Best Practices for Verifying and Cleaning up a Compromised Site

Thursday, October 22, 2009 10:38 AM



As part of Cyber Security Awareness Month, Google's Anti-Malware Team is publishing a series of educational blog posts inspired by questions we've received from users. October is a great time to brush up on cyber security tips and ensure you're taking the necessary steps to protect your computer, website, and personal information. For general cyber security tips, check out our online security educational series or visit http://www.staysafeonline.org/. To learn more about malware detection and site cleanup, visit the Webmaster Tools Help Center and Forum.

In our last post in this series, we explained Google's malware scanning process and how malware warning reviews work. It's not always clear to webmasters how to go about cleaning up their sites once they've been compromised, so this time we thought we'd share some best practices.


1) Verify Your Site with Google Webmaster Tools

If you have added and verified your site's ownership with Google Webmaster Tools, you can view a partial list of URLs where our system has detected suspicious content on your site, as well as samples of the malicious code. Once you've thoroughly cleaned up your site and addressed the vulnerability that allowed it to be compromised, it's easy to request a review through Webmaster Tools. We recognize that some site owners may want to use these tools even if they haven't already signed up with Webmaster Tools. For that reason, we enable you to verify ownership of your sites at any time, even if our systems have listed them as potentially dangerous.

2) If Your Site Has Been Compromised, Perform a Comprehensive Cleanup

If any part of your site has been compromised, thoroughly check all pages on the site for harmful code or content — not just the example pages listed in Webmaster Tools. Be sure to identify and address the underlying vulnerability that led to the compromise, or else reinfection is likely to occur.

Remember to Check Your Web Server Configuration

In addition to checking the contents of your site's pages and web server source code, remember to check that your web server configuration has not been modified by any intruders. If your web server has been compromised, your site's error pages can be modified to include custom HTML that actually redirects visitors to malicious sites.

Deleted & Error Pages: Dark Corners of Your Website Where Malware May Be Lurking

When a page is deleted from a site, the web server returns an error code (usually 404: Not Found) when requests to the "deleted" URLs are made. In addition to the error code in the HTTP header, the web server may send a custom error page or "Not Found" page, usually intended to help users find what they are looking for. If your site is infected, its error page can contain arbitrary HTML that exposes your visitors to malware. You can search our Webmaster Forum for information about how others are dealing with similar problems. The recently-launched malware samples feature in Google Webmaster Tools could also come in handy.

3) If You Switch Hosting Providers, Disable Access to the Old Version of Your Site

When a site is moved to a different hosting provider, the DNS records are updated such that the domain name points to a new IP address. In some cases, DNS caching can cause your domain name to continue resolving to the old IP address for some visitors even after the site has moved. For this reason, we recommend instructing your former hosting provider to stop serving any content for your site. This may cause some visitors to experience server errors for a few hours, but can protect them from visiting a potentially dangerous web server.


As always, our Webmaster Forum and StopBadware's BadwareBusters can be good sources of help and information when cleaning up a compromised site.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

6 comments:

Abdulhakim khalib Haliru said...

This is really informative, i got something here. Thanks.

Abdulhakim khalib Haliru said...

This is really informative, i got something here. Thanks.

James praker said...

Hi!
This is great news.Google Anti-Malware team is rally doing something to make safe use of internet.I'll defiantly follow these guidelines..Thanks for sharing.
- J.
Web Designing

pence2cents said...

There are various websites that I visit regularly that have malware warnings, which I appreciate, but I don't always get the same warning screen and one of them makes it particularly difficult to access the site. It lists the URL that I was trying to reach, but it's not a link and there's no "check here to proceed" box. So, I have to copy and paste the URL and then I get the normal Malware warning with the red background and the option to proceed if I check the box. I don't know if this is just a glitch, but it makes browsing much more difficult for me because the websites generally don't have good internal search engines.

Vernon said...

I am currently cleaning up malware on the server. Thanks for the tips!

Nick Adams said...

I really like your blog and this blog gives me a great information. Thanks to you share with me this nice information. So keep it up. .