Search
Clear search
Close search
Google apps
Main menu
true

Malware infection type: Server configuration

What does it mean to have URLs with the malware infection type "Server configuration" in Search Console?

This means that hacker has compromised your site and is redirecting visitors from your good site to their malware attack site, likely by modifying your server’s configuration file(s). Server configuration files commonly allow the site administrator to specify URL redirects for specific pages or directories on a website. For example, on Apache servers, this is the .htaccess file as well as httpd.conf.

For more general information on sites compromised to distribute malware, see Assess the damage (hacked with malware).

How can I confirm the redirect behavior of the "Server configuration" malware type?

First, avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.

Consider confirming the behavior by using cURL or Wget to perform HTTP requests (for example, to fetch a page). These freely available tools are helpful in diagnosting redirects, and have the flexibility to include referrer or user-agent information. By serving malicious content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and malware scanners. (Your site will need to be online to use these tools.) For example:

$curl -v --referer <referer-field> --user-agent "Mozilla/5.0 
  (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) 
  Chrome/12.0.742.112 Safari/534.30" </your-infected-url>
such as
$curl -v --referer "http://www.google.com" --user-agent "Mozilla/5.0 
  (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) 
  Chrome/12.0.742.112 Safari/534.30" http://www.example.com/page.html
So fetching a page with the "server configuration" type infection may return the following headers:
...
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 24 Feb 2013 21:06:45 GMT
< Server: Apache
< Location: http://<malware-attack-site>/index.html
< Content-Length: 253
...

 

How do I clean my site of the "server configuration" malware type?

Login to your server through shell/terminal access (the site may be offline if you wish) and review relevant server configuration files. There may exist more than one server configuration file on your site modified by the hacker. Check these files for unwanted directives, such as redirects, where the hacker can configure your site to redirect to unknown malware attack sites. For example, in .htaccess:

RewriteEngine On 
RewriteCond %{HTTP_REFERER} .*google.* 
RewriteRule ^third-page.html($|/) http://<malware-site>/index.html [R=301]
Additionally:
  • Be sure to check the entire file in case the hacker added their code at the end of the file where it could more easily be missed.
  • Investigate potential cron jobs created by the hacker that are designed to continually update the .htaccess file. Cron jobs can be listed in several locations including /etc/crontab (also numerous /etc/cron* directories) and /var/spool/cron.

When ready to clean up your site, you can either replace server configuration files with a known good backup or you can delete the unwanted code on the existing file. Be sure to restart your webserver if that's required for the new configuration files to be active.

Cleaning the malware type "server configuration" is helpful in recovering a hacked site, but it doesn't address the underlying vulnerability that allowed the hacker to compromise your site in the first place (and how they might do it again). For more information on cleaning your entire site, see the Hacked with malware topic in the hacked recovery documentation.

Was this article helpful?
How can we improve it?