Why My Blog Is Dangerous

So, a couple people have asked me why Google thinks that my site may harm your computer.

On Wednesday, I received an email from “Google Search Quality”:

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

I looked through, and sure enough, the links they offered were indeed ‘infected’: I’ve always used WordPress despite my knowledge of the fact that it has security exploits more often than I get around to fixing them (though I do try to keep up). They had a small iframe included, which claimed to be ‘stats tracking’: Instead, there was JavaScript included which, presumably, was malicious.

To the best of my knowledge, I solved this problem on Wednesday night, by removing the mal-links that were pointed out, and patching the security holes I could find fixes to in WordPress. (I just upgraded to WordPress 2.5; In the past, upgrading has been painful, but it wasn’t so bad this time, and there are not yet any known security holes for 2.5 that I’m aware of.)

All in all, not a bad thing: Google emailed me, I fixed the problem, everyone wins. Except…

Following Google’s FAQs, I went to Webmaster Tools, signed up, verified my site, went to their tools…

And in the site management tools, found no such link as they described. Great.

At the time, I assumed only Google was using stopbadware: I’ve since discovered that other things are using it, so I’ve requested reconsideration there.

Still, Google now tells users that my site may be dangerous, despite the fact that it no longer is, and there appears to be no tool in the website management ‘tools’ panel to have them check it out again. Stretches the definition of ‘Do No Evil’ a bit… (Edit: Okay, not really, but it always works when you really want to get a response out of Google to just tell them they’re being evil: People get defensive and help you out ;))

In any case, my web site should be safe. Sorry that people have been confused by the problem.

Edit: JohnMu in comments pointed out why I was having a problem: Since crschmidt.net/blog/ was the only thing listed as ‘infected’, I had to sign up and verify for crschmidt.net/blog/ *separately* from crschmidt.net. Certainly not exactly intuitive, but doing so allowed me to request a review of my site, so hopefully soon people will be able to view my site again in FF3, and won’t be caught out by Google’s warning (assuming I got all my malware off).
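
A check for the kind of injection described above, as an added example that is not the author's code: it scans post bodies for iframes or scripts loaded from another host and marks frames that are hidden or only a pixel or two in size. The host name, post IDs and sample HTML are constructed; in practice the bodies would come from a WordPress export or the posts table.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = re.compile(r"^\s*[0-2](px)?\s*$")  # width/height of 0, 1 or 2 pixels
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*[0-2](?:px)?\s*(?:;|$)", re.I)

def is_hidden(attrs):
    """True when the frame is styled or sized so a visitor would not see it."""
    return bool(TINY.match(attrs.get("width", "x"))
                or TINY.match(attrs.get("height", "x"))
                or HIDDEN_STYLE.search(attrs.get("style", "")))

class InjectedFrameFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (tag, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return
        reasons = ["off-site " + tag]
        if tag == "iframe" and is_hidden(a):
            reasons.append("hidden or tiny frame")
        self.findings.append((tag, src, reasons))

def scan_posts(posts, site_host):
    """Return {post_id: findings} for every post that embeds off-site content."""
    flagged = {}
    for post_id, html in posts.items():
        finder = InjectedFrameFinder(site_host)
        finder.feed(html)
        if finder.findings:
            flagged[post_id] = finder.findings
    return flagged

# Constructed sample data: 101 carries a hidden "stats" frame, 103 a visible embed.
SAMPLE_POSTS = {
    101: '<p>Notes.</p><iframe src="http://stats.tracker.invalid/c.php" width="1" height="1" style="visibility:hidden"></iframe>',
    102: '<p>Clean post with <a href="http://other.example/">a link</a>.</p>',
    103: '<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>',
    104: '<script src="/wp-includes/js/jquery.js"></script>',
}

if __name__ == "__main__":
    for pid, found in scan_posts(SAMPLE_POSTS, "blog.example").items():
        print(pid, found)
```

A visible off-site embed such as post 103 is reported for review only; the hidden-frame reason is what distinguishes the injected kind.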

14 Responses to “Why My Blog Is Dangerous”

  1. anonymous coward Says:

    The other issue is that it reduces the reliability of Google’s Search Quality metric, since your site is now a “false positive” until they update the rating.

  2. John Cowan Says:

    “Do no evil” isn’t the same as “do no harm”, especially when the harm results from an act of omission (not providing a way for a human to fix a computer’s blunder). Only the infinitely smart (or the All-Wise) can undertake to do no harm at all. The doctor’s “do no harm” only covers acts of commission, in general.

    “Do no evil”, on the other hand, is a matter of intention: don’t plan to screw people for the sake of your own gain.

  3. crschmidt Says:

    The only vaguely evil thing (which I’m not that serious on anyway, as I’m sure you know) is the fact that the FAQ that Google has published references a specific option in the Webmaster Tools that doesn’t seem to exist. If it comes in at some point, that’s fine, but if they state that they are implementing something, but have no real intention to do so, that’s more problematic.

    Mostly though, invoking the “Google is doing evil!” clause is enough to get someone who knows how to fix the problem to notice it: It’s soapboxing so that I can figure out how the heck to get my site off the ‘bad, bad, boy’ list more quickly.

  4. James Fee Says:

    /me wonders if I should put a disclaimer on Planet Geospatial as well.

  5. cmn Says:

    It’s not just Google either.

    Firefox 3.0b5:

    “Reported Attack Site!

    This web site at crschmidt.net has been reported as an attack site and has been blocked based on your security preferences.

    Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

    Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.”

    FF3 uses StopBadware as well IIRC, so it looks like the blame lies with them…

  6. JohnMu Says:

    Hey crschmidt, you might want to try to verify just the sub-part of your site that was detected as having malware. If I do a [site:crschmidt.net] query, I see that everything outside of /blog/ is not marked as having malware. If you’ve already verified http://crschmidt.net/ , you should be able to verify http://crschmidt.net/blog/ without doing anything new.

  7. crschmidt Says:

    JohnMu:

    I didn’t verify that part of my site didn’t have mal-ware: StopBadware/Google only ever detected crschmidt.net/blog/ as being an issue. When I said “verified”, I meant that I verified to Google that I was an owner of crschmidt.net, so that I could have full access to the Webmaster Tools.

    I still don’t see any tool in Webmaster Tools that has any documentation about how to get crschmidt.net/blog/ removed from the Malware list. I did eventually find a ‘request reconsideration’ link — it’s on the main frontpage for webmaster tools, instead of in the domain specific view where I had been looking — but it appears to be related to SEO rankings, and claims to take several weeks for processing, so although I have submitted through that mechanism, I don’t think that I feel that’s actually the one I need to worry about.

  8. JohnMu Says:

    Hi crschmidt, I think I was a bit confusing in my posting :-). What you need to do is make sure that you have verified ownership of http://crschmidt.net/blog/ (not just crschmidt.net) in your Webmaster Tools account. Once that is done, you should be able to see the warning and the link for the review process.

    In general, when a site gets hacked the whole site gets hacked and has that link right in the root for the whole domain. However, in your case it’s only the subdirectory and lower that was hacked and which has the malware warnings. That’s why you explicitly need to verify ownership of the subdirectory so that you have access to the warnings and can file for a review.

  9. crschmidt Says:

    JohnMu:

    Ah. Okay. That definitely was *not* clear from the UI: I understand the problem, and see why it could happen.

    I do think it’s probably not an uncommon thing for a sub-‘site’ of a website to be infected, given the number of sites that use a separate blogging software (within the same domain) for their website.

    Your instructions did help me get to the point where I’ve requested a review: Here’s hoping there’s nothing funky that I’ve missed in my review. Thanks!

  10. Bill McGonigle Says:

    Hi, Chris – no warning from FF3 (trunk) today. Looks like you’re off the list. Thanks for posting this – definitely a bit obtuse.

  11. itsalljustaride Says:

    I just got blacklisted too. In my case I can’t seem to log into the WordPress admin panel since the Firefox 3 “Reported Attack Site” alert keeps borking the login. Had to log in with Safari to even attempt to find the parts I need to fix. Very annoying.

  12. Dusty Bradshaw Says:

    I couldn’t agree more. Spacecheck.org must be “dangerous” too, even though we have upgraded to the newest WordPress version and in doing so lost the functionality of our custom (but not dangerous) comment moderation system, until I re-write it for the new WordPress…

    Gah.

    I have asked google 2 times for manual review and it has been over 24 hours now… nothing. Spacecheck is not dangerous. It isn’t like my site is big or anything. It is tiny. It is CLEAN! Be glad at least you got your issues here resolved. Maybe mine will be resolved in days/weeks?

    I even called google and actually spoke to someone on the phone. They didn’t even send a courtesy email saying they had found something (.js file) fishy before they lowered the dangerous/malware hammer.

    Anyway, this is a good service I guess.. but a speedy clean up of my site (or anyone else’s) shouldn’t be rewarded with slowness on Google’s part to re-index/crawl/vet/checkout/ the sites.

  13. Spacecheck » Blog Archive » Google thinks this site is still dangerous. It isn’t! Says:

    […] for some rather simple javascript (.js) hacks, and we weren’t defaced or anything like that. Since google began its new security service to alert web surfers of potential security risks many si… The warnings which state something like “This website may be dangerous” on every search […]
