
Diagnostic page for Google.com - dushyant
http://www.google.com/safebrowsing/diagnostic?site=google.com
======
q2
Few honest questions:

1\. If Google detects something as malware, i.e. Google software knows that it
can be dangerous to users, then why can it not prevent itself from acting as an
intermediary? Also, why does it not stop hosting malware?

2\. >>> Malicious software is hosted on 279 domain(s), including
24corp-shop.com/, abu-farhan.com/, soaksoak.ru/.

These web domains do not belong to Google. It seems google is downloading
several pages onto its server for various purposes. Is it legal in all
countries?

From the architecture point of view, is it difficult to sandbox/protect the
user-facing google.com search engine from the above websites all the time, so
that if malware is there, it does not affect the search engine or other major
parts? Users are not security-literate.

3\. What should I do as a user? Just ignore this, assuming that this is for
webmasters and not for ordinary users?

Honestly, for me personally, malware on google is unimaginable, since we
consider it as gold standard on the web.

~~~
johnmu
It's important for us (I work at Google on web-search) to be transparent about
these reports, and we use them to remove / block content that is malicious too
(just like other sites can use the Safe-Browsing API to get information about
sites they host). With regards to where it's hosted, there are two main
elements involved: a site that actually hosts the exploit (which could be a
Windows EXE file, etc), and a site that sends the user to that exploit. Often
these are separate. Sometimes it's not even a direct embedding of a known
malicious site, for example, it could be that a counter/analytics-tracking
site is hacked, which could result in all other sites that use those
counters/scripts unknowingly sending users to malicious content.

From talking with webmasters, I have seen almost no false-positives in this
flagging, but it's sometimes very hard to find the actual exploit. It
sometimes hides from some visitors (direct visitors - like the webmaster -
might not see it, it might only be visible for those coming from search),
sometimes is limited to geographies or devices. This makes finding the exploit
hard sometimes, and fixing the website so that it's no longer vulnerable to
the attack that dropped the exploit isn't easy in many cases either.

I take these warnings very seriously when I see them in the browser, even when
accessing a site with a fairly locked-down & up-to-date browser. I would
recommend never skipping them, even to diagnose an issue (use other tools for
that).

~~~
artenix
Hi there! Why so many security reports on blogspot?
[http://www.google.com/safebrowsing/diagnostic?site=blogspot....](http://www.google.com/safebrowsing/diagnostic?site=blogspot.com)

------
mempko
And for DuckDuckGo,
[http://www.google.com/safebrowsing/diagnostic?site=duckduckg...](http://www.google.com/safebrowsing/diagnostic?site=duckduckgo.com)

~~~
screwedup
"Of the 153 pages we tested on the site over the past 90 days...."

That's a small sample.

~~~
debacle
[https://duckduckgo.com/robots.txt](https://duckduckgo.com/robots.txt)

------
diakritikal
Would some kind soul please describe to me what this does? My corporate eager
beaver network admins seem to consider this some kind of problem site and its
URL is blocked by our gateway proxy.

~~~
ciupicri
Safe Browsing Diagnostic page for google.com

 _What is the current listing status for google.com?_

This site is not currently listed as suspicious.

Part of this site was listed for suspicious activity 12 time(s) over the past
90 days.

 _What happened when Google visited this site?_

Of the 6815255 pages we tested on the site over the past 90 days, 1686 page(s)
resulted in malicious software being downloaded and installed without user
consent. The last time Google visited this site was on 2015-01-22, and the
last time suspicious content was found on this site was on 2015-01-22.

Malicious software includes 139894 exploit(s), 2748 trojan(s), 502 virus.
Successful infection resulted in an average of 5 new process(es) on the target
machine.

Malicious software is hosted on 275 domain(s), including 24corp-shop.com/,
abu-farhan.com/, soaksoak.ru/.

296 domain(s) appear to be functioning as intermediaries for distributing
malware to visitors of this site, including southeastasianarchaeology.com/,
thesmallbusinessplaybook.com/, impots-economie.com/.

This site was hosted on 3 network(s) including AS36040 (YOUTUBE), AS43515
(YOUTUBE), AS15169 (GOOGLE).

 _Has this site acted as an intermediary resulting in further distribution of
malware?_

Over the past 90 days, google.com appeared to function as an intermediary for
the infection of 528 site(s) including s3.amazonaws.com/lowlordyok/,
s3.amazonaws.com/fann21ahsdc/, s3.amazonaws.com/skcfb01kpl/.

 _Has this site hosted malware?_

Yes, this site has hosted malicious software over the past 90 days. It
infected 22 domain(s), including burguscircus.free.fr/,
plus.google.com/112502198606472559837/, beljews.info/.

 _Next steps:_

Return to the previous page. If you are the owner of this web site, you can
request a review of your site using Google Webmaster Tools. More information
about the review process is available in Google's Webmaster Help Center.

~~~
nailer
I'm not sure re-posting the site answers the OP's question.

This is likely the result of user generated content running on a google.com
subdomain.

~~~
adam12
"Would some kind soul please describe to me what this does, my corporate eager
beaver network admins seem to consider this some kind of problem site and its
URL is BLOCKED by our gateway proxy."

------
27182818284
I just tried with a known, compromised site and that scanner said it was OK,
so be cautious.

~~~
mparlane
I have seen php malware distribution code that checks if it's a google
originating address and doesn't display to the "user" if it is.
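
johnmu's and mparlane's comments above both describe injected content that is shown only to some visitors (by referrer, device, geography or source address). As an added example, not code from the thread or from Google, this Python compares saved responses for one URL under different visitor profiles and reports remote hosts that appear only in some of them; the profile names and `.example` hosts are constructed, and collecting the responses is assumed to happen elsewhere.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class RemoteLoads(HTMLParser):
    """Collect the hosts a page pulls content from or redirects to."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = None
        if tag in ("script", "iframe", "embed"):
            url = a.get("src")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=http://host/path"
            url = (a.get("content") or "").partition("=")[2]
        host = urlparse((url or "").strip(" '\"")).hostname
        if host:  # relative URLs have no host and are skipped
            self.hosts.add(host)


def remote_hosts(html):
    parser = RemoteLoads()
    parser.feed(html)
    return parser.hosts


def cloaked_hosts(responses, baseline="direct"):
    """Map each non-baseline profile to hosts it references that the baseline lacks."""
    base = remote_hosts(responses[baseline])
    extra = {name: sorted(remote_hosts(body) - base)
             for name, body in responses.items() if name != baseline}
    return {name: hosts for name, hosts in extra.items() if hosts}


# Constructed sample bodies, as if saved from three fetches of the same page.
SAMPLES = {
    "direct": '<script src="https://counter.example/c.js"></script>',
    "search_referrer": '<script src="https://counter.example/c.js"></script>'
                       '<iframe src="//landing.example/x" width=0></iframe>',
    "mobile_ua": '<meta http-equiv="refresh" content="0; url=http://redirect.example/m">'
                 '<script src="/local.js"></script>',
}

if __name__ == "__main__":
    for profile, hosts in cloaked_hosts(SAMPLES).items():
        print(profile, "->", ", ".join(hosts))
```

A host that shows up only for one profile is a lead to review, not proof of compromise, since legitimate sites also vary content by device.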

------
ldng
AS36040 (YOUTUBE), AS43515 (YOUTUBE), AS15169 (GOOGLE), AS54113 (FASTLY),
AS36459 (GITHUB), AS16509 (AMAZON-02), AS14618 (AMAZON-AES), AS16509
(AMAZON-02), AS38895 (AMAZON-AS-AP) and so on.

Could someone tell me more about those network codes?

Where do they come from? Specific to Google or following some standard?

~~~
gtrubetskoy
AS numbers are part of the BGP protocol. When you are a large organization with
multiple presence points on the internet you need to advertise your prefixes
(routes), i.e. the IP blocks that you host behind your routers, and to do that
you need to be an "Autonomous System" and to be one you need to register with
IANA (it costs $500 I think and you need to prove that you actually need one)
and you get an AS number. The technical details are here:
[https://tools.ietf.org/html/rfc4271](https://tools.ietf.org/html/rfc4271)

------
spdy
How can google.com be used to serve malicious content?

~~~
rplnt
For example gmail is on google.com, so is google drive, google translate (I
think this might be a big one), and various other services that host user
content.

~~~
yaddayadda
And code.google.com

Someone briefly had a pointer to
[http://www.google.com/safebrowsing/diagnostic?site=code.goog...](http://www.google.com/safebrowsing/diagnostic?site=code.google.com),
which includes:

> Malicious software is hosted on 23 domain(s), including
> sms-bomber.googlecode.com/, gdata-issues.googlecode.com/,
> infojob.googlecode.com/.

------
dmd
The diagnostic page doesn't appear to always be strictly accurate. For
instance, it says "Google has not visited this site within the past 90 days."
for many of my sites which it has crawled daily for years.

~~~
yaddayadda
I assume there are different levels of data collected for different types of
visits. For example, Google may just collect data for the PageRank algorithm
(i.e. your pages have been visited by google.com) or they may _also_ collect
safebrowsing/diagnostic data (i.e. your pages have been visited by google.com
_and_
[http://www.google.com/safebrowsing/diagnostic](http://www.google.com/safebrowsing/diagnostic)).

------
acd
[http://www.google.com/safebrowsing/diagnostic?site=www.sourc...](http://www.google.com/safebrowsing/diagnostic?site=www.sourceforge.net)

"Of the 10 pages we tested on the site over the past 90 days, 0 page(s)
resulted in malicious software being downloaded and installed without user
consent."

What about bundleware fail?

[http://httpshaming.tumblr.com/post/95068402386/filezilla-sou...](http://httpshaming.tumblr.com/post/95068402386/filezilla-sourceforge-installer-insecure)

------
pherocity_
My personal site is literally safer than google by google's own tool.

~~~
cheeze
Probably quite a bit less traffic and content too.

~~~
pherocity_
Just a smidgen. If you sign up, I would have 1 user. But it's safe.

------
cwmma
Is this due to people with viruses/compromised routers going to their home
screen (google) and having that redirected to some malicious page?

~~~
yaddayadda
Some of it could actually be hosted through code.google.com

~~~
cwmma
ah good point, though github.io does not seem to have that problem
[http://www.google.com/safebrowsing/diagnostic?site=github.io](http://www.google.com/safebrowsing/diagnostic?site=github.io)

~~~
yaddayadda
repost from another sub-thread [1]...

Someone briefly had a pointer to
[http://www.google.com/safebrowsing/diagnostic?site=code.goog...](http://www.google.com/safebrowsing/diagnostic?site=code.goog...),
which includes:

> Malicious software is hosted on 23 domain(s), including
> sms-bomber.googlecode.com/, gdata-issues.googlecode.com/,
> infojob.googlecode.com/.

I would actually compare it to github.com and github.io
[http://www.google.com/safebrowsing/diagnostic?site=github.co...](http://www.google.com/safebrowsing/diagnostic?site=github.com)

[1]
[https://news.ycombinator.com/item?id=8934594](https://news.ycombinator.com/item?id=8934594)

------
yaddayadda
On the one hand, I feel smugly better about using another browser[1]. But how
could I feel this without google (i.e. google.com/safebrowsing/diagnostic) to
provide the ammunition? I'm so confused now.

[1]
[http://www.google.com/safebrowsing/diagnostic?site=duckduckg...](http://www.google.com/safebrowsing/diagnostic?site=duckduckgo.com)

~~~
adamkochanowicz
Another browser? You mean search engine?

~~~
yaddayadda
Thank you for the correction. (I clearly hadn't had my morning coffee yet!)

------
NextPerception
So now all my domains have a "permanent record". I am having grade school
flashbacks.

~~~
joekrill
If by "permanent" you mean "90 days", then yes.

------
alexyoung
The comparison with Bing is interesting:

[http://www.google.com/safebrowsing/diagnostic?site=bing.com](http://www.google.com/safebrowsing/diagnostic?site=bing.com)

"This site was hosted on 25 networks" vs. 3, 1 virus vs. 503.

~~~
abraham
Also 83476 pages tested vs 6893497.

------
nissimk
Is it the ads? Most malware is distributed through ads. I don't think there's
a risk in AdWords text based ads, but the display ads frequently include
malicious software. That and download.com. I'm glad I use the ad blocker.

~~~
kozlinov
I wonder why your comment is downvoted. It seems there is some bot on this
site randomly downvoting comments.

------
blossoms
GitHub's is also _not_ clean:
[https://www.google.com/safebrowsing/diagnostic?site=github.c...](https://www.google.com/safebrowsing/diagnostic?site=github.com)

~~~
eridal
2 of 139816 is 0,000014305%

~~~
axorb
isn't it 0.00143045%?

------
flurpitude
Odd that it provides links to the sites that hosted malicious content. That
seems like a poor design decision.

~~~
highwind
Actually they link to the Diagnostic page for the malicious site.

------
salibhai
This is hilarious

~~~
kozlinov
This comment has been downvoted by the downvoting bot.

~~~
brazzledazzle
There may be a downvoting bot, but if the culture here is anything like reddit
was 5-7 years ago 'haha' type comments are probably frowned on.

------
known
[http://validator.w3.org/check?uri=microsoft.com](http://validator.w3.org/check?uri=microsoft.com)

~~~
razster
I'm OCD and a slight perfectionist, so when I use this on my site I spend
hours making sure I have not a single issue. After seeing that! I would go
insane.

Makes you wonder how come M$ doesn't make their site more compatible? As a
multi-billion dollar company, they should have higher standards and meet the
W3 standards.

