Virus and/or malware warning when entering site

  • Thread starter: Belprice

Belprice

I work for an online travel and leisure company and a few days ago people
started calling us and saying we had a virus and/or malware/spyware warning
popping up when they tried to get into the site. The message is
below:

Reported Attack Site!

This web site at www.forcetravelclub.co.uk has been reported as an
attack site and has been blocked based on your security preference.

Attack sites try to install programs that steal private information, use
your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are
compromised without the knowledge or permission of their owners.

Our IT guy has run all the usual virus and spam/malware/spyware programs and
they all come up clear. I was wondering if the reason for this may be that
someone has hacked into our server and/or done something which makes this
message come up. Also, when you do a Google search for our site (Force Travel
Club) you also get a warning that the site may harm your computer if you go
into it.

It's causing us loads of problems and everyone who goes near the site gets
these warning messages and stays well clear. I would be very, very grateful for
any help or advice on how to deal with this problem.


Thanks in advance.

JC
 
For the Google warning see:

FAQ: Malware and hacked sites
http://www.google.com/support/forum/p/Webmasters/thread?tid=5078e3ae6fc0996a&hl=en

"Q: My site has been labeled as "This site may harm your computer." What
do I do?
A: Clean up your site. If you don't know how to do this, contact your web
host for help.

Q: Google's search results say I have malware, but I can't find it!
A: If you can't find malware on your site yourself, it's generally best to
let the users in the Webmaster Help Forum help you to find it. Oftentimes,
malware is somewhat hidden."

Malware and Hacked Sites section of the Google Webmaster Help Forum
http://www.google.com/support/forum/p/Webmasters/thread?tid=5078e3ae6fc0996a&hl=en

I tried to access the site using Firefox 3.0.17 and now see the "attack
site" warning. It would be nice if you had included such information in
your initial post.
The advisory is provided by Google so just contact them for assistance in
locating where the malicious content may be.

http://www.google.com/safebrowsing/diagnostic?site=http://www.forcetravelclub.co.uk/&hl=en

"What is the current listing status for forcetravelclub.co.uk?

Site is listed as suspicious - visiting this web site may harm your
computer.

Part of this site was listed for suspicious activity 1 time(s) over the
past 90 days.

What happened when Google visited this site?
Of the 4 pages we tested on the site over the past 90 days, 4 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2010-01-19, and the
last time suspicious content was found on this site was on 2010-01-18.

This site was hosted on 1 network(s) including AS15418 (FASTHOSTS).

Has this site acted as an intermediary resulting in further distribution
of malware?

Over the past 90 days, forcetravelclub.co.uk did not appear to function as
an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites,
which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your
site using Google Webmaster Tools. More information about the review
process is available in Google's Webmaster Help Center."



MowGreen
===============
*-343-* FDNY
Never Forgotten
===============

banthecheck.com
"Security updates should *never* have *non-security content* prechecked"
 
Got it. Darn multiposters !!! <w>
It's a sad commentary when a law enforcement website doesn't understand
how their site was hacked.


MowGreen
 
From: "MowGreen" <[email protected]>

| Got it. Darn multiposters !!! <w>
| It's a sad commentary when a law enforcement website doesn't understand
| how their site was hacked.


LE site ?

Looked like a travel club site.
 
"Force" Travel Club, David.
It's "An exclusive web site for Police Officers, Police Staff, and
Retired Police Officers" in the UK.

MG
 
From: "MowGreen" <[email protected]>

| "Force" Travel Club, David.
| It's "An exclusive web site for Police Officers, Police Staff, and
| Retired Police Officers" in the UK.

| MG

I see. Danke.
 
There's a good joke about traveling cops somewhere in this thread...I
just can't think of one at the moment. ;-)
 
Hi Dave, Mo Leo and all others offering me great help and advice.


Thanks thus far for all your help, we are currently going through the info
and advice you all provided. All we want is to remove the warning sign and
have the site up and running again. One of you suggested that we contact
Google and have them remove the message, but how does one go about this?
Also, am I right in that we have a malware issue here, or am I barking up
the wrong tree?

Thanks in advance..

Yours truly, Inspector Clueso... An officer of the LAW!!!!
 
Belprice said:
Hi Dave, Mo Leo and all others offering me great help and advice.


Thanks thus far for all your help, we are currently going through the info
and advice you all provided. All we want is to remove the warning sign and
have the site up and running again. One of you suggested that we contact
Google and have them remove the message, but how does one go about this?
Also, am I right in that we have a malware issue here, or am I barking up
the wrong tree?

Thanks in advance..

Yours truly, Inspector Clueso... An officer of the LAW!!!!

You can't ask Google to remove a warning that is still valid! I know nothing
about building web pages, but I do know yours needs to be edited to remove the
references (links) to nt010.cn. Whoever created your web page must know how to
do that? Only when it is fixed can you expect Google's warning to disappear.

More importantly, you have to find out how an outsider managed to corrupt your
page(s), and fix that.
 
You can contact Google for assistance in cleaning up the "bad" code:

"Q: Google's search results say I have malware, but I can't find it!
A: If you can't find malware on your site yourself, it's generally best
to let the users in the Webmaster Help Forum help you to find it.
Oftentimes, malware is somewhat hidden."

Malware and Hacked Sites section of the Google Webmaster Help Forum
http://www.google.com/support/forum/p/Webmasters/thread?tid=5078e3ae6fc0996a&hl=en


And, as Martin has posted, you need to contact your *Hosting Company *
and find out how the site was hacked in the first place. It is being
hosted by FASTHOSTS, correct ?


MowGreen
 
Belprice said:
Hi Dave, Mo Leo and all others offering me great help and advice.


Thanks thus far for all your help, we are currently going through the info
and advice you all provided. All we want is to remove the warning sign and
have the site up and running again. One of you suggested that we contact
Google and have them remove the message, but how does one go about this?
Also, am I right in that we have a malware issue here, or am I barking up
the wrong tree?

Thanks in advance..

Speaking from personal experience, there is malware on your site. You
just have to find and fix it, and find the opening. Look at the code for
the pages referenced, and especially look for an iframe tag. Also look
at your site with an FTP program for folders that you didn't upload. Use
your web host's stats to see which pages on your site are getting the most
traffic (the hacked pages) and where it is coming from, i.e. referral
pages. Look for the search words visitors are using to get to your site.
Get your web host to help you find out where the hacker got in. Upload
the original pages created by your web site designer and make sure you
don't contaminate them from the hacked pages on your site. Keep
uploading clean pages until the hacking stops; if necessary change the
page names because it's probably being done with a script from a remote
site. Then you need to change the permissions on your pages and folders
to make sure they can't be written to from off the web.

And after your site has stayed clean for a couple of weeks, you can
petition Google to remove the warning.
 
From: "Donahoo" <[email protected]>


| Speaking from personal experience, there is malware on your site. You
| just have to find and fix it, and find the opening. Look at the code for
| the pages referenced, and especially look for an iframe tag. Also look
| at your site with an FTP program for folders that you didn't upload. Use
| your web host's stats to see which pages on your site are getting the most
| traffic (the hacked pages) and where it is coming from, i.e. referral
| pages. Look for the search words visitors are using to get to your site.
| Get your web host to help you find out where the hacker got in. Upload
| the original pages created by your web site designer and make sure you
| don't contaminate them from the hacked pages on your site. Keep
| uploading clean pages until the hacking stops; if necessary change the
| page names because it's probably being done with a script from a remote
| site. Then you need to change the permissions on your pages and folders
| to make sure they can't be written to from off the web.

| And after your site has stayed clean for a couple of weeks, you can
| petition Google to remove the warning.

Your experience does NOT equate to her experience.
The site was scanned with anti-malware software but I doubt it has any.

Chances are extremely high that the malicious actor found a vulnerability in the web site,
exploited it, and inserted redirection code. You don't have to infect the web site and have
malware reside on the web site to do this. It is the site where the user is redirected to
that hosts the malware.
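The checks Donahoo and David describe in the two posts above (an off-site iframe or script injected into an otherwise clean page, hidden or obfuscated redirector code, files and folders the owner never uploaded, and permissions that let a remote script write the pages again) can be run over a copy of the web root instead of by eye. The script below is an added example written for this page; it is not code from any poster, from the site, or from the hosting company. It assumes the site's own hostnames in OWN_HOSTS, it scans two constructed sample pages written to a temporary directory, and it uses nt010.cn in the sample only because that is the domain Martin named above, not because the real injected markup is known.

```python
import os
import re
import stat
import tempfile
import time
from urllib.parse import urlparse

# Hostnames the site legitimately loads content from. Assumed for this
# example; put the real site's domains and any CDN it uses here.
OWN_HOSTS = {"www.forcetravelclub.co.uk", "forcetravelclub.co.uk"}

# <iframe ...> and <script ...> opening tags, any attribute order or quoting.
TAG_RE = re.compile(r"<(iframe|script)\b([^>]*)>", re.IGNORECASE)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Zero-size or hidden frames: how an injected frame is usually kept invisible.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none"""
                       r"""|visibility\s*:\s*hidden""", re.IGNORECASE)
# Decoder idioms that injected redirectors commonly wrap themselves in.
OBFUSC_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(")


def find_injected_tags(html, own_hosts=OWN_HOSTS):
    """Return (kind, detail) findings for one page: frames/scripts whose src
    is off-site, hidden iframes, and obfuscated inline script."""
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = SRC_RE.search(attrs)
        if src:
            host = urlparse(src.group(1)).hostname
            # A relative src has no host and is local; an absolute src to a
            # host the site does not own is what a redirector looks like.
            if host and host.lower() not in own_hosts:
                findings.append(("external_" + tag, src.group(1)))
        if tag == "iframe" and HIDDEN_RE.search(attrs):
            findings.append(("hidden_iframe", m.group(0)))
    obf = OBFUSC_RE.search(html)
    if obf:
        findings.append(("obfuscated_script", obf.group(0)))
    return findings


def scan_tree(root, own_hosts=OWN_HOSTS, modified_within_days=7):
    """Walk a web root and report: files carrying injected tags, files changed
    recently (candidates for pages the owner did not upload), and anything
    world-writable (which lets a remote script rewrite the pages again)."""
    cutoff = time.time() - modified_within_days * 86400
    report = {"injected": {}, "recent": [], "world_writable": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                report["world_writable"].append(os.path.relpath(path, root))
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)
            if st.st_mode & stat.S_IWOTH:
                report["world_writable"].append(rel)
            if st.st_mtime > cutoff:
                report["recent"].append(rel)
            if name.lower().endswith((".html", ".htm", ".php", ".js")):
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_tags(fh.read(), own_hosts)
                if hits:
                    report["injected"][rel] = hits
    return report


# Constructed sample pages, not copies of anything on the real site. The
# second carries the kind of hidden off-site iframe the thread describes.
CLEAN_PAGE = ('<html><body><a href="/offers.html">Offers</a>'
              '<script src="/js/menu.js"></script></body></html>')
INJECTED_PAGE = ("<html><body>Welcome to the club"
                 '<iframe src="http://nt010.cn/" width="0" height="0" frameborder="0">'
                 "</iframe></body></html>")


def demo():
    """Write the sample pages into a temporary web root that also has one
    world-writable upload folder, then scan it."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)  # the bad permission to look for
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "offers.html"), "w") as fh:
        fh.write(INJECTED_PAGE)
    return scan_tree(root)


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Run it against a copy of the web root pulled down over FTP, not against the live server. Anything under "injected" is a page that has been edited and should be replaced from the designer's clean originals; "recent" is the list to compare against what was actually uploaded; "world_writable" is what to tighten before re-uploading, otherwise the remote script Donahoo mentions simply writes the iframe back. A regular-expression scan like this finds the common injection patterns but not every possible one, so a page that comes up clean here still deserves a look if Google's diagnostic keeps flagging it.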
 
Donahoo said:
Speaking from personal experience, there is malware on your site.

It's too soon to make that call. A server's webpage has evidently been
edited to lead clients to malware. How it got edited remains to be seen.
The OP needs to take down the server and use forensics to determine how
the affected page(s) got edited. Possibly a software
vulnerability -something like this:
http://en.wikipedia.org/wiki/Cross-site_scripting.
 
From: "FromTheRafters" <erratic @nomail.afraid.org>


| It's too soon to make that call. A server's webpage has evidently been
| edited to lead clients to malware. How it got edited remains to be seen.
| The OP needs to take down the server and use forensics to determine how
| the affected page(s) got edited. Possibly a software
| vulnerability -something like this:
| http://en.wikipedia.org/wiki/Cross-site_scripting.



Or PHP, SQL-Injection, etc...
 