The past 15 hours haven’t been fun for me.
It all started around 8 pm last night when I started getting emails like this:
“Hey, when I try to visit Domain Name Wire I get a warning that your site is infected with malware.”
If you tried to access the site last night via Chrome or Firefox, you probably saw such a message. You also saw a warning in Google search results.
The timing was pretty bad. Super Bowl Sunday is usually a high traffic day on Domain Name Wire thanks to people looking for Go Daddy’s commercials.
I’m writing this post to not only inform you of what I did to fix the “problem”, but also in case anyone has specific advice, as I haven’t been able to fully solve how the site was flagged…
As soon as I became aware of the problem I went to Google Webmaster Tools and found a warning about malware. Google identified 27 URLs on DNW that were suspicious.
Unfortunately, Google told me nothing else about it. It didn’t say what made them suspicious, what type of vulnerability was found etc.
I was in the dark.
But I’ve dealt with malware before. About five years ago an FTP password on one of my domains was compromised and some hackers inserted a redirect.
I sifted through the pages Google identified this time hoping to find something obvious. But there was nothing. I looked at every URL on the pages, every script…nothing looked out of the ordinary.
I went to a couple of site scanners and tried them. They all came back clean.
Exasperated, I went ahead and asked Google to rescan the site.
I went to bed, but all night I had the same feeling I’ve had whenever my (previous) web host went down: when will I be back up?
Fortunately, by 6 am my time Google was no longer warning about the site.
But I recalled that I had paid Verisign (now Symantec) $300 a year for a Trust Seal (now Site Safe). Included is a daily malware scan.
I went to Symantec’s site to see if it had flagged me for malware.
Actually finding out if it had flagged me was a nightmare. I had purchased the site seal through Moniker, which meant Symantec wouldn’t let me access an online account. “Sorry, you have to contact the reseller”.
But it turns out Symantec sent a warning to me around 1 am today. (Ironically, all of the emails from Symantec land in my spam folder). With a bunch of clicking and form filling, I was finally able to see what was identified as malware on my site.
Apparently two scripts were flagged, including this one:
wp-includes/js/jquery/jquery.js?ver=1.8.3
Hmm. This is included by default in all instances of WordPress 3.5. Why was it being flagged?
Symantec’s support person wasn’t very helpful. He said the file was similar to ones that have been problematic.
“But this is in every copy of WordPress 3.5!”
He didn’t seem bothered by that. I asked if it was something added to the file or the file name itself that was a problem. He didn’t know.
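One way to answer that question yourself is to hash the flagged file against the same file from a pristine WordPress download of the same version: an identical digest means the contents were not altered and the hit was on the stock file; a differing digest means something was changed. The script below is an added example, not code from the original post, and the directory layout and file contents it builds are constructed samples.

```python
# Added example (not from the original post): compare a WordPress install's
# wp-includes tree against a pristine copy of the same version by SHA-256.
# Files with the same digest as the stock release (e.g. jquery.js) are
# unmodified; anything listed as modified or extra deserves a closer look.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}

def compare_trees(installed: Path, pristine: Path) -> dict:
    """Classify files as modified (both present, digests differ), missing
    (only in the pristine release) or extra (only in the live install)."""
    live, ref = hash_tree(installed), hash_tree(pristine)
    return {
        "modified": sorted(f for f in live.keys() & ref.keys() if live[f] != ref[f]),
        "missing": sorted(ref.keys() - live.keys()),
        "extra": sorted(live.keys() - ref.keys()),
    }

def demo() -> dict:
    """Constructed sample: stock copy vs. an install with one appended file
    and one stray file; the jquery.js copies are deliberately identical."""
    with tempfile.TemporaryDirectory() as tmp:
        pristine = Path(tmp, "wordpress-3.5", "wp-includes")
        installed = Path(tmp, "public_html", "wp-includes")
        for base in (pristine, installed):
            (base / "js" / "jquery").mkdir(parents=True)
            (base / "js" / "jquery" / "jquery.js").write_text("/*! jQuery v1.8.3 */\n")
            (base / "version.php").write_text("<?php $wp_version = '3.5';\n")
        # Simulated changes on the live side only (constructed, not real malware).
        with (installed / "version.php").open("a") as f:
            f.write("// appended line\n")
        (installed / "js" / "extra.js").write_text("// not part of the release\n")
        return compare_trees(installed, pristine)

if __name__ == "__main__":
    print(demo())
```

Point `compare_trees` at your live wp-includes directory and at the wp-includes directory of a freshly unpacked release archive to run it for real.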
After calling back later and talking to another Symantec rep, the company forwarded my question to its malware team for investigation.
It’s at this point that I’ll note that, despite the devastating effect a malware warning has on a web site, it doesn’t seem like an urgent matter to many of the companies that operate in this space.
Perhaps a big malware warning issue happening today with some of the biggest web sites (thanks Mike) will change that. The Netseer issue is unrelated to my problem. (I do want to thank @stopbadware for assistance on Twitter today.)
So here I am, about 15 hours later. I still don’t know if I had a false positive or there’s some sort of problem that will creep back up. After all, Google’s second scan of my site found no problems. Interestingly, Google has even removed any record of the malware problem — including messages/alerts — from Webmaster Tools. Previous messages about Googlebot access problems are still listed.
Update: Symantec just rescanned my site and now says there are no problems, despite the site still having the same exact files it had yesterday.
DNW.com (the shortcut) will still give you a warning, but that should be fixed later today.
If anyone out there has additional help, I’d appreciate it.
Kevin Murphy says
The one thing I learned as a security reporter for ten years was to stay as far as possible away from Symantec software as you can.
I used to microwave the review copies of the installation CDs they sent me, just to be sure.
Jp says
These situations would be much easier to handle if Symantec or G was ever made liable for the devastating effects this stuff causes to people’s sites/businesses. Until then all this stuff does is add value to G as Symantec and cost you money. Shows how reliable all this stuff is that Symantec’s emails ended up in your spam.
Andrew Allemann says
It bothers me that the Chrome message says “The Website Ahead Contains Malware!”
If there’s a false positive, that’s really damaging.
JP says
The whole thing is based on the fact that most small website owners can’t afford to take action against them and that most other website owners won’t bother to attack them. You never clicked “I Agree” anywhere to allow the possibility of this service to impact your business and it wasn’t legislated by government that you had to. It just sorta happens to you whether you like it or not. I’ve said this a million times on blogs and I’ll say it again, why are we not charging Google to access our sites? They get everything for free and then sell it. In this case they got to scan your site for free. The internet is free but our work doesn’t have to be.
Spencer says
I’ve seen situations where an ad network script will inject malware. Make sure any ad networks you use are scanning their advertisers’ rich media content for malware before allowing it on their network, then in turn into your website.
theo says
I visited this site yesterday on a friend’s laptop and I was rather surprised that AVG detected malware in one of the ads.
My own laptop did not give me a warning so I thought it was a false positive.
At the moment Google still says dnw.com is flagged/malware.
domainnamewire.com is clean according to google.
Andrew Allemann says
@ theo – what message did you get? I host all ads on this site.
sand dune says
I ran into it on a big, totally legit site for the first time today. They changed something.
theo says
Sorry Andrew, as I mentioned I disregarded it as a false positive so I am not sure which advert it was.
The warning was about a JavaScript loading malware into the browser and it was related to one of the adverts.
I will request the logfiles of my friend so you can pinpoint the issue. Though it looks to me you should be able to single out the adverts that use JavaScript. Browser hijacking is usually related to JavaScript, not to mention these guys took way too long to patch several exploits related to JavaScript.
Though it is rather odd that dnw.com is still flagged while it looks like a simple redirect to domainnamewire.com.
Nic says
In the 80s every Mac user used Norton Utilities. Great stuff. Then Symantec bought it and it started screwing with our machines. When I hear the word “Symantec” I shudder, recalling all the hours trying to sort out problems that were caused by the software.
I’m sure millions of people respond emotionally in a similarly negative way to the brand… an irony indeed, given that they stand for security. I couldn’t trust a brand less.
George Kirikos says
There was a false positive malware warning affecting many sites (including The New York Times and Washington Post) yesterday, due to “Netseer”, see the article at:
http://www.zdnet.com/netseer-suffers-hack-triggers-google-malware-warnings-7000010776/
http://www.mercurynews.com/business/ci_22515730/malware-warning-citing-netseer-blocks-google-chrome-users
Perhaps it was related to that?
By the way, this is why ICANN, Registrars and Registries should not be involved in domain takedowns — too much potential for false positives, and collateral damage.
ChuckWagen says
My Firefox browser identified it as a possible “Attack page” which was certainly alarming.
Vincent Abrugar says
WordPress sites are the ones that are most targeted by hackers. Make sure your site is always updated with the latest WordPress version and also your plugins. Watch out for backdoors: if you have backdoor files it’s just a matter of time before your site gets re-infected and you’ll see the Google blacklist warning again.
Jack Yan says
Fifteen hours is a lot. Six days is worse, which is what I faced—to the point where I lost clients and my email provider threatened to pull its service. And I know of sites that have been clean for six weeks to two months that Google has blacklisted because of false accusations. Number of people working at Google on the malware scanner? Two part-timers. And yet Firefox, Chrome, and various security programs all rely on a bot that makes a lot of mistakes, commits a lot of libel in Google’s name, and is overseen by two guys who aren’t even at work half the time.
Maggie says
My site is now an insignificant site but has had a high ranking in Google for many years until recently. This malware warning has appeared more times than I can count in the last few months and now it’s appearing twice a week! My web host has done everything possible and requests the warning to be removed each and every time and it is. Nothing is ever changed on the site so I figure it’s a false positive. I’ve tried to find a way to contact Google direct — to no avail. I’ve tried calling from England but can never get past the endless phone tree. Does anyone know how to get this stopped?
opensourceame says
I’ve had the same issue with a couple of sites. One of them was a blog which had no content updates in over two years, no ads or outside links. Yet Google would mark it as malware and I would request a review without making any changes and magically it would be removed from the blacklist.
What also irks me is my other site had a link to a site which had links to a site which had malware, but Google blocked my site. Surely they should blacklist only the site with *direct* links to the malware, otherwise this sort of idiocy could go on and on with a long chain of links to malware putting a site ten clicks away on a blacklist.
It seems totally idiotic to me!
Jen says
I purchased a domain name on April 19, 2015 at godaddy and parked it for free at sedo to monetize the website. After a few hours when I checked back, Chrome shows it contains malware. I’m still looking for solutions right now.
abcda121me says
Maybe any advert other than google AdSense is a malware for google.
jesarat says
I’ve seen situations where an ad network script will inject malware. Make sure any ad networks you use are scanning their advertisers’ rich media content for malware before allowing it on their network, then in turn into your website. Thank you
joesaba2014 says
A month ago using Chrome and gmail to open a known email of which to be subscribed years ago put a malware in gmail and Google saved me to detect that a second person to have entered my gmail to delete all my emails, Google with Chrome and Gmail at the same time with firefox fight for updates using many unsafe applications, I have few app necessary but some of Chrome with their new applications are not safe, from my Android and Google Chrome open a pdf from an email received in my gmail start the same again and this time save me Malwarebytes.org.
I have friends who use Apple and also spend using Chrome a technician told me that new apps with browsers do not pass the security measures of Malware and Fake apps that all have malware, and my Internet Security Symantec save me and block today from a Fake apps that arrive from Google Play and have with Android hosted in a hidden way from the PDF.
Many apps have a lot of bad milk who develop them must be a genius and soon be signed by some antivirus company to save us from their bad luck tactics, this will never end is a system like medication and health is the same people and computers and their interior it is the same to need health and doctors to heal your inner and outer we all breathe bad Co2.
Good weekend.