Warning: Something's Not Right Here!


#1

Google has found malicious software may be installed onto your computer if you proceed. If you’ve visited this site in the past or you trust this site, it’s possible that it has just recently been compromised by a hacker. You should not proceed, and perhaps try again tomorrow or go somewhere else.

Does ANYONE know a solution to fix this? My computer did a scan on all my files and I don’t have one single virus.

I put in a request to Google to re-review the site because it’s blocking it from Chrome. (Haven’t checked with Firefox or IE.)

I normally don’t get mad at companies, but DreamHost is getting on my last nerve. This can turn away 100s of visitors an hour.


#2

That’s great news. Now you need to check the files you uploaded to DreamHost. The warning from Google is about the possibility your own computer is infected. It does not address the possibility that what you have installed on your web site has flaws that open up a different can of worms. See the thread already discussing this at http://discussion.dreamhost.com/thread-134262.html

Do you have someone familiar with web development and computer programming to help you clean your site?


#3

I only have basic skills when it comes to web development, and I don’t know how to scan my site with files already uploaded. How would I do that?


#4

You learn how to do it and do it yourself or you pay someone who knows how. That’s how it works for most things in life.

Or you can ignore the problem and it won’t go away.


#5

Very helpful.

Wasn’t ignoring the problem… that’s the reason I came here.

[quote=“bobocat, post:4, topic:57317”]

You learn how to do it and do it yourself or you pay someone who knows how. That’s how it works for most things in life.

Or you can ignore the problem and it won’t go away.
[/quote]


#6

It helps if you spend some time helping yourself first then. No one is going to hold your hand and walk you through step by step, especially when people have already volunteered their time to consolidate that type of information in the wiki. Which step did you attempt that caused you problems?


#7

Actually, it’s 5 AM right now, and I’ve been working on it since 10 AM.

So far, I have deleted all my subdomains I don’t use, did a virus scan of my computer, did a hard upload of the site, did a backup, and resubmitted the site to Google. Google got back to me and my 2 pages are still malicious, apparently, and I can’t find anything in the source code that seems different.


#8

What’s the website so we can take a look?


#9

What about .htaccess?


#10

[quote=“sXi, post:8, topic:57317”]
What’s the website so we can take a look?
[/quote]

ppmegahelpsite.org and ppmegahelpsite.org/quest.html are the pages. I wasn’t able to locate a .htaccess file.


#11

.htaccess is by default a hidden file from whatever FTP program you’re using; look to enable something like ‘show hidden files’.


#12

Given the redirects to a Russian site I’m guessing the WordPress hack that hit a bunch.


#13

Comin’ up roses now.


#14

Your roses are bugged.

http://sitecheck.sucuri.net/results/ppmegahelpsite.org


#15

Sucuri? Really? meh…

What you are seeing there are not the results of an actual live scan.

I checked OP’s links using IE, FF, Opera and Chrome before making my post above. None issued the warnings OP was complaining about (Chrome most definitely would have). If redirection was present in .htaccess or injected headers then I’d think at least 1 of the 4 browsers would have been redirected. The only problem with the site when I looked was the right popout javascript could use some attention. For what it’s worth, sucuri have been “discovering” exploits in the past few weeks that are > 5 years old in the wild, so inb4buthey’reexperts

Caveat emptor :wink:


#16

It’s an .htaccess exploit as I tried to point out above. They only target requests from search engines:

[code]wget -O - --header "Referer: http://www.google.com" http://ppmegahelpsite.org
--2012-03-24 19:19:32-- http://ppmegahelpsite.org/
Resolving ppmegahelpsite.org... 208.97.136.162
Connecting to ppmegahelpsite.org|208.97.136.162|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://ca-ba.ru/example/status.php [following]
--2012-03-24 19:19:32-- http://ca-ba.ru/example/status.php
Resolving ca-ba.ru... 95.163.67.212
Connecting to ca-ba.ru|95.163.67.212|:80... failed: Connection timed out.
Retrying.

--2012-03-24 19:19:54-- (try: 2) http://ca-ba.ru/example/status.php
Connecting to ca-ba.ru|95.163.67.212|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `STDOUT'

2012-03-24 19:19:55 (7.72 MB/s) - `-' saved [121]

[/code]
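
The check in post #16 is made against the live site; the same kind of redirect can also be looked for in the .htaccess file itself. As an added example (not part of the original thread), this Python script flags rules that are gated on the Referer or User-Agent header and send the visitor to a foreign host. It assumes the redirect is written with mod_rewrite directives; the sample .htaccess, the host names and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample, not taken from the site discussed in the thread.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} google [NC,OR]
RewriteCond %{HTTP_REFERER} bing [NC]
RewriteRule ^ http://redirect.example.invalid/status.php [R=301,L]
RewriteCond %{HTTP_HOST} ^www\\.mysite\\.example$ [NC]
RewriteRule ^(.*)$ http://mysite.example/$1 [R=301,L]
"""

# Request properties that let a rule single out search-engine visitors.
VISITOR_VARS = re.compile(r"%\{HTTP_(REFERER|USER_AGENT)\}", re.I)


def find_conditional_redirects(text, own_hosts):
    """Return (line_no, target, conditions) for each RewriteRule that is
    gated on Referer/User-Agent and sends the visitor to a foreign host."""
    findings, pending = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(raw.strip())  # conditions apply to the next rule
        elif directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            host = (urlparse(target).hostname or "").lower()
            gated = any(VISITOR_VARS.search(c) for c in pending)
            if gated and host and host not in own_hosts:
                findings.append((line_no, target, list(pending)))
            pending = []  # RewriteCond lines never carry past a rule
    return findings


if __name__ == "__main__":
    for line_no, target, conds in find_conditional_redirects(
            SAMPLE_HTACCESS, {"mysite.example", "www.mysite.example"}):
        print(f"line {line_no}: redirect to {target}")
        for cond in conds:
            print(f"    when {cond}")
```

Run it over every .htaccess in the account, including those in parent directories of the site root, since Apache applies those as well. A clean result says nothing about a leftover shell or cron job that rewrites the file again, as post #17 points out.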

#17

It was clear when I checked, and Google reported it was clean as well.

He’s probably got a remote shell sitting on his account being cron’d and become reinfected.


#18

Guaranteed! Which is why I want to know which of the steps in the wiki did s/he have trouble with? It’s kind of frustrating that I and others have gone to the effort to update the wiki with relevant information so that people don’t have to read through thousands of posts to help themselves, but they still come and essentially just say, my site’s broken, I don’t know how to fix it, someone please give me step by step instructions (i.e. do it for me).


#19

I hear ya. You should see my inbox… it’s flooded lol.

Might need to set up an auto-reply with links to your Wiki articles :smiley:


#20

I did read the wiki… But clearly I wasn’t able to figure it out myself, the reason I came here and asked in the forums, which is why we have them. I was able to fix it a few hours after I posted.