Jump to content

Q: Warning, Viewing This Site May Harm Your Computer?


jbach

Recommended Posts

Hi

when recently trying to view my site I get the message 'Warning, viewing this site may harm your computer'

 

And suggest my site is infected with malware.

 

Has anyone experienced this?

 

Should I remove my site temporarily until this is resolved and, if so, what is the easiest way to do this?

 

I need my site for portfolio and business so I can't afford to have it compromised for any length of time...any feedback welcome.

Link to comment
Share on other sites

First of all, you should submit a ticket and ask the techs to see if the site has been compromised.

Then, change password to your cpanel.

 

After that I would begin trying to find where the malware is by downloading a home directory backup and backups of the databases if you use any. When the backups are downloaded to your local computer, run them through your antivirus and see if it finds it.

Link to comment
Share on other sites

First of all, you should submit a ticket and ask the techs to see if the site has been compromised.

Then, change password to your cpanel.

 

After that I would begin trying to find where the malware is by downloading a home directory backup and backups of the databases if you use any. When the backups are downloaded to your local computer, run them through your antivirus and see if it finds it.

 

 

ok thanks

Link to comment
Share on other sites

ok thanks

 

 

Ok, when trying to login to my cpanel

ht*p://www.bitstream.ca/cpanel

I seem to be redirected here

ht*p://www.bitstream.ca:2082/unprotected/redirect.html

 

and still get the same security warning.....

Link to comment
Share on other sites

'Warning, viewing this site may harm your computer'

Is that the exact warning message? If not, can you post the exact wording and punctuation?

 

And in what form are you seeing the message: in Google (or Yahoo) search results, or on an actual HTML page in your browser window, or as a popup window in your browser?

 

If it's a warning underneath your site's links in search engine search results, the site has probably been compromised. If it's a page in your browser window (FF3 or IE8 only, not IE7 or lower or FF2 or lower) it's also likely a real compromise. If it's a popup window, it's most likely the result of a malware infection on your PC, especially if it says you should get "Antivirus XP" or any other antivirus program. That type of malware is called "rogue antivirus". Don't let it scan your computer; don't visit any website it says you should, and don't let it download anything.

Link to comment
Share on other sites

apparently some iframes were inserted somehow (comments or???) that contained malicious code.

 

Viewing my site and checking http traffic I noticed some suspicious calls to domains with a '.cn' domain ...

 

Not sure if it was part of the 'hack' but when I check my browser cache after going to my site I also notice a crossdomain.xml file with wide open security settings...doesn't seem right to me!

 

I believe my site has been submitted to Google for verification but haven't hard back yet....frustrating as I NEED my site for portfolio and business stuff.

Link to comment
Share on other sites

The bad iframes are definitely there. I tried to download and examine your home page, but my AV quarantines the file immediately, so I can't look at it. The threat is called Mal_Hifrm-3 by Trend Micro.

 

If you submitted to Google to have the warnings removed, they won't be removing them until the iframes are gone.

 

You'll need to remove the bad code manually, then find out how it got injected so the security hole can be closed. One of your page listings in Google SERPs mentions MovableType. The reason I tried to view your site was to see if you're actually using it. If so, this might be useful: http://secunia.com/advisories/search/?search=movable+type

 

Often the way malware gets into a site is through outdated scripts.

 

Another way that's increasingly common lately is by malware on the webmaster's PC stealing FTP passwords, so do a thorough antivirus and antispyware scan, just in case.

Edited by SteveW
Link to comment
Share on other sites

Yeah thanks Steve

I signed up for a free malware scan of my site by a new firm started by some ex google employees, http://wam.dasient.com/

 

There is still an iframe and some funky javascript code.

 

I will need to rebuild my blog from scratch but for me the larger issue is being on Google's 'blacklist', and having all my portfolio urls pointing to my site, thus potentially losing many work opportunities.

 

 

Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped...

Link to comment
Share on other sites

This is becoming the most common form of site defacement these days. In the past hackers would love to leave a note on someone's home page saying "Hacked by". Today the attackers are using the exploited sites to further infect of windows based pc's.

 

We have been doing quite a bit of research into this and will be publishing a report in the next few days with some ways to prevent this and other attacks. I was told years ago, the safest thing to do to protect your data is to unplug your computer from the internet.

Link to comment
Share on other sites

When you request hxxp://yoursite.ca/ without specifying a page, your server looks to see which page to serve. It looks for index.html, index.htm, index.php... Whichever one it finds first, it serves.

 

Whichever page you want it to serve when no page is specified in the request needs to have one of those names.

 

What is the name of your "under construction" page? The solution is probably to simply rename it to index.html.

 

This isn't related to the site compromise or Google diagnostics. It's how Apache is configured to work. People can only request files from your server. If they don't specify one, Apache uses its own judgment, based on its configuration, about which one to send.

 

-----

 

If you were using an old MT version, and weren't using any other third-party scripts, a security vulneratility in MT would be the likely suspect for how the hack occurred. If you don't plan to use MT anymore, be sure to uninstall it: remove the program itself from the server. This is because even if it's not being used, the security hole exists as long as the program files are there. You can optionally delete its folder, too.

 

Also from what Thomas said, ensure that cgi-bin (and all folders) contain no files put there by the hack, and ensure that your .htaccess, if you have one, doesn't contain any code redirecting visitors to sites other than yours.

 

Would luv to know what these hackers hope to gain, and more importantly, how they can be stopped...

They make money by installing Windows exploits on visitors' PCs, stealing information, and using it in identity theft schemes and things like that. It's big business.

 

What website owners can do to stop them is:

Use strong, long, random passwords and never reuse passwords in more than one place.

Keep all website scripts (MT, WordPress, etc.) up to the latest versions. When a new version comes out, install it within one day, if at all possible.

Keep your PC free of viruses. This is more important now than ever. A virus on your PC can lead to your remote website getting hacked.

 

Has anyone experienced this?

About 10,000 websites a day experience this.

Edited by SteveW
Link to comment
Share on other sites

Hi

when recently trying to view my site I get the message 'Warning, viewing this site may harm your computer'

 

And suggest my site is infected with malware.

 

Has anyone experienced this?

 

Should I remove my site temporarily until this is resolved and, if so, what is the easiest way to do this?

 

I need my site for portfolio and business so I can't afford to have it compromised for any length of time...any feedback welcome.

 

I have the same problem with my website and received a Malware notification from Google. I opened a support ticket and need help!

Link to comment
Share on other sites

I have the same problem with my website and received a Malware notification from Google. I opened a support ticket and need help!

 

Very quick response from tch support - thanks!

 

It appears there were iframes to jumbobestrate.cn/ and shopmoviefestival.cn/ - malware sites.

Link to comment
Share on other sites

While I never used MT, make sure there is no MT folder, nothing in the cgi-bin folder and there are no redirects in the htaccess file.

 

Still trying to remove the redirect....been a while since I've done this..where do I find the .htaccess file? Is it invisible by default?

Edited by jbach
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...