Have you ever been cruising the web, minding your own business, when your browser suddenly freezes your search and your pages start lighting up like you have tripped some terror alert color scheme gone mad?  What if it’s your very own web site that is setting off the alerts?  In order to make web browsing as a painless experience as possible, many popular applications—from Google Search to Firefox to Safari—use Google’s malware database to warn their users to keep away from potentially harmful sites.  Pages which are deemed dangerous are identified and blacklisted.  These aren’t just sites which are set up specifically to generate spam – generally it’s much, much worse than that.

However, many sites are collateral casualties in the war against spam as hackers place malicious content into legitimate websites.  The onus is then on the site owner to clean up the site in order to remove the warnings triggered that can affect their site’s traffic and standing.  So one needs to know how to remove their site from Google’s malware database and avoid the common mistakes that can leave even cleaned up sites blacklisted for a long time.  The first step is to figure out what exactly is wrong with the site.  In addition to an Acunetix Vulnerability Scan, you may also want to take a trip to Google’s Safe Browsing diagnostic page, at the very top of the diagnostic page that says “Diagnostic page for <URL>”, where URL is the topmost level at which all web pages are blocked.

Go down to the “what happened when Google visited this site?” paragraph.  There are two dates that are critical in interpreting this information:

  1. the scan date (the last time Google visited your site)
  2. the discovery date (when the suspicious content was last found).

If your site is blacklisted, the dates are probably the same.  After your scans are clean with us, you should request a malware review through the Google Webmaster Tools.  Within a few hours, Google should rescan your site.  If your scan is clean with us, you should come back with an approval.

The second step, should you still be at a loss for why Google considers your site dangerous, is to go and look for sentences with phrases like “Malicious software is hosted on N domain(s), including <malicious domains here>” or “N domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including <intermediary domains here>”.  There will be telltale traces, be it a hidden iframe, or external script, or unauthorized redirect.  It is best to begin scanning your files for these domain names.

Unfortunately, hackers don’t leave easy trails to follow.  They don’t want to be discovered as much as you want to discover them.  They cover their tracks and bury the truth.  If simple scans revealed them, there wouldn’t be much of a problem.  Hackers change the domain names of their sites often and can link to new domains daily.  To check for bad content, you have to look not just for the malicious domains, but your investigation should concentrate on intermediary domains, where malicious content from your site links to.

When in doubt, search the web for the domain names listed on the diagnostic page.  Each name is a clue and you aren’t the only detective on the case.

SHARE THIS POST
THE AUTHOR
Acunetix

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.