
Image of Google's Reported Attack Site Display
Does this image look familiar? If your site has been identified by Google as a site distributing malware, this “Reported Attack Site — This website at www.[x].com has been reported as an attack site and has been blocked based on your security preferences” label has likely been applied to your site. Unfortunately, if you’re seeing this label, odds are all of your visitors (e.g. potential customers) are seeing it too! If they’re not seeing it because they’re running outdated browser software and/or don’t have the Google toolbar installed, then odds are their computers are being infected with a virus/trojan within seconds of visiting your site. Not a very good way to treat your customers.
Why has Google labeled my site as a “Reported Attack Site”? I’ve never uploaded a virus or malware to my site!
In some cases, third parties can add malicious code to legitimate sites, which would cause Google to show the warning message. Recently, several viruses/trojans that have been infecting users’ personal computers have been found to harvest stored user id and password information from the local machine, including FTP user id and password data for any sites that the user has access to. If your site has been identified as a reported attack site and you’re not intentionally distributing malware (yes, there are bad apples who would do this sort of thing on purpose), odds are your computer, or the computer of someone who has previously performed work on your website, has been compromised by one of these rogue programs.
Although the list of viruses propagating in this fashion is extremely likely to increase, the main programs causing a severe rise in infected sites have been identified as Gumblar and Nine-Ball. Once a user gets this virus, it spreads by inserting malicious content into webpages that the user has access to in order to infect other users. Security experts have estimated that as many as 60,000 websites have already been compromised in this manner. The infection on the website, most commonly a hidden iframe that directs the user’s browser to a rogue site in China or Russia, then takes advantage of vulnerabilities in unpatched system software such as Adobe Reader and Macromedia/Adobe Flash in order to infect the computers of anyone visiting the infected site. That is how the attack spreads virally.
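One way to look for the hidden-iframe injection described above in a downloaded copy of your site, as an added example (not code from the original article or from any scanning service it mentions). The function names, file extensions, host names and sample markup are assumptions made for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element from the visitor.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True for width/height values of 0 or 1 (e.g. "0", "1", "1px")."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeFinder(HTMLParser):  # collects hidden iframes that load from a foreign host
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []  # (line number, src) pairs
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or HIDDEN_STYLE.search(a.get("style", "")))
        if hidden and host and host not in self.own_hosts:
            self.findings.append((self.getpos()[0], a["src"]))

def scan_html(text, own_hosts):
    """Return [(line, src)] for hidden off-site iframes in one document."""
    finder = IframeFinder(own_hosts)
    finder.feed(text)
    return finder.findings

def scan_tree(root, own_hosts, exts=(".html", ".htm", ".php")):
    """Walk a local copy of the site; return {path: findings} for flagged files."""
    report = {}
    for folder, _, names in os.walk(root):
        for name in (n for n in names if n.lower().endswith(exts)):
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report

# Constructed sample: a normal video embed, then an injected 1x1 iframe.
SAMPLE = ('<iframe src="http://cdn.example.net/v" width="560" height="315"></iframe>\n'
          '<iframe src="http://malicious.example/in.php" width="1" height="1"></iframe>\n')
```

This only sees iframes present in the static markup; an iframe written into the page by injected script at load time will not appear, so unfamiliar script blocks need review as well. Compare any flagged file with a known-good backup before editing it.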
So what do I do now? I don’t want my customers to get infected or see “Reported Attack Site” every time they visit my site!
There are several steps that you should take IMMEDIATELY! Most importantly, change the user id and/or passwords of any FTP account, control panel access accounts (which are frequently ‘master’ FTP accounts as well) and any sort of content management software you might be using (e.g. WordPress, Joomla, etc.). While this means you’ll have to go through the painful task of digging out your hosting control panel access information, this simple step will prevent the compromised computer that caused the infection from doing any further damage.
The next step is to remove the offending script from all pages that have been infected on your site. Since this process takes technical expertise that many online merchants may not possess, we offer a service to perform this step for you. Our malware detection and removal service will remove the malicious code from all pages on your site (discounts available for merchants/webmasters who have had multiple sites compromised). In addition to scanning all files on your website to determine which files have been infected and removing the harmful code from each page, our service includes assistance in formally requesting a review of your website by Google and reinclusion of your site in Google’s “good site” list.
Finally, we’ll provide tips on how to avoid similar problems in the future. One of the most obvious, but often overlooked, is choosing not to store that new password you’ve just created right back in the same place that it was compromised before. Also, changing the password frequently, especially if you have 3rd parties performing work on your website, is definitely a “best practice”.
Remember, failing to remove this malicious content not only severely jeopardizes the success of your website, but even worse, assists the original creators of this virus in further propagating the script and infecting all the loyal customers and visitors to your site!