Malware: What to Do If Your Site is Infected

Malware is the bane of every webmaster and site owner. It destroys the user experience, causes Google to penalize your website, infects your systems, and more. It’s not surprising, then, that malware – and ways to protect against it – should come up as a regular topic for discussion on our own SEO Chat forums.

You can check out our latest thread on this topic. The original thread poster is really suffering, as his website has been affected by malware three times now. Be sure to visit the thread and share your experiences with malware and preventing infection. We’ve already seen some excellent advice, but with a problem like this, more help is always better.

Dzine suggested that ads might be to blame, and asked for more information. “Are you using any affiliate links? Any (other) type of ads that might involve foreign code being inserted? Ads based on <IFRAME>?”

Highland took a more intensive, hands-on approach. While noting that there was nothing wrong with Dzine’s suggestions, he stated that the most common issue he’s seen that causes these kinds of malware problems is a hacker attacking a website and/or its server. How does this happen? “I know, for instance, that Plesk (a popular hosting management system) had a major vulnerability that got exploited several months back and malicious activity is just now starting to creep in (even if the host patched the vulnerability),” he explained, giving just one example.

So how do you prevent this kind of problem? Highland gave a simple, step-by-step process. First, load the Firefox browser, with the Firebug add-on installed. Then, open Firebug (F12), click on the Net panel and make sure that it is enabled. Now load your site and look at the Net panel. You’ll see ALL of the requests your browser made to load the page. “This makes it easier to spot malware because many hackers will obfuscate their URLs in the code,” Highland pointed out.

What should you do if you’ve found malware? Again, it’s a simple, if tedious process: change the passwords for your control panels, server, FTP. “Change any password that would let someone access your server files,” Highland wrote. After you’ve changed your passwords, remove the offending code. Finally, submit a reinclusion request to Google, so the search engine giant knows you’ve done something about the problem.

NathanielB noted that if you’re using a quality company to host your website, you should be able to simply email your host, let them know you’re getting warnings about malware, and have them fix it. Just sent them a trouble ticket with the details. “I have used this before with personal hosting accounts I had, and it’s been fixed within the hour, so it’s a good way to get the work done correctly for free by your host,” he explained. You’ll still have to change your login details and send the reinclusion request to Google.

Joshz strongly suspects that the host isn’t to blame in this case – and that the problem is closer to home, with the original poster’s computer itself. In short, he thinks that computer is infected. “You save your FTP passwords in your FTP program, right? Let me guess, you’re using CoreFTP or Filezilla? They store passwords in PLAIN TEXT. Fix and scan YOUR COMPUTER fist, then clean up your website,” he wrote. After explaining why he was so certain this was the problem, he also explained how to fix it: get Microsoft Security Essentials; Spybot Search and Destroy; and Malware Bytes. Scan your computer with those to find and eliminate the problem at the source. And to help prevent this problem in the future, “DON’T SAVE YOUR PASSWORDS IN PROGRAMS THAT STORE THEM IN PLAIN TEXT!” Joshz shouted.

AlexTampa agreed that this might be the problem. He noted that he’d dumped an entire hard drive once when he had this issue. “I was not taking any chances,” he explained.

Again, be sure to stop by the thread to add your comments about finding and removing malware (and preventing infection in the first place!). We look forward to seeing you join the conversation!

[gp-comments width="770" linklove="off" ]