Hi

I work at Google helping webmasters. Hopefully there won't be a next time, but for reference, your best bet is to post in our forum specifically about this type of issue: http://www.google.com/support/forum/p/Webmasters/label?lid=2...

For your specific case, unfortunately it can be anything. Start at the HTML and JS and see if it's different in ways you don't expect. Check for obfuscation techniques like base64 encoded PHP code, or JS code in libraries that is not in the original distribution. It really can be anything. Also check your .htaccess, any CMS and its plugins, etc. Really check everything.

That should identify the issue. Once you do, fix it, and try to understand why it happened. Was your FTP password compromised? Was it a known vulnerability in your CMS? Was it a rogue plugin you installed by mistake? Identifying the attack vector is very important as you will need to close it too. Otherwise all your hard work fixing the site will be undone in no time.

Also be sure to check any other parts of your site: the attacker might have entered through one CMS (say a forum) and compromised another (say a blog).

That's basically a summary of what you need to be doing. We have a very detailed guide about dealing with hacked sites: http://www.google.com/support/webmasters/bin/answer.py?answe... . It recommends quarantining the site and returning HTTP 503. That's a very good first step.

And if you need more help, seriously, the forum I linked to above has a great community that knows a lot about identifying and fixing these issues.

Hope this helps, Pierre

Hello Pierre, thanks for chiming in, I appreciate it.

So it appears that we were in fact compromised. The problem is that the Webmaster tools didn't show this until a good 30 minutes after the browsers started complaining. How can this be? Now I feel terrible for posting this in the first place, I would hate to compromise anyone! :(

As soon as we detect malware, that info starts getting sent to various places (e.g. the safe browsing lists that browsers use). But the data can take a while to get everywhere; in this case, it sounds like it made it to browsers a little before webmaster tools. That's unfortunate, but in general we wouldn't want to hold off showing the info in the browsers for any reason, because more users would be infected.

It's a pain to get hacked, but on the bright side it will probably help you harden security in the longer run. Some quick, simple tricks (e.g. use an .htaccess file to make a whitelist of IP addresses that can access your /wp-admin/ directory) can give a lot of protection.

Wow a reply from Matt Cutts himself! _blushes_ :)

Thanks for the explanation, and it makes sense. One thing I would suggest is to update the docs to point this out!

"Please trust the warning over what Webmaster tools says as they might take a while to update".

Love the idea of the .htaccess for /wp-admin/, I'll make sure the WPEngine guys implement that for our site.

So sorry for this whole hoopla everyone, and thanks for the help.

Happy to try to help, and good point about whether we should update the docs.

P.S. This incident aside, nice job on the site--bootstrapping is cool, and I like the idea of lo-fi mockups that are quick and easy to make.

Thanks for the feedback. I'll pass it on.

And good luck with fixing the hack!

Sorry to hear that you got infected. You're getting good advice from pierrefar and others here, but here's one other tip: once you get your site back up, you can doublecheck that you're not infected by using the "Fetch as Googlebot" feature in Google's free webmaster console.

When you use Fetch as Googlebot, we actually send a crawler to your site, fetch the page you request, and then show you exactly what Googlebot saw. It's an extra way to tell if you've gotten rid of the hacked junk.

FWIW, I just visited your site and it contained some compressed JavaScript at the top and a broken link to http: // gsdgsd.freewww.biz/showthread.php?t=72881717 (slightly obfuscated to avoid accidential clicks). It was gone after a reload, so I can't give you any more information.

wow this is definitely a hint. The WPEngine guys are looking into it now.

Happened to seven WP sites I maintain. It's a script and someone got into an account. The script finds all .php and .htm files and adds stuff to the top. If you only have wordpress files, it's an easy fix - reset the password and get a different template.

What does the attack do for those who visited the site trying to figure out what was going on?

The malicious script only inserted an iframe with a broken link, so I wouldn't worry to much.

