If you are new to this site you might want to check your web pages for suspicious content

Practical Guide to Dealing With Google's Malware Warnings

For webmasters and site owners

To protect web surfers, Google is continually working to identify and blacklist dangerous pages. Many popular applications (Google Search, Google Chrome, Firefox, Safari, etc.) use Google's malware database to warn their users to keep away from potentially harmful sites.

The majority of blacklisted sites are in reality legitimate websites into which hackers have inserted malicious content. Often, the site owners have difficulty both cleaning up their sites and removing the malware warnings that seriously impact their sites' traffic and reputation.

This guide will provide you with practical information about how to remove your site from Google's malware database, as well as how to avoid common mistakes that can cause cleaned up sites to remain blacklisted for a long time.

You can use this form to check if your site is currently listed as suspicious

If your site is blacklisted and you want to resolve this issue, you should:

  1. Correctly interpret Google's Safe Browsing advisory and find out the reason why your site has been blacklisted
  2. Clean up (and secure) your site
  3. Request a malware review via Google's Webmaster Tools

1. Interpreting Diagnostic Pages

To find out what's wrong with the site, consult Google's Safe Browsing diagnostic page (use the form above).

You may find the diagnostic page difficult to understand. The following instructions will help you extract the most important information.

What? First of all, you should determine what exactly is blacklisted by Google. You can get this information at the very top of the diagnostic page that says “Diagnostic page for <URL>”, where URL is the topmost level at which all web pages are blocked. Examples:

blog.example.com/pages/page1.html - only this page
blog.example.com/pages/ - everything below /pages
blog.example.com - the whole blog
example.com - the whole domain and its subdomains

This information can help you narrow down your search to specific sections of your site.

When? Next, find out when Google last visited your site (the scan date) and when the suspicious content was last found (the discovery date). You can find these dates in the “What happened when Google visited this site?” paragraph. You should match these dates with the date of the last attempt to clean up the site (the cleanup date).

Here's what you should know about these dates:

  1. Google doesn't scan your site every day. The Internet is big and it may take weeks between consecutive scans of your site.
  2. Google is not aware of anything that happened to your site after the scan date. If you want Google to pick up your latest changes, you should request a malware review via Google Webmaster Tools - this will make Google rescan your site within a few hours.
  3. If your site is blacklisted, the scan date and the discovery date are usually the same.
  4. In some cases, the site can be blacklisted but the scan date is more recent than the discovery date. It is important to correctly interpret this situation.

    Google's unofficial explanation is confusing: “The review may have found "suspicious" content that was not "suspicious" enough to have added the site to the malware list - but it is "suspicious" enough to prevent it being removed from the list”.

    In our experience, this usually means that Google hasn't found anything suspicious on the site, but they are not sure if this is a permanent change or just an attempt to fool their system. Therefore, they put the site in quarantine, and it may take one or more scans before they are sure the change is permanent and the warning is subsequently removed.

    What can trigger such a situation?

    • You have cleaned up your site but didn't request a malware review. Without such a request, it may appear to Google as though you've removed the malicious code from some pages but haven't yet finished the site cleanup, and they are therefore waiting for you to ask them to review the site.
    • You have either removed all the infected pages, or all the site's web pages, and requested the review. Google may think that you will restore the infected web pages after a successful review. Thus, instead of removing the web pages themselves, you should remove only the malicious content.

Why? If you still don't know why Google thinks your site is suspicious, the information about malicious and intermediary domains may help you identify and locate the source of the problem.

This information can be found in the “What happened when Google visited this site?” section of the diagnostic page. Check for sentences that read like the following:

“Malicious software is hosted on N domain(s), including <malicious domains here>”

“N domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including <intermediary domains here>”

One way or another, there should be traces of these domains on compromised sites. It may be a hidden iframe, an external script, or an unauthorized redirect. So start by scanning your files for these domain names.

Intermediary domains should be your priority in the investigation. These are the domains that the malicious content on your site links to.

Sometimes, when hackers point a compromised site directly to servers with malicious content (or when Google can't determine the final destination of the malicious chain), the diagnostic page won't mention intermediary domains and you should therefore look for the malicious domains.

What if you can't find references to the malicious domains?

Unfortunately, references to malicious sites are usually obfuscated and cannot be revealed by simple scans. Please note that hackers change the domain names of their malicious sites fairly often (so they can't be blocked), and therefore compromised legitimate websites are often updated daily in order to ensure they link to these new domains. As a result, Google's diagnostic page may mention malicious and intermediary domains that can no longer be found on your site, since they have been replaced with new domains already.
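The file scan suggested above, as an added example that is not part of the original guide: it goes beyond a plain-text search and also looks for a few simple encodings of each domain name from the diagnostic page. The domain `bad-domain.example`, the sample file names and the choice of encodings are assumptions made for illustration; heavier obfuscation will still evade a scan like this.

```python
import base64
import tempfile
from pathlib import Path

def variants(domain):
    """Return {label: needle} for a few simple encodings of a domain name."""
    raw = domain.lower().encode("ascii")
    out = {
        "plain": raw.decode(),
        "hex-escape": "".join("\\x%02x" % b for b in raw),
        "percent": "".join("%%%02x" % b for b in raw),
        "charcodes": ",".join(str(b) for b in raw),
    }
    # Base64 text shifts with the name's byte offset: one needle per alignment.
    for pad, skip in ((0, 0), (1, 2), (2, 3)):
        enc = base64.b64encode(b"\0" * pad + raw).decode().rstrip("=")
        if (pad + len(raw)) % 3:
            enc = enc[:-1]  # last char also carries bits of what follows
        out["base64/%d" % pad] = enc[skip:]
    return out

def scan_tree(root, domains):
    """Return sorted (relative path, domain, encoding) for each hit under root."""
    needles = [(d, k, n) for d in domains for k, n in variants(d).items()]
    hits = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        text = path.read_bytes().decode("latin-1")
        lowered = text.lower()  # base64 needles stay case-sensitive
        for domain, label, needle in needles:
            hay = text if label.startswith("base64") else lowered
            if needle in hay:
                hits.append((path.relative_to(root).as_posix(), domain, label))
    return sorted(hits)

def build_sample_site(root, domain="bad-domain.example"):
    """Write a constructed site: three infected files and one clean one."""
    b64 = base64.b64encode(("http://%s/x" % domain).encode()).decode()
    hexed = "".join("\\x%02X" % b for b in domain.encode())
    pages = {"index.html": '<iframe src="http://%s/"></iframe>' % domain,
             "stats.js": 'var u = atob("%s");' % b64,
             "footer.php": '<?php $u = "%s"; ?>' % hexed,
             "about.html": "<p>About us</p>"}
    for name, body in pages.items():
        (Path(root) / name).write_text(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_tree(site, ["bad-domain.example"]))
```

To use it on a real site, run `scan_tree` on a downloaded copy of the site files with the intermediary and malicious domains listed on the diagnostic page.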

If you can't find the “bad” content, try searching the web for the domain names listed on the diagnostic page. The chances are that someone else has already figured out how those domain names are involved in website exploits.


One of the places where you can find reviews of prevalent hacker attacks is the Sucuri blog.

You might also want to ask for help in the "Malware & hacked sites" section of Google's Webmaster Help forum or at BadwareBusters.org.

Malware Details

If your site is blacklisted or marked as "This site may be hacked" in Google search results, you can usually find additional details about your problem in the "Security Issues" section of Google Webmaster Tools. The details may include the web pages where Google detected malware or spam, the type of malware and examples of the malicious code. Note that, depending on the type of the problem, there may be no examples of malicious code.


2. Clean Up Your Site

Once you've identified the source of the problem, you should clean up your site and take action to prevent reinfection.

Usually the easiest way to clean a site is to restore everything (files, database, configuration files) from a clean backup copy.

Make sure hackers haven't left any backdoor scripts on your server. Malicious files can be hidden deep in the directory structure and may look like legitimate files. So you might want to delete everything before restoring the site from a backup.

When your site is clean, you should take steps to prevent reinfection. Hackers use automated tools and can update malicious content on compromised sites every day. So if you don't secure the site, it may be blacklisted again very soon, or may not even pass the initial malware review.

It is important to investigate the issue and identify the security hole so that you know what caused your specific problem and what should be done to prevent it.

Every case is different, so there are no universal instructions, just best practices.

  • Start with the PCs that you use to work on the site. It's important to keep them virus-free. In order to do that:
    • Scan for malware
    • Keep your essential software up-to-date (online test by Secunia):
      • OS
      • web browser
      • browser plugins (e.g. Flash, Java, Adobe Reader, QuickTime, etc.)
      • anti-virus and/or anti-spyware tools
    • Use browser security extensions like NoScript to minimize risks of being infected while surfing the web.
  • Change all site passwords. Refrain from saving new passwords in FTP programs where malware can easily steal them.
  • If possible, use only secure protocols like SFTP or FTPS. FTP is an insecure protocol that transmits your credentials unencrypted (in clear text), which makes it easy to steal them. Most modern FTP-clients support secure protocols, and you don't have to learn how to use a new program - just change the protocol in the settings. If your hosting plan doesn't include support for secure protocols, you might want to find another web host that provides this feature.
  • Update all third-party scripts. If you use any third-party software on your site (blog, forum, CMS, wiki, e-commerce solution, etc., and their themes, plugins and components), make sure it's up-to-date. Hackers specifically target vulnerabilities in popular scripts, and with their automated tools, they can start a massive attack against vulnerable sites within a matter of a few hours after the discovery of a new security hole. Thus, if the vendor of the script releases a security patch, it's in your best interest to upgrade as soon as possible. (You can check security advisories for your software at Secunia.)

3. Request Malware Review

This step is required if you want to quickly remove your site from Google's blacklist. Once you submit the request, it'll take just a few hours to complete the review and remove the warning if your site is clean. Without the request, it may take several weeks before your site's status is cleared.

The request does two important things:

  1. It tells Google that the owner of the site is aware of the problem and has already taken action to remove the malicious content. This shifts the odds in your favor when they make decisions following ambiguous scan results.
  2. It puts the site on a priority list (it should be scanned within 24 hours)

To be able to request the review, you should add your site to Google Webmaster Tools and verify ownership of the site. Make sure to add both the www and non-www versions of the site. You'll need to request the review at the level where your site is blocked.

Once the site ownership is verified, open it in Webmaster Tools. You might see some messages about security problems right in the Dashboard. Or you can go to the "Security Issues" section and check the details of the problems detected by Google. At the bottom of the page, you will find the "Request a review" button that you should use once the problems are resolved.

What if you don't see the "This site may be distributing malware" warning?

  • You may need to wait for a couple of hours before Webmaster Tools picks up the new status of the site.
  • If you don't see the warning in the Dashboard for example.com, try to check the Dashboard for www.example.com.
  • Are you sure your site is blacklisted? Sometimes you can see a warning in a browser but the site itself is not blacklisted. This happens when your browser detects in real time that a web page contains elements from a malicious site. This is called a cross-site warning. In this case you should clean up the site, but the malware review is not required.

Don’t be afraid to request the review, even if you are not sure that your site is completely clean. If any security issues are detected during the review, they will be reported in your Webmaster Tools account. You can then fix them and request another review.

Don’t delete infected web pages. If Google reports specific URLs as examples of web pages where malicious content was found, it expects to find these pages clean during the review. If the pages cannot be found, Google may assume they were temporarily removed just to pass the review. If you don’t need specific pages, delete their content (you can remove them after a successful review) or configure your web server to return the 410 Gone error.

Malware Review vs Reinclusion Reconsideration

Don't confuse requesting a malware review with requesting reconsideration of your site (for reinclusion into the search index). Malware reviews are automated and usually take less than 24 hours, while reinclusion reconsiderations are not automated and may take several weeks. Blacklisted sites are not removed from search results (they are just labeled as potentially harmful), so if you only need to remove the warning, the reconsideration request is not for you.

Update: With the introduction of the "Security Issues" section in Webmaster Tools on October 30th, 2013, you no longer need to worry about which request you need. Just use the "Request a review" button on that page and your request will result in an automatic review if you have malware problems, in a manual review if your site has spam issues, or in both if your site is affected by both types of security problems.

Useful links

Google Webmaster Tools - register your sites here

Forums where you can ask for help if your site is blacklisted

Google Webmasters/Site owners Help

Official Google Webmaster Central blog

Google Online Security blog

Oliver Fisher's blog

StopBadware.org

This guide is licensed under a Creative Commons Attribution Non-Commercial Share Alike 3.0 License

Copyright © 2022 Sucuri Inc. All rights reserved