Did Google Label Your Blog Harmful?
May 18, 2008 by Michelle Waters
A few months ago, one of my clients reported that her blog had been labeled harmful by Google. You can see this when you look at her site in a Google listing:
Now, normally, when a hacker injects code into a website, it is, in my experience, in the form of a file. They find an insecure directory (usually with 777 CHMOD) and upload a bad file to the site.
So when my client reported this to me, I scanned her files with a fine tooth comb — and found nothing.
I then upgraded her blog software, in an attempt to overwrite whatever file was messed up. Afterwards, I checked the dates on all files to make sure there wasn’t some rogue file sitting around messing everything up. Nothing.
But I have figured out what the problem is now.
Because Wordpress had a security hole in version 2.3, the hacker was able to inject the bad code directly into a post.
I’ve found the codes by doing a search directly on the blog for the term:
iframe
Then edited the post to remove the highlighted code.
Read this post to for more information on how to remove the downloader virus.
How to find out if your site is infected
UPDATE: Thought I’d add some more instructions on how to find out if your site is affected by this. If you have already found out that your site has been deemed harmful by Google, simply do a Google search on your domain name. your listing will look like the first screenshot above.
In your Google listing, click the title of your site’s entry. Google will then take you to a page warning you that visiting the site might be harmful to your computer. In the warning’s second paragraph, you’ll want to click the link to Google’s Safe Browsing diagnostic page. (This is the link to that page for Mundane Superhero.)
You’ll see a line that says something like:
Malicious software is hosted on 1 domain(s), including wp-stats-php.info.
What to do if you’ve been hacked
If you follow the instructions above and discover that your site has been hacked, you’ll need to follow the original instructions in this post to remove the code from your blog posts.
Next, read Google’s instructions for sites that have been found to have malware.
At the end of this post, you’ll see instructions for signing up for Google’s Webmaster Tools (Which I highly recommend!), verify your site, and requesting a review of your site.
We recently added a post to our blog about this - you can read it at http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html
It covers lots of details (and has lots of links) on how to handle these kinds of situations. Although several exploits are common - including the one you described which targets old WordPress installations (update regularly!!) - all hacks are a bit different and it really makes sense to ask someone for guidance if you aren’t sure. Several of us Googlers regularly monitor and post in our forums at http://groups.google.com/group/Google_Webmaster_Help , where people with website-issues like this usually get great advice.
[...] Unfortunately, security doesn’t become important until your website website gets hacked. [...]
[...] One of my clients found out the hard way her old Wordpress site had been hacked. You can read about what we had to do to appease Google. [...]