How to remove your web site from Google’s blacklist

Google’s “This site may harm your computer” warning may very well be every website owner’s most dreaded nightmare. When Google blocks your site you can say goodbye to any traffic you had and watch your revenues drop drastically.

Whether you like it or not, Google traffic means everything:

Here I’m going to show you how to fix this issue and get your web site back in order. The process is fairly straightforward and if you follow these steps, you do not need to worry.


1) Assess the problem

The first thing you need to do is activate Google’s webmaster tools. If Google is flagging your site as malicious, then they ought to show you what the problem is, right? And that, they generally do.

Add your site to Google Webmaster Tools by clicking the “ADD A SITE” button.

Google will ask you to verify that you are the site’s owner:

Use SFTP, FTP or cPanel’s file manager to either upload that file or create it by hand with exactly the same name and content.

Once this is done, navigate to Health -> Malware:

Here Google will tell you what it found and where. This includes a list of pages where bad code was found:


2) Remove the problem

The problem is malware or some other sort of malicious / spammy / phishy content.

Cleaning up a website can be a difficult task if you are not familiar with coding or security in general. However, you are not alone. There are entire communities out there where people can get help. I recommend in particular StopBadware and BadwareBusters.

If you just want the problem solved for you, there are companies that specialize in website cleanups. Do a bit of research, read some reviews and pick the one you want. Obviously this is not free. Prices range from $60 to $399 for one website. The company I work for, SparkTrust, does offer such a service. In fact, most website cleanups are sent over to me, so most likely you’d be dealing with me ;-) If you are interested, you can sign up here.

Once your site has been cleaned up, secured and all passwords changed, you can breathe a little and get ready for the next step.


3) Restore your good standing with Google

On the screenshot seen above, you may have noticed a button called “Request a review”. Click on it and fill in the details on the next screen:

Then Google will print a message:

This does not mean your web site has been cleared yet! Unfortunately, you have to wait… again! Waiting times seem to vary quite a bit, but if nothing has changed after 48 hours, you will want to review the malware report again to make sure that all the bad stuff has been removed.

A quick note regarding the malware removal: it is advised to disinfect the files rather than completely remove them (unless, of course, the files are entirely malicious). For example, it is common to see legitimate JavaScript files get injected with malicious content. Keeping the file at the same URL makes it easy for Google to crawl it again and confirm that it has been cleaned. If the file has been removed, the crawler gets a 404 and has nothing to verify.
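As an added illustration of the “disinfect, don’t delete” advice (this is example code, not a tool from the original post), the script below strips an injected fragment from every web file under a site root, keeps a .bak copy of anything it changed and leaves the rest of each file byte-identical. The injected pattern and the hostname bad-host.invalid are constructed placeholders; in a real cleanup you take the exact string from Google’s malware report or from a diff against a clean backup.

```python
import re
from pathlib import Path

# Constructed placeholder for the injected fragment. Real injections point at
# attacker-controlled hosts and are usually obfuscated; take the exact string
# from Google's malware report or from a diff against a clean backup.
INJECTED_PATTERNS = [
    # <script src="http://bad-host.invalid/..."></script>
    re.compile(r'<script[^>]*src=["\']https?://bad-host\.invalid/[^"\']*["\'][^>]*>\s*</script>', re.I),
    # hidden <iframe src="http://bad-host.invalid/..."></iframe>
    re.compile(r'<iframe[^>]*src=["\']https?://bad-host\.invalid/[^"\']*["\'][^>]*>.*?</iframe>', re.I | re.S),
]


def disinfect(content: str) -> tuple:
    """Remove every injected fragment; return (cleaned text, number removed)."""
    removed = 0
    for pattern in INJECTED_PATTERNS:
        content, n = pattern.subn("", content)
        removed += n
    return content, removed


def disinfect_tree(root: Path, suffixes=(".html", ".htm", ".js", ".php")) -> dict:
    """Clean every web file under root in place, keeping a .bak copy of anything changed.
    Returns {path: fragments removed}. Untouched files stay byte-identical, so Google
    re-crawls the same URLs and sees the legitimate content minus the injection."""
    report = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        raw = path.read_bytes()
        cleaned, n = disinfect(raw.decode("utf-8", "surrogateescape"))
        if n:
            path.with_name(path.name + ".bak").write_bytes(raw)
            path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
            report[str(path)] = n
    return report


# Constructed sample: a legitimate page with the injection dropped right after <body>.
SAMPLE_PAGE = """<html><body><script src="http://bad-host.invalid/js.php"></script>
<h1>Welcome</h1><p>Our opening hours are 9 to 5.</p>
<script src="/js/menu.js"></script></body></html>"""

if __name__ == "__main__":
    cleaned, n = disinfect(SAMPLE_PAGE)
    print(f"removed {n} injected fragment(s)")
    print(cleaned)
    # To clean a real site root: print(disinfect_tree(Path("/var/www/public_html")))
```

Run it against a copy of the site first and diff the result against the .bak files; a pattern that is too broad will happily delete your own scripts too.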


4) Learn about the experience

Once Google has cleared your site, you may want to forget about the whole thing and hope it never happens again. You can do that… or take the time to review what just happened and how to prevent it in the future.

Review why your website was hacked. Was it because of a poor password, an infected PC that leaked your passwords, an out-of-date WordPress installation? Whichever it was, you can take this bad experience and learn a few things about security. See my security tips.

If you were helped by some people from the community, you may want to return the favor and use your own experience and what you’ve learned to pass it on to others. Malware is a global problem that can only be tackled by proper knowledge and education, not just software.


Jerome Segura

Nothing but big phishes

I came across this PayPal phishing scam that I thought was kind of funny.

This is the first time I have seen scammers ask for the account’s current balance! Do they not bother if your balance is too low? Maybe not ;-)

Jerome Segura

The Malware is in the DB (not the pudding)

Recently, I came across a site infested with malware and where FTP access was broken and SSH not available. The only thing I had at my disposal was access to an old SQL Server 2000 Database.

The site runs IIS and the main page contains malicious code:

However, this code is not present in the default.aspx index file. The only thing I noticed was a set of references to a database:

The next logical step was to search the DB for that bad code. In fact, I just took the first table I could get my hands on and did a simple query: select * FROM {dbnameremoved}.dbo.Information

And there it is… The bad code has in fact been injected into almost every single table.

The cleanup path would be to delete those entries with some SQL DELETE statements, but overall given how outdated the server is, it would just be a matter of time before it gets re-infected. Unfortunately in this case, the user is not very computer-savvy and migrating the whole site without the malware and no backup available sounds like a Herculean task.

This is one of these cases where sites are never updated for years, get infected and become broken beyond belief.

Jerome Segura

Update: this site is really owned! Check out this insane Google report:

Of the 688 pages we tested on the site over the past 90 days, 449 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2012-06-25, and the last time suspicious content was found on this site was on 2012-06-25.

Malicious software includes 738 scripting exploit(s), 100 trojan(s), 65 exploit(s). Successful infection resulted in an average of 2 new process(es) on the target machine.

Wish me luck! ;-)

Update 2: site disinfected

The cleanup consisted of preserving the good data and erasing the malicious code. The following SQL query was used:
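The actual query used in this cleanup is not reproduced on the page. What follows is an added example (mine, not the original post’s) of the same approach carried out against a constructed in-memory SQLite database: enumerate every character-typed column, count the rows that still contain the injected fragment, then strip it with REPLACE so that the legitimate value around it survives. The fragment and the host bad-host.invalid are placeholders; the table names mirror the Information table mentioned above.

```python
import sqlite3

# Constructed placeholder for the injected fragment. In the incident above it was a
# <script src="..."> tag appended to text columns; use the exact string from the page source.
INJECTED = '<script src="http://bad-host.invalid/x.js"></script>'


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the compromised database (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE Information (id INTEGER PRIMARY KEY, title VARCHAR(100), body TEXT);
        CREATE TABLE News (id INTEGER PRIMARY KEY, headline VARCHAR(200), hits INTEGER);
    """)
    con.executemany("INSERT INTO Information (title, body) VALUES (?, ?)", [
        ("Welcome" + INJECTED, "Opening hours 9 to 5" + INJECTED),
        ("Contact", "Call us" + INJECTED),
    ])
    con.executemany("INSERT INTO News (headline, hits) VALUES (?, ?)", [
        ("Summer sale" + INJECTED, 10),
        ("Clean row", 3),
    ])
    con.commit()
    return con


def text_columns(con):
    """Yield (table, column) for every character-typed column. SQLite has no
    INFORMATION_SCHEMA; on SQL Server the equivalent is
    SELECT TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE DATA_TYPE IN (...)."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_rest in con.execute(f'PRAGMA table_info("{table}")'):
            if any(k in ctype.upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_infected(con, needle: str = INJECTED) -> dict:
    """Count rows per table.column that still contain the fragment."""
    counts = {}
    for table, col in text_columns(con):
        n = con.execute(f'SELECT COUNT(*) FROM "{table}" WHERE instr("{col}", ?) > 0',
                        (needle,)).fetchone()[0]
        if n:
            counts[f"{table}.{col}"] = n
    return counts


def disinfect(con, needle: str = INJECTED) -> int:
    """Strip the fragment from every text column, keeping the legitimate value around it.
    Returns the number of rows updated. Take a backup first."""
    updated = 0
    for table, col in text_columns(con):
        cur = con.execute(
            f"""UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, '') WHERE instr("{col}", ?) > 0""",
            (needle, needle))
        updated += cur.rowcount
    con.commit()
    return updated


if __name__ == "__main__":
    con = build_sample_db()
    print("before:", find_infected(con))
    print("rows updated:", disinfect(con))
    print("after:", find_infected(con))
```

Two caveats for SQL Server 2000 specifically: REPLACE does not accept text/ntext columns, so those have to be CAST to varchar(8000)/nvarchar(4000) (which truncates longer values) or rewritten with UPDATETEXT; and a DELETE of the affected rows, the quick fix mentioned earlier, throws away the legitimate content in the same row, which is why REPLACE is the better tool.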

This is a server shared with a lot of other customers, and security on it is really bad: you can see not only their names but also their databases:

You can also browse the server file system:

This is a reminder that shared hosting is not secure. Now you know why it is so cheap.

Securing your website: some tips

I’ve been a contributor (or helper) in the BadwareBusters forum (StopBadware) for the last month or so. Recently someone asked how to prevent a future re-infection and secure their website. I came up with a bunch of ideas which I thought I could share here as well:

BACK UP REGULARLY (at least once a week)
- back up your files and databases
- store the backup on a different server or on other media, and test that it actually restores

PASSWORDS AND ACCESS
- use strong passwords
- do not store your passwords on your computer in a text file or inside your FTP client (e.g. FileZilla); password-stealing malware looks there first
- check that the only FTP accounts are the ones you authorized (in other words, watch for ‘rogue’ accounts). You can do this from the control panel of your hosting account or simply by asking your hosting company for a list of usernames associated with FTP
- avoid plain FTP if possible and use SFTP or SSH, which encrypt the connection, whenever you need to connect to your server to upload files or make changes
- avoid connecting to your site over insecure Wi-Fi

SOFTWARE
- list all software running on your site
- remove any software/plugin that is not needed
- update all software (CMS, PHP, Apache, etc.)
- update all plugins
- run a web vulnerability scanner to detect weaknesses in your site

PERMISSIONS AND HARDENING
- review all file and folder permissions in your public_html folder
- permissions should never ever be 777
- files should be set to 644, folders to 755
- if the server runs Apache (the usual case on Linux hosts), harden your .htaccess file
- harden your CMS (hide which version it is running, rename the default ‘admin’ login to something else)

LOGS
- review access and error logs on a weekly basis
- identify attack attempts and block the malicious IPs
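The 644/755 rule is easy to state and tedious to verify by hand on a few thousand files, so here is an added example (not from the original post) that audits a document root and optionally resets it. World-writable and setuid/setgid entries are reported separately because those are the ones an attacker on a shared host actually uses; symlinks are skipped. The sample tree it builds is constructed for demonstration.

```python
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755


def _entries(root: str):
    """Yield (path, expected mode) for every non-symlink entry below root."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name, expected in [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, expected


def audit_permissions(root: str) -> list:
    """Return sorted (path, octal mode, reason) for entries deviating from 644/755."""
    findings = []
    for path, expected in _entries(root):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & stat.S_IWOTH:
            findings.append((path, oct(mode), "world-writable"))
        elif mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, oct(mode), "setuid/setgid"))
        elif mode != expected:
            findings.append((path, oct(mode), f"expected {oct(expected)}"))
    return sorted(findings)


def fix_permissions(root: str) -> int:
    """Reset everything below root to 644/755; returns the number of entries changed."""
    changed = 0
    for path, expected in _entries(root):
        if stat.S_IMODE(os.lstat(path).st_mode) != expected:
            os.chmod(path, expected)
            changed += 1
    return changed


def make_sample_tree() -> str:
    """Constructed public_html: one correct file, one 666 config, one 777 upload dir."""
    root = tempfile.mkdtemp(prefix="public_html_")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in (("index.php", 0o644), ("config.php", 0o666)):
        open(os.path.join(root, name), "w").close()
        os.chmod(os.path.join(root, name), mode)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    for finding in audit_permissions(root):
        print(*finding)
    print("fixed:", fix_permissions(root))
    print("remaining:", audit_permissions(root))
```

Some hosts run PHP under suPHP or similar and actually need a handful of directories (caches, uploads) to be group-writable; audit first, then decide what to reset rather than blindly running the fix.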

You can find me under the handle ‘jerome’.

Jerome Segura

Achtung: this site may harm your computer!

This German website for a PC repair company warns its users about the DNS Changer Trojan and advises them to check whether their computer is infected.


However what they don’t know is that their own site is compromised with malicious code and will infect unpatched PCs…


The JS code redirects to a bad site ( Wepawet report here.

Jerome Segura

Anonymous site hosts malicious script

The site: hosts a malicious script:

It looks like an automated injection to me because it is right after the <body> tag.

Wepawet report ( shows an iframe to

Thankfully the page has been parked.

Jerome Segura

Canada Post Phishing scam and malware served from your local preschool

This is a clever phishing scam that targets Canadians:

I say clever because, beyond the legitimate looks, the payload is distributed through a malicious URL placed right next to a legitimate one.

One thing we always tell people is to never trust links, even if they look fine. This is because it is easy to create a hyperlink that says: but instead really is

Let’s take a closer look:

By placing the mouse cursor over the link (NO CLICKING!!), you can see in the browser’s status bar that this is indeed the real site. If you did click on it, you would be sent to Canada Post’s official website:

At that point, you think this email must be legit after all and you are ready to click on the second link. That’s the catch!

Here I repeat the same mouse over process but look at the URL: it is NOT the same!! Sneaky…

What we have here is a zip file called

If you open it up, it contains the malicious file the bad guys want you to run:

The file is poorly detected by anti-virus products (VirusTotal: 3/42).
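The mouse-over check above is exactly what a small parser can do for a whole message at once. The following is an added example (mine, not from the original post) that pulls every link out of an HTML e-mail and flags the three things seen here: an href whose host is not on the expected domain, visible link text that looks like a URL but disagrees with the real href, and a link that delivers an archive or executable. The sample e-mail, the hostnames sunny-preschool.invalid and tracking-notice.invalid, and the “last two labels” domain rule are constructed assumptions; a production tool should use the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML e-mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host: str) -> str:
    # Assumption: the last two labels are the registrable domain. Fine for .ca/.com;
    # a real tool should consult the public suffix list (co.uk and friends).
    return ".".join(host.lower().split(".")[-2:]) if host else ""


ARCHIVE_OR_EXE = (".zip", ".exe", ".scr", ".pif", ".bat")


def check_links(html: str, expected_domain: str) -> list:
    """Return (href, text, [reasons]) per link; an empty reason list means it passed."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        reasons = []
        href_host = urlparse(href).hostname or ""
        if registrable_domain(href_host) != expected_domain:
            reasons.append(f"points off {expected_domain}: {href_host or '(no host)'}")
        # If the visible text itself looks like a URL or hostname, it must agree with href.
        if "." in text and " " not in text:
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registrable_domain(text_host) != registrable_domain(href_host):
                reasons.append(f"shows {text_host} but goes to {href_host}")
        if urlparse(href).path.lower().endswith(ARCHIVE_OR_EXE):
            reasons.append("delivers an archive/executable")
        findings.append((href, text, reasons))
    return findings


# Constructed sample modelled on the phishing e-mail above (hosts are placeholders).
SAMPLE_EMAIL = """<p>Your parcel could not be delivered. Visit
<a href="http://www.canadapost.ca/">www.canadapost.ca</a> to learn more, then
<a href="http://sunny-preschool.invalid/images/CanadaPost_Label.zip">print your shipping label</a>.
Track it here: <a href="http://canadapost.ca.tracking-notice.invalid/track">http://www.canadapost.ca/track</a></p>"""

if __name__ == "__main__":
    for href, text, reasons in check_links(SAMPLE_EMAIL, "canadapost.ca"):
        print(f"{text!r} -> {href}: {'OK' if not reasons else '; '.join(reasons)}")
```

The first link passes, which is the whole trick of this campaign: one genuine link buys the trust that the second, malicious one spends.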

Let’s take a look at where this file is hosted:

This is the site for a preschool in California. They probably aren’t aware that they are being used to host a malicious file used by scammers. (I will let them know soon).

They are running the Content Management System (CMS) Joomla!:

and it is out of date (Joomla 1.5.15; the current release is 1.5.26), which could very well be why the site got hacked.

Speaking of out-of-date, WordPress released version 3.4 today, so if you haven’t updated your CMS yet, do so quickly :-)

Hat tip to Marlee for reporting the phishing email.

Jerome Segura

Password sharing site gets hacked, redirects to adult site

These guys have an ‘interesting’ business model which consists of providing you with passwords for popular websites (torrent and file sharing sites) if you take a couple of minutes of your time to answer a survey.

Sounds fishy? Right, I don’t like it too much either. However, this is not where the problem lies. The site itself has been hacked:

and redirects the user to an adult site instead:

At least the site content is within the realm of what file sharing people are used to…

Jerome Segura

Hack attempts: examples from the error.log file

Web server logs contain a lot of useful information regarding the health of your website. Here is the error.log file for a site that I created a few years ago and to which I still have access.

Attempt to exploit timthumb vulnerability:

Attempt to brute force login:

Attempt to exploit phpMyAdmin:

Attempt to do a directory traversal attack to find passwords:

Wrong OS!
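The screenshots above are what the naked eye picks out of an error.log; the weekly “review logs, block the bad IPs” routine from the security tips is easier to keep up if something does the first pass for you. This added example (mine, not from the original post) parses Apache 2.2-style error_log lines, tags each message with one of the attack categories shown above (timthumb, login brute force, phpMyAdmin probes, directory traversal, and Windows-only paths hitting a Linux box, the “wrong OS” case) and lists the addresses that crossed a threshold. The log lines use TEST-NET addresses and are constructed, as is the threshold; the iptables syntax is real but the commands are only returned, not executed.

```python
import re
from collections import Counter, defaultdict

# Apache 2.2-style error_log line: [date] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$")

# First matching rule wins; keep the specific patterns before the generic ones.
RULES = [
    ("timthumb",      re.compile(r"timthumb\.php|/thumb\.php", re.I)),
    ("bruteforce",    re.compile(r"authentication failure|Password Mismatch|wp-login\.php", re.I)),
    ("phpmyadmin",    re.compile(r"phpmyadmin|/pma/|/myadmin", re.I)),
    ("traversal",     re.compile(r"\.\./|/etc/passwd|/proc/self/environ", re.I)),
    ("windows_probe", re.compile(r"cmd\.exe|boot\.ini|\.aspx?\b", re.I)),  # "wrong OS" on a Linux host
]

# Constructed sample lines (TEST-NET addresses), one or two per category plus noise.
SAMPLE_LOG = """\
[Sat Jun 09 10:01:12 2012] [error] [client 203.0.113.5] File does not exist: /var/www/html/wp-content/themes/twentyten/timthumb.php
[Sat Jun 09 10:01:40 2012] [error] [client 203.0.113.5] user admin: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 09 10:01:41 2012] [error] [client 203.0.113.5] user admin: authentication failure for "/wp-admin/": Password Mismatch
[Sat Jun 09 11:15:03 2012] [error] [client 198.51.100.7] File does not exist: /var/www/html/phpMyAdmin
[Sat Jun 09 11:15:09 2012] [error] [client 198.51.100.7] script '/var/www/html/../../../../etc/passwd' not found or unable to stat
[Sat Jun 09 12:30:55 2012] [error] [client 192.0.2.9] File does not exist: /var/www/html/scripts/cmd.exe
[Sat Jun 09 12:31:00 2012] [error] [client 192.0.2.9] File does not exist: /var/www/html/favicon.ico
[Sat Jun 09 13:00:00 2012] [notice] Apache/2.2.22 (Ubuntu) configured -- resuming normal operations
"""


def classify(message: str):
    """Return the first rule name whose pattern matches, or None for benign noise."""
    for name, pattern in RULES:
        if pattern.search(message):
            return name
    return None


def analyze(log_text: str, threshold: int = 3):
    """Return (per-IP category counts, IPs at or above threshold, unparsed line count)."""
    hits = defaultdict(Counter)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # lines without a [client ...] field, e.g. server notices
            continue
        category = classify(m["msg"])
        if category:
            hits[m["ip"]][category] += 1
    block = sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)
    return dict(hits), block, unparsed


def iptables_rules(ips) -> list:
    """Commands to drop traffic from the flagged addresses (review before running)."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    hits, block, unparsed = analyze(SAMPLE_LOG)
    for ip, counts in hits.items():
        print(ip, dict(counts))
    print("block:", block, "| unparsed lines:", unparsed)
    print("\n".join(iptables_rules(block)))
```

Counting per address rather than per line is what keeps the single favicon.ico miss from 192.0.2.9 out of the block list; a threshold is a judgement call, and on a busy site you will want a time window as well.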

Jerome Segura

LinkedIn passwords leaked, cracked

LinkedIn, the popular networking site, was hacked and more than 6 million password hashes were leaked. The breach was confirmed today.

It took only minutes for the full dump of passwords to spread virally (

The decompressed file weighs 258 MB and contains 6,458,019 lines of hashed passwords.

LinkedIn hashed the passwords (that is, stored a one-way SHA-1 digest of each plain-text string) but did not apply any other layer of protection, such as salting.

For example the password ‘password’ was stored as 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 (its unsalted SHA-1 hash).

It is trivial to find the original (clear text) password using tools such as hashcat:

It is quite interesting to look at passwords people use… it reveals a lot about human nature ;-) Warning, coarse language ahead!

LinkedIn announced that they are taking immediate action by blocking accounts that have been affected as well as introducing new security measures (in the form of salting their passwords).

This is a reminder that there is no total security. However, strong passwords are still a great protection. To recover those passwords, hackers use a ‘wordlist’ or dictionary attack. That means if your password was weak, it will be uncovered in seconds. If your password was fairly complex, it will take the attackers a lot of pain and effort to crack it.

On that topic, we should change the word password to passphrase. The term is so much more meaningful and shows that actual phrases such as ‘Jimmylovescarsespeciallyatnightonchannel99′ are so hard to crack versus your typical password.
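To make the salting and passphrase points concrete, here is an added example (mine, not from the original post) that runs a dictionary attack against unsalted SHA-1 the way the LinkedIn dump was cracked, then against the same passwords with a per-user salt. The wordlist and the salts are constructed; the passphrase is the one quoted above. The point it shows: without salt, one pass over the wordlist cracks every matching account at once, and the long passphrase is simply never in the list.

```python
import hashlib
import os


def sha1_hex(text: str) -> str:
    """Unsalted SHA-1, the scheme the leaked dump used."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed tiny wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST = ["123456", "password", "linkedin", "qwerty", "letmein", "Jimmylovescars"]


def crack_unsalted(hashes, wordlist) -> dict:
    """Hash each candidate once, then every leaked digest is a dictionary lookup.
    Total work is |wordlist| + |hashes| hash operations however many accounts leaked,
    which is why a 6.4-million-line dump falls in minutes."""
    table = {sha1_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def make_salted_record(password: str, salt: str = None) -> tuple:
    """(salt, SHA-1(salt || password)); salt is random per user unless given."""
    salt = salt if salt is not None else os.urandom(8).hex()
    return salt, sha1_hex(salt + password)


def crack_salted(records, wordlist):
    """With a per-user salt the table cannot be shared: each record costs up to
    |wordlist| hash operations. Returns (found, total hash operations)."""
    found, attempts = {}, 0
    for salt, digest in records:
        for w in wordlist:
            attempts += 1
            if sha1_hex(salt + w) == digest:
                found[digest] = w
                break
    return found, attempts


PASSPHRASE = "Jimmylovescarsespeciallyatnightonchannel99"

if __name__ == "__main__":
    leaked = [sha1_hex("password"), sha1_hex(PASSPHRASE)]
    print("unsalted:", crack_unsalted(leaked, WORDLIST))
    records = [make_salted_record("password"), make_salted_record(PASSPHRASE)]
    found, attempts = crack_salted(records, WORDLIST)
    print("salted:", list(found.values()), "after", attempts, "hash operations")
```

Salting removes the shared lookup table, but SHA-1 itself is still fast enough that a weak password falls to a per-user attack too; a purpose-built slow hash (bcrypt, scrypt or PBKDF2 with a high iteration count) is the other half of the fix, and a passphrase that is not in anyone’s wordlist is the half only the user controls.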

Jerome Segura