Safe Browsing Diagnostic To The Rescue

Thursday, May 15, 2008 1:49 PM



We've been protecting Google users from malicious web pages since 2006 by showing warning labels in Google's search results and by publishing the data via the Safe Browsing API to client programs such as Firefox and Google Desktop Search. To create our data, we've built a large-scale infrastructure to automatically determine if web pages pose a risk to users. This system has proven to be highly accurate, but we've noted that it can sometimes be difficult for webmasters and users to verify our results, as attackers often use sophisticated obfuscation techniques or inject malicious payloads only under certain conditions. With that in mind, we've developed a Safe Browsing diagnostic page that will provide detailed information about our automatic investigations and findings.

The Safe Browsing diagnostic page of a site is structured into four different categories:

  1. What is the current listing status for [the site in question]?

    We display the current listing status of a site and also information on how often a site or parts of it were listed in the past.

  2. What happened when Google visited this site?

    This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so forth. To help webmasters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries.

  3. Has this site acted as an intermediary resulting in further distribution of malware?

    Here we provide information if this site has facilitated the distribution of malicious software in the past. This could be an advertising network or statistics site that accidentally participated in the distribution of malicious software.

  4. Has this site hosted malware?

    Here we provide information if the site has hosted malicious software in the past. We also provide information on the victim sites that initiated the distribution of malicious software.


All information we show is historical over the last ninety days but does not go further into the past. Initially, we are making the Safe Browsing diagnostic page available in two ways. We are adding a link on the interstitial page a user sees after clicking on a search result with a warning label, and also via an "additional information" link in Firefox 3's warning page. Of course, for anyone who wants to know more about how our detection system works, we also provide a detailed tech report [pdf] including an overview of the detection system and in-depth data analysis.

111 comments:

pando said...

Great, how about a landing page so people can easily query a url they come across in search results? McAfee has a FF plugin for their SiteAdvisor service.

OpenDNS offers a service that's opt-in, to filter "adult" sites. Why doesn't Google offer that ability in its search results? That's "safe browsing" for the family, work and malware.

Thank you.

PAZ said...

I agree with Pando,
what about a Landing Page with a form and a "Safe Browsing" option on your SERPs?

M Henri Day said...

Like Pando, I should very much like to see a Firefox add-on which, in the manner of the McAfee SiteAdvisor, provided users with a small notice icon in the status bar regarding the present status of a web site they have visited, the clicking of which gave access to more detailed information....

Henri

Tina said...

nice one :)

Ravi Kumar said...

It's nice to work. But as nothing is perfect, there is always a reason for improvement.

Jake said...

Hey Guys.. I put together a page so you can easily query to check your site.
Safe Browsing Diagnostic Tool

I'm trying to help out on a problem everyone seems to have, so hopefully this isn't considered shameless self promotion, and canned.

M Henri Day said...

Nice, Jake ; thanks !...

Henri

Jake said...

FYI.. I had a comment on my blog to create a bookmarklet... Sooo.. I did. You can check it out here.

Safe Browsing Bookmarklet

M Henri Day said...

My attempt to draw the bookmarklet to my Swiftweasel [Firefox optimised for Linux] 2.0.0.14 browser toolbar failed, as did my attempt to draw it to my Google Toolbar (the above on Ubuntu Hardy). So instead I right-clicked the box for the website URL and chose «Create Custom Search» Voila ! - a nice little «GT» icon on my Google Toolbar which links to Jake's «Google Safe Browsing Diagnostic» blog....

Henri

Felix said...

Isn't this vulnerable to a man-in-the-middle attack?

The API is unencrypted.

In other words, if a mitm were able to remove hash codes from the lists that Firefox requests, they could circumvent the antiphishing feature in Firefox.

Even the MD5 checksum calc on the lists would be vulnerable. It could simply be rewritten to match the list supplied by the mitm.

MD5 only guarantees the integrity of the communication from the source (which is no use if the source is in fact a mitm).

This is an acutely important issue in the UK, where advertising firms like Phorm are trying to impose their foul behavioural marketing garbage on ISP customers.

It would mean big name ISPs like BT, Virgin Media, TalkTalk were effectively operating a 24x7 mitm attack on their own customers.

The only solution I can think would be an encrypted HTTPS API that would allow clients to authenticate the source of the anti-phishing data.

Pete
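
Felix's point above about a plain checksum on an unencrypted channel, as an added example that is not part of the original comment or of the Safe Browsing API: the list format, key and function names are constructed for illustration, and HMAC-SHA256 stands in for any keyed or signed integrity check.

```python
import hashlib
import hmac

# Constructed sample: a toy blocklist update, one hex hash prefix per line.
# This is not the real Safe Browsing list format.
SAMPLE_LIST = b"a1b2c3d4\n0f9e8d7c\n55aa55aa\n"

# Hypothetical shared key. It only helps if the client obtained it over an
# authenticated channel (for example HTTPS), which is what the comment asks for.
SAMPLE_KEY = b"constructed-demo-key"


def publish_with_md5(body: bytes) -> dict:
    """Server side: ship the list with a plain MD5 digest of the body."""
    return {"body": body, "md5": hashlib.md5(body).hexdigest()}


def publish_with_hmac(body: bytes, key: bytes) -> dict:
    """Server side: ship the list with a keyed MAC over the body."""
    return {"body": body, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def client_accepts_md5(update: dict) -> bool:
    """Client side: recompute the digest and compare it with the one received."""
    digest = hashlib.md5(update["body"]).hexdigest()
    return hmac.compare_digest(digest, update["md5"])


def client_accepts_hmac(update: dict, key: bytes) -> bool:
    """Client side: recompute the MAC with the shared key and compare."""
    expected = hmac.new(key, update["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, update["mac"])


def rewrite_in_transit(update: dict, dropped: bytes) -> dict:
    """Model of a party on the network path: drops one entry and recomputes
    every field that needs no secret. It does not know the HMAC key."""
    kept = [line for line in update["body"].splitlines() if line != dropped]
    body = b"\n".join(kept) + b"\n"
    changed = dict(update, body=body)
    if "md5" in changed:
        changed["md5"] = hashlib.md5(body).hexdigest()
    return changed


def compare_schemes() -> dict:
    """Return whether the client accepts each update, untouched and rewritten."""
    dropped = b"0f9e8d7c"
    md5_update = publish_with_md5(SAMPLE_LIST)
    mac_update = publish_with_hmac(SAMPLE_LIST, SAMPLE_KEY)
    return {
        "md5_untouched": client_accepts_md5(md5_update),
        "md5_rewritten": client_accepts_md5(rewrite_in_transit(md5_update, dropped)),
        "hmac_untouched": client_accepts_hmac(mac_update, SAMPLE_KEY),
        "hmac_rewritten": client_accepts_hmac(
            rewrite_in_transit(mac_update, dropped), SAMPLE_KEY
        ),
    }


if __name__ == "__main__":
    for name, accepted in compare_schemes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The plain digest travels with the data it covers, so it only catches accidental corruption; the keyed check rejects the rewritten list because the MAC cannot be recomputed without the key.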

Todd said...

Interesting security tool. Someone needs to run a comparison of this vs SiteAdvisor on 100 "clean" and 100 "infected" sites. Would be interesting to see the results.

On a side note - it would be interesting to see if Google checks for malware at the time you make the request, or only as part of the last crawl.

info said...

Jake, nice work with the browsing tool. Glad someone is making this even easier for the average user to use.

http://www.MBridge.com

Eirik said...

As a small information security vendor, I'd be interested in a derivative of this tool that points to the meanest, nastiest websites at the moment to stress our anti-malware tools. Is this plausible?

grafilab said...

I am now on the other side, a user of our web site posted a redirect link on our web site to another web site that distributed malware.

Now our web site is listed as compromised in google listing and also there is a huge alert for firefox users. We know that our web site is not infected now, but the big damage for our business was not the virus itself, but Google alerts to our customers. This is creating a big problem for our business now.

You should have tools for us, the hackers' victims, to request a fast review.

I understand clearly that end users should be alerted, however, you are still publishing an alert about a dangerous web site, while the web site is no longer dangerous.

Bryce said...

This whole Google-Borg type thing is a major pain in a webmaster's @ss... and it could potentially kill a business. The system in place for reviews is slow and in many cases wrong, or very lacking in information on how a webmaster can fix things to make the Google Borg happy once again. I see a major class action lawsuit just waiting to happen.

Natalie said...

I totally agree with Bryce.

I think that before Google says that your website can 'harm your computer', it should warn the owner of the site first... then if the owner doesn't do anything, THEN say those nasty words, and scare people out of looking at your site.

There should be a better process... especially since Google is such a powerful force in the world of searching.

mike.s said...

Stop protecting dummies. I am being blocked from a site I know is safe. This is really making me mad because everywhere I turn, policies are being made because people don't know how to take care of themselves. This is not the Soviet Union. I didn't buy an apple for a reason...I KNOW HOW TO USE A COMPUTER. Google stop limiting what I can do.

Jake said...

It is not necessarily protecting dummies, but protecting everyone. Google doesn't keep you from viewing the site, it simply provides a warning mechanism to let people know there have been problems. Is it bad that your browser tells you that a site's security certificate is expired or that you are leaving a secure connection?

@grafilab - if a user on your site can post a redirect link, you have problems with your site, and users should be warned, because who knows where they'll get redirected next... I admit that there needs to be a re-assessment application somewhere, but then if you were a spammer, you would get re-assessed, and then just put the malware back up..

By saying there was a problem in the last X months, you let the visitor know there was an issue, and that it may have been resolved.

M Henri Day said...

To my mind, Jake makes some very valid points here. Categorising people who are less familiar with computers or the internet as «dummies» is both absurd and singularly unhelpful ; as lectures at the latest Black Hat conference made quite evident, we all need protection from certain criminal elements who are making use of weakness in our applications and in the structure of the internet itself. Google is to be applauded for working to make the net safer. Users who find this too intrusive can always choose, e g, another search engine - in particular, as they, at least in their own estimation, are not «dummies»....

Henri

Natalie said...

The other way around this, of course, is to use another search engine !!!!

Which makes me realise how powerful google is becoming.

Larry said...

I'm with the majority of the others in the comments here. I, too, have gone to the other side. Yes, my site got hacked, and I've been flagged. The majority of the damage is to your reputation. You are going to lose your visitors. After getting flagged, I completely rebuilt my site in a day. But, now, I have to wait for google while I lose visitors.
Google should rethink what they are doing to the web masters. Now, they are assuming that the webmaster is the bad guy.
Before flagging a website, they should contact the webmaster. The webmaster can easily take down the site and effect repairs. If not, then flag it.
You know, "This site is down for maintenance. Please come back soon". That would be a sensible solution. What is taking place now, is not sensible. Did they ask the Google user base about this before taking action? I doubt it. To subject your customers to this malware flag is a disservice to all using Google. This is like a big brother act.
What makes it worse... I'm running my sites on Joomla. Has anybody at google tried to maintain a Joomla website while that nasty malware flag is in the way? I doubt it. Plus, it is next to impossible to access your Joomla administrator with that malware flag in place. Bad idea, Google.
Please rethink what you are doing with this malware flagging.
Larry

Cindy said...

Echoing everyone's sentiments here. My site was flagged, I repaired the supposedly infected pages, and STILL Google says my site is hosting malware! WTF!!!!! The once great reputation of my site is now toast. THANKS GOOGLE!

daniel said...

There is another solution by checking website’s IP address.
The website’s IP address (on Internet) is allocated by IANA, RIR, and ISP etc. Based on this information, ISPs build Internet backbone routing table. Because of IP routing, website’s IP address must be legitimate, routable and reachable. Therefore a website cannot fake its IP address as well. Also, most companies do not change their IP address (block) because of the complexity of updating/testing backbone routing table.
We can create a white list based on the IP address. If a website’s IP address is not on the white list, then the user will not accept any download from this site. Any phishing website can be detected as well. This white list will not change often (because most companies don’t change their IP addresses), small (finite number of IP addresses – at least for IPv4) and easy to maintain.

perryjh said...

A white-list idea has always had its merits in thought, but it's been difficult to pull off due to high-maintenance of the list itself.
Companies not on the list, would need to make a request, and then there would be investigation to determine whether the company (and thus the IP) is not going to be used maliciously.

daniel said...

For malicious attack, the white list will have well known organizations that provide executable code to the user. For example, major software companies that distribute application codes, fixes, device driver, etc. For phishing protection, the list will include all major financial institutions. This white list is not intended to include all websites that do not pose threat to the user. This will keep the list small and easy to maintain. The user can always modify this list for her/his needs.

tips said...

I was surprised at the power of Google Safe Browsing diagnostic page. At the time of browsing with Google Chrome one week ago, I discovered the website falsified by illegal computer access, and reported to the authority concerned. In some browsers, it was only Google Chrome that it was effective to detect server system tampering.

Patrick said...

Can anyone help me? My site is getting a malware flag when using Google search for "assisted living san jose", but the wording on the flag refers to someone else's website (some site in Russia). If I go into my own site by entering the url directly and look at the code, there is nothing wrong with it. My site is www.assistedlivingsanjose.com . I am completely baffled by this. The malware flag doesn't even have any code associated with it when you try to "view source". Thanks for any suggestions in advance. --hall.pat@gmail.com

Mystery shopper said...

hi

my site is affected by malwares :( don't know how .. I don't know how to remove this problem :( is there idea please .. I have researched a lot but all sides give just an idea, they don't know how to detect that and remove :(...... For this Google must create a free software by which we check what is the problem in our site.. because there is great loss of business if your site will show such messages....and I think I don't have such other issue that I am doing some unethical thing which will harm other sites or computer :(

tom said...

Just found out that my site (which has been going for 10 years in many forms) is now unwise to visit. My reputation - built before Google was born is now sullied and I cannot do anything to fix it but redesign the entire site from scratch and wait 90 days is a long time in web land

admin said...

Our site has been blocked even though Google's own diagnostic page says ABSOLUTELY NOTHING IS WRONG. This is a completely unfair and malicious attack on OUR business. There needs to be greater quality control so as to avoid unnecessary and harmful false alarms.

backup said...

Yes, we have the same problem. Because of google ignorance and bad organization even they don't know what they are doing. Our site was marked as suspicious without any reason nor proof. And of course google does not bother to even respond to our requests to explain what was the reason for doing so. We also use networksolutions WatchDog which is more competent than google.

Jake said...

Many of you are angry because you feel that you have done nothing wrong.. it is being discovered in many cases that the webmaster's only wrong was not protecting their domain name, and creating a security hole in which subdomains of your site are hijacked and host malware. If you haven't updated your whois information.. do it.

Google is not just randomly attacking your site... someone could be hijacking your domain. Also.. if you are doing any type of link trading (another no-no) you may be linking to a site that has malware... The company you keep!

Patrick said...

I thought Google was blocking my site, but then I checked further. Actually, someone hacked the server that hosts my website and installed malware that advised my site visitors that there is a possible virus. If I go to my site directly, there's no warning, however, if I go there from a search result page of any search engine, it warns of a possible virus (and offers to sell me software to cure the problem). The only solution I could come up with was to change hosting companies, since Globat would not admit their server had been hacked. Also, I found some malicious code for pornography keywords embedded at the bottom of my website when I did a view "page source." --patrick

brew13 said...

I'm a webmaster and my site was hacked and I fixed it in 2 days, but Google still is warning the public that my site is dangerous. I submitted it for review and it's been 24 hours and still no review. I don't understand why Google can't immediately review a site that it has labeled as dangerous when a review is requested by the Webmaster.

I'm sure they could if they wanted to. I have a reasonable proof. The proof is Google's action when I clicked the button to have the site verified . . . it was verified within less than 1 minute . . . almost instantly. Therefore, I'm sure Google could write the code to review a site immediately.

puffboobie said...

I just got flagged and the supposed "malware" sites that google alleges are tied to my site were reviewed 4 days later and no suspicious activity was found on them. But I am still flagged for being tied to them.
First of all, I don't know how I am even tied to them because google doesn't specify what pages they found this "malware" on.
Second of all if those sites aren't malicious or suspicious, why am I???
Third of all google's pages run you in circles and don't make any sense to me.
I happen to be very computer illiterate and it would take me a long time to rebuild my website because someone else built it for me originally and now I don't know how to get ahold of him.
Oh yeah, and I responded to the e-mail google sent me about my account suspension and the reply I got back was about billing questions.
WTF! This is ridiculous. I wish there was a contact number for google so I could talk to a person to resolve this more quickly.
So thanks google for totally f-ing my business in a time of economic hardship. You might want to contact people first before you put up a red flag on their main source of advertising. If there is a class action lawsuit, sign me up!!!

Jake said...

@Puffboobie

If you need help with your site.. contact me jbohall[at]virante.com

Good luck

MS said...

I have some web content at the free web hosting site www.freewebtown.com

I am absolutely sure that there is no malware on my site.

However, it seems that Google has blocked the entire freewebtown domain as an "attack site".

I find that unfortunate. Probably someone is abusing that free service to post some malware. Then, Google should block the sites on the domain where it has found malware, not the whole domain. (If Google found malware on someone's personal site on AOL, would it block the entire AOL domain? If someone posted malware on a Geocities site, would all Yahoo be blocked? What about if someone posted malware on a Google Site?)

Freewebtown is the best free web hosting service I have found, with a lot of space available per person, no ads put on the pages (unlike other free services, such as Geocities), no file size limit. Unlike Google Sites, you can use FTP to upload content created elsewhere.

I am sure that the vast majority of sites on Freewebtown are legitimate, with no malware. Should all the good sites be blocked, due to a few bad ones? Just block the bad ones!

I am a teacher, earn no money from the sites, it is something I use to provide information and help to my students. (Being for young students, it is important that the pages not have ads on them.) Freewebtown is the best host I could find for that.

I sure hope that Google stops blocking the whole domain!

Is anyone listening?

Eric Krock said...

My web site AIDSvideos.org was hacked on July 4th, 2008. I discovered the problem in late July when Google blocked the site (so Google's malware service DID perform a useful function at that point) and promptly fixed it. I've reviewed every character of every page on the site to ensure nothing remains from the hackers. Yet five months later, after SIX requests through their system to be removed from the list, Google is still blocking my web site yet providing no explanation or justification in their review request responses for why they're doing this. One other site has removed their link to our site until this is resolved. Prospective donors and volunteers ask about it. I use iPowerWeb hosting. It's a shared server. Is this guilt by association of some kind? Do I have to switch hosting companies? Google--are you listening? What do I have to do to get off this list?

Outsourcing Services to India said...

Hi

our site is affected by malwares :( don't know how .. we don't know how to remove this problem :( is there idea please .. We have researched a lot but all sides give just an idea, they don't know how to detect that and remove. There is great loss of business.

Please reply

Manisha said...

My site http://sarkari-naukri.blogspot.com has been flagged as Malware. Google shows that only one page is infecting but it has not notified which one. I have more than 4000 pages in my site and how can I narrow down to the infected page. I am sure my site is clean as it runs on blogger site only.

I have requested a review again but two days have passed and nothing has happened. I am losing visitors and reputation. Google should have informed me so that I could have taken action.

Anyone who has a blogger site and has been affected by the same Malware flag, please help me to remove the badwares.

Regards,
Manisha
New Delhi India
http://sarkari-naukri.blogspot.com

liewqi said...

My site had also been flagged, even though I went through all my files and checked every single one of them. My hosting provider has also found nothing wrong with my website, and get this: only certain Firefox users are blocked from viewing my site. It is only showed as a Reported Attack Site on my laptop and my friend's, but everybody else can still view it.

2 issues here:

1) I am fairly sure I have not hosted any malware and have done scans to ensure this is so. I do not see how my website can be flagged as a reported attack site. This has happened before and the block only went away when I bought a dedicated IP in Oct 08 (recommended by my hosting provider), but it is back again.

2) If your Safe Browsing is meant to protect Firefox/Google users, why is it that from the 10 users I have asked to view my site, only 2 get the block sign? Even if your safe browsing page has "correctly" identified an attack site, I find it strange that not everybody is "protected".

Lastly, I have a recommendation: Your diagnostic page is most useless in informing webhosts what the problem is, and where the problem is. I have showed the whole page to my hosting provider, hostmonster.com and they told me that it wasn't helpful at all - if you block a site, the least you should do is better explain why.

Regards,
Liew Qi
(liewqi@sixseven.org if you would kindly reply though I highly doubt it)

Larry said...

I still stick to my statement that I made on August 16th. The idea that Google flags a site before contacting the webmaster is a lousy thing to do. As for community service in this arena, Google has none. They should provide help, and not just make their own customer base look bad. Surely, if google had worthy competition in the analytics arena, things would be different.

Jake said...

Liew, you make some very sound points.. As a webmaster, I empathize with your request for more information, I'm sure google has a really sound reason for not giving out this information... Specifically.. If you are a malicious hacker, and you can easily check your site to see if/why you are being flagged, it makes it much easier to troubleshoot until you no longer trigger the tool, even though your site is still malicious.

I believe it would be a safe bet that you have, or have recently had, something awry with your site.. check things like subdomain hijacking, any type of link cloaking, outbound links to malicious sites, check your javascript, and check your site vulnerability.

liewqi said...

For some reason my problem 3 months ago wasn't resolved until I got a dedicated IP... but since then I have deleted all my subdomains, I don't use any javascript (not that I can recall), outbound links were only to haloscan.com, deviantart.com and livejournal.com and also to hostmonster.com

I recently downloaded Acunetix Web free and it didn't pick up anything.

The only php files I have on my domain are those I coded on Notepad, and they are mostly a bunch of includes to other pages on my site.

I can understand why Google would not want malicious hackers to know where their "mistakes" are, but considering most of these blocks happen to newbie webmasters like me, if we do not know where the malicious content is coming from, how are we supposed to know to remove it and stop it from spreading around? As for hackers, with a block in place, even without telling them information would already alert them to modify their codes. I say either give us a full proper block which works on all Firefox browsers with at least some indication of where the problem is, and not some in-between safe browsing system which doesn't benefit the majority of users.

Regards,
Liew Qi

Bharat Book Bureau said...

Hi,

My web site www.bharatbook.com was also flagged as malware. Because the site was infected with iframe code. Now I have removed the code from the web site and restored the old back up the database. And I have given a request a review in google sitemap. But still in google search it's showing as This site may harm your computer..

It would be great if any one kindly suggest what to do to remove this statement in google search. As now the web site is free from malware.

Thanks
Webmaster for www.bharatbook.com

Fai Mao said...

The ancillary problem is that companies like Anchiva pick up the Google blocks and completely prohibit users from accessing sites at a job or through a network. Many of these sites are used by people for their jobs or at lunch.

Google also seems to flag sites that are put up by groups that disagree with their politics. This could be because people who do not like those sites complain to Google or intentionally hack the site and not be technically Google's fault but it is still disconcerting

For example
http://www.lucianne.com
has been flagged for months and they have completely rebuilt the site. They were hacked by a group in the PRC who were implanting code in post. The problem is solved but Google still flags them

I don't agree with nearly everything the posters on that site say but the links to newspaper articles are a very useful service.

Jake said...

FYI:

1) Many of these problems are occurring because you are hosted on a shared IP, and someone else on the server (could be another site on that shared hosting account).. is doing malicious activity. This is the same type of bad neighbor rule that google will use to penalize you in SEO

2) It takes up to 90 days following a successful clean spider of your site (ip address)... so 3 months after everything is fixed AND Google confirms that it is fixed, your site should be restored.

3) Many times a hacker will place malicious code embedded in an image on your server, or in an iframe. Other times, they will write a script that will generate new pages on your server without your knowledge. You can never be certain that your code is clean unless you have a backup that you restore, or you re-check it by hand.

Virante.com offers a diagnosis outlining point of entry for any of these attacks, as well as an action plan to resolve the issue. Cost is $250/hour, and generally takes 2-3 hours.

Ralph said...

Why are Linux (fedora forums) popping up with this intermediate page that makes it hard to get to research info? Make the forward link clickable!

ying said...

It's odd to visit a page that I had visited yesterday with no problems, while today it has been flagged. Would be good if it tells you why it's being flagged.

Taking a quick search on "google browsing diagnostics" - resulted in this page being flagged as well... Is it running amok ?

GillB said...

My website, digitaldesktops.biz is flagged as having malware.

The only things on my website are image downloads in zip format, and an .swf flash file showing a handful of other images I created.

I have links to various affiliate programmes all connected with the artworld, DAZ, Renderosity, E-on software, 3D Commune.

That is it. Nothing more - yet a friend alerted me today of this flag.

It would be a better tool if it got things right and didn't put people off clean sites !!

Car Finance said...

nice post, what if my site has not found under any malicious practice but what if my site was hosted with one network and that network has some malicious software and malware to his site or server. Does it affect my positions in SERP? Or does my site get a penalty for the same, because I'm facing a problem of sudden ranking loss, so want to confirm it here. Your answers are appreciable. thanks.

Kathy said...

I'm with all of you who are complaining about the length of time it takes Google to review and unlock the site, and the fact they lock it without notification. It took my client's customer to notify her. She didn't even know her online business was locked. Lots of other people's businesses are affected as well. I'm wondering if this could actually be a criminal offense? If these web businesses were actual buildings and someone came in and took them over and kept everyone else out, isn't there a name for that? Theft? They could certainly be sued for monetary loss. My client's site is banned now yet her site is clean. She's losing money. Google is stealing from her. Her husband is an attorney. I think they are planning to "talk" to Google. Since Google is in our backyard, it's easy for them to do so. Google needs to be made aware of the fact that they are hurting businesses. Hopefully, they'll respond well and change their practices.

Jake said...

FYI... CHECK THE IP ADDRESS OF YOUR SITE BEFORE CLAIMING THAT YOUR SITE IS CLEAN... YOU COULD BE SHARING AN IP WITH A MALWARE SITE (SHARING AN IP MEANS YOUR SITE IS ON THE SAME COMPUTER).

If you are on a compromised server, which we have seen to be the issue in many of these cases, then your site will be flagged. Solution.. move to a dedicated IP.

liewqi said...

A dedicated IP costs money --" It's the server provider's fault for not removing the site with malware, and not the fault of others who share the same server. Google ____ sucks (insert your hosting provider there) and check to see if they have security issues covered.

I found that one of my sites had its htaccess hacked. Apparently this is quite a common problem; check all your htaccess files (above and below your public_html) folder with a word editor (like Notepad) and make sure it's completely empty. I found some random crap inserted into mine and after deleting it the Google block was lifted. Change your FTP passwords regularly or try a secure FTP program.

Jewelfortune.com said...

I agree with Pando,
what about a Landing Page with a form and a "Safe Browsing" option

the clairvoyant said...

I am the webmaster for
http://ukc.ksea.org/ukc2009
This site does not host any malware but for some reason google is showing it as malware.

I would appreciate it if such warnings are removed.
It is critical for our conference success.

Thanks

JAE said...

The same happened to us: blocked with no notice. Unfortunately Google was right and we had a file (JavaScript) with malware. How long do we have to wait for it to be solved, for Google to remove the warning? (For an internet media outlet with an average of 25.000 unique daily visitors, every hour means too many people.) So I would like to share some reflections:

1st.- Why is there no human contact to notify or talk to, to say the problem is solved?

2nd.- Why doesn't Google help to determine the file that compromises the security? (Obviously if they know it; I don't know this point.)

3rd.- If that helps, the problem in our server was with a JavaScript file named JScript.js that loaded a gif from the sites 51of.net and web.51.la that tried to install a file from g00gleadserver[dot]com/set.htm

We don't know who placed/overwrote the file but the fact was it was malware.

Now we have to wait for a review of our site, but we don't know when or who will do it... and meanwhile time passes and our visitors now receive a false warning (Google has assumed a big responsibility; we hope you will be consistent with it. It's very hard to build a brand and very easy to damage it).

JAE
Content Manager
Informativos.Net

vipmultimedia said...

I had a similar problem to JAE.
What Google is doing is just not acceptable.

Even after we cleaned our website we had to wait 24 hours for a new scan, with some imprecise information about where the problem is.
We should talk in minutes, not days like Google is doing right now.

And for God's sake give us some decent scan tool so we don't have to wait for God to bless us and tell us how our website is infected.

JAE said...

To VIP Multimedia:

I used a very fancy tool (freeware; I think developed by Microsoft or someone related to it, as you can see in the help menu) to determine where the infection came from. It's here (http://www.fiddler2.com/Fiddler2/version.asp)

Its name is Fiddler and once installed you start it and then your web browser (you can find a shortcut in your toolbar in IE and Firefox). From then on all the traffic between a server and your web browser is traced (suspicious files are also marked in red) so you can trace what file is acting dangerously. In my case I saw a .js calling a .gif that pointed to a malware site. It was easy because we host all files on our own servers so something loading from 'outside' was very easy to trace.

Wait about 24h after it is solved to be recognized as safe again by Google... :(

JAE
Content Manager
Informativos.Net
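The check JAE describes, spotting anything that loads from "outside" when all files are supposed to be first-party, can also be run statically on a saved page. This is an added example, not part of the original thread; the host names, the sample page and the function names are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute whose value the browser fetches when the page loads.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}

# Constructed sample page for a site whose own hosts all sit under site.example.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://static.site.example/site.js"></script>
<link rel="stylesheet" href="css/main.css">
</head><body>
<img src="//counter.tracker.example/c.gif" width="1" height="1">
<iframe src="http://site.example.ads.example/frame.htm" width="0" height="0"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""


class ResourceCollector(HTMLParser):
    """Collects (tag, absolute URL, line number) for every fetched resource."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            url = urljoin(self.page_url, value.strip())
            self.resources.append((tag, url, self.getpos()[0]))


def is_first_party(host, first_party):
    """True if host is one of our domains or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in first_party)


def external_resources(html, page_url, first_party):
    """Return (line, tag, host, url) for resources served from other hosts."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    collector.close()
    findings = []
    for tag, url, line in collector.resources:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue  # data:, about:, javascript: URLs fetch nothing remote
        if not is_first_party(parts.hostname, first_party):
            findings.append((line, tag, parts.hostname, url))
    return findings


if __name__ == "__main__":
    page = "http://www.site.example/index.html"
    for line, tag, host, url in external_resources(SAMPLE_PAGE, page, {"site.example"}):
        print("line %d: <%s> loads from %s (%s)" % (line, tag, host, url))
```

A static parse only sees what is written in the markup; a resource requested by a script at run time, like the .gif in JAE's case, shows up only in a proxy trace of a real page load.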

Frances said...

Hi All

We are a small business and have had the same problem with Google putting a notice on our site without any notice to us - (come on Google, please start informing us first, as our small business feeds our family and I'm sure I'm not the only one).

When we received the email from google, it was quite a big shock as we only ever upload information via copy and paste to our site from word documents which are written from computers that have very up to date anti-virus and anti-malware software.

I am in the same area as all of you: Google has told me I have a problem but will not explain what it is. I then checked a Norton web-checking tool and my site is completely clean - here are the results - so I am a little confused

https://safeweb.norton.com/report/show?url=faa-uk.com

I have spent the whole weekend reading what to do (a huge thank you to all of you for taking the time to describe your problems and possible solutions)

I would advise you all to first check every link you have with the Google checking tool to make sure the links are clean, then remove any sub-domains and link directory links (these could be a source of problems). Next go to www.malwarebytes.org (great reviews) to check if your own system is in any way infected, which could lead to infected uploads.

Finally I have come across a very interesting article that may help others - this is our last step before we submit for a review.

http://kb.siteground.com/article/How_to_check_your_website_for_malicious_content.html

Fingers crossed this helps - I will certainly keep you all updated

Once again a huge thank you for all your comments and suggestions. Keep up the great work.

F Armstrong

JAE said...

Well, to add more confusion, this weekend we have been banned by Google (again). The funny thing is that we have done nothing (except review the code and ask for an external audit, which said our servers were clean -a very expensive conclusion due to the weekend and night work- and recommended us to... wait).

Exactly... without doing anything the alert was removed 48 h later!!

What? Yes! It has been a false positive that has been blocking our traffic and giving alerts to our visitors all weekend FOR FREE!!!

Incredible... :(

P.S.: obviously no signs of life from Google

Bill From Cleveland said...

My site was just flagged for the simple reason that it was hosted on a shared server with another site that really did have malicious software.
This is insane, we are a fansite for a radio program. We don't even have any ads running, let alone any desire to harm people's computers.
Google's action may have caused us irreparable damage for no reason.
We are good people that got squashed for no reason.
www.theoandavirus.com

Ps. The radio program is on XM satellite radio. The name of the channel is "The Virus".

Jake said...

Hi Bill,

Google makes the point that if you are on a compromised server, that it is possible that any infection could also cause harm from your site as well and you would never know it.

Simple solution.. get a dedicated IP.

JAE said...

I have used Fiddler to sniff the traffic on your site and seems there´s no problem actually. Just ask for a review of your site (google tools) and wait... in less than 24h you should be ON again.

Good Luck!

JAE
Informativos.Net

Nytmare said...

I run a personal image gallery for my friends and me on my server. I have no domain name, only myself as admin, only I have FTP access, and I also have a dedicated IP. I have also used multiple checkers to ensure that I am virus and malware free.

I'd like to know how Google's usually stellar service could go so wrong?

uniqbrc said...

www.dinisohbet.org is a clean web site and there isn't any malware or trojan, but Google still says this web site is bad. What can I do?

JAE said...

Hi, uniqbr:

Your site seems clean (as far as I can see with Fiddler, the diagnostic tool). What you have to do is... WAIT. Yes, wait, wait, wait until someone at Google decides to unban your site.

Patience...

JAE
Informativos.Net

Panayiotis Mavrommatis said...

@uniqbrc
http://dinisohbet. org/ was very much dangerous when we checked it. If you do believe it's cleaned up, you can file for a review via the Webmasters Console.

Rhodes Hileman said...

Hosting your website on a shared server is not necessarily the kiss of death. I have had my site up for 14 years, only three of those were on my own server with dedicated IP addresses (and my own DNS server). For the other 11 years I was hosted remotely on professional ISPs (Best and Speakeasy). The only time I was attacked and flagged was when I had my own server and was not paying enough attention to it.

So properly run ISPs can guard your web site, and its server, effectively. Pick the right one.

Shelly said...

I think this stinks. I get a warning on a page I built for my dad and have no way of knowing what Google is talking about. It's "Malicious software is hosted on 1 domain(s), including martuz.cn/."--what is this all about? The only ad I have on my page is Google!

So people can't come to dad's site and I don't know why!

Shelly said...

PS to "Natalie said... I totally agree with Bryce.

I think that before Google says that your website can 'harm your computer', it should warn the owner of the site first... then if the owner doesn't do anything, THEN say those nasty words, and scare people out of looking at your site."

I agree with both of them--but even if it did warn me first--I don't know what they are talking about--how about a warning that takes you to a page that tells you what to do to get rid of their suspected problem!!!! My warning tells me I have a link to a malicious --where is the link????? I can't find it!

Shelly said...

Kathy said...

" I'm wondering if this could actually be a criminal offense? If these web businesses were actual buildings and someone came in and took them over and kept everyone else out, isn't there a name for that? Theft? They could certainly be sued for monetary loss. My client's site is banned now yet her site is clean. She's losing money. Google is stealing from her. Her husband is an attorney. I think they are planning to "talk" to Google. Since Google is in our backyard, it's easy for them to do so. Google needs to be made aware of the fact that they are hurting businesses."

IF ANYONE INITIATES A LAWSUIT PLEASE LET ME KNOW AS THIS IS INSANE--i HAVE NO WAY TO PAY $250 AN HOUR TO FIND THE PROBLEM AND WAIT 3 MONTHS FOR GOOGLE TO "CLEAN ME." Shelly{at}day-by-day{dot}org

Bare Bear said...

would anyone be willing to check my website? www.fairlytradedorganics.com

It was flagged by google and my customers are complaining they can't access information they need (download spec sheets etc). My hosting services (bluehost.com) says that everything is fine

Thanks!

Jake said...

Bare Bear... ur problem is being reported as having to do with traffic-resources.cn... I would start by eliminating any scripts calling from that site.

If possible.. disable any scripts running on your site period.. and work them back in as you test.

Marc said...

Hi, please please please can someone tell me what is wrong with my site. Google webmaster has my site as suspicious and has put a warning sign on my site (www.hiagra.com). My site is very straightforward, the only script I have on is webmaster and analytics, so I don't understand why it is doing this.

It is costing me sales and as my only income source it is worrying.
Please can someone direct me how to be taken off the so called list.

Many thanks
Marc

Mikko said...

It seems I have to stop using Chrome as this warning feature has now flagged the whole domain of getdropbox.com, a very handy file sharing / "virtual memory stick" service I subscribe to. (And with thousands of users, BTW.) Way to go Google!

Jake said...

Mikko..

getdropbox.com doesn't show any type of warnings for me... I'm using google chrome...

Also, if I try the tool here - http://www.grapethinking.com/google-safe-browsing-diagnostic and type in getdropbox.com.. google reports the domain as safe..

M Henri Day said...

But note, Jake and Mikko, that suspect content - 119 of a total of 1183 sites - was detected by the tool on the site, with the last detection[s] occurring today, 2009-06-12. That «thousands of users» may utilise its services hardly improves the situation....

Henri

eligio said...

Can anyone check if my site funoyun.com has malware? My site is currently blocked, but I checked it already. Thanks

Raz said...

Hi,

Some long time ago you could have accessed http://sb.google.com/safebrowsing/update?version=goog-black-url:1:1 and seen a part of the black list.

Is there any way you can retrieve / have access to the black list of URLs Google's SB is storing?

I mean, the SB API lets you check against the db a specific URL, but I would like to search their list for a specific URL format, not knowing the exact URL to check the db if it has it or not.

Thanks,

Fragrant Blossom Soaps - Arcadia Soap Shop said...

Today I found that Fragrantblossom, the site that I count on very heavily, was blacklisted by Google for malware. I deleted the entire site, made a new one and uploaded it. Google, I can't wait weeks for you to get around to approving my site. My husband works for automotive and we need to make a living here. Please unblacklist my site!

contact said...

I also have just had my first experience of having my hosting account hacked and received an email from Google.

I am completely in agreement that you do this Google, but I have 2 suggestions:

1. When you warn web visitors under our link in the search engines, you could also say that in many cases the site they are trying to visit will have been hacked by some 3rd party and it is highly likely that the site itself is a good site - or words to that effect - because if I had come across your wording when doing a web search I would NEVER knowingly come back to that site again!

2. PLEASE, please make your 'help pages' easier to follow - as someone else said above, you give explanations with link, after link ...after link, but I still haven't found out (after 2 hours of reading) how to submit my site to google to get the ban lifted. (btw, this applies to nearly all your help pages. I know you have great info but some of us would need a year to read it all ;)

Miranda

Fragrant Blossom Soaps - Arcadia Soap Shop said...

Google, when you ban sites without contacting the webmaster, and most of us are honest, decent people who are trying to make a living online as you are, you are making it hard for us to compete. My customers have been calling in to ask what happened and I've hardly gotten work done this week. Please lift that ban! I have erased all the files and put a brand new website up.

Please work with webmasters BEFORE you restrict the page. Offer us a fix it for a fee! I'd pay the fee over having my site banned with no warning.

gdinim said...

from lightmountainphotography.com
It is unconscionable for google to block a site without first advising the webmaster that there is a problem. Especially since they block the site 90 days after noticing the problem and block the site without having revisited it in the past 90 days.
It is a highhanded practice that smacks of contempt.
I believe that the only way that Google will change this practice of blocking a site without giving warning to the webmaster so the site can be cleaned up is a class action suit by all the businesses who lose income as a result of this shortsighted practice by Google.

bpoworld said...

I am the webmaster for
http://trainingtag.com
This site does not host any malware but for some reason google is showing it as malware.

I would appreciate it if such warnings are removed. And please, it is very difficult to wait weeks for a review. Please take the necessary steps to minimize the review time.


Thanks

bnip said...

I've only recently become aware of this feature and it sounds great. However, as pointed out by many others, sites I manage for clients were marked as having malware.

And at one point in time this was true (which I'm glad I was told about by this feature); however, I've fixed the problem, but the sites are still getting labeled saying "This site may harm your computer".

http://brashwebdesign.com
http://theroofmd.com
http://contemporaryphoto-fl.com

I've followed all the suggestions about contacting Google as well as Badware Website Clearinghouse, but the turnaround time is a little crazy: 3 months (90 days).

Please help me fix this so I don't lose clients and ultimately my livelihood.

Thanks,

bnip said...

It seems this issue has been fixed now.

Using the Badware Website Clearinghouse seems to have helped speed up the turn around time.

myshortpencil said...

There is absolutely no malware on my website at myshortpencil.com. Yet, there is no way to tell Google that it is libeling my site and have it withdraw its assertion via the Firefox browser that my site is "A Reported Attack Site!"

It appears that my site is being blocked because other domains at my hosting service may have badware, but mine doesn't. If Google claims a site has badware, it ought to point specifically to the problem.

Who do I complain to at GOOGLE about this serious attack on my website?

Patrick said...

I had a similar problem last year. Someone hacked our website and put some porn keywords into it. I did a "view source" and found previously unknown porn keywords and removed them from our site. But the warning message remained. The hackers' true aim was to sell software to "fix" the problem. They also hacked the server where my site was hosted, at Globat.com. Unfortunately, I could not convince Globat to move my site to a different server. The problem finally went away when I moved my site to a different hosting service. The "Warning" page disappeared within one day. My friend who was giving me tech support theorizes that somehow, the hackers had inserted code on the former hosting server (not my website) that served up the warning message in response to any request for our website that came via a search engine. Google can't fix the problem since it's not really their warning message--it just looks like it comes from Google.

M Henri Day said...

I hope that Google will take the difficulties described by site owners on this forum seriously. The adventures of a Swedish site owner who found his site suddenly blocked on Google without prior notification were portrayed today on a media programme on Sveriges Radio; the site owner, though willing to correct any problems, found himself utterly unable to come into contact with anyone at Google who could help him resolve the difficulty. It was only after a journalist at Sweden's largest media complex had intervened that Google took contact with the site owner. Stories of this type do not help Google's reputation, particularly when, as in the present case, they are true. Given the firm's absolute dominance in the search industry, Google is going to have to find a better way to deal with problem sites than that it employs today - a new policy will no doubt be costly, but it is absolutely necessary....

Henri

myshortpencil said...

It turns out there was a malware script inserted into my index.htm and index.html files that started with
(script)var f18Dp4="9Bk29Bk";var bIllCc="79k";var IOWlLGaq="k%68Bk";var sqVRWw="Bk65Bk%"

It appears that the infection came in through WordPress. I was running version 2.7 and found the infection in my theme editor in the script for the main page. Even though I scanned my site with CPanel's virus checker and my hosting service said that Google's alert couldn't be confirmed by it, the malware was there! I have no ads on my site and allow no posting without my approval in the blog, but the malware got in. I spent 12 hours fixing my site and I'm still not sure if I got it all.

In my opinion, GOOGLE ought to have the duty to tell people which specific web pages it finds the malware in. I have hundreds of webpages that I've accumulated over 10 years. It's impossible for me to check every page.

My hosting service said I might be able to run grep -R "(script)var" to have the computer search for that combination of characters in all of my webpages, but I haven't tried it yet.

Google won't let me write the tag "script," so take out () and put in <> for what I really mean.

Also, there's another problem. I followed Google's instructions to have my site resubmitted for a rescan but the link Google said to click on in Webmaster Tools doesn't exist. So, I resubmitted my site at stopbadware.org.

Google needs to do what's right here -- not what's easy. It feeds off website owners. The least it can do is provide accurate information on its webpages and provide the information about where exactly it found the malware.

myshortpencil said...

It turns out that Google did provide the link to request a review of the presence of malware in the Webmaster Tools. It turned up about 24 hours after my site was blacklisted.

The best website explaining how to fix your website is http://25yearsofprogramming.com/blog/20071223.htm

And the site that found all the malware on my site was http://wam.dasient.com/wam/

The second best was http://www.unmaskparasites.com/

Panayiotis Mavrommatis said...

As we mentioned in our announcement, reviews are usually done within 24 hours.

You should be able to get more prompt responses in our webmaster forum and in Badware Busters.

Also see our recent blog post for more details about how reviews work, how long they take, and how to get more help.

MirandaR said...

Thanks to myshortpencil for that info and those links. I've sorted it this time around but in case there's a 'next time', links will be very useful

MONEY-TISE-ONLINE said...

@myshortpencil.. thanks for the info of about those useful sites.

btw my site: http://moneytiseonline.com also tagged as a harmful site, but I already cleaned it. I also changed the template and removed all the ad links and suspicious third party links.

Any idea on how many days before those warnings will be totally removed?

Rohfun All in One Page Office Site said...

hello everyone
I have now cleaned my site and refreshed my hosting account with the service provider, but I have the same problem in Google search, and webmaster does not accept my site and shows this message: (This site may be distributing malware. More Details). The same matter blocks my site; I can't use FTP or widgets. Please try and check my site and review it for me.
regard
www.rohfun.com/blog

ana said...

hello friends:
my website www.karasc.com
already has a problem. It had a virus one month ago but now it is clean and safe, yet the Google engine has marked it as having a problem with a virus until now. We couldn't use the website, I need help.. pleaseeee
regard
anahid

Shelly said...

I have to say I was really really upset with Google for banning--I wanted to join a lawsuit. However, it turns out I was getting attacked from some i-frame viruses--AVG could not find them. My host had to lock me out until I could find the problem. I went to Avast anti-virus and they found stuff hiding in my registry--so I had to go from AVG free version to Avast pro (I paid 79.00 I think) but it was worth it. I cleaned my computer with Avast and used some malware just for good measure.

I resubmitted to Google and in one day they cleared me. BUT I have to say I subscribe to their "tools" and have them check my pages until they are clear--they do it right away. I think the folks that have to wait are not subscribed to their "web tools". I hope that helps.

snapper12 - news pictures said...

Taking into account the fact that Google are a huge enterprise..... (really its just people running a database, a very large database) I don't think I've ever experienced such a lack of ability to communicate with actual people.

Us for instance, we're the victims of hackers - not hackers. Hacking on the internet is a huge problem.... there's a whole industry thriving around it - you'd think Google would be brilliant at dealing with the problem of stressed out webmasters, the victims of hackers.

But they're not.

Google should send the one or two people (the folks who make the decisions as to how the victims of hacking are dealt with maybe?) on a course with Apple. Apple are brilliant at communicating with people using the internet. I'd buy almost anything from Apple because I like the way they deal.

I wouldn't buy anything from Google.

Jake said...

@snapper12

Why should google spend their resources and $$ to help you fix your security problems? They aren't the internet police to help you find out how/who broke into your site or provide you with someone to talk to when your inability to "lock your doors" (or that of the hosting company you do pay $ to) results in your site getting hacked.

Google is not apple... they don't make mp3 players, they don't sell software or music.. If you were a paying customer for one of their non-FREE services (like adwords), they do provide support. They have no obligation to include your website in their index, and they have no obligation to take down warnings when your site is serving malicious content. They also do not have any obligation to help you troubleshoot the issue... The mere fact that they tell you about it should be appreciated.

If you want customer support, look to the place where you are actually a customer... your hosting company, your website developer, etc... They are the ones who left you vulnerable, and they are the ones you've PAID money to..

Sorry for the rant, I just hate it when people get something for free and then whine cause they aren't getting more. I'm just waiting for @snapper to start fielding calls and providing tech support to the visitors to his site who now have malware on their computers. Get a life!

Francis said...

My experience is that most Google-flagged sites have been hacked by someone who has obtained the FTP password from a compromised computer used by the web site owner.

So run anti-malware checks on your own computers and change your FTP passwords from time to time, folks.

As for cleaning the web site, look for obfuscated Javascript in the HTML pages, and for .htaccess files in web site subdirectories that are telling Apache to redirect visitors.

Hope this helps.
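The two places Francis says to look, obfuscated JavaScript in pages and redirecting .htaccess files, are also where myshortpencil found the fragmented `var` strings, and both can be swept for in one pass over a local copy of the web root. This is an added example, not code from any commenter; the heuristics, thresholds, host names and sample files are constructed assumptions.

```python
import os
import re

# Heuristics for injected script (assumptions; tune them to your own pages).
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
JS_SIGNS = {
    "eval/unescape decoder": re.compile(r"\b(?:eval|unescape|decodeURIComponent)\s*\("),
    "String.fromCharCode": re.compile(r"\bfromCharCode\b"),
    "document.write": re.compile(r"\bdocument\.write(?:ln)?\s*\("),
    # Several short string fragments declared back to back, glued together later.
    "fragmented string vars": re.compile(r'(?:\bvar\s+\w+\s*=\s*"[^"\s]{1,12}"\s*;\s*){4,}'),
}
# Apache directives that can send a visitor to another URL.
REDIRECT_RE = re.compile(
    r"^(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b.*?\bhttps?://([^/\s\"']+)",
    re.I)
COND_RE = re.compile(r"^RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", re.I)
PAGE_EXTS = (".htm", ".html", ".php")

# Constructed sample site: one injected page, one clean page, one legitimate
# and one tampered .htaccess. All host names are placeholders.
SAMPLE_SITE = {
    "index.html": '<html><body>\n<h1>Shop</h1>\n<script>var a1="9Bk2";var b2="79k";'
                  'var c3="k%68B";var d4="Bk65";document.write(unescape(a1+b2+c3+d4));'
                  '</script>\n</body></html>\n',
    "about.html": '<html><body><script>document.write("2009");</script></body></html>\n',
    ".htaccess": "# force https (legitimate)\nRewriteEngine On\n"
                 "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]\n",
    "images/.htaccess": "RewriteEngine On\n"
                        "RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]\n"
                        "RewriteRule .* http://redirector.example/in.php [R=302,L]\n",
}


def scan_page(text):
    """Yield (line, reason) for inline scripts that look obfuscated."""
    for m in SCRIPT_RE.finditer(text):
        signs = sorted(n for n, rx in JS_SIGNS.items() if rx.search(m.group(1)))
        # One sign alone (e.g. document.write) is common in legitimate pages.
        if "fragmented string vars" in signs or len(signs) >= 2:
            yield text.count("\n", 0, m.start()) + 1, "obfuscated script: " + ", ".join(signs)


def is_own(host, own_hosts):
    host = host.lower().split(":")[0]
    return any(host == h or host.endswith("." + h) for h in own_hosts)


def scan_htaccess(text, own_hosts):
    """Yield (line, reason) for off-site redirects and referer-conditional rules."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if COND_RE.match(line):
            yield no, "rule conditional on referer/user agent"
        m = REDIRECT_RE.match(line)
        # A target built from server variables (%{HTTP_HOST}) stays on this site.
        if m and not m.group(2).startswith("%{") and not is_own(m.group(2), own_hosts):
            yield no, "%s to external host %s" % (m.group(1), m.group(2).lower())


def scan_tree(root, own_hosts):
    """Walk a local copy of the web root; return sorted (path, line, reason)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name != ".htaccess" and not name.lower().endswith(PAGE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = scan_htaccess(text, own_hosts) if name == ".htaccess" else scan_page(text)
            findings.extend((os.path.relpath(path, root), no, why) for no, why in hits)
    return sorted(findings)


def write_sample_tree(root):
    for rel, body in SAMPLE_SITE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_tree(tmp)
        for rel, no, why in scan_tree(tmp, {"shop.example"}):
            print("%s:%d: %s" % (rel, no, why))
```

Matches are leads to inspect by hand, not verdicts: a clean result does not prove the site is clean, and legitimate minified scripts can trip the same patterns.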

Freddy Pantouw said...

Dear All,
Please help me to fix my website
It has been attacked. I already went to Google webmaster tools but there is still a problem.
my website : http://www.bestmanadoguide.com
Thanks and all the best

pedrolas said...

A good mashup of these tools is at http://secureurlchecker.appspot.com/

Digital said...

I need to contact someone at google.

My site is absolutely clean. I checked for malware on webmaster tools, and it says Google has not detected any malware on this site.

but it still comes up with a malware error on chrome and safari browsers, but it's fine on firefox or internet explorer.

the site is digitaldubbed.com

Can someone please review the site as i cannot request it be reviewed because it says that there is nothing wrong with it when i go to the malware section.

PLEASE HELP.

Thanks
-Digital Dubbed

melandria said...

hello, hope you can help me with this, just today, i found my blog with a malware on it and i could not find the source on how i can remove it,

The website at www.melandriaromero.net contains elements from the site newbloggingtipz.blogspot.com, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer.
For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for newbloggingtipz.blogspot.com.
Learn more about how to protect yourself from harmful software online.

i really wanted to erase this malware to my site. hope to hear from you soon.

melandriaromero@gmail.com

Dave Wall said...

As with so many other falsely accused website owners, I need to contact someone at Google.

My site is absolutely clean having been completely re-uploaded and thoroughly cleaned - not that any tools that any software or person could find in the original site!!

The site is masterpiecesphotography.com.au and is a commercial site which thanks to Google's incorrect, misleading and probably illegal notices, is making my potential customers go elsewhere.

Of EXTREME concern is the fact that at no point did I ever receive any sort of warning from Google about the alleged initial "malware issue" before these warnings were applied.

Of even greater concern is the fact that this "problem" raised its head at the same time I stopped my Google advertising programme - I hope this is just a coincidence!!

Can someone please review the site immediately and provide me a person with whom i can discuss these disturbing issues.

I have a business to run and Google are preventing it from operating properly!!!!

Greek News blogg said...

Without my page having a problem, Google turns up a virus alert. What can be done?

This is my site katharismos-saloniou.gr and it is CLEAR!!!

Leon Victor said...

I use the free Firefox add-ons "Malware Search" and "McAfee SiteAdvisor" for safe browsing.