I deleted an unfamiliar .htaccess file. Is that it? Please help! Thank you very much!
Here is my error message from http://www.google.com/safebrowsing/diagnostic?site=http://www.uoftpharmacy.com
What is the current listing status for uoftpharmacy.com?
Site is listed as suspicious – visiting this web site may harm your computer. Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-02-12, and the last time suspicious content was found on this site was on 2010-02-12. Malicious software includes 3 exploit(s). Malicious software is hosted on 2 domain(s), including system-inj.com/, system-unic.com/. 1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including system-unic.com/. This site was hosted on 1 network(s) including AS11798 (BLUEHOST).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, uoftpharmacy.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Thanks again!
Looks like your site is clean now.
Have you requested another review? I see the last time Google checked your site (2-12-2010) they found it to be suspicious.
If you haven’t you may want to now.
Post back here if you have any further questions or updates please.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Thank you very much. The warning has been taken off my site. However, when I search for uoftpharmacy.com in Google, I come up with ads for viagra… (ups.uoftpharmacy.com), and the parent site doesn’t show up at all. But I know I’ve taken care of the ad problem by removing the malware or whatever it was implanted on the site, and have set appropriate keywords in the meta tags. Is the only thing I can do to wait for Googlebot to recrawl my website?
It looks like you have (had?) multiple issues. You may have cleared one that was causing your site to be flagged by Google, but it may have been unrelated to the viagra stuff.
Use unmaskparasites.com and web-sniffer.net to check the individual pages to see the spammy content. Edit: I thought the original pages had been replaced, but it looks like different content is being served, depending upon the user agent. With web-sniffer.net, using Googlebot or web-sniffer as the user agent, you see the viagra content. With the other normal browser user agents it looks like you get normal content.
You can see the same issue when using Rex Swain’s HTTP Viewer and changing the user agent to Googlebot.
Site:ups .uoftpharmacy .com
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=q2P&num=100&q=site%3Aups.uoftpharmacy.com&aq=f&aqi=&oq==
You may want to use the following resources as a guide to thoroughly review your site.
How to prevent your site from getting hacked. How to repair a damaged site. Website security precautions
http://25yearsofprogramming.com/blog/20070705.htm
Tips for Cleaning & Securing your Website
http://www.stopbadware.org/home/security
@dumbadum
The issue discovered by Kaleh is called cloaking: hackers made your site serve spammy content for search engines and normal content for normal web surfers.
Most likely it is done via .htaccess conditional rules that check the User-Agent string of incoming requests and reroute search engine bots to spammy content.
It can also be done by inserting PHP code into your WordPress files (most likely encrypted) that checks the User-Agent and displays different content for search engines.
Did you check the .htaccess file in the ups part of your site? If not, you should do it.
Then check all WordPress files for integrity. WordPress 2.9.2 has just been released so you can simply upgrade to this new version to make sure all the core WordPress files are original. Then check your theme files.
More about finding backdoor scripts in WordPress:
http://ottodestruct.com/blog/2009/hacked-wordpress-backdoors/
Then scan your server for new and suspicious files and directories (the spammy content).
Finally, to prevent the problem from recurring, you should identify the security hole that was used to hack your site.
Start with scanning your computer for malware and then change all site passwords.
Note: storing new passwords in FTP clients that don’t provide master key encryption is a very insecure practice.
P.S. Please share your findings here to help other webmasters with similar problems.
P.P.S. “pdw2010 .uoftpharmacy .com” is also affected
Denis – www.UnmaskParasites.com
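Added example, not part of the original thread: one way to run the .htaccess check described above across a whole site tree, flagging any RewriteRule guarded by a User-Agent condition that names search-engine crawlers. The token list, the function names and the sample rules (including `/placeholder-spam.php`) are constructed for illustration.

```python
import os
import re

# Substrings that User-Agent conditions aimed at crawlers usually contain (assumed list).
BOT_TOKENS = ("google", "bing", "yahoo", "msn", "slurp", "baidu", "bot", "spider", "crawl")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_USER_AGENT\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)

# Constructed sample of the conditional-rewrite pattern; the target is a placeholder.
SUSPECT = """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|bing) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (bot|spider|crawl) [NC]
RewriteRule ^(.*)$ /placeholder-spam.php [L]
"""


def find_cloaking_rules(htaccess_text):
    """Return (line_no, ua_pattern, rule_target) for every RewriteRule that is
    guarded by a User-Agent condition mentioning a crawler token."""
    findings, pending = [], []
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comments such as "# BEGIN WordPress"
        cond = COND_RE.match(line)
        if cond:
            if any(tok in cond.group(1).lower() for tok in BOT_TOKENS):
                pending.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:
            findings.extend((line_no, pat, rule.group(2)) for pat in pending)
            pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


def scan_tree(root):
    """Check every file whose name ends in 'htaccess' under root."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith("htaccess"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = find_cloaking_rules(fh.read())
                if found:
                    hits[path] = found
    return hits
```

A hit still needs a human look: a rule whose target is `-` with the `F` flag blocks the matched agents rather than serving them different content. A clean result only rules out the .htaccess route, not injected PHP.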
Thanks for all the info. Here’s an update:
It was not a .htaccess issue this time. The first time potentially was, since there was a strange .htaccess file in the public_html folder. I also removed a javascript file in the same folder which google webmaster tools pointed out as being suspicious. At the same time I looked into the .htaccess file (and any other file that ended in htaccess) for ups.uoftpharmacy.com, but it only had the standard .htaccess with two lines pointing to wordpress:
----------------------------------------------
# BEGIN WordPress
# END WordPress
----------------------------------------------
Now my second problem was the cloaking issue. My host support technician was not very helpful, since they explained to me that it was actually an error on Google’s end, and that I should contact them to be re-indexed….
However, he did point me to their support article on how to make a website more secure.
I went through the files for ups.uoftpharmacy.com and deleted stuff that was not obviously pharmacy school related or WordPress related, and stuff that had file names such as old cache.php or something similar.
I upgraded my wordpress, then inspected the uploads, plugins and themes folder. Since I recognized every file that belonged to the current theme, and have compared the coding with the original ones I hand coded, I concluded my theme file was OK. So I deleted the other themes I was not using.
For the plugins, I removed all the inactive plugins and upgraded the ones requiring upgrade.
I inspected the uploads folder and found everything satisfactory.
I found it unnecessary to have php.ini and fastphp.ini in the ups folder, so I deleted those (please let me know if they are actually useful…. the subdomain seems to run OK without them). Also deleted fastphp.ini from the public_html folder (again, please let me know if that’s actually useful). I saved a copy of both on my computer in case there were essential files.
Then, according to the support article written by my host, I turned global variables (forgot the exact wording of that particular variable) and display_error to off in php.ini.
So now ups.uoftpharmacy.com searches fine on google.
This leads me to conclude that the php.ini file was fine, since pdw2010.uoftpharmacy.com still is being cloaked.
Unfortunately, I do not have access to the wordpress that runs that particular section of the website. But I’ve emailed the webmaster for that section, and hopefully he will upgrade and so on.
My computer gets scanned nightly for viruses (has been clean for the past year), and I also scanned with Trend Micro House Call (came out clean), so I am 99% sure that it is not something that came from my computer.
I tried to figure out if anyone was accessing the cpanel without authorization, unfortunately I accidentally logged out before I could get the IP address, so that’s something I’ll try in a week or so.
Finally, I changed the password to everything.
I will update again once the other webmaster contacts me about the pdw2010 portion of the website.
Thank you so much for your help!