I would still worry a bit. Some hackers will show a broken link if you're accessing a page directly with no referrers, for example. But if you come in with a referrer or from a search engine, then they might return the malware payload.

If a site was showing up recently in our malware list, it's practically certain that an actual user downloaded malware via the site.

Peldi, something similar to this happened to me for a number of years (I've run my own WP site for 6 years now); every 3 months or so, no matter what I did to lock the site down it would get reinfected with malware.

It got so frustrating that I toyed with just taking the site down permanently a few times because I couldn't handle the maintenance burden psychologically (it was such a downer to be fighting the same fight every few months for 2 years).

BUT, I finally found out what had happened, apparently there are some f-ing ingenious ways people can hide hacks in your WordPress site.

I outlined all of my steps here: http://www.thebuzzmedia.com/finding-and-removing-hidden-word...

The basic trick boils down to uploading a fake HTML or image file that is actually a PHP script that hides in your server folder and is executed by the running process every few weeks which then infects all the other files (adding in JS headers or footers to every template file).

Another nasty trick is to use the same mis-named file uploaded into your /uploads directly, but to register it as one of your WordPress plugins. So if you search the WP database plugin table for non-PHP extensions you might find a "plugin" registered as "/uploads/2011/06/profile.jpg" when in reality it is a PHP file and not an image that WordPress is executing.

The blog post outlines how to find and remove them, I'd also recommend against running WordPress with permissions that don't allow writing except for the /uploads directory.

This means no more automatic updates inside of WordPress, you'll have to do them yourself (same for plugins) but it also means no more hacks getting through and writing themselves to your DB or file system. They can even upload themselves but then cannot effect the system in anyway because the executing process has no write perms.

It has just been a lot easier for me to run in that fashion and keep everything up to date manually.

Hope that helps!

Chrome uses a bloom filter[1] to check a URL against a list of known malware sites. It's possible your URL, by coincidence, has become a false positive.

However the article also mentions that once found in the bloom hashes, Chrome checks in with HQ if the URL is malware or not, probably to avoid false positives. Maybe these servers are down, and Chrome by default marks all (false) positives as malware without checking with HQ.

Keep in mind that this is the web security's equivalent of saying "my program doesn't work because there's a bug a in the compiler", it should be pretty low on the probability list.

[1]: http://blog.alexyakunin.com/2010/03/nice-bloom-filter-applic...

Firefox uses a filter that doesn't give false positives [1]. If your site is blocked (even intermittently) there, it is in Google's malware list.

[1] Actually, the odds are 1 in 2^128 if Google's servers are up, and 2^32 if Google's servers are down.

The only part that is relevant to you is the last part:

"In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message."

So maybe you sourced some external javascript or advertising that contained something bad.

Edit: what does that obfuscated code at the top of the html do? http://pastebin.com/u3T3wJcG

Edit2: I think it's a bit irresponsible to post a page that has been marked as containing malware to a highly trafficked website. You could have at least run it through some alternative scanners first.

We are asking WPEngine to turn off our server immediately.

Hello everyone. Our site is back, clean and the malware warnings are gone. The guys at WPEngine.com dealt with this very quickly and professionally today, you should check them out.

I wrote a little status update here if you're interested: http://pastebin.com/V3jwaL1Q

On one hand I feel bad for posting this and possibly infecting people as a result. On the other we now all have a wonderful collection of tips for securing Wordpress websites. This community is _truly_ valuable. Thanks all.

Peldi

Glad to hear the malware warnings are already gone--thanks for providing an update!

Overwrite core WordPress files first. Run WordPress Exploit Scanner to root out anything in the database, and WordPress File Monitor as a tripwire going forward.

http://wordpress.org/extend/plugins/exploit-scanner/

http://wordpress.org/extend/plugins/wordpress-file-monitor/

That's what I did when I had this same issue happen to me on my WP installs (yeah, the same hole infected other sites on the server). These plugins showed me what files on my server had be changed and where the offending code was.

