http://25yearsofprogramming.com/blog/20071223.htm
If you are looking for information about a similar but not identical warning from Internet Explorer, see Notes at the bottom of this page.
Google puts this warning flag in its search results for pages where its automated web crawler was attacked by viruses or spyware when it visited the page. The purpose of the warning is to help protect web surfers who are using Google search results, by steering them away from malicious pages. Yahoo provides similar warnings on its result pages. The warning is not a punishment or penalty, and it does not mean that Google, Yahoo, or StopBadware think you designed your site to be malicious. They all know that the overwhelming majority of webmasters do not create malicious pages on purpose and that you probably didn't, either. However, they don't want to send their customers to dangerous pages, so they require that your site be cleaned before they will start referring people to it again.
Here are the reasons why your website can be flagged with the "This site may harm your computer" warning in Google search results:

1. Your site was hacked. This is by far the most common reason. If someone can trick your server into allowing them to modify files in your site, they can insert malicious code into your web pages or database tables, or they can alter your .htaccess or your HTML or JavaScript code so your site automatically redirects visitors to a malicious site.

2. A site other than yours got hacked, but it is affecting the content on your pages. Let's say your pages have normally harmless iframes or JavaScript that are pulled into a visitor's browser from the other website by using the HTML attribute src="http://othersite", or they use PHP code that resides on another website but is included into your pages before being served, with a PHP include(). If the other website gets hacked, your pages can turn dangerous, too, if the content that the other site was supposed to be sending to your pages (advertisements, hit counters, top 10 lists ...) gets replaced by viruses, spyware, or other bad things. Whenever you use content from another website on your pages, you are dependent on that other site staying clean.

3. Your pages trigger the loading of Flash .swf files that are scripted to do malicious things. Flash advertising is a common problem area.

StopBadware provides a description of what they consider to be malicious website behavior.

The Firefox 3+ and Chrome browsers use data from the Google Safe Browsing service to warn users about suspected malicious sites. When your site is flagged in Google search results, Firefox users receive a warning that says "Reported Attack Site!", and they are blocked from going there. Internet Explorer does not use the Google service; it uses a Microsoft database. If Firefox gives a warning but Internet Explorer does not, it does not mean that the site is safe in either browser. It just means there is different data in the two databases.

The Google database is nearly 100% accurate. If Google says your site has become harmful, it is safest to assume they are correct. False positives are rare.
The first idea that occurs to many webmasters is to do an AV scan on the site, but in many cases that will not find the problem. The next sections explain why.
2 of 16
10/2/2012 5:11 PM
How to remove "This site may harm your computer" from Google search r...
http://25yearsofprogramming.com/blog/20071223.htm
their browser fetches the code referred to by the src= attribute, and then they get a virus alert. If you scan your site with an antivirus program and it finds no viruses, that does not mean the site is clean.
So the most thorough way to examine the site is to learn what to look for and then inspect your source files manually.
1. In any Google search box, enter: site:yoursite.com

2. Note which pages have the warning flag. Usually it's all of them, but sometimes it's only one section, such as the forum or blog, which tells you where to focus most of your attention.

3. Click the search results link for one of your flagged pages. Instead of going to your site, it will take you to a Google "interstitial" warning page.

4. On that page, follow the link to the "Safe Browsing diagnostic page" and study it. Another way to get to the Safe Browsing diagnostic page directly (you can check any website this way) is by entering this URL into your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check: http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM If needed, here is a detailed guide for understanding the diagnostic page.

5. Go to Webmaster Tools at Google Webmaster Central. If you don't have an account there, create one. It's free. They show the badware status of your site, help information, and a partial list of the pages they consider suspicious. The "fetch as Googlebot" feature allows you to test whether your site is "cloaking" malicious content (serving different content to Googlebot than it does to everybody else).

6. Look up your site in the StopBadware Clearinghouse database.

7. If Symantec's Norton Safe Web has found malware, their report shows the locations (filenames) of the threats more completely than the Google and StopBadware reports.

8. Scan pages of your website at Unmask Parasites to find hidden iframes and other content that comes to your pages from external sites. To see for yourself the iframes or other malicious content in your source code, without possibly exposing yourself to viruses by first requesting the page with your browser, you can use the source code viewer at Web-Sniffer, or at Redleg's File Viewer, which usefully highlights iframes and other potentially malicious code.

9. After you've determined some of the text strings, such as malicious domain names, that you need to find in your website files, this PHP script can be customized to help find them.

10. Do a web search on each of the domain names and IP addresses mentioned in your Google Safe Browsing diagnostic report as being the sources or intermediaries of the malware on your pages. Some of these website names and IP addresses are associated with specific types of attacks. For example, if the domains mentioned are gumblar or martuz, it is almost certain that a virus on the PC of one of your site administrators stole the FTP login information and used it to hack the site, so you must do virus scans on those PCs and change the FTP password from a machine you know is clean. On the other hand, if the domain is beladen, you are facing a server-wide compromise, not just an ordinary attack on your one website, so you must notify your webhost. These domain names can give you clues about what is wrong and save you a lot of time if your search is successful.

Now that you have preliminary information about which pages are affected and what seems to be wrong with them, you can start searching for bad code. Some of it might have been identified already in the steps above.
Whenever possible, view and search the source code of your pages, on your server. This allows you to see ALL the code, even if it is only put on the pages sometimes. Explanation: Some exploits put malicious code on pages only under certain conditions such as if the visitor is using Internet Explorer or if they came to your site from a Yahoo or Google search results page. Your particular viewing might not meet those conditions (such as if you're using Firefox or you went directly to the site without going through a search engine). If you examine pages with your browser's View Source command, you can think the page is clean even though at other times, or when other people view it, it's not. Examining the source code on your server lets you see all the code that's there.
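One way to catch the conditional behavior described above without depending on your own browser is to request the same page several times under different User-Agent and Referer headers and compare which remote hosts each response loads script or frames from. The following is an added example, not code from the original article: the three request identities, their User-Agent strings and the host names in the constructed sample responses (yoursite.example, unknownsite.example) are assumptions. Only compare_variants runs on the constructed sample; fetch_variants needs network access to your site.

```python
"""Compare one page fetched under several visitor identities to expose code
that is injected only for some visitors (e.g. IE arriving from Google).
Added example, not the article's own code; identities and hosts are assumed."""
from __future__ import annotations
import re
import urllib.request
from urllib.parse import urlsplit

# Hypothetical request identities. The User-Agent strings are illustrative.
VARIANTS = {
    "direct": {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:3.0) Firefox/3.0"},
    "ie_from_google": {
        "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
        "Referer": "http://www.google.com/search?q=yoursite"},
    "googlebot": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; "
                      "+http://www.google.com/bot.html)"},
}

# src= on tags that load executable content; tolerates unquoted values.
_SRC_RE = re.compile(
    r"<(?:script|iframe|frame|object|embed)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE)


def remote_hosts(html: str, own_host: str) -> set[str]:
    """Hosts other than own_host from which this page loads script or frames."""
    hosts = set()
    for url in _SRC_RE.findall(html):
        host = (urlsplit(url).hostname or "").lower()
        if host and host != own_host.lower():
            hosts.add(host)
    return hosts


def compare_variants(bodies: dict[str, str], own_host: str,
                     baseline: str = "direct") -> dict[str, set[str]]:
    """Remote hosts each variant references that the baseline response does
    not. A non-empty set means some visitors get code you never see."""
    base = remote_hosts(bodies[baseline], own_host)
    return {name: remote_hosts(html, own_host) - base
            for name, html in bodies.items() if name != baseline}


def fetch_variants(url: str, timeout: float = 15.0) -> dict[str, str]:
    """Fetch url once per identity in VARIANTS (needs network; not exercised
    by the sample). Redirects are followed silently, so also compare
    resp.geturl() between variants if you suspect an off-site redirect."""
    bodies = {}
    for name, headers in VARIANTS.items():
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies[name] = resp.read().decode("utf-8", errors="replace")
    return bodies


# Constructed sample responses: only the IE-from-Google variant carries an
# injected iframe; the two others are the clean page.
_CLEAN = ('<html><head><script src="/js/site.js"></script></head>'
          '<body>Welcome</body></html>')
SAMPLE_BODIES = {
    "direct": _CLEAN,
    "googlebot": _CLEAN,
    "ie_from_google": _CLEAN + '\n<iframe src=http://unknownsite.example/in.php '
                               'width=0 height=0></iframe>',
}

if __name__ == "__main__":
    for name, extra in compare_variants(SAMPLE_BODIES, "yoursite.example").items():
        print(f"{name:15s} extra remote hosts: {sorted(extra) or 'none'}")
```

Run it against a live site with `compare_variants(fetch_variants("http://yoursite.example/"), "yoursite.example")`; any variant that reports extra hosts is the identity the injected code is keyed on. This complements, rather than replaces, reading the files on the server: it only shows what the server emits for the identities you tried.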
Malicious code is often inserted into web page files by robots (programs) using very simple rules for where to put it. Common locations are:
- At the very top of the file.
- Just before or after the <body> or </body> tags.
- At the very bottom of the file, after the </html> tag.
If your pages normally validate at W3C, go there and check your badware-flagged pages. Any errors you get might point directly to where the bad code is.
These are useful search strings, whether you are searching one file at a time or all files at once:
- <iframe : quickly discovers malicious links, which are often in iframes.
- src= : finds iframes and JavaScript includes, because both use this attribute. The equals sign might be encoded as = or %3D or %3d, so searching for just src finds all of them.
- http:// : finds references to remote websites.
- unescape : a JavaScript function often found in malicious (obfuscated) code.
- eval : another JavaScript function often found in malicious code.

Make sure all instances of src= and http:// refer to files on your site or to external sites you know and trust. Some common trusted sites that are not a problem are pagead2.googlesyndication.com (if you use AdSense) and www.google-analytics.com (Google Analytics). However, make sure it is not gooqle-analytics, with the second G really being a Q. That is a spoof/malware site, and not ok. Other look-alikes of the google-analytics name are common, so check the spelling carefully.
JavaScript references to external sites look like this. If you don't recognize remotesite.com, the code is suspicious. This code calls and runs a JS script that is hosted on a website that isn't yours. After a visitor loads your page, their browser fetches this JavaScript from the other site and runs it: <script language="JavaScript" src="http://remotesite.com/path/file.js"> </script>
Search all the files that have any part in your web pages: .html, .htm, .php, .asp, .aspx, .inc (include files), .cfm, .css (style sheets). Inspect .js JavaScript and any other script files (including ones that you know originally came from a trusted source such as an Ajax library), watching for obfuscated code as described above. Some exploits try to do as little damage to the site as possible other than adding one little malicious JavaScript function into an otherwise normal .js file, to make it go undetected for as long as possible and be difficult to find. If you find nothing in your text files, it might be necessary to search your database for malicious code, which will be discussed later.
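The searches in the preceding paragraphs (the <iframe, src=, http://, unescape and eval strings, the allow list of trusted hosts, the look-alike domain check, and the list of file types to cover) can be done in one pass over a copy of the site's files. The script below is an added example, not the article's PHP script or any other code from the original page. It reports where in the file each hit sits (top, after </html>, and so on), and it treats a remote host as suspicious unless it is your own or on the allow list; a host that closely resembles an allowed one is flagged separately as a look-alike. The domain names in the constructed sample page (yoursite.example, unknownsite.example) are made up.

```python
"""Search a site's source files for the strings this article lists (<iframe,
src= with plain or %3D-encoded '=', http://, unescape, eval, remote PHP
includes), check every remote host against an allow list, and flag hosts that
merely look like an allowed one. Added example, not the article's own code;
yoursite.example and unknownsite.example are made-up names."""
from __future__ import annotations
import difflib
import os
import re
from urllib.parse import unquote, urlsplit

TRUSTED_HOSTS = {"pagead2.googlesyndication.com", "www.google-analytics.com"}
WEB_EXTS = {".html", ".htm", ".php", ".asp", ".aspx", ".inc", ".cfm", ".css", ".js"}

PATTERNS = {  # kind -> regex; group 1 (where present) is the referenced URL
    "iframe":         re.compile(r"<iframe\b", re.I),
    "src":            re.compile(r"\bsrc\s*(?:=|%3d)\s*['\"]?([^'\"\s>]+)", re.I),
    "remote_url":     re.compile(r"(https?://[^'\"\s<>)]+)", re.I),
    "unescape":       re.compile(r"\bunescape\s*\(", re.I),
    "eval":           re.compile(r"\beval\s*\(", re.I),
    "php_remote_inc": re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"](https?://[^'\"]+)", re.I),
}


def where_in_file(text: str, idx: int) -> str:
    """Injection robots use crude placement rules; say which one applies."""
    head = text[:idx].lower()
    if "</html>" in head:
        return "after </html>"
    if "</body>" in head:
        return "after </body>"
    if text.count("\n", 0, idx) < 2:
        return "top of file"
    if "<body" in head and "</body>" in text[idx:idx + 200].lower():
        return "just before </body>"
    return "elsewhere"


def lookalike_of(host: str, trusted: set[str] = TRUSTED_HOSTS) -> str | None:
    """The trusted host that `host` imitates (gooqle-analytics), if any."""
    for t in trusted:
        if host != t and difflib.SequenceMatcher(None, host, t).ratio() >= 0.9:
            return t
    return None


def verdict_for(url: str, own_host: str, trusted: set[str]) -> tuple[str, str]:
    """Decode %-encoding first so src%3Dhttp%3A%2F%2F... resolves to a host."""
    host = (urlsplit(unquote(url)).hostname or "").lower()
    if not host or host == own_host.lower() or host in trusted:
        return host, "ok"
    target = lookalike_of(host, trusted)
    if target:
        return host, f"LOOK-ALIKE of {target}"
    return host, "unknown remote host"


def scan_text(text: str, path: str, own_host: str,
              trusted: set[str] = TRUSTED_HOSTS) -> list[dict]:
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            host, verdict = "", "review"
            if m.groups():
                host, verdict = verdict_for(m.group(1), own_host, trusted)
            findings.append({
                "file": path, "line": text.count("\n", 0, m.start()) + 1,
                "kind": kind, "where": where_in_file(text, m.start()),
                "host": host, "verdict": verdict,
                "snippet": text[m.start():m.start() + 70].replace("\n", " ")})
    return findings


def scan_tree(root: str, own_host: str, exts: set[str] = WEB_EXTS) -> list[dict]:
    """Scan every web-related file under root (run it on the server-side copy)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(fh.read(), path, own_host))
    return findings


# Constructed sample: a normal page using Google Analytics, followed by an
# injection appended after </html> that uses a look-alike domain and an iframe.
SAMPLE_PAGE = """<html><head><title>Home</title>
<script src="/js/menu.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body><p>Welcome</p></body></html>

<script src=http://www.gooqle-analytics.com/ga.js></script>
<iframe src="http://unknownsite.example/in.php" width=0 height=0></iframe>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE, "index.html", "yoursite.example"):
        if f["verdict"] != "ok":
            print(f"{f['file']}:{f['line']} {f['kind']} [{f['where']}] "
                  f"{f['verdict']}: {f['snippet'][:50]}")
```

Run `scan_tree("/path/to/public_html", "yoursite.com")` on a copy of the files and review everything whose verdict is not "ok"; add your own hosts (a CDN, a second domain) to TRUSTED_HOSTS as you confirm them. The "review" verdicts on eval and unescape are not proof of anything by themselves; they mark the places to read.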
Examine user-generated content on your site for malicious uploads or attachments posted by visitors or spambots. To be efficient, start with posts from a few days before the site first got flagged. Or start at the end and work backwards.
If you run affiliate ads or ads from advertising networks, you usually put the ads on the page by adding iframe or JavaScript code into the source code of your pages. Your visitor's browser fetches the ads directly from the advertiser site as part of the process of displaying your web page. There are a few advertising networks that intentionally do things in their code that StopBadware and Google consider badware behavior. Other ad networks fail (either consistently or accidentally) to fully screen the ads submitted by advertisers for distribution, so sometimes malicious ads get into their network. Make a list of the advertisers you are affiliated with. To find out if other publishers are experiencing the same problem as you with this network, do a web search on them or ask about them in a forum where there are people who might be up-to-date with which advertisers are currently causing problems. An example of a web search I have found useful is: advertiser badware OR StopBadware OR malware OR virus Bad ads can slip into even the big ad networks such as DoubleClick and MSN. When this happens at the biggest networks, it is usually resolved quickly. If you suspect bad ads might be your problem, the solution is to stop displaying the ads on your pages until the ad network problem is resolved. Report the problem to the network with as much detail as you can provide. An increasing amount of advertising is being served in Flash .swf files. These files can be flagged as badware, too. See the next section.
There have been numerous security vulnerabilities found in Flash. In addition, Flash scripting allows authors to embed badware behavior such as redirecting to a different website while the user is helpless to prevent it. Whether your Flash files serve third-party advertising or merely your own content, they will get flagged if Google determines they have malicious scripting or are otherwise a hazard to a visitor's PC. The easiest way to determine whether .swf files are the reason for your site being flagged is to remove the files as part of your initial site cleanup. After the badware flag is removed from your site, put the files back. If the flag returns, they're a problem. You can also try scanning your .swf files with the AdopsTools Online click checker, which gives you a report about the file's content. These links might help you investigate further:
- InformationWeek explains (overview) why Flash can be dangerous
- How sleazy operators slipped malware Flash advertisements into an ad network
Technical articles:
- Adobe article about creating more secure SWF web applications
- Adobe Flash CS3 Documentation on Flash Player Security aspects of Programming ActionScript 3.0.

While you are investigating and fixing your site, you might want to keep Flash disabled in your browser in case you have a bad .swf file. In Internet Explorer, go to Tools > Manage Add-ons > Enable or Disable Add-ons > Add-ons that have been used by Internet Explorer. Disable two items: 1) Shockwave Flash Object and 2) Shockwave ActiveX Control (if present). For Firefox, there is a highly recommended plug-in called NoScript to block Flash, JavaScript, Java, and more.
Even if your advertisers normally use only legitimate methods, their ads might have been replaced with malicious code, which would start appearing on your pages instead of the usual ads. This is a danger anytime your pages pull some of their content from other sites. This is one case where the only way to detect the malicious code is to visit your site pages with your browser, to make sure all the ads are the legitimate ones you expect. If you are affected by the problems an advertising network is having, you won't be the only one, so a web search should turn up other similar reports.
If you use any code that includes content from a remote site, such as iframes or JavaScript with an attribute of src="http://othersite.com", or PHP scripts that use include("http://othersite.com/file.php"), or the related include_once(), require(), and require_once(), there is always the danger that a problem at the other site could affect your pages. Note that in PHP 5.2 and later, including a remote URL only works when the allow_url_include setting is enabled; it is off by default, and leaving it off removes this whole class of problem.
If content for your site pages is stored in a Content Management System (CMS) database, it is possible that an SQL injection attack inserted malicious code into the database tables, and it is getting into your pages from there.
One way to search or visually inspect and clean the data in your database tables is with cPanel > phpMyAdmin. Another way that should sometimes be workable is to go to cPanel > Backups and download a backup of the database in sql.gz format, which is a plain text file when it's decompressed. If your antivirus software allows you to keep the downloaded file (it might detect the malware and quarantine the file instantly), and if the database isn't huge, you can view the text in a text editor, search and replace the malicious code, and upload the cleaned database back to the server. The easiest way to clean the database is to restore it from a known-good backup. If you suspect SQL injection, you can use the online hack attempt identifier to determine whether your site has been receiving attacks of that type. If you write your own database connection and query code, you can prevent SQL injection by using parameterized queries (prepared statements), so that user-supplied values are passed to the database as data and are never concatenated into the SQL text. Cleaning the data without closing the hole that let it in only means you will be cleaning it again.
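To make the two preceding paragraphs concrete (how injected markup ends up in a CMS table, why a parameterized query stops it, and how to find the markup in a plain-text dump), here is an added example that is not code from the original article. It uses an in-memory SQLite table as a stand-in for a CMS's MySQL tables, and a text dump produced by SQLite's iterdump() as a stand-in for the sql.gz backup; the table name, the payload and the host unknownsite.example are constructed for the example.

```python
"""Show how a string-built UPDATE lets a request write markup into a CMS
table, how the same code with a parameterized query does not, and how to find
the injected markup in a plain-text dump. Added example, not the article's own
code; it uses an in-memory SQLite table as a stand-in for a CMS database."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    con.execute("INSERT INTO posts (title, body) VALUES ('Hello', '<p>First post</p>')")
    con.commit()
    return con


def update_title_vulnerable(con: sqlite3.Connection, post_id: int, title: str) -> None:
    """The injection vector: user input pasted into the SQL text."""
    con.execute(f"UPDATE posts SET title = '{title}' WHERE id = {int(post_id)}")
    con.commit()


def update_title_safe(con: sqlite3.Connection, post_id: int, title: str) -> None:
    """Same operation with placeholders: the input is data, never SQL."""
    con.execute("UPDATE posts SET title = ? WHERE id = ?", (title, post_id))
    con.commit()


# Markup worth finding inside table data. Extend it with the strings from your
# Safe Browsing diagnostic (domain names, IP addresses) once you have them.
INJECTED = re.compile(
    r"<(?:script|iframe)\b[^>]*>.*?</(?:script|iframe)>|\b(?:eval|unescape)\s*\(",
    re.I | re.S)


def scan_dump(dump: str) -> list:
    """Report line, table and snippet for every hit in a text dump whose rows
    are INSERT statements (mysqldump and SQLite's iterdump both look like that)."""
    hits = []
    for lineno, line in enumerate(dump.splitlines(), 1):
        table = re.match(r'INSERT INTO\s+[`"]?(\w+)', line, re.I)
        for m in INJECTED.finditer(line):
            hits.append({"line": lineno, "table": table.group(1) if table else None,
                         "snippet": m.group(0)[:60]})
    return hits


def clean_dump(dump: str) -> str:
    """Strip the matched markup; restore from a known-good backup when you can."""
    return INJECTED.sub("", dump)


def demo() -> dict:
    # Constructed payload: closes the title string and appends a second SET
    # clause, so the body column gets a remote script tag. unknownsite.example
    # is a made-up name.
    payload = ("x', body = body || "
               "'<script src=http://unknownsite.example/a.js></script>")
    con = make_db()
    update_title_vulnerable(con, 1, payload)
    dump = "\n".join(con.iterdump())
    hits = scan_dump(dump)

    con2 = make_db()
    update_title_safe(con2, 1, payload)
    title, body = con2.execute("SELECT title, body FROM posts WHERE id = 1").fetchone()
    return {"hits": hits,
            "injected_body": con.execute("SELECT body FROM posts WHERE id = 1").fetchone()[0],
            "safe_title_is_literal_payload": title == payload,
            "safe_body": body,
            "cleaned_still_has_script": "<script" in clean_dump(dump).lower()}


if __name__ == "__main__":
    result = demo()
    for h in result["hits"]:
        print(f"dump line {h['line']} table {h['table']}: {h['snippet']}")
    print("after safe update, body is:", result["safe_body"])
```

On a real site, run scan_dump over the decompressed sql.gz text (read it with errors="replace", since dumps are not always valid UTF-8) and note the table names it reports; those are the tables to inspect in phpMyAdmin. The safe variant stores the whole payload as a harmless title string, which is exactly what a parameterized query is for.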
Examine your site configuration files such as Apache .htaccess and httpd.conf for code that sends your visitors to a malicious site. Look for lines containing the words Rewrite or Redirect with references to sites that aren't yours, and RewriteRule lines referring to google.com or yahoo.com. htaccess exploits often redirect only if the visitor came from a search engine. If your visitors report being redirected and you can't reproduce the behavior yourself, try going to your site from a Google search result. In your existing .htaccess files, search carefully and scroll all the way to the bottom of the file. Sometimes hundreds of blank lines are inserted before the malicious code. Look for new .htaccess files that might have been added to the site. Search all the folders inside /public_html and also the folder(s) above /public_html. You can test for, confirm, and study redirects as they happen with the Firefox add-on Live HTTP Headers.
JavaScript is another way your page can automatically redirect visitors to a different website. While examining the JavaScript in your site, look for code like the following. It can be in the JavaScript code in your pages, or, increasingly common, injected into the .js files that are called by your pages:
window.location="http://unknownsite.com/"
window.location.replace("http://unknownsite.com/")
An HTML meta-refresh is yet another way to automatically redirect visitors to a different website. Look for code like this within the <head></head> sections of your documents:
<meta http-equiv="refresh" content="0; url=http://unknownsite.com/">
<meta http-equiv="location" content="0;url=http://unknownsite.com/">
These examples redirect to the other page after 0 seconds.
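The three redirect mechanisms above (.htaccess rewrite rules keyed on the search-engine referrer, JavaScript location changes, and meta refresh tags) can be hunted with one script. This is an added example, not code from the original article. It flags RewriteCond lines that test HTTP_REFERER for a search engine, rewrite and redirect targets on a host other than your own, a long run of blank lines in .htaccess (the padding trick mentioned above; the threshold of 20 is an assumption), and JavaScript or meta redirects that leave the site. The .htaccess and page used as input are constructed, and yoursite.example / unknownsite.example are made-up names.

```python
"""Hunt for injected redirects: .htaccess rewrite rules keyed on a search-engine
Referer (or padded behind many blank lines), JavaScript location changes, and
meta refresh tags that point off-site. Added example, not the article's own
code; unknownsite.example and yoursite.example are made-up names."""
from __future__ import annotations
import re
from urllib.parse import urlsplit

SEARCH_ENGINES = re.compile(r"google|yahoo|bing|msn|live\.com", re.I)
URL_RE = re.compile(r"https?://[^'\"\s<>)\]]+", re.I)
JS_REDIRECT = re.compile(
    r"\b(?:(?:window|document|top|self|parent)\.)?location"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=|\()\s*['\"]([^'\"]+)['\"]", re.I)
META_REDIRECT = re.compile(
    r"<meta\b[^>]*http-equiv\s*=\s*['\"]?(?:refresh|location)['\"]?[^>]*"
    r"content\s*=\s*['\"][^'\"]*?url\s*=\s*([^'\"\s;]+)", re.I)


def external_host(url: str, own_host: str) -> str | None:
    """Host of url when it is not own_host; None for same-site or relative URLs."""
    host = (urlsplit(url).hostname or "").lower()
    return host if host and host != own_host.lower() else None


def scan_htaccess(text: str, own_host: str, pad_threshold: int = 20) -> list[dict]:
    findings = []
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        low = line.lower()
        if low.startswith("rewritecond") and "http_referer" in low \
                and SEARCH_ENGINES.search(line):
            findings.append({"line": no, "kind": "referer condition", "detail": line})
        if low.startswith(("rewriterule", "redirect", "errordocument")):
            for url in URL_RE.findall(line):
                host = external_host(url, own_host)
                if host:
                    findings.append({"line": no, "kind": "external target", "detail": host})
    # Runs of blank lines are used to push the injected rules out of sight.
    run = best = best_end = 0
    for i, raw in enumerate(lines):
        run = 0 if raw.strip() else run + 1
        if run > best:
            best, best_end = run, i
    if best >= pad_threshold:
        findings.append({"line": best_end + 2, "kind": "content after padding",
                         "detail": f"{best} blank lines end at line {best_end + 1}"})
    return findings


def scan_redirects(text: str, own_host: str) -> list[dict]:
    """JavaScript and meta-refresh redirects in a page or .js file."""
    findings = []
    for kind, rx in (("js location", JS_REDIRECT), ("meta refresh", META_REDIRECT)):
        for m in rx.finditer(text):
            findings.append({"line": text.count("\n", 0, m.start()) + 1, "kind": kind,
                             "target": m.group(1),
                             "external": external_host(m.group(1), own_host)})
    return findings


# Constructed .htaccess: one legitimate internal rule, then 150 blank lines,
# then rules that send search-engine visitors off-site.
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteRule ^old/(.*)$ /new/$1 [R=301,L]\n"
    + "\n" * 150 +
    "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]\n"
    "RewriteRule .* http://unknownsite.example/go.php [R,L]\n")

# Constructed page: meta refresh and referrer-keyed JavaScript redirect
# off-site, plus a harmless same-site redirect to a login page.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=http://unknownsite.example/">
<script>if (document.referrer.match(/google/)) window.location.replace("http://unknownsite.example/x");</script>
</head><body>
<script>location.href = '/login.html';</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_htaccess(SAMPLE_HTACCESS, "yoursite.example"):
        print(f".htaccess:{f['line']} {f['kind']}: {f['detail']}")
    for f in scan_redirects(SAMPLE_PAGE, "yoursite.example"):
        print(f"page:{f['line']} {f['kind']} -> {f['target']}"
              f"{'  (OFF-SITE)' if f['external'] else ''}")
```

Run scan_htaccess over every .htaccess you find (including the folders above public_html) and scan_redirects over .html and .js files. Only redirects whose "external" field is set leave your site; a same-site redirect to a login page is normal and reported without that flag.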
If you have custom error pages that you created and that are stored within your website, you probably examined those files already in the previous steps. However, many websites don't have custom error documents. In that case, the server uses its default error documents, which are stored outside your website. You can test those by provoking a server error and checking the page you receive:
1. Make sure your antivirus program is up to date.
2. Turn off JavaScript so your browser won't execute any scripts.
3. Using your browser, go to: http://yoursite.com/notarealpage.html
4. You should get a "404 Not Found" error page.
5. View its source code in your browser: IE7: Page > View Source; FF: View > Page Source
6. Look for the same types of injected links and virus code that you searched for on your other pages earlier.
If you find bad links or viruses on your server's default error pages, it is a sign that the server, not just your website, has been compromised. Continue to the next step, and notify your webhosting company.
A rootkit is a type of infection that installs malicious programs to replace parts of the server's operating system. It performs ordinary operating system tasks just like the OS would, but it also performs whatever malicious activity it is programmed to do. Because it controls operating system tasks, it can hide itself. A server compromised with a rootkit-type infection cannot be trusted at all, not even to properly report on its own status or give accurate directory listings.

If you have thoroughly investigated all the preceding possibilities and you are sure everything inside your site is clean, it is possible that areas of your server outside your website are compromised (such as the default error pages in the previous step), or the server itself might be infected with software such as a rootkit. It might be injecting malicious content onto your pages in real time, after the pages are read from disk and just before they are sent out. One possible indication of a compromised server is a situation where, even though your request wasn't redirected to some other malicious website (that is, you are getting a page from your site), the page you get in your browser is completely different -- every time, or just sometimes -- from the one that you know is on your server. For example, the page on your server is completely clean, but when you request it with your browser or with wget, it's nothing but a page full of JavaScript, or a page with an iframe in it. One type of attack that works this way is called beladen.

The behavior described above is not proof of a compromised server, however. For example, it is possible for the hacker to put new pages -- or even an entire website -- inside your website and then use .htaccess rewrites or PHP code to serve those pages instead of the requested ones. In this case, the pages are actually in your site and there is no server-wide compromise. With any luck, the investigation you've done to this point would already have uncovered either the hidden files or the rewrite code that is causing them to be served.

If you truly believe your server is compromised and you're on shared hosting, there is nothing you can do to repair the damage to the server. File a support ticket with your webhost and ask them to investigate. While you wait, you can:
1. Identify other sites hosted on your server (your neighbors):
   a. Do a web search on "reverse ip", and choose a lookup provider. Some are free.
   b. Do a Google site: search on your neighbors to see if they are flagged.
   c. If several are flagged, it's evidence of a server-wide problem, and it might help convince your host of the need to investigate.
2. Examine your site files. This time, search not for injected malicious code, but for security vulnerabilities in your code. Also research lists of known vulnerabilities in the third-party applications you use. Even if your entire server is compromised, there is always the possibility that a security hole in your site was what allowed it to happen, and it would not necessarily have modified the files inside your site. So, since you can't do much else, use the time to check your site for security holes before it goes live again on a freshly cleaned server.
If you run a dedicated server, reformat the hard drive, reinstall and configure the operating system and server software, reinstall your site from known-good backups, --> fix the security vulnerability that allowed the compromise to occur <--, and start fresh.

Server-wide compromises used to be rare. In 2009, with exploits such as beladen, the incidence is increasing. It is still almost the last thing you should suspect, but it's not as unlikely as it used to be. You might find the following articles useful if you suspect a server-wide compromise. The attacks discussed were from 2008, but their methods may have evolved into the more widespread attacks being seen today:
- cpanel.net information about the "Random JavaScript Toolkit".
- Discussion at cpanel.net forum about server diagnostics, possible repair methods. The Random JS Toolkit was not specific to cPanel, but cPanel discussed it the most. Registration (free) is required to read their forum. Register with the screen name you actually want (not your real full name). Unlike some forums, you cannot specify a different screen name after you join, nor change the one you joined with.
People think of website addresses as text like http://website.com, but web addresses are really numbers called IP addresses. Before a browser can fetch a web page from a site, it must first send a query to a DNS Server to get the site's correct numeric address. Occasionally, someone manages to inject bad data into a DNS server so the IP address translations it returns are wrong. If someone tries to visit your website but their browser gets your IP address from a poisoned DNS server, they will be sent to a completely wrong website. That site might have malicious content, which could cause your site to be flagged for badware. When investigating your badware flag, this is a "way-out-there" scenario, rare and unlikely, but it has happened, so it's included here for completeness.
After you have found and resolved all the likely reasons your site got flagged, file a request for review in the Webmaster Tools section of Google Webmaster Central, or on the StopBadware Request for Review form. If they find that the malicious behavior is gone, the warning flag is usually removed within 1 to a few days even though their submission form says to allow longer. If you changed nothing on your site, but only submit the review request, the flag will not be removed. If you did nothing but delete the pages that were flagged, the flag will not be removed. The flag is removed after Google finds that the previously infected pages are still there, and clean.
StopBadware Tips for Cleaning & Securing Your Website has information about additional aspects of badware. It is in some areas more detailed, and in others less, than what I have presented here. If it turns out your site was hacked, see the step-by-step guide how to repair a hacked website and the several other articles that it links to.

The malicious code (if any) that you find on your pages might not look very threatening at first glance, often because what you see is only a reference to additional code hosted on another website, but it can be very dangerous. To get an idea what the current crop of badware is like, see MPack Analysis (Overview of MPack and Russian Business Network), Massive MPACK Compromise (follow all 4 links at the bottom of that page, which provide additional detail about MPack and its effects), and JavaScript that evades antivirus detection. If your site is serving this code, your visitors' antivirus software (assuming they have any, which many do not) might not be able to protect them.
The most important ways to keep badware off your site are:
1. Avoid getting hacked.
2. Keep to a minimum the amount of content served to your pages by outside (third party) websites.
3. Use only trusted advertising networks. If a network has been identified as the cause for badware flags, avoid it until you are sure the problem is resolved.
Comments, questions, and discussion welcome in the Forum. In case you're wondering, no, this site has never been flagged. I have helped numerous webmasters get the warning removed, both in discussion forums and for hire.
Many people find this page while searching for information about a popup, claiming to be from IE7, that says: "Internet Explorer Warning - visiting this web site may harm your computer". Although the message is similar to the one from Google discussed in the article above, it is not related. It is also not from IE7. It is a popup generated by malware that is trying to infect your computer. Do not visit any website that it tries to make you visit, and do not download or run any program that it tries to "recommend". There is a bit more information in my article about high security in IE7. Also do a web search on rogue antivirus to find useful information and possibly screenshots that match the ones you are seeing, to help you identify it. I've recently learned that this page you are reading now is one of the ones these fake antivirus programs try to prevent you from visiting. Thank you for letting others know about this page by linking to it. Its address is: http://25yearsofprogramming.com/blog/20071223.htm
Copyright 2012 Steven Whitney. Last modified Sun 07/29/2012 10:53:28 -0700.