Google is Doing Automated Mass Blackballing
22nd October 2007
|
With the recent PageRank update, I noticed Google labeled my site as potentially malicious in the SERP’s. Just below where the title tag appears, they inserted this line of text: “This site may harm your computer.” This is totally unfair. How prevalent is this throughout the web. My guess is that they have begun an unfair practice of mass blackballing This is one step away from de-listing an honest site. Now, I have to go into my Google Webmaster Tools and request a review…similar to a reinclusion request. Google is so bogus! Their business decision has the affect of crippling honest people who rely on their site for their livelihood. And to top it off, they probably will take a very long time to getting around to re-examining the large volume of “requests for review”. Unbelieveably bogus Is Google evil? Do they want us to rely on Adwords? On paying for clicks? Alternate sources of traffic: UPDATE: 1) My webhost backed up the database & restored the files to an earlier date. The issue is now resolved. Whew! A big thanks go out to Bluehost & Philipp Lenssen (and Matt Cutts for the indirect tip thru Philipp). More comments and updates from Matt at Sphinn. Related posts: |
October 22nd, 2007 at
Shimon, visiting your site just now from the SERPS using IE7, I think i see the reason - this message pops up at the top -
“This website wants to run the following add-on: - Microsoft Data Access - remote Data Services Dat… From Microsoft Corporation. If you trust the website and want it to run, Click here”.
I did NOT “click here”, yet mt Startup manager (Winpatrol)detected a startup change that I rejected three times.
THEN Winpatrol detected a change to my hosts file.
Reviewing the changed file, here’s what I see - it’s a whopper - sorry to fill your comment space…
Wow - It won’t let me “reject the change” either, saying my previous host file cannot be found. Hmm… not good. (Glad I’m not on my computer, using my kids’ laptop
***begin new hosts file***
192.168.200.3 ad.doubleclick.net
192.168.200.3 ad.fastclick.net
192.168.200.3 ads.fastclick.net
192.168.200.3 ar.atwola.com
192.168.200.3 atdmt.com
192.168.200.3 avp.ch
192.168.200.3 avp.com
192.168.200.3 avp.ru
192.168.200.3 awaps.net
192.168.200.3 banner.fastclick.net
192.168.200.3 banners.fastclick.net
192.168.200.3 ca.com
192.168.200.3 click.atdmt.com
192.168.200.3 clicks.atdmt.com
192.168.200.3 customer.symantec.com
192.168.200.3 dispatch.mcafee.com
192.168.200.3 download.mcafee.com
192.168.200.3 download.microsoft.com
192.168.200.3 downloads-us1.kaspersky-labs.com
192.168.200.3 downloads-us2.kaspersky-labs.com
192.168.200.3 downloads-us3.kaspersky-labs.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 downloads1.kaspersky-labs.com
192.168.200.3 downloads2.kaspersky-labs.com
192.168.200.3 downloads3.kaspersky-labs.com
192.168.200.3 downloads4.kaspersky-labs.com
192.168.200.3 engine.awaps.net
192.168.200.3 f-secure.com
192.168.200.3 fastclick.net
192.168.200.3 http://ftp.avp.ch
192.168.200.3 http://ftp.downloads1.kaspersky-labs.com
192.168.200.3 http://ftp.downloads2.kaspersky-labs.com
192.168.200.3 http://ftp.downloads3.kaspersky-labs.com
192.168.200.3 http://ftp.f-secure.com
192.168.200.3 http://ftp.kasperskylab.ru
192.168.200.3 http://ftp.sophos.com
192.168.200.3 go.microsoft.com
192.168.200.3 ids.kaspersky-labs.com
192.168.200.3 kaspersky-labs.com
192.168.200.3 kaspersky.com
192.168.200.3 liveupdate.symantec.com
192.168.200.3 liveupdate.symantecliveupdate.com
192.168.200.3 mast.mcafee.com
192.168.200.3 mcafee.com
192.168.200.3 media.fastclick.net
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 my-etrust.com
192.168.200.3 nai.com
192.168.200.3 networkassociates.com
192.168.200.3 norton.com
192.168.200.3 office.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 phx.corporate-ir.net
192.168.200.3 rads.mcafee.com
192.168.200.3 secure.nai.com
192.168.200.3 securityresponse.symantec.com
192.168.200.3 service1.symantec.com
192.168.200.3 sophos.com
192.168.200.3 spd.atdmt.com
192.168.200.3 support.microsoft.com
192.168.200.3 symantec.com
192.168.200.3 trendmicro.com
192.168.200.3 update.symantec.com
192.168.200.3 updates.symantec.com
192.168.200.3 updates1.kaspersky-labs.com
