

Ask HN: I can't tell why my site is showing malware warning. - balsamiq

UPDATE: we took down our site for now. Thanks all.

UPDATE: STAY AWAY FROM OUR SITE, it seems like it's compromised for real (even though all the official signs point to the opposite). I have asked WPEngine to turn it off immediately.

----

Hello HN, I hope there's some googler here who can help me.

My website http://balsamiq.com has started showing a malware warning in Chrome (and intermittently in Firefox as well) about 20 minutes ago.

The interesting thing is that the Google Diagnostics page here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fbalsamiq.com%2F&client=googlechrome&hl=en-US says we're clean.

Also, Google Webmaster tools says we're clean as well, so there's no way to request a review for them.

Also, http://www.stopbadware.org/home/reportsearch doesn't show anything for balsamiq.com.

OK so if my site is clean, which I think/hope it is, why is it showing the warning and what can I do about it?

Sorry if this is not really "news" but I hope there's someone here who has had this issue before...
======
pierrefar
Hi

I work at Google helping webmasters. Hopefully there won't be a next time, but
for reference, your best bet is to post in our forum specifically about this
type of issue:
[http://www.google.com/support/forum/p/Webmasters/label?lid=2...](http://www.google.com/support/forum/p/Webmasters/label?lid=2fe2a8ee8e37c08e&hl=en)

For your specific case, unfortunately it can be anything. Start at the HTML
and JS and see if it's different in ways you don't expect. Check for
obfuscation techniques like base64 encoded PHP code, or JS code in libraries
that is not in the original distribution. It really can be anything. Also
check your .htaccess, any CMS and its plugins, etc. Really check everything.

That should identify the issue. Once you do, fix it, and try to understand why
it happened. Was your FTP password compromised? Was it a known vulnerability
in your CMS? Was it a rogue plugin you installed by mistake? Identifying the
attack vector is very important as you will need to close it too. Otherwise
all your hard work fixing the site will be undone in no time.

Also be sure to check any other parts of your site: the attacker might have
entered through one CMS (say a forum) and compromised another (say a blog).

That's basically a summary of what you need to be doing. We have a very
detailed guide about dealing with hacked sites:
[http://www.google.com/support/webmasters/bin/answer.py?answe...](http://www.google.com/support/webmasters/bin/answer.py?answer=163634)
. It recommends quarantining the site and returning HTTP 503. That's a very
good first step.

And if you need more help, seriously, the forum I linked to above has a great
community that knows a lot about identifying and fixing these issues.

Hope this helps, Pierre

~~~
balsamiq
Hello Pierre, thanks for chiming in, I appreciate it.

So it appears that we were in fact compromised. The problem is that the
Webmaster tools didn't show this until a good 30 minutes after the browsers
started complaining. How can this be? Now I feel terrible for posting this in
the first place, I would hate to compromise anyone! :(

~~~
Matt_Cutts
As soon as we detect malware, that info starts getting sent to various places
(e.g. the safe browsing lists that browsers use). But the data can take a
while to get everywhere; in this case, it sounds like it made it to browsers a
little before webmaster tools. That's unfortunate, but in general we wouldn't
want to hold off showing the info in the browsers for any reason, because more
users would be infected.

It's a pain to get hacked, but on the bright side it will probably help you
harden security in the longer run. Some quick, simple tricks (e.g. use an
.htaccess file to make a whitelist of IP addresses that can access your
/wp-admin/ directory) can give a lot of protection.

~~~
balsamiq
Wow a reply from Matt Cutts himself! _blushes_ :)

Thanks for the explanation, and it makes sense. One thing I would suggest is
to update the docs to point this out!

"Please trust the warning over what Webmaster tools says as they might take a
while to update".

Love the idea of the .htaccess for /wp-admin/, I'll make sure the WPEngine
guys implement that for our site.

So sorry for this whole hoopla everyone, and thanks for the help.

~~~
Matt_Cutts
Happy to try to help, and good point about whether we should update the docs.

P.S. This incident aside, nice job on the site--bootstrapping is cool, and I
like the idea of lo-fi mockups that are quick and easy to make.

------
rkalla
Peldi, something similar to this happened to me for a number of years (I've
run my own WP site for 6 years now); every 3 months or so, no matter what I
did to lock the site down it would get reinfected with malware.

It got so frustrating that I toyed with just taking the site down permanently
a few times because I couldn't handle the maintenance burden psychologically
(it was such a downer to be fighting the same fight every few months for 2
years).

BUT, I finally found out what had happened, apparently there are some f-ing
ingenious ways people can hide hacks in your WordPress site.

I outlined all of my steps here: [http://www.thebuzzmedia.com/finding-and-removing-hidden-word...](http://www.thebuzzmedia.com/finding-and-removing-hidden-wordpress-hacks/)

The basic trick boils down to uploading a fake HTML or image file that is
actually a PHP script that hides in your server folder and is executed by the
running process every few weeks which then infects all the other files (adding
in JS headers or footers to every template file).

 _Another_ nasty trick is to use the same mis-named file uploaded into your
/uploads directly, but to register it as one of your WordPress plugins. So if
you search the WP database plugin table for non-PHP extensions you might find
a "plugin" registered as "/uploads/2011/06/profile.jpg" when in reality it is
a PHP file and not an image that WordPress is executing.

The blog post outlines how to find and remove them, I'd also recommend against
running WordPress with permissions that don't allow _writing_ except for the
/uploads directory.

This means no more automatic updates inside of WordPress, you'll have to do
them yourself (same for plugins) but it also means no more hacks getting
through and writing themselves to your DB or file system. They can even upload
themselves but then cannot affect the system in any way because the executing
process has no write perms.

It has just been a lot easier for me to run in that fashion and keep
everything up to date manually.

Hope that helps!
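
The two tricks above (a disguised PHP file under /uploads, and a non-PHP path registered as an active plugin) can be checked for mechanically. The following is an added example, not code from the linked blog post: it parses a constructed copy of the WordPress `active_plugins` option (PHP `serialize()` format; entries are relative to wp-content/plugins, so an uploads path appears as `../uploads/...`) and scans an uploads tree for image or text files that contain a PHP open tag.

```python
import re
import tempfile
from pathlib import Path

# Constructed wp_options.active_plugins value (PHP serialize() format). Entries are relative
# to wp-content/plugins, so rkalla's profile.jpg "plugin" under uploads appears as a ../ path.
SAMPLE_ACTIVE_PLUGINS = (
    'a:3:{i:0;s:19:"akismet/akismet.php";'
    'i:1;s:36:"contact-form-7/wp-contact-form-7.php";'
    'i:2;s:30:"../uploads/2011/06/profile.jpg";}'
)
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
NON_CODE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".html", ".htm", ".txt"}

def parse_php_string_array(blob):
    """Parse serialize() output for a list of strings; the length prefix (bytes; ASCII assumed) makes quotes or ';' inside values harmless."""
    head = re.match(r"a:(\d+):\{", blob)
    if not head:
        raise ValueError("not a serialized PHP array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        key = re.match(r'i:\d+;s:(\d+):"', blob[pos:])
        if not key:
            raise ValueError(f"unexpected token at offset {pos}")
        start = pos + key.end()
        end = start + int(key.group(1))
        if blob[end:end + 2] != '";':
            raise ValueError(f"bad string terminator at offset {end}")
        items.append(blob[start:end])
        pos = end + 2
    return items

def suspicious_plugins(entries):
    """Flag entries that are not .php files or that climb out of wp-content/plugins."""
    return [e for e in entries if not e.lower().endswith(".php") or ".." in e.split("/")]

def files_hiding_php(root):
    """Files whose extension says image/text but whose bytes contain a PHP open tag."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in NON_CODE_EXT
                  and PHP_TAG.search(p.read_bytes()))

def run_demo():
    """Build a constructed uploads tree in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp) / "uploads" / "2011" / "06"
        up.mkdir(parents=True)
        (up / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)  # genuine image header
        (up / "profile.jpg").write_bytes(b"\xff\xd8\xff<?php echo 'constructed sample'; ?>")
        return files_hiding_php(Path(tmp) / "uploads")
```

On a real install, feed `parse_php_string_array` the value of `SELECT option_value FROM wp_options WHERE option_name='active_plugins'` and point `files_hiding_php` at wp-content/uploads.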

------
Matt_Cutts
Sorry to hear that you got infected. You're getting good advice from pierrefar
and others here, but here's one other tip: once you get your site back up, you
can double-check that you're not infected by using the "Fetch as Googlebot"
feature in Google's free webmaster console.

When you use Fetch as Googlebot, we actually send a crawler to your site,
fetch the page you request, and then show you exactly what Googlebot saw. It's
an extra way to tell if you've gotten rid of the hacked junk.

------
danielh
FWIW, I just visited your site and it contained some compressed JavaScript at
the top and a broken link to http: //
gsdgsd.freewww.biz/showthread.php?t=72881717 (slightly obfuscated to avoid
accidental clicks). It was gone after a reload, so I can't give you any more
information.

~~~
balsamiq
wow this is definitely a hint. The WPEngine guys are looking into it now.

~~~
bphogan
Happened to seven WP sites I maintain. It's a script and someone got into an
account. The script finds all .php and .htm files and adds stuff to the top.
If you only have wordpress files, it's an easy fix - reset the password and
get a different template.

~~~
DanielStraight
What does the attack do for those who visited the site trying to figure out
what was going on?

~~~
danielh
The malicious script only inserted an iframe with a broken link, so I wouldn't
worry too much.

~~~
Matt_Cutts
I would still worry a bit. Some hackers will show a broken link if you're
accessing a page directly with no referrers, for example. But if you come in
with a referrer or from a search engine, then they might return the malware
payload.

If a site was showing up recently in our malware list, it's practically
certain that an actual user downloaded malware via the site.

------
relix
Chrome uses a bloom filter[1] to check a URL against a list of known malware
sites. It's possible your URL, by coincidence, has become a false positive.

However the article also mentions that once found in the bloom hashes, Chrome
checks in with HQ if the URL is malware or not, probably to avoid false
positives. Maybe these servers are down, and Chrome by default marks all
(false) positives as malware without checking with HQ.

Keep in mind that this is the web security's equivalent of saying "my program
doesn't work because there's a bug in the compiler", it should be pretty low
on the probability list.

[1]: [http://blog.alexyakunin.com/2010/03/nice-bloom-filter-applic...](http://blog.alexyakunin.com/2010/03/nice-bloom-filter-application.html)

~~~
gcp
Firefox uses a filter that doesn't give false positives [1]. If your site is
blocked (even intermittently) there, it is in Google's malware list.

[1] Actually, the odds are 1 in 2^128 if Google's servers are up, and 2^32 if
Google's servers are down.

------
nodata
The only part that is relevant to you is the last part:

"In some cases, third parties can add malicious code to legitimate sites,
which would cause us to show the warning message."

So maybe you sourced some external javascript or advertising that contained
something bad.

Edit: what does that obfuscated code at the top of the html do?
<http://pastebin.com/u3T3wJcG>

Edit2: I think it's a bit irresponsible to post a page that has been marked as
containing malware to a highly trafficked website. You could have at least run
it through some alternative scanners first.

~~~
balsamiq
We are asking WPEngine to turn off our server immediately.

------
balsamiq
Hello everyone. Our site is back, clean and the malware warnings are gone. The
guys at WPEngine.com dealt with this very quickly and professionally today,
you should check them out.

I wrote a little status update here if you're interested:
<http://pastebin.com/V3jwaL1Q>

On one hand I feel bad for posting this and possibly infecting people as a
result. On the other we now all have a wonderful collection of tips for
securing Wordpress websites. This community is _truly_ valuable. Thanks all.

Peldi

~~~
Matt_Cutts
Glad to hear the malware warnings are already gone--thanks for providing an
update!

------
e03179
Overwrite core WordPress files first. Run WordPress Exploit Scanner to root
out anything in the database, and WordPress File Monitor as a tripwire going
forward.

<http://wordpress.org/extend/plugins/exploit-scanner/>

<http://wordpress.org/extend/plugins/wordpress-file-monitor/>

That's what I did when I had this same issue happen to me on my WP installs
(yeah, the same hole infected other sites on the server). These plugins showed
me what files on my server had been changed and where the offending code was.

How old is your WP install? The hole could actually be in a plugin you are
using. That was the case with me.

Also, TimThumb.php was recently in the news as having a security hole in it.

For good measure, here is the Hardening Wordpress article from WP:
<http://codex.wordpress.org/Hardening_WordPress>

------
kevinburke
I used to see this type of problem at Google.

Your site may have been hacked. Check the site:balsamiq.com search for
injected hacked pages. Check also for injected text being hidden by CSS, and
try if you can to view your site through a proxy like HideMyAss, to see if
they are showing you one version of the page and showing users a different
one.

Also, if Google knows your site's hacked, there should be a message inside the
Webmaster Tools account for balsamiq.com - check there for more information.

~~~
balsamiq
That's the thing, Google Webmaster tools says we're all OK! Maybe it just
takes a while to notice internally?

~~~
balsamiq
Update: Webmaster tools finally woke up and is reporting malware. I guess I
should have just waited 30 minutes???? How can their outside systems be
updated but not the admin pages they send me to in order to fix the issue?
Grrr...

------
photomatt
Co-founder of WordPress here -- since no one has mentioned it yet: I would
highly recommend VaultPress, it's designed exactly to protect against this
sort of thing.

------
balsamiq
Update: the site is cleaned up and back up, we're just waiting for Google
review.

------
knes
Do you run a Wordpress Blog? Is it up to date? There was a big "Hack" going
around last month on the wordpress platform.

~~~
balsamiq
Yes it's Wordpress, managed by WPEngine and updated (we're on 3.2.1 right
now). The guys at WPEngine are looking into it, waiting for info from them as
well (I'll report back here).

~~~
DuqE
Like nodata said, you might want to take a look at third-party plugins /
add-ons. My friend had an issue with using a third-party advertising company to
run adverts on his site and firefox / chrome flagged the JS it embedded as
malicious.

------
aliparr
FWIW The sophos anti-virus I'm forced to use at work says this is the problem:

[http://www.sophos.com/en-us//threat-center/threat-analyses/v...](http://www.sophos.com/en-us//threat-center/threat-analyses/viruses-and-spyware/Mal~HTMLGen-A.aspx)

It's probably wrong though!

------
sucuri2
You could also use <http://sitecheck.sucuri.net> .

However, since the site is now disabled, it won't find anything...

*note that we see this type of malware on sites with vulnerable plugins or using that uploadify script.

thanks,

------
absth
What we have been seeing is that web-malware that appears intermittently, only
appearing to certain browsers and not appearing twice in a row to the same
browser/IP, is usually pushed in via an FTP credential compromise.

The code often resides in template files, in config files and/or sometimes is
also put into the database.

We've seen a lot of these kinds of "intermittent" malware through the recent
timthumb attacks on WP
sites: <http://www.stopthehacker.com/2011/08/30/timthumb-malware/>

You've already got a lot of good information from the other responders, so I
will not repeat the obvious, but great, points. Change password, check
plugins..

------
tonywebster
Maldet is an awesome open-source linux program that searches a directory for
malware _signatures_. <http://www.rfxn.com/projects/linux-malware-detect/>

I've used it dozens of times successfully, and with WordPress sites, it's
usually a PHP backdoor uploaded into wp-content/uploads, and then compressed
JS added into a file somewhere. Run it with -a.

Good luck!

------
fduran
Run this just in case (free) <http://www.qualys.com/forms/trials/stopmalware/>

~~~
fduran
to the person who downvoted me, why is running this or sucuri scanner a bad
idea or bad advice when you suspect malware in your site?

~~~
justincormack
Because it didn't find anything, while there were positive useful suggestions,
and sightings of malware by actually visiting the site. What value is a link
to a service that doesn't work?

------
donpark
Can you share what the nature of the malware was?

I've updated my Balsamiq Mockups desktop app at around 10 hrs ago and now am
concerned whether malware might have tagged along.

If the site is clean now, should I get a fresh copy?

------
d0ne
You should check out CodeGuard[1]. It is a great tool for issues just like
this.

[1] <https://www.codeguard.com/>

------
didigogo
Also try masking your user agent as google bot. In the past I've seen people
mask the results for google bots to build backlinks.

------
jccodez
Rename your wp-admin. It's a known target.

------
infocaptor
You could run these commands on a regular basis:

    grep -R "document.write(unescape" * > js_malware.txt

    grep -iR --include "*.php" "[a-zA-Z0-9\/\\+]\\{255,\\}" * > php_malware.txt

Once the commands complete, examine the .txt files and see if any files are
compromised.

