Flagged by Google, in depth examination shows nothing o
by CustomFit
about 1 year ago

Hello BWB Community,

Today we received an email from Google letting us know that our Adwords account has been suspended because they have detected suspicious activity on our Website. It seems that Google has an issue with two pages on our Website. I have checked our Google Webmaster Tools account and it complains about the following:

http://www.customfitonline.com/portfolio/portfolio.htm
http://www.customfitonline.com/portfolio/web-development.htm?c=ppc&s=gaw&r=whistler&kw=whistler_web_design

Our Safebrowsing report can be found here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://www.customfitonline.com/portfolio/portfolio.htm

Our UnmaskParasites report can be found here:
http://www.unmaskparasites.com/security-report/?page=http://www.customfitonline.com/portfolio/portfolio.htm

Before posting this request for help, I have read and followed this article: http://badwarebusters.org/main/itemview/1283.

The portfolio.htm file was last updated by us on Jan 30th, 2009. The web-development.htm file was last updated by us on April 20th, 2009. According to the timestamps on both these files, they have not been updated since the dates I just noted.

I have reviewed our .htaccess and it only contains 301 entries we have added and is otherwise clean. We do not in any way use SQL. I have examined the source code of the two pages noted above, the folders that contain these files, and both the internal and external Javascripts these pages call on. I am unable to find any references to the script exploits or domains that Google notes in the Safebrowsing report.

I have called my Hosting company to see if they have had any reports of exploits on their servers; none are reported. And according to a Clearinghouse search, our Website is not listed.

When browsing customfitonline.com in Chrome, all pages are viewable except those under the Portfolio section, which is odd because the rest of the pages on our site share a common template, Javascript references, and external links. We are at a loss as to why Google would have an issue with our two pages. I have completed all the standard checks, and have looked for the common exploit techniques. The only other thing I would note is that this is a FrontPage enabled Website and I have checked all of FP’s extension files for exploit. I have also reviewed all of the external Website links on these pages to see if they are flagged; I understand our Website can be flagged if we link to other bad Websites.

We are hoping that this community might be able to help us understand what we may have missed or shed some light on Google’s complaint. Many thank you’s in advance.

Robert
Custom Fit Online Solutions

by anirban
about 1 year ago

Hello :-),

Jaal Scan ID # 11173-520 output

Malicious code detected on line of 376 of http://www.customfitonline.com/portfolio/web-development.htm

starts with

cr ipt src="h tt p://153 6 0.hit t ail.c om/ m>

Please look at the copy of the page on the server, if you cannot locate this code, it is probably being injected at runtime, when a user is requesting the page. It might be useful to then wipe out the hosting directory and check for malware, on the server and in the backend database. You can also ask for help from your hosting provider. Please check out other pages too.

If you have any specific issues feel free to ask for help.

Also, I am collecting info from people affected by attacks like this, if it would be possible for you to share your experience, could you kindly shoot me a mail at a.banerje e @ j a a lcheck .com (please remove the spaces). We also provide vulnerability identification and mitigation services to help websites from being infected in the first place.

Hope this helps,
-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
http://www.jaalcheck.com

Jaal: Protecting the Internet, one website at a time™
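
Added example (not part of the original thread and not Jaal's scanner): one way to run the check described in the post above, comparing the copy of a page stored on the server with the copy actually served and listing external script or iframe hosts that appear only in the served copy. The HTML samples, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def external_hosts(html, own_domain):
    """Return the set of third-party hosts referenced by script/iframe src."""
    collector = SrcCollector()
    collector.feed(html)
    hosts = set()
    for src in collector.sources:
        host = urlparse(src).hostname  # None for relative URLs
        if host and host != own_domain and not host.endswith("." + own_domain):
            hosts.add(host)
    return hosts

def compare_copies(on_disk_html, served_html, own_domain):
    """Diff third-party hosts between the stored file and the served response."""
    disk = external_hosts(on_disk_html, own_domain)
    served = external_hosts(served_html, own_domain)
    return {
        "on_both": sorted(disk & served),      # added by the site owner: review each
        "served_only": sorted(served - disk),  # not in the file: injected at runtime
    }

# Constructed samples: the file as uploaded, and the response a visitor receives.
ON_DISK = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://static.example.com/site.js"></script>
<script src="http://tracker.example.net/t.js"></script>
</head><body>Portfolio</body></html>"""

SERVED = ON_DISK.replace(
    "</body>", '<script src="//injected.example.org/x.js"></script></body>')

if __name__ == "__main__":
    print(compare_copies(ON_DISK, SERVED, "example.com"))
```

Hosts under `on_both` are the ones the site owner added, as with the tracking script in this thread, and still need to be checked against blocklists one by one.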

by CustomFit
about 1 year ago

Dr. Anirban,

Thank you for your quick response.

The external Javascript snippet you referred to was added to our Website by us. HitTail is a keyword analytics tool that helps us track in greater detail how visitors are reaching our Website. Has this company been reported as malicious? When searching online malware databases, hittail.com did not show as bad.

It’s strange though that only the portfolio & web-development pages were flagged, as this external javascript snippet was added to ALL of our pages in 2008 and is still present.

We can easily enough remove this snippet, although we would value your thoughts on this further. Thank you much.

Robert

by anirban
about 1 year ago

Dear Robert,
We have observed xxxx.hittail.com as being flagged for suspicious activity. One external reference can be found at http://www.bluetack.co.uk/ and adblockrules.com which is a reasonably noteworthy place to show up.

The scan was an automated result, I will try to take a look at the code.

Best
-A

by CustomFit
about 1 year ago

Dr. Anirban,

I have removed all Hittail.com javascripts from our Website, and submitted via Webmaster Tools for Google to review our site. We are hoping that it will be clear now, and I will post my results.

Robert

by anirban
about 1 year ago

Great, let’s see what comes up :-). If we are unsuccessful, I’ll take a closer look at the site.

Best,
-A

by WeWatch
about 1 year ago

We have manually reviewed your site and have found no infectious malscripts. We reviewed each link, each javascript file, each external src tag and have found nothing malicious.

It is our belief that when Google reviews your site again it will be cleared. It would be interesting to see what it was about the hittail scripts that Google found linked to googleanalytlcs.net, gomorescan.com and beladen.net.

by Kaleh
about 1 year ago

This site is no longer listed as suspicious.

What is the current listing status for www.customfitonline.com/portfolio?

This site is not currently listed as suspicious. Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 4 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-05-07, and the last time suspicious content was found on this site was on 2009-05-06.

by CustomFit
about 1 year ago

I checked my Webmaster Tools account this morning and the warnings are gone. How strange that Google has a problem with Hittail. Even stranger is that we had the Hittail script on all pages of our site but Google only flagged the Portfolio section.

Thank you Dr. Anirban for finding this for us, and thank you to everyone else who followed up for us.

Robert
Custom Fit Online Solutions

by anirban
about 1 year ago

I am glad things worked out for you :-)

-A

by Cometcom1
about 1 year ago

In order to “dodge” Google’s and other vendors’ malware scanning tools, many malware distribution sites have random infections or even page-specific infections put in place.

Since we’ve already established that there is something fishy with hittail – which might be their own work or it might be that they themselves have become infected – it doesn’t seem so unrealistic at all.

I’m glad the site is back in action.

by miklevin
about 1 year ago

Hi there. Mike Levin here, the creator of HitTail. Well I’m certainly upset that our system is suspected, but we have many customers using AdWords, and have not heard of any similar reports. All our servers are checking out clean. I’ll keep my eyes peeled, but hopefully as you pointed out by only one page being flagged even though HitTail was on every page, that there’s something else going on here. I’m not sure how sophisticated their warning system is, but it is very possible that they are detecting the interaction of two tracking systems sharing the same global variable names, which creates opportunities for cross-site-scripting attacks (XSS). Let’s hope it was just a bad chemistry thing between our and some other tracking system which can be easily remedied if identified. Anyway, I’m keeping my eyes peeled, and thanks for alerting us to this issue.

by anirban
about 1 year ago

Dear Mike,
We had tried to contact hittail and the mother company with regards to the issue. Would it be possible to converse offline about this incident? My email is a.ban er jee @ stop the hack er.com (please remove the spaces).

Best,
-A

Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
http://www.stopthehacker.com

Jaal: Protecting the Internet, one website at a time™

by miklevin
about 1 year ago

FYI, for anyone following this thread, I emailed with Dr. Anirban Banerjee yesterday. The outcome is that our precautions are up to snuff, and our machines are checking out clean. We’re keeping a sharp eye on this, as our code is very widely deployed.
