I was reading a blog post from Matt Cutts in which he gave us an excellent reminder about dealing with hacked sites. Cutts states that besides “clear-cut black-hat webspam”, the second largest category of spam that Google deals with consistently is that of hacked websites.
Preventing Malware Infection
This article contains tips and pointers for preventing malware infection. However, it is by no means exhaustive, and Google encourages webmasters to conduct more thorough research as well.
Cutts reminds us that the best way to protect yourself against having your site hacked is to keep your web server software up to date and install the most current patches. This is an easy fix that can help prevent the major downtime involved in repairing a hack. Another common method of hacking is to use malware.
Malware is a blanket term for malicious software written specifically to harm a computer or a network of computers. Common types of malware are viruses, spyware and Trojan horses. Once a computer or network has been infected by malware and compromised, the machine(s) are usually used to host phishing sites or to take administrative control over the infected site(s).
Often hackers will change the content of the site to add spam, or add new pages to the site with the intent of phishing, which is an attempt to trick individuals into divulging their personal or banking information for the attackers' own nefarious purposes.
How Do I Know if My Site Is Infected?
If your site has been hacked, it is normally because an attacker has managed to find a vulnerability on your web server that has allowed them to take control of your website. In most instances, this is in order to install malicious software that either allows access to the infected computer or attempts to steal personal data or banking information.
Google reminds us that the easiest way to detect problems with your site and possible hacks of your site is to use their Google Webmaster Tools. Once you verify your account, you can see if Google has detected malware on your site.
Google’s reports are based on the guidelines established by stopbadware.org, but Google admits that it has its own set of criteria, procedures and tools to identify hacked sites. They also state that in some cases, third parties manage to insert malicious code into a legitimate site, causing the warning message to show.
Google automatically scans websites to determine if a hacker has inserted malware into your site and will list your site as being “infected” in the search results in order to alert others. This designation that your site is infected is based solely on the content of the affected page and is not dependent on your site’s reputation or on you as a webmaster.
If your site is infected, follow these steps established by Google:
- Quarantine your site
  - Take your site down immediately
  - Contact your web hosting provider
  - Change all passwords and user accounts
- Assess the damage
  - Visit the Google SafeBrowsing diagnostics page for your site (http://www.google.com/safebrowsing/diagnostic?site=www.example.com)
  - Scan your site with an up-to-date antivirus program that scans for malware
  - Check the Malware page in Webmaster Tools
  - Use the URL Removal tool in Webmaster Tools to request removal of hacked pages or URLs. This will prevent the hacked pages from being served to users.
  - Report phishing pages to the Google Safe Browsing team.
  - Use the Fetch as Google tool in Webmaster Tools to detect malware that might be hidden from the users’ browsers, but served to Google’s search engine crawler.
  - Review the antiphishing.org recommendations on dealing with hacked sites.
  - If you have other sites, check to see if these have also been hacked.
- Clean up the site
  - Update any software packages to the latest version. Google recommends doing a complete reinstall of your OS from a trusted source to be sure that you’ve removed everything the hacker may have done. Also make sure to reinstall or update blogging platforms, content management systems, or any other type of third-party software installed.
  - Once you feel confident that your site is clean, change your passwords again.
  - Get your system back online. Change your server’s configuration so that it no longer returns a 503 status code and perform any other necessary steps to make your site publicly available.
  - If you used the URL Removal tool to request removal of any URLs that are now clean and ready to appear again in search results, use the same tool to revoke your request.
- Request a review of your site from Google
  - On the Webmaster Tools Home page, select the site you want.
  - Click Site Status, and then click Malware.
  - Click Request a review.
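The Fetch as Google step above looks for content that is served to the crawler but hidden from visitors. As an added example (not from the original article or from Google), this Python script compares two saved copies of the same page and lists off-site scripts, iframes and links that appear only in the crawler's copy. The sample HTML, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample responses for the same URL (not real captures):
# one as served to a normal browser, one as served to a crawler user agent.
BROWSER_HTML = """<html><body><h1>Garden Shop</h1>
<script src="https://www.example.com/js/site.js"></script>
<a href="/contact">Contact</a></body></html>"""

CRAWLER_HTML = """<html><body><h1>Garden Shop</h1>
<script src="https://www.example.com/js/site.js"></script>
<a href="/contact">Contact</a>
<div style="display:none"><a href="http://pills.example.net/buy">cheap pills</a></div>
<iframe src="http://cdn.example.org/x.html" width="0" height="0"></iframe>
</body></html>"""

# Tag -> attribute that loads or points at another resource.
RESOURCE_ATTRS = {"script": "src", "iframe": "src", "a": "href", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect (tag, host) pairs for resources hosted somewhere else."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.found = set()

    def handle_starttag(self, tag, attrs):
        attr = RESOURCE_ATTRS.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname  # None for relative URLs
        if host and host != self.site_host:
            self.found.add((tag, host))

def external_resources(html, site_host):
    """Return the set of (tag, host) pairs that leave site_host."""
    collector = ResourceCollector(site_host)
    collector.feed(html)
    return collector.found

def crawler_only_resources(browser_html, crawler_html, site_host):
    """Return external resources present only in the crawler's copy."""
    return sorted(external_resources(crawler_html, site_host)
                  - external_resources(browser_html, site_host))

if __name__ == "__main__":
    hits = crawler_only_resources(BROWSER_HTML, CRAWLER_HTML, "www.example.com")
    for tag, host in hits:
        print(f"served only to crawler: <{tag}> -> {host}")
```

Anything this reports is a lead for the cleanup step: find where the extra markup is generated (template, plugin, server rewrite rule) before bringing the site back online.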
Requesting a Malware Review
Once you’re sure your site is free from any infected code and content, you can request a malware review.
For complete details of the detection, removal and reviewing of your site, please refer directly to the Google page here: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
“If you feel your site has been mistakenly identified, or if you make changes to your site so that it no longer hosts or distributes malicious software and you secure your site so that it is no longer vulnerable to the insertion of badware, you can request that your site be reviewed here.”