I recently received notice from Google that the AdWords campaign I run for my online business has been suspended because they believe I "may" be a source for badware to visitors. As a result, people that try to get to my website through Firefox and Google are greeted with a warning that my site might be an attack site. Fair enough.
I have read through the suggestions at stopbadware.org to try and solve the problem. Along with my site’s host provider, I have scanned the site and read through the HTML of the potential problem pages as listed by Google’s diagnostics. We can’t find anything malicious. I am going to submit my site for review again (Fri 11/21/08), this time directly to stopbadware.org. Hopefully, I will hear from them early next week.
My question is this: if I fail the review process again, then what? I acknowledge that there may be something wrong with my site that we simply are unable to find, but my host provider and I certainly have given it our best effort. In the meantime, anyone who comes across my site through Firefox or Google (and perhaps other avenues) will undoubtedly be turned off by the warning pop-up. I know I would be. What’s a struggling web merchant to do?
Yes, Google has given me the following feedback…
Sample pages that may be distributing malware:
- http://mygreencloset.com/
- http://www.mygreencloset.com
- http://www.mygreencloset.com/
- http://www.mygreencloset.com/home.php?cat=249
- http://www.mygreencloset.com/home.php?cat=258
- http://www.mygreencloset.com/home.php?cat=268
- http://www.mygreencloset.com/xcart/home.php?cat=249
- http://www.mygreencloset.com/xcart/home.php?cat=267
- http://www.mygreencloset.com/xcart/home.php?cat=268
What is the current listing status for mygreencloset.com?
Site is listed as suspicious – visiting this web site may harm your computer. Part of this site was listed for suspicious activity 2 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 9 pages we tested on the site over the past 90 days, 8 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2008-11-21, and the last time suspicious content was found on this site was on 2008-11-20. Malicious software includes 8 adware(s). Successful infection resulted in an average of 0 new processes on the target machine. Malicious software is hosted on 2 domain(s), including 89.28.13.0, antivirusdefense.com. 2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including clicksoverview.com, 89.28.13.0.
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, mygreencloset.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
No, this site has not hosted malicious software over the past 90 days.
Hope this helps.
Well, whatever Google was seeing on your site I cannot find.
Take for example http://www.mygreencloset.com/home.php?cat=258
Content linked from that page:
Nothing sus there… no iframes that I can see from the source or obfuscated code. No suspicious JavaScript either. Same for the other pages.
Whatever may have been no longer is… I would hold tight for the results of the evaluation, which should clear your site.
Thanks Baz for the thorough check.
Hopefully the second review of my site that is pending with stopbadware.org will come up clean. I submitted my request late on Friday, so hopefully I will hear something before Thanksgiving. The Google review had a decent turnaround of around 24 hours. I just hope I get a better result on my second try. If stopbadware says I’m clean, will Google and Firefox automatically cease to label my site as a possible threat to visitors?
Hi,
Your website redirects search engine traffic to a fake antivirus site (the most popular exploit this week). You won’t see anything unless you click on search engine results. You can see the redirection chain in this report: http://www.unmaskparasites.com/security-report/?page=www.mygreencloset.com
You should remove the malicious redirect rules from your .htaccess file. Then make sure to check your own computer for viruses and spyware. Then change all passwords.
Denis
http://www.UnmaskParasites.com
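A defensive check for the kind of rule described in the reply above, as an added example that is not part of the original thread: it flags `.htaccess` RewriteRules that send visitors to a foreign host only when the Referer matches a search engine, which is why viewing the page source directly shows nothing. The function name, the keyword list, the sample file and the host `redirect-target.example` are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Referer keywords for search engines (an assumed, non-exhaustive list).
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "aol")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)


def find_referer_redirects(htaccess_text, own_hosts):
    """Return (line_no, target) for each RewriteRule that points at a host
    outside own_hosts and is gated by a search-engine HTTP_REFERER test."""
    findings = []
    gated = False  # True while a pending RewriteCond tests a search-engine Referer
    for line_no, line in enumerate(htaccess_text.splitlines(), start=1):
        cond = COND_RE.match(line)
        if cond:
            pattern = cond.group(1).lower()
            gated = gated or any(name in pattern for name in SEARCH_ENGINES)
            continue
        rule = RULE_RE.match(line)
        if rule:
            # Relative targets such as /home.php have no hostname and are skipped.
            host = (urlparse(rule.group(1)).hostname or "").lower()
            if gated and host and host not in own_hosts:
                findings.append((line_no, rule.group(1)))
            gated = False  # RewriteCond lines apply only to the next RewriteRule
    return findings


# Constructed sample, not taken from the affected site.
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]
RewriteRule ^(.*)$ http://redirect-target.example/ [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^shop/(.*)$ /home.php?cat=$1 [L]
"""

if __name__ == "__main__":
    hosts = {"www.mygreencloset.com", "mygreencloset.com"}
    for line_no, target in find_referer_redirects(SAMPLE_HTACCESS, hosts):
        print(f"line {line_no}: search-engine visitors redirected to {target}")
```

Run it against every `.htaccess` under the web root, including parent directories, since Apache applies rules from each level of the path.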
Denis,
Thanks a million Denis, you were right. My host provider found some code hidden in the .htaccess file. He said it was uploaded via FTP. I have changed all of my passwords again just to be sure (this is about the third time in the last five days). I think I’m getting close, but I won’t consider myself out of the woods until the review of my site through stopbadware.org comes back clean and visitors stop getting the Attack Site warning from Google and Firefox.