192.168.200.3 updates2.kaspersky-labs.com
192.168.200.3 updates3.kaspersky-labs.com
192.168.200.3 updates4.kaspersky-labs.com
192.168.200.3 updates5.kaspersky-labs.com
192.168.200.3 us.mcafee.com
192.168.200.3 vil.nai.com
192.168.200.3 viruslist.com
192.168.200.3 viruslist.ru
192.168.200.3 virusscan.jotti.org
192.168.200.3 virustotal.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 http://www.avp.ch
192.168.200.3 http://www.avp.com
192.168.200.3 http://www.avp.ru
192.168.200.3 http://www.awaps.net
192.168.200.3 http://www.ca.com
192.168.200.3 http://www.f-secure.com
192.168.200.3 http://www.fastclick.net
192.168.200.3 http://www.grisoft.com
192.168.200.3 http://www.kaspersky-labs.com
192.168.200.3 http://www.kaspersky.com
192.168.200.3 http://www.kaspersky.ru
192.168.200.3 http://www.mcafee.com
192.168.200.3 http://www.microsoft.com
192.168.200.3 http://www.my-etrust.com
192.168.200.3 http://www.nai.com
192.168.200.3 http://www.networkassociates.com
192.168.200.3 http://www.pandasoftware.com
192.168.200.3 http://www.sophos.com
192.168.200.3 http://www.symantec.com
192.168.200.3 http://www.symantec.com
192.168.200.3 http://www.trendmicro.com
192.168.200.3 http://www.viruslist.com
192.168.200.3 http://www.viruslist.ru
192.168.200.3 http://www.virustotal.com
192.168.200.3 www3.ca.com
***end***
October 22nd, 2007 at
Wow. Thanks Scott. I’m gonna fix this mighty quick.
October 22nd, 2007 at
You’re welcome - I got your email, and just tried to look at it again, and it appears that you may have found and removed whatever that was, right? Because now I don’t get that message anymore - tried a second PC too, so I’m guessing you found it.
Clicking throigh one of your SERPS now Google takes me to a secondary page where they tell me how dangerous it might be and refers me to Stopbadware.com.
Odd that it disn’t affect your rankings, but talk about a “click through killer”! This stinks! Maybe Matt can help expedite you out of this mess… good luck!
October 23rd, 2007 at
im curious to how this is affecting traffic from G? is your traffic plummeting because of this bogus error message?
October 23rd, 2007 at
Hi Shimon, after removing the bad code you should also take a look and try to work out how the hackers got that there in the first place. Usually your server logs can help you to spot that, especially if you can pinpoint the time when it was installed. Often the attack will be done by exploiting some installed extension or module, either on the server (maybe an old Frontpage version) or in your site (perhaps an older Wordpress version, some extension, etc). It usually makes sense to go through all of those things and check for available updates, to get them installed and to set up some sort of plan for making sure that you stay on top of things in the future.
Nathan Johns wrote a nice checklist at http://googlewebmastercentral.blogspot.com/2007/09/quick-security-checklist-for-webmasters.html and there is something similar from StopBadWare as well: http://www.stopbadware.org/home/security
Good luck!
October 23rd, 2007 at
I believe the issue has been resolved now. If anyone sees otherwise, please let me know. A great big THANKS to everyone who helped!
October 23rd, 2007 at
Cool man! - Hope Matt can help remove that flag from Google soon… Are you going to Pubcon?
October 23rd, 2007 at
[...] Ultimately, his web host was able to restore from a backup, and they do believe the offending program is gone, so if you want more details, you can read his post. [...]
October 24th, 2007 at
It doesn’t show up for me. Do you have McAfee virus protection on your computer? This did this to one of my sites all the time. I went round and round with McAfee, but no use.
October 25th, 2007 at
Shimon, I emailed the malware review team to see if they could review your site now. There’s one webhost I’ve seen that has had a bunch of hacked sites recently, but I checked and you don’t appear to be on that webhost. It is a good idea to make sure your webhost is running a fully patched version of cpanel and stuff like that.
October 25th, 2007 at
Thanks Matt
I appreciate your help. For additional precautions, I have a senior programmer re-examining my site, and on Monday I’m making an upgrade to the latest version of Wordpress.