE, NAAS ROAD, DUBLIN 12 --- INFO@JADEMETAL.IE --- 01 456 4700</p>
</div></td>
<td> </td>
</tr>
<tr>
<td>
<img src="images/spacer.gif" width="42" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="251" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="59" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="65" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="60" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="64" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="58" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="64" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="10" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="51" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="241" height="1" alt=""></td>
<td>
<img src="images/spacer.gif" width="59" height="1" alt=""></td>
</tr>
</table>
</div>
<div align="center">
<!-- End ImageReady Slices -->
</div>
</body>
<!-- InstanceEnd --></html>
</div>
</body>
<!-- InstanceEnd --></html>alt=""></td>
</tr>
</table>
</div>
<div align="center">
<!-- End ImageReady Slices -->
</div>
</body>
<!-- InstanceEnd --></html>

Graham

There's nothing there that leaps out to be honest. Can you be a bit more specific about what Google Webmaster Tools said?

jameshayes

Graham wrote: »

There's nothing there that leaps out to be honest. Can you be a bit more specific about what Google Webmaster Tools said?

thats what I thought... print screen from WMT

jameshayes

What is the current listing status for jademetal.ie?
Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?
Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2013-09-19, and the last time suspicious content was found on this site was on 2013-09-18.
This site was hosted on 1 network(s) including AS33182 (DIMENOC).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, jademetal.ie did not appear to function as an intermediary for the infection of any sites.

Graham

I see the last scan was on the 18th/19th so you may well have already addressed the problems. I also see that another scan is pending so Google may just not have picked up the changes/fix yet.

I just grabbed the html directly from your site and still cannot see anything that would cause alarm. No php anywhere (or mention of it) and the only javascript is the Google Analytics.

I'm guessing you're on a shared hosting package and this isn't your own dedicated server.

Can you FTP onto the server and see if there's any other files in the root (probably www directory) of your hosting account.

yoyo

mark8511 wrote: »

Thanks great advise, as my website was in wordpress and i was asked to change the user name and passwords, re install the admin files and not to put my admin name as admin.

on my site malware was mainly in js files.

Yep, that's all sound advice, particularly the re-downloading of the CMS and re-integrating the website. I would also check the database for any dodgy scripts, base64 encode/eval etc.
Not using "Admin" as the username will also protect against dictionary based attacks, if a weak password was being used. Strong passwords and non-standard admin names are definitely the way to go.

jameshayes wrote: »

Thanks for the replies lads - I actually had a back up copy that I know is sound so I restored the site to that.

Webmaster Tools said there was malware on a number of pages, I wonder if anyone would have a minute to look at the code and see if they can spot it from index.html

As mentioned above malware can be triggered from a compromised .htaccess file. Check the .htaccess file(s) within your sites folders for any suspicious entries. Your web host may be willing to help you do this as it's also in their interests to do so.
Make sure to use strong FTP/web control panel passwords. I'm assuming your site has no dynamic scripts due to Dreamweaver use, but if you do use any PHP etc. code (contact forms, blog pages etc.) make sure they are safe, updating them if applicable

Nick

jameshayes

I think I'm in the clear now, but my work is still blocking the page due to security issues for some reason?

Graham

No warnings from here anymore, looks like you might have caught it.

If you're going through a local proxy server, it may not have updated its blacklists yet.

yoyo

Graham wrote: »

No warnings from here anymore, looks like you might have caught it.

If you're going through a local proxy server, it may not have updated its blacklists yet.

It's worth checking the folders via FTP for any unknown files/scripts which could still be there. Also the .htaccess should be checked. Even cleaning the html files up will not do much if the hackers have placed a backdoor on the site.
The malware attacks aren't usually that easy to fix . I've had to do it before due to people using bad directory permissions, weak passwords etc.. It can take a good while to properly clean up, particularly CMS sites.

Nick

ChRoMe

yoyo wrote: »

It's worth checking the folders via FTP for any unknown files/scripts which could still be there. Also the .htaccess should be checked. Even cleaning the html files up will not do much if the hackers have placed a backdoor on the site.
The malware attacks aren't usually that easy to fix . I've had to do it before due to people using bad directory permissions, weak passwords etc.. It can take a good while to properly clean up, particularly CMS sites.

Nick

If a site or box has been compromised I've always been of the view that you must nuke it and start from a known clean copy otherwise you can never be really sure.

druidhill

I would suspect a weak FTP password - note this may or may not be out of your control i.e. your hosting provider.