Hi
Two of my websites (naskeo.com and biogaz-energie-renouvelable.info) were attacked by the “gumblar” virus (now transformed into “martuz”). I did everything to clean them up: changed passwords, checked jpgs, pdfs and all for viruses, and cleaned up my htmls.
It worked for the biogaz-enr.info website, since it is no longer identified as malware by Google. However it takes a while for naskeo.com. Could anyone tell me why?
Another issue is that I checked my website here: http://stopbadware.org/home/reportsearch
and when I click on report I get a 404 error. Could someone explain what’s going on?
Thanks!
We are aware of some of the reports giving a 404 error page and I have been told that stopbadware.org is looking into the issue. However we do not have an ETA on a fix.
I can see the naskeo.com site occurring as two different entries in the diagnostics. You may want to try to add the site naskeo.com and www.naskeo.com and request a new review.
There’s no indication that the review process is not functioning at present. Some sites however take a little longer to properly process and if many sites are queued, it may take a little longer for the sites to be visited.
It looks like naskeo .com has cleared, but www .naskeo .com has not.
http://www.google.com/safebrowsing/diagnostic?site=naskeo.com
What is the current listing status for naskeo.com?
This site is not currently listed as suspicious.
http://www.google.com/safebrowsing/diagnostic?site=www.naskeo.com
What is the current listing status for www.naskeo.com?
Site is listed as suspicious – visiting this web site may harm your computer.
Check the www versions of any pages and make corrections, if necessary. If you don’t already have both the www and non-www versions of the site listed through Webmaster tools, you will want to add the missing version, verify it and request a review again.
As far as the 404 error … I reported that yesterday, regarding another site, and they are aware. However, unless you had already requested a review through Stopbadware, you won’t find any additional information there, as they add sites to the Clearinghouse based upon updating their list from Google’s list. The first thing they would do is get Google to scan the site again and Stopbadware wouldn’t have additional information until later in the process, if they found it necessary to do a manual review.
I didn’t add http://naskeo.com to the diagnosis tools but I will. It’s strange because on Mozilla the naskeo.com website works but not the www one…….
Thank you very much!
This might not be so strange after all.
Google’s Chrome browser and the Mozilla Firefox browser are both basing part of their browsing security on the Google Safe Browsing API, which is using the results of the detections. So while one site is no longer suspected, the suspicious flag of the alternate site access is being carried to the two browsers and all other software products utilizing the Google Safe Browsing API.
Hopefully this will clear up as soon as you’ve added the other site and requested a new review.
A small precision on my side: I don’t know if by “the other website” you mean “http://naskeo.com” or the “www.biogaz-energie-renouvelable.info”. The latter was checked by Google independently (well, still on the same webmaster tools account – mine), and even if it was listed as suspicious for a day or two, after having removed badware from its html, it is now back.
The www.naskeo.com one is still listed as suspicious though (despite me checking everything). However http://naskeo.com is not – which is odd because it is the same site. (And I didn’t even know it existed until recently, when I typed by mistake just naskeo in my Firefox browser and it worked!)
I did add http://naskeo.com to the Google webmaster tools and it said (excuse my French):
Overview
naskeo.com
www.biogas-renewable-energy.info www.biogaz-energie-renouvelable.info www.naskeo.com
Indexing
Top search queries »
Home page crawl:
Googlebot has successfully accessed your home page. More information.
Index status:
Some sections of this site may be distributing malware. Google users will see a warning page when they try to visit these pages. For more information about the problems detected, visit the Google Safe Browsing diagnostic page for your site. Help
Examples of pages that may be distributing malware:
- http://www.naskeo.com/sitemap.html
- http://www.naskeo.com/bilan_carbone.html
- http://www.naskeo.com/actualites_blog.html
- http://www.naskeo.com/company_careers.html
- http://www.naskeo.com/news_press_book.html
- http://www.naskeo.com/company_adress
So it looks up still in www.naskeo.com.
Now on this page: http://www.google.com/safebrowsing/diagnostic?site=www.naskeo.com they said that the last time they found badware was on the 17th of May, and they then visited on the 23rd of May (but didn’t say they found anything on the 23rd).
I’m a bit puzzled. Crossing fingers though.
The Gumblar/Martuz infection has been seen infecting your script files as well. You did check that there are no script files that contained the obfuscated code?
Otherwise, I did view and skimmed the html of a few of the mentioned pages without finding any suspicious content.
Hello Cometcom1
Yes I have checked my java scripts.
Here they are btw :
http://naskeo.com/js/slideshow/slideshow.css
http://naskeo.com/js/slideshow/naskeo_slide.js
http://naskeo.com/js/naskeo_global.js
I am a bit in a panic since we’re still showing as a bad website by Google, we’re losing visitors (hence customers), backlinks, everything.
Did you check the error pages – 404 500 and whatever you have – these are being targeted as well and might not be part of the usual place to look.
You know what, I think you did lead me towards a good path there. I did realise something. I had rebuilt my website a while ago (it was in full php), now it’s in html. So in order not to lose this php content (“you never know”), I kept on storing it in my ftp! Somehow Google still indexed it. I’m quite willing to bet (90% sure) that this Gumblar virus must have infected php as well (since I read somewhere it did). I don’t think I have the infected php folder somewhere still, but I’m quite willing to believe it was infected.
Now, in my Google webmaster tools, it seems that it still stores it in its cache – since I have some URL errors – saying it can’t find my php ones (normal since I deleted them recently).
So I’m going to proceed to a manual request to Google to forget about them and see what happens.
I do hope the martuz.cn domain is now dead as well, since I read that the gumblar one was.
Thanks for your help! Cheers! I’ll keep you posted as soon as our website is healthy!
As noted earlier, StopBadware had a bug that was brought to our attention over the weekend and which we fixed this morning. Clicking search results in the StopBadware Clearinghouse should no longer lead to a 404 error.
Hello
I did use your diagnosis tool that now works. Excellent job!
I’m also happy to announce that my website works now, yay! It was a simple matter of Google having cached some old php pages from our old website before it was refurbished, and that must have gotten infected, that I removed but were still cached. So I told Google to forget them and now it works!! Hooray!
Thank you very much for your help I appreciate it, and I do hope that both gumblar.cn and martuz.cn are now dead.
Unfortunately gumblar, martuz are still very active, and a new site identified only by its IP is now being used.
But, I’m glad that you found the problem and that you’re back in the search index.
Thank you for verifying the diagnostics tool.
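The root cause found in this thread was old PHP files that were left on the server after a redesign and were no longer linked from the site. As an added example (not code from the thread or from any participant), this Python script lists files under a web root that no page reachable from the home page links to. The names `find_orphans`, `own_hosts` and `demo`, and the example.test sample site, are assumptions constructed for illustration; pass both the www and non-www host names so that absolute links to either variant count as internal.

```python
import os
import tempfile
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urljoin, urlsplit

class LinkCollector(HTMLParser):
    """Collect every href/src value of one HTML document as a split URL."""
    links = ()  # immutable default; += below rebinds it per instance
    def handle_starttag(self, tag, attrs):
        self.links += tuple(urlsplit(v) for k, v in attrs if k in ("href", "src") and v)

def find_orphans(webroot, own_hosts=(), entry="index.html"):
    """List files under webroot that no page reachable from entry links to."""
    seen, queue = set(), [entry]
    while queue:
        rel = os.path.normpath(queue.pop().lstrip("/"))
        if rel in seen or rel.startswith("..") or not Path(webroot, rel).is_file():
            continue
        seen.add(rel)
        if not rel.endswith((".html", ".htm")):
            continue  # only HTML pages are parsed for further links
        parser = LinkCollector()
        parser.feed(Path(webroot, rel).read_text(encoding="utf-8", errors="replace"))
        for link in parser.links:
            if (link.scheme not in ("", "http", "https") or not link.path
                    or (link.netloc and link.netloc not in own_hosts)):
                continue  # mailto:, bare fragments, other sites
            queue.append(urljoin("/" + rel, link.path))  # resolve relative paths
    on_disk = {os.path.relpath(os.path.join(d, f), webroot)
               for d, _, files in os.walk(webroot) for f in files}
    return sorted(on_disk - seen)

def demo():
    """Constructed site: two live pages, one script, two forgotten PHP files."""
    files = {"index.html": '<a href="http://www.example.test/about.html">About</a>'
                           '<script src="js/site.js"></script>',
             "about.html": '<a href="/index.html">Home</a><a href="mailto:a@b.c">x</a>',
             "js/site.js": "// site script",
             "old/index.php": "<?php ?>", "old/contact.php": "<?php ?>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body, encoding="utf-8")
        return find_orphans(root, ("example.test", "www.example.test")), find_orphans(root)

if __name__ == "__main__":
    print(demo())
```

Files reported here are candidates for review or removal, not proof of infection; pages reached only through script-generated links or server rewrites will also show up.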
