Reported attack site message

[vinay11111]

Hi,

Various of my sites are now giving reported attack website message. I did little research and found that its due to some <iframe> injection in the code of my website.

Please suggest if there is any solution to get rid of this message.

Thanks...

[wige]

Where are you receiving the message?

The first step, of course, will be removing the infected code, and securing the server to close whatever vulnerability is allowing the attacker to compromise the site.

[Dubbya]

Without visiting your site, I'm thinking that this may have have been implemented using SQL injection in one of your web forms.

When Wige recommends securing your site, a good place to start would be with your forms. They need a data parsing script to strip out illegal characters that might be used to run SQL scripting that messes with your database.

Here's an article that might be of use to you:
CodeProject: SQL Injection Attacks and Some Tips on How to Prevent Them. Free source code and programming help

Good luck.

[GarrickGreen]

We had a similar problem with IE giving a warning message when using an iframe the message stated that it was a "potential vulnerability / compromise" in the page code - scaring off potential users. Having double checked and triple checked the code; all was fine.

It came down to IE requiring the correct privacy policy permissions to be put in place for the site which sorted the matter. Using the iframe and taking information through it meant establishing the correct policy and this has to conform with the P3P policy standards (for IE to render without popping an error) and we initially, for speed of getting it in place, used the generation tool provided at ....p3pwiz... (cant post full URL due to being a newbe poster).

It's worth trying if you've checked your code, ruled out SQL injection, and haven't checked your P3P/come to an answer.

Mike.
GMP Group Ltd
Intuitive Internet Software & Systems

[rfuess]

I have had a similar problem. This was either an iframe right after the body tag opens, or a js tag right after the body tag opens.

CAUSE: A virus/trojan on my computer - that scraped ftp data. I didn't believe it at first - but when I noticed a trend - that it happened to several webites (different web hosts) that I posted using ftp - then I realized it was true. Even if the virus/trojan was removed recently the damage could already be done - they may already have your ftp info.

Some of them Google noticed and flagged as a reported attack website. Some Google didnt notice yet.

SOLUTION:

1) Run spyware software on your computer. Something like (free) MalwareBytes works well.
2) Fix websites - as described. Repost any files that were updated lately with a non-infected file.
3) Let Google know that the site is corrected - if Google shows this message. Google provides links to do this when you find such a site. You will probably need to "verify" the site with a meta-tag or a html page upload.
4) CHANGE the ftp password on each of these sites IMMEDIATELY - or it WILL happen again!

[vinay11111]

Quote:

Originally Posted by wige

Where are you receiving the message?

The first step, of course, will be removing the infected code, and securing the server to close whatever vulnerability is allowing the attacker to compromise the site.

I am getting this message when I open the site in firefox as well as ini google SERPs

Please check Attorney Medical Malpractice – area of Legal & Professional Medical Malpractice

[vinay11111]

Quote:

Originally Posted by Dubbya

Without visiting your site, I'm thinking that this may have have been implemented using SQL injection in one of your web forms.

When Wige recommends securing your site, a good place to start would be with your forms. They need a data parsing script to strip out illegal characters that might be used to run SQL scripting that messes with your database.

Here's an article that might be of use to you:
CodeProject: SQL Injection Attacks and Some Tips on How to Prevent Them. Free source code and programming help

Good luck.

You are right, Its some kind of code injection an Iframe code is added to the website somewhat near the <body> tag and no matter how many time I remove the code it get added in the website.

Normally the code get inserted in the index pages of the website only.

[danlefree]

The Google Safe Browsing Diagnostic reports:

Quote:

The last time Google visited this site was on 2009-06-23, and the last time suspicious content was found on this site was on 2009-06-23.

You really should not post links to your site if it may mean that more people are exposed to the infection.

If you are hosted by LiquidWeb on any kind of managed plan, they should be able to offer assistance - otherwise, now would be a good time to restore from backups and/or complete the audits suggested by prior posters.

[vinay11111]

thanks all of you... reported attack message is removed no but I am suspicious it may appear again...

[NetProwler]

If you are on a shared hosting, you will have to ask your host to address this issue. If you have already done a full security auditing of your site and still find that your pages are added with malicious codes, there is a good chance that one of the other sites in the same server may have been compromised.

If you have a full backup, delete the files then the directories and rebuild the entire structure from scratch. Change all the passwords to more robust ones. Set up a monitoring script in another server to check your index page at regular intervals. If there is any change, the script should alert you. That gives you some time before people or robots come calling. If they can still change your code, it is certain that your server is not secure enough.

[urb100]

i had exact same problem with sites on goDaddy shared hosting.
i kept cleaning up - going through all the steps described here and more ... and it kept on coming back. ...

after few cycles, it stopped ... and has not happened again ... never got to the bottom of the reason ...

i think it was security hole of the goDaddy's server.
i tested with a site which as no forms, nothing. Just 1 page with skeletal html and still it happened - so form is not the only door they hijack the site.
But not sure what exactly causes it.