Reported Attack Message and Cannonical Issues

[vinay11111]

Hi All,

this is in continuationwith my previous post at webproworld (Reported attack site message).

I have observed something that's pretty strange. Sometimes my website doesn't displays reported attack message when I open the website without www. I am curious if malicious software attacks only www version only.

and if its true then will redirecting the website can help me get rid of the this virus/malware attack inmy site.

Thanks a lot...

[morestar]

Did you perform any of the suggestions that were provided to you in the link you provided?

[vinay11111]

Yes it worked initially but now again I am getting the reported attack message.

But my main aim for this post is to know wheather virus attack reflects only to www version of a site or not.

Thank you

[morestar]

My first instinct is that it is not because the code on your domain.com/index.php or .html page essentially is the same as the www,domain.com/index.php page and so forth.

But I'm sure others will have a more definitely answer for you.

Is the site in question any of the sites in your signature?

[vinay11111]

Quote:

Originally Posted by morestar

My first instinct is that it is not because the code on your domain.com/index.php or .html page essentially is the same as the www,domain.com/index.php page and so forth.

contnet is same for domain.com www.....com and index file

Quote:

Originally Posted by morestar

Is the site in question any of the sites in your signature?

No site is not in the signature

[morestar]

OK you could provide the domain if you like - i would like to look at it myself and see if I get the message on my end...

[danlefree]

Out of curiosity, which site is set as your preferred domain at Google Webmaster Tools..? (Or do you use GWT?)

[SnerdeyWebs]

Did you look for an Unwanted <IFRAME> or <BODY> tag extras in the source of the website home page? Redirects all that not good enough. You've got to remove whatever it is that the search bots are finding etc.. Clear your cache, view the site again from other computers.

Most likely an auto frame injector script using a opening in your website, just figured out your password etc.. check your home computer, laptop too for virus, worms.. it can be a mess.

Anytime a webmaster, site owner gets this it's a red flag to check everything attached to you including your digital camera flash drive, backups .. worms spread quickly.

[weegillis]

First thing to do is work from another computer that you're sure is not infected, as SnerdeyWebs advises. Change the passwords to your site and clean up as needed.

Also, like mentioned above, you could have a real mess on your hands with your own machine(s). Time to call in your favorite tech and get a proper clean up. Nowadays it just doesn't make sense to try to fix things yourself, unless of course you are the tech.

[deepsand]

Quote:

Originally Posted by vinay11111

But my main aim for this post is to know wheather virus attack reflects only to www version of a site or not.

There is no such thing as a "www version." There is but a single copy of the content of your pages on the server.

The "www" merely tells the server which localhost is to provide the requested service; using CNAME records, "www" can be mapped to whatever localhost is desired.

See CNAME record - Wikipedia, the free encyclopedia

[weegillis]

Quote:

Originally Posted by deepsand

There is no such thing as a "www version." There is but a single copy of the content of your pages on the server.

which as much as says that if there exists an infection of some sort on the site, there is no escaping it with a different url. Still the same infected content.

Personally, I'm still waiting for a real explanation to be posted for this OP. Until then, all the pedantry we can muster can only point you in one direction or another. Wish I could be more helpful...

[vinay11111]

Quote:

Originally Posted by danlefree

Out of curiosity, which site is set as your preferred domain at Google Webmaster Tools..? (Or do you use GWT?)

Hi Danlefree,

My proffered domain in GWT is with www. I have cleaned all the code (IFRAME script) from all the infected webpages of my site and alse reset the FTP password.

Moreover I have also put up reinclusion list in the GWT, still google is showing up "visitng this site may harm your computer message"

Please help in this I have lost all my google traffic since the message started appearing.

thanks,

[Bernd]

Quote:

Originally Posted by vinay11111

My proffered domain in GWT is with www.

Why don't you setp up your preferred domain in your webmaster interface or the .htaccess?

Quote:

Originally Posted by vinay11111

I have cleaned all the code (IFRAME script) from all the infected webpages of my site and alse reset the FTP password.

You have to clean your entire webspace not only your webpages, because there might be a script which infects your webpages.
Do you have a local clean copy of your site?

[vinay11111]

Quote:

Originally Posted by Bernd

Why don't you setp up your preferred domain in your webmaster interface or the .htaccess?

I don't know how to do it

Quote:

Originally Posted by Bernd

You have to clean your entire webspace not only your webpages, because there might be a script which infects your webpages.
Do you have a local clean copy of your site?

Yes I have uploaded clean and scanned copy of webpages.

[Bernd]

Quote:

Originally Posted by vinay11111

Yes I have uploaded clean and scanned copy of webpages.

But before you have to clean your webspace. And that's not only the html-folder.
Also cgi-bin-, phptmp-folder, ...
Btw which permissions are set for these folders. Let me guess ... You don't know?

[vinay11111]

You are right I don't know but will let you know soon.

[DrTandem1]

This is most likely caused by malware on the computer you use to access sites using an FTP client. You need to find and delete the malware. After you're sure that is done, you need to change all the FTP passwords and do NOT save them on the FTP client. When cleaning your site(s), the iframe was most likely placed on the index file. However, also check any 404.html files or files where "404" may have been used in the file name for the iframe. The iframe is usually found right after the body tag, but has also been found in the head section. Sometimes it has been encoded and uses a bunch of characters you won't recognize, but has the same effects.

The malware is scanning your FTP client and stealing the log-in information where upon it adds the iframe to the site(s).

[NetProwler]

Quote:

Sometimes my website doesn't displays reported attack message when I open the website without www. I am curious if malicious software attacks only www version only.

Go to an untainted machine and check the status of the site through Sam Spade software. You should see the same page (if you have not set up the canonical resolution - pointing to the www version from a non www through a 301 permanent redirection mode) with the same status code 200.

If the above is true, chances are that your previous computer's DNS cache was tainted. It is common for some malware to force your browser to go to one of their designated sites if you head to Google or other search engines. If this is the case, you would have to start with a clean slate - format the drive and reinstall the OS and software instead of trying to clean the malware.