badware detected... please help!!!!
by CindyV
8 months ago

I can’t find the badware on my client’s site. Google says that it’s there, but I can’t find it. The site is www.schwarzerwaldrottweilers.com Someone please help!!!!

by anirban
8 months ago

Hello :-),
The sitemeter script that is being used contains references to specificclick.net.

Jaal Scan ID # 901622839019-372 output

Suspicious code detected on line 82 of schwarzerwaldrottweilers.com

starts with
<!--s29.sitemeter.com/js/counter.js?site=s29>

Hope this helps,
-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Jaal: Protecting the Internet, one website at a time™
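An added example, not code from this thread or from Jaal's scanner: a small Python auditor that does what the scan output above describes by hand. It lists every third-party <script>/<iframe> include in a page with the line it sits on, and then, given the fetched text of each include, lists the further domains that script references and flags any on a watchlist. The page HTML, the counter.js body and the hostnames in it are constructed stand-ins, not the real sitemeter script; specificclick.net is on the watchlist only because the post above names it.

```python
"""Added example, not code from the thread or from Jaal: audit the third-party
includes in a page and the domains those includes reach out to."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IncludeCollector(HTMLParser):
    """Record every <script src> and <iframe src> with the line it sits on."""

    def __init__(self):
        super().__init__()
        self.includes = []  # (tag, src, line_number)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                line, _offset = self.getpos()  # position of the '<' of this tag
                self.includes.append((tag, src, line))


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; '' for relative paths."""
    if url.startswith("//"):
        url = "http:" + url
    return urlparse(url).hostname or ""


def in_domains(host, domains):
    """True if host is one of `domains` or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def external_includes(html, first_party):
    """Includes whose host is not one of the site's own domains."""
    collector = IncludeCollector()
    collector.feed(html)
    return [
        {"tag": tag, "src": src, "host": host_of(src), "line": line}
        for tag, src, line in collector.includes
        if host_of(src) and not in_domains(host_of(src), first_party)
    ]


# Matches the host part of http://, https:// and protocol-relative URLs.
DOMAIN_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)


def referenced_domains(script_text):
    """Every host a script mentions in a URL, including ones spliced together
    with document.write tricks, since the regex ignores the surrounding markup."""
    return sorted({m.group(1).lower() for m in DOMAIN_RE.finditer(script_text)})


def audit(html, first_party, fetched, watchlist):
    """For each external include, list the domains its body references and
    flag the ones on the watchlist. `fetched` maps include src -> body text
    (fetch it out of band); an include you could not fetch reports no refs."""
    findings = []
    for inc in external_includes(html, first_party):
        refs = referenced_domains(fetched.get(inc["src"], ""))
        inc["references"] = refs
        inc["flagged"] = [d for d in refs if in_domains(d, watchlist)]
        findings.append(inc)
    return findings


# Constructed sample page (not the real site): the counter include is on line 7.
SITEMETER_SRC = "http://s29.sitemeter.com/js/counter.js?site=s29"
SAMPLE_HTML = f"""<html>
<head><title>Kennel</title>
<script src="/js/menu.js"></script>
</head>
<body>
<p>Welcome.</p>
<script type="text/javascript" src="{SITEMETER_SRC}"></script>
<iframe src="http://example.net/frame.html" width="1" height="1"></iframe>
</body></html>"""

# Constructed stand-in for the fetched counter script (not the real file):
# a counter beacon plus a document.write that pulls in a second domain.
SAMPLE_COUNTER_JS = """var sm_img = new Image();
sm_img.src = 'http://s29.sitemeter.com/meter.asp?site=s29';
document.write('<scr'+'ipt src="http://adserver.specificclick.net/s.js"></scr'+'ipt>');
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, ["schwarzerwaldrottweilers.com"],
                   {SITEMETER_SRC: SAMPLE_COUNTER_JS}, ["specificclick.net"]):
        mark = "SUSPICIOUS" if f["flagged"] else "external"
        print(f"line {f['line']}: <{f['tag']}> {f['host']} [{mark}] -> "
              f"{', '.join(f['references']) or '-'}")
```

The point of the second stage is the one the thread turns on: a counter include that has been on the site for years is not itself the problem; the question is what the script it loads now pulls in. Run the first stage against a saved copy of the page, fetch each external include from a machine you do not mind exposing, and feed the bodies to audit(). Anything the include references that is not the vendor's own domain deserves a look before you request a review.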

by CindyV
8 months ago

Oh wow… sitemeter is just a counter program that I have on many other websites. I’ve never had any trouble with that before. Is it that the script has been altered? Thank you for your reply.

Cindy V

by CindyV
8 months ago

Do you think the sitemeter script caused google to post this?:

What is the current listing status for schwarzerwaldrottweilers.com?

Site is listed as suspicious – visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 6 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-11-24, and the last time suspicious content was found on this site was on 2009-11-24.
Malicious software includes 8 trojan(s), 2 worm(s). Successful infection resulted in an average of 16 new process(es) on the target machine.

Malicious software is hosted on 11 domain(s), including 89.138.243.0/, donnelscreekfarm.com/, ho-fashion.com/.

This site was hosted on 1 network(s) including AS26496 (PAH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, schwarzerwaldrottweilers.com appeared to function as an intermediary for the infection of 11 site(s) including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 11 domain(s), including tillieiszler.blogspot.com/, ghadaghadadolbier.blogspot.com/, adansharlott.blogspot.com/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

by anirban
8 months ago

There is a possibility, but I will try to take a look at this manually and post the results.

-A


by CindyV
8 months ago

Thank you. This whole thing is terrible. I have two other clients whose sites have also been blacklisted by Google and I have no idea why. I can’t believe that Google has the nerve to cause all of this trouble yet offers no answers as to how, when and where these problems can be fixed. “sigh” Oh… I deleted all the site pages and reloaded them, so if the code looks different, that is why.

by anirban
8 months ago

@CindyV,
Did you manage to request a review after removing the sitemeter script? I can confirm that my logs and downloaded copy shows the presence of the mentioned code.

Thanks,
-A

by CindyV
8 months ago

No, I didn’t make a request yet because I don’t know where to go or how to make that request.

by anirban
8 months ago

You can visit Google Webmaster Central and request a review of your site:
www.google.com/webmasters/

-A

by CindyV
8 months ago

I don’t see anything that says request a review.

by anirban
8 months ago

Hello,
Once you log in, select the site of interest from the left-hand side of the page. If the site is blacklisted, you will see a red warning bar at the top of the page which says that the site has been detected as suspicious. Once you click the "more details" part of that bar, you should be able to see the "Request a review" button.

-A

by CindyV
8 months ago

Thank you. I just logged in and found it. I am receiving email from other clients whose sites are getting unsafe warnings and/or being blocked. Is this a random thing? Has my computer been compromised, and if so, how do I find out? I run Trend Micro Internet Security Pro and I keep it up to date, but I have no idea if it’ll stop these kinds of attacks if in fact they are coming from my computer. Can you help, or do you know who can help? I’m going to post a new thread in a new post. Hopefully you can help with that as well. How are you finding the hacked scripts?

by anirban
8 months ago

Cindy,
If the common thread between all your clients’ websites is that you access them on their behalf from your local machine, then it is imperative that you scan your system with more than one AV. You can try out AVG/Avira/Malwarebytes in addition to the one you already possess.

We have scanning mechanisms in place which we can use to identify malicious portions of a website. Once identified we can remove these portions so that the site can be given a clean bill of health by search engines.

There is no surefire way to stop attacks like these. Period. Hackers will always find ways to compromise operating systems, browsers and associated 3rd-party installs. There will always be vulnerabilities, minor or major, on the hosting side.

You should try to make it as hard as possible for the bad guys. Keeping your system clean is a good first step. Next, hardening the websites and following best practices for web app development and deployment is a possibility to explore.

For the time being, scan your computer, remove the scripts mentioned in the scan and request a review. Let’s try to get the site back on its feet.

Hope this helps,
-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Jaal: Protecting the Internet, one website at a time™

by Kaleh
8 months ago

In addition to scanning and cleaning your local computer, as Anirban has suggested, you will also need to change all passwords. If you are modifying your clients’ sites from that computer, those passwords will need to be changed as well.

It will be best if you do not store the login details in the client application, unless you are certain that the information is encrypted.

by CindyV
8 months ago

Do I need to change every password for all applications I have on my computer, or just the FTP passwords for my clients’ sites?

I have no idea what you mean by not storing the login details in the client application.

I did a scan of my computer with Malwarebytes and it found all of this below:

Malwarebytes’ Anti-Malware 1.41
Database version: 3234
Windows 5.1.2600 Service Pack 3

11/25/2009 8:05:38 PM
mbam-log-2009-11-25 (20-05-29).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 792717
Time elapsed: 3 hour(s), 22 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS.000\SYSTEM\JGAW400.DLL (Trojan.Hiloti) → No action taken.
C:\WINXP\bk20856.dat (KoobFace.Trace) → No action taken.
C:\WINXP\010112010146116101.xxe (KoobFace.Trace) → No action taken.
C:\WINXP\0101120101465150.xxe (KoobFace.Trace) → No action taken.
C:\WINXP\0101120101465255.xxe (KoobFace.Trace) → No action taken.
C:\WINXP\0101120101465649.xxe (KoobFace.Trace) → No action taken.
C:\WINXP\fdgg34353edfgdfdf (KoobFace.Trace) → No action taken.
C:\WINXP\010112010146101105.rx (Malware.Trace) → No action taken.

by CindyV
8 months ago

OK, I have scanned and scanned and scanned with both Trend Micro and Malwarebytes. My computer is clean. I have changed all passwords and removed that information from my FTP client. Is there anyone here that would be willing to scan these two sites to see if anything comes up? It would be greatly appreciated.

www.schwarzerwaldrottweilers.com

www.libulldogs.com

Thank you in advance.
