Malware infection type: Error template

What does it mean to have pages marked with the malware infection type "Error Template" in Google Search Console?

The Error template type of malware infection occurs when the template used for error messages, such as 404 File not Found, is configured to distribute malware. In this way, attackers can launch attacks on URLs that do not even exist on your site.

For more general information on malware, see Assess the damage (hacked with malware).

How do I investigate the "Error template" malware type?

First, avoid using a browser to view infected pages on your site. Because malware often spreads by exploiting browser vulnerabilities, opening an infected malware page in a browser may damage your computer.

Consider confirming the behavior by using cURL or Wget to perform HTTP requests (for example, to fetch a page). These freely available tools are helpful in diagnosting redirects, and have the flexibility to include referrer or user-agent information. By serving malicious content only to users with specific user-agents or referrers, the hacker can target more "real people" and can better avoid detection from site owners and malware scanners. (Your site will need to be online to use these tools.)

For example:

$curl -v --referer <referer-field> --user-agent "Mozilla/5.0 
  (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) 
  Chrome/12.0.742.112 Safari/534.30" </your-url> 

such as

$curl -v --referer "" --user-agent "Mozilla/5.0 
  (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) 
  Chrome/12.0.742.112 Safari/534.30"

This may return a 404 status code and the source code used to distribute malware.

Next, log in to your webserver. Investigate server configuration files for an error page directive. For example, the error template for Apache webservers can be declared in the .htaccess file.

ErrorDocument 404 http://<malware-attack-site>/index.html

How do I clean my site of the "error template" malware type?

When ready to clean up your site (which is Step 7 of the Help for Hacked Site recovery process), you can either replace the .htaccess files(s) with a known good backup, or you can delete the unwanted ErrorDocument directives on the existing .htaccess file(s). Be sure to also clean the actual error files if they exist on your site. Last, restart your webserver to make sure all changes take effect.

Please be aware that removing the error template or helper files doesn't address the underlying vulnerability that allowed the hacker to initially compromise your site. Without correcting the root cause, your site may be compromised again in the future. For more information on cleaning your entire site (not just this malware type), see Help for Hacked Sites, specifically "Filesystem damage assessment" in Step 5: Assess the damage (hacked with malware).

Was this helpful?
How can we improve it?