Just Host Web Hosting Help
Google Flagged My Site as Malware
What is the warning?
Google puts this warning flag in its search results for pages where its automated web crawler was attacked by viruses or spyware when it visited the page. The purpose of the warning is to help protect less savvy web surfers who are using Google search results by steering them away from malicious pages.
The warning is not a punishment or penalty, nor does it mean that Google, Yahoo, Firefox, or StopBadware think you designed a malicious site. They all know that the overwhelming majority of webmasters do not create malicious pages on purpose. But they also don't want to send their customers to dangerous pages. All that is needed is some cleanup before they start referring visitors again.
Why is my site flagged?
StopBadware (http://www.stopbadware.org/home/guidelines#website) and Google describe the criteria they use to determine whether a website is contributing to the badware problem.
Here are reasons why your website can be flagged with the "This site may harm your computer" warning in Google search results:
- Your site was hacked. This is the most common reason for the badware flag. If someone can trick your server into allowing them to modify files in your site, they can insert malicious code into your web pages or database tables, or they can alter your .htaccess or your HTML or JavaScript code so your site automatically redirects visitors to a malicious site.
- A site other than yours got hacked, but it is affecting the content on your pages. Let's say your pages have normally harmless iframes or JavaScript that are pulled into a visitor's browser from the other website by using the property (in the HTML code) "src=http://othersite", or they use PHP code that resides on another website but is included into your pages before being served, with a PHP include(). If the other website gets hacked, your pages can turn dangerous, too, if the content that the other site was supposed to be sending out (advertisements, hit counters, top 10 lists ...) gets replaced by viruses, spyware, or other bad things. Whenever you use content from another website on your pages, you are dependent on that other site staying clean.
- Your pages trigger the loading of Flash .swf files that are scripted to do malicious things or that are out of date and exploitable. Flash advertising is a common problem area.
- (Your site contains an outlink to another site that has badware on it.) This was once a major reason for being flagged. That might not be true anymore, but it is still worthwhile to check your outlinks to make sure you are not linking to malicious sites, or to a site that got hacked and has turned malicious.
The Firefox 3.x and Chrome browsers use data from the Google Safe Browsing Service to warn users about suspected malicious sites. If your site is flagged in Google search results, Firefox 3 users are getting a warning that says, "Reported Attack Site!" and they are blocked from going there.
How to search your pages for malicious code
Discover which pages are flagged for malware and get clues about why they are flagged
Now that you have preliminary information about which pages are affected and what seems to be wrong with them, you can start searching for bad code.
- In any Google search box, enter:
site:yoursite.com
- Note which pages have the warning flag. Usually, it is all of them, but sometimes it's only one section, such as the forum or blog, which tells you where to focus most of your attention.
- Click the search results link for one of your flagged pages. Instead of going to your site, it will take you to a Google "interstitial" warning page.
- On that page, follow the link to the "Safe Browsing diagnostic page" and study it. Another way to get to the Safe Browsing diagnostic page directly (you can check any website this way) is by entering this URL into your browser address bar. Replace EXAMPLE.COM with the address of the website you want to check:
http://www.google.com/safebrowsing/diagnostic?site=EXAMPLE.COM
- Go to Webmaster Tools at Google Webmaster Central. If you don't have an account there, create one. It's free. They show the badware status of your site, help information, and a partial list of the pages they consider suspicious.
- Look up your site in the StopBadware Clearinghouse database.
- If Symantec's Norton Safe Web has found malware, their report shows the locations (filenames) of the threats more completely than the Google and StopBadware reports.
- Scan pages of your website at UnmaskParasites to find hidden iframes.
- Scan pages of your website at Dasient.
- Do a web search on each of the domain names and IP addresses mentioned in your Google Safe Browsing Diagnostic report as being the sources or intermediaries of the malware on your pages. Some of these website names and IP addresses are associated with specific types of attacks. For example, if the domains mentioned are gumblar or martuz, it is certain that a virus on the PC of one of your site administrators stole the FTP login information and used it to hack the site, so you must do virus scans. On the other hand, if the domain is beladen, you are facing a server-wide compromise, not just an ordinary attack on your one website, so you must notify your webhost. These domain names can give you good clues about what is wrong and save you a lot of time if your search is successful.
Search your source code for badware
Whenever possible, view and search the source code of your pages on your server. This allows you to see ALL the code, even if it is only put on the pages sometimes.
Explanation: Some exploits put malicious code on pages only under certain conditions, such as if the visitor is using Internet Explorer or if they came to your site from a Yahoo or Google search results page. Your particular viewing might not meet those conditions (such as if you're using Firefox or you went directly to the site without going through a search engine). If you examine pages with your browser's View Source command, you might conclude that the page is clean even though at other times, or when other people view it, it's not.
Examining the source code on your server lets you see all the code that's there.
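The server-side search described above can be scripted. The following Python scanner is an added example, not part of the original article; the patterns, the function names scan_tree and demo, and the sample files (including the host othersite.example) are constructed for illustration. It flags hidden iframes, remote PHP include() calls, code that branches on the referrer or browser, and scripts or iframes loaded from other hosts.

```python
import os, pathlib, re, tempfile
# Heuristic patterns (assumptions chosen for this example, not an exhaustive signature set).
CHECKS = [
    ("hidden-iframe", re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    ("remote-php-include", re.compile(
        r"\b(?:include|require)(?:_once)?\s*\(?\s*[\"']https?://", re.I)),
    ("referrer-or-agent-condition", re.compile(
        r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}|\$_SERVER\s*\[\s*[\"']HTTP_(?:REFERER|USER_AGENT)[\"']", re.I)),
]
EXTERNAL_SRC = re.compile(r"<(?:script|iframe)\b[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)
SCAN_EXT = (".html", ".htm", ".php", ".js", ".htaccess")

def scan_tree(docroot, own_hosts=()):
    """Return sorted (relative_path, line_number, finding) tuples for files under docroot."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().endswith(SCAN_EXT):
                continue
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, docroot)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    for label, pattern in CHECKS:
                        if pattern.search(line):
                            findings.append((rel, lineno, label))
                    for host in EXTERNAL_SRC.findall(line):
                        if host.lower() not in own:  # content pulled in from another site
                            findings.append((rel, lineno, "external-src:" + host.lower()))
    return sorted(findings)

def demo():
    """Build a small constructed site in a temp directory and scan it."""
    samples = {
        "index.html": '<p>Welcome</p>\n<iframe src="http://othersite.example/x" width=1 height=1></iframe>\n',
        "counter.php": '<?php include("http://othersite.example/counter.php"); ?>\n',
        ".htaccess": "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\nRewriteRule .* http://othersite.example/ [R,L]\n",
        "about.html": '<script src="/js/site.js"></script>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            pathlib.Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root, own_hosts=["yoursite.com"])

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A finding is a lead to review by hand, not proof of compromise: legitimate pages also embed third-party scripts, and a clean result does not cover code stored in database tables.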