How old is your WP install? The hole could actually be in a plugin you are using. That was the case with me.

Also, TimThumb.php was recently in the news as having a security hole in it.

For good measure, here is the Hardening Wordpress article from WP: http://codex.wordpress.org/Hardening_WordPress

I used to see this type of problem at Google.

Your site may have been hacked. Check the site:balsamiq.com search for injected hacked pages. Check also for injected text being hidden by CSS, and try if you can to view your site through a proxy like HideMyAss, to see if they are showing you one version of the page and showing users a different one.

Also, if Google knows your site's hacked, there should be a message inside the Webmaster Tools account for balsamiq.com - check there for more information.

That's the thing, Google Webmaster tools says we're all OK! Maybe it just takes a while to notice internally?

Update: Webmaster tools finally woke up and is reporting malware. I guess I should have just waited 30 minutes???? How can their outside systems be updated but not the admin pages they send me to in order to fix the issue? Grrr...

Co-founder of WordPress here -- since no one has mentioned it yet: I would highly recommend VaultPress, it's designed exactly to protect against this sort of thing.

Update: the site is cleaned up and back up, we're just waiting for Google review.

Do you run a Wordpress Blog? Is it up to date? There was a big "Hack" going around last month on the wordpress platform.

Yes it's Wordpress, managed by WPEngine and updated (we're on 3.2.1 right now). The guys at WPEngine are looking into it, waiting for info from them as well (I'll report back here).

Like nodata said, you might want to take a look at third-party plugins / add-ons. My friend had an issue with using a third-party advertising company to run adverts on his site and firefox / chrome flagged the JS it embedded as malicious.

Might be the timthumb vulnerability?

FWIW The sophos anti-virus I'm forced to use at work says this is the problem:

http://www.sophos.com/en-us//threat-center/threat-analyses/v...

It's probably wrong though!

What we have been seeing that web-malware that appears intermittently, only appearing to certain browsers and not appearing twice in a row to the same browser/IP, is usually pushed in via a FTP credential compromise.

The code often resides in template file, in config files and/or sometimes is also put into the database.

We've seen a lot of these kind of "intermittent" malware through the recent timthumb attacks on WP sites:http://www.stopthehacker.com/2011/08/30/timthumb-malware/

You've already got a lot of good information from the other responders, so I will not repeat the obvious, but great, points. Change password, check plugins..

You could also use http://sitecheck.sucuri.net .

However, since the site is now disabled, it won't find anything...

*note that we see this type of malware on sites with vulnerable plugins or using that uploadify script.

thanks,

Run this just in case (free) http://www.qualys.com/forms/trials/stopmalware/

to the person who downvoted me, why is running this or sucuri scanner a bad idea or bad advice when you suspect malware in your site?

Ran without finding anything.

Maldet is an awesome open-source linux program that searches a directory for malware signatures. http://www.rfxn.com/projects/linux-malware-detect/

I've used it dozens of times successfully, and with WordPress sites, it's usually a PHP backdoor uploaded into wp-content/uploads, and then compressed JS added into a file somewhere. Run it with -a.

Good luck!

Can you share what the nature of the malware was?

I've updated my Balsamiq Mockups desktop app at around 10 hrs ago and now am concerned whether malware might have tagged along.

If the site is clean now, should I get a fresh copy?

You should check out CodeGuard[1]. It is a great tool for issues just like this.

[1] https://www.codeguard.com/

Also try masking your user agent as google bot. In the past i've seen people mask the results for google bots to build backlinks.

Rename your wp-admin. Its a known target.

You could run these commands on regular basis

grep -R "document.write(unescape" * > js_malware.txt

grep -iR --include ".php" "[a-zA-Z0-9\/\+]\{255,\}" > php_malware.txt

Once the commands complete, examine the .txt files and see if any files are compromised.