
website malware threat alert

  • 21-09-2010 1:40pm
    #1
    Registered Users Posts: 8,070 ✭✭✭


    Calls to some script on almost all sites hosted on one of our servers.
    Now sites show malware warning.

    - Scanning the PC, updated Flash, will see if Acrobat needs update too
    - changed all FTP passwords
    - downloading everything

    What's the best way to get rid of the calls?
    Notepad++ find in all open docs? [there could be up to 100 legitimate infected files, rest is probably archive]

    Most calls are at the end of the page, what if there's ones using iframes?


    Also do I just use Google Webmaster Tools and submit the website back?
    Any idea how long it will take to get off the blacklist?


    Thanks

    P.S: could I point a domain's DNS to a different server? Is it the IP that gets blacklisted?


Comments

  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    1. Plug the exploit (what was the attack vector?).
    2. Remove all the malware script calls.
    3. Re-upload the sites.
    4. Submit in Google Webmaster Tools for review, then wait...
    5. Done.
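
For step 2, an added example (not code from this thread) that scans a downloaded copy of the sites for `<script>` and `<iframe>` tags loading from hosts outside an allowlist, and marks those appended after the closing `</html>`, where the original poster saw most of the calls. The file extensions, hostnames and sample page are assumptions constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# <script src=...> and <iframe src=...> are the two injection forms raised in the thread.
TAG_RE = re.compile(r'<(script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
END_RE = re.compile(r'</html\s*>', re.I)
EXTS = {".html", ".htm", ".php", ".tpl", ".inc"}  # assumed set of page/template types

# Constructed sample page; all hosts are placeholders.
SAMPLE = '''<html><body>
<script src="js/site.js"></script>
<script src="http://cdn.example.org/lib.js"></script>
<iframe src="http://injected.example.net/in.php" width="1" height="1"></iframe>
</body></html>
<script src="//injected.example.net/x.js"></script>
'''

def remote_host(url):
    """Host of an absolute or protocol-relative URL, '' for a relative path."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return "(unparseable)"  # malformed URL: report it rather than skip it

def scan_text(text, allowed_hosts):
    """List (line, tag, url, after_html_close) for each src whose host is not allowed."""
    ends = [m.end() for m in END_RE.finditer(text)]
    close_at = ends[-1] if ends else None
    hits = []
    for m in TAG_RE.finditer(text):
        host = remote_host(m.group(2))
        if not host or host in allowed_hosts:
            continue  # local file or a host the site legitimately uses
        line = text.count("\n", 0, m.start()) + 1
        after = close_at is not None and m.start() > close_at
        hits.append((line, m.group(1).lower(), m.group(2), after))
    return hits

def scan_tree(root, allowed_hosts):
    """Scan every page/template under root; return {path: hits} for files with hits."""
    found = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in EXTS:
            hits = scan_text(p.read_text(errors="replace"), allowed_hosts)
            if hits:
                found[str(p)] = hits
    return found
```

Call `scan_tree()` on the local download with the set of hosts the sites really use. It only catches plain `src=` tags; encoded or script-generated injections need a diff against a known-clean backup.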


  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    Google are quite quick actually, I got off blacklist before within about a week or 2.

    But I also told them I took all measures etc, to protect the site etc etc. Just show you made an effort and found the actual problem that caused it in the first place.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    Webmonkey wrote: »
    Google are quite quick actually, I got off blacklist before within about a week or 2.

    But I also told them I took all measures etc, to protect the site etc etc. Just show you made an effort and found the actual problem that caused it in the first place.

    We had a client's site removed in *3 hours* after we moved hosting and ported it to a new CMS. Very quick turnaround from Google after submitting it in GWT.


  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    Trojan wrote: »
    We had a client's site removed in *3 hours* after we moved hosting and ported it to a new CMS. Very quick turnaround from Google after submitting it in GWT.

    Impressive. Maybe they prioritize sites based on page rank or something.


  • Registered Users Posts: 16,413 ✭✭✭✭Trojan


    Webmonkey wrote: »
    Impressive. Maybe they prioritize sites based on page rank or something.

    I don't think so, this was a PR2 or PR3 site, nothing fancypants :)

    I was well impressed with the speed though!


  • Registered Users Posts: 9,579 ✭✭✭Webmonkey


    Trojan wrote: »
    I don't think so, this was a PR2 or PR3 site, nothing fancypants :)

    I was well impressed with the speed though!

    Yeah PR3 myself. Ah well, depends how they're feeling I guess!


  • Registered Users Posts: 7,739 ✭✭✭mneylon


    Placebo wrote: »
    P.S: could I point a domain's DNS to a different server? Is it the IP that gets blacklisted?

    It's the domain that's listed, not the IP.

    Unless you clean the site, moving it is pointless.

    The two most common attack vectors are:

    - desktop > server - usually an infected PC somewhere which compromises the FTP account

    - server-side - usually an out of date script or plugin for a CMS such as Joomla


  • Registered Users Posts: 8,070 ✭✭✭Placebo


    Thanks guys,
    Google are taking less than 24hrs, which is good.

