
Google Saying that Images are malware?

Discussion in 'Security' started by craigedmonds, Sep 4, 2012.

  1. #1
    This is driving me and my client nuts.

    This has happened a few times now and each time I actually do nothing on the site, request a review, Google clears the site of any malware warnings, but a few days later it flags it as being malware again.

    In order to help the client sort it out, I have registered the client's site in Google Webmaster Tools and today, again, I received the following email.

    The weird thing is, if I then log in to Google Webmaster Tools I see the following, which shows a couple of images being reported as malware and NOT the pages in the above email.

    So you see, there is no mention of the two URLs in the email and if I go to the above images on the client's site, there is no malware warning.

    Anyone else seen this before?

    As mentioned before, every time we request a review, the site passes, then a few days later it gets flagged again.

    This is really affecting my client's ability to run his business and it's not doing a lot for my sanity.
     
    craigedmonds, Sep 4, 2012 IP
  2. sabrina

    #2
    Try a scan using some good antivirus and see what the status is.
     
    sabrina, Sep 4, 2012 IP
  3. craigedmonds

    #3
    The site is not hacked though. This is the point. Also, how can an image contain malware and redirect users to a different page? I know images can contain injected code but it can't redirect users to another site, that is not possible.

    Google is saying it's got malware and is quoting pages on the site as being infected, yet in Webmaster Tools it's saying images are infected and no mention of the pages.

    To make sure I have my sanity, I have gone through every file on the site including htaccess files and all core files including the database content etc. Scoured it thoroughly. I have also locked down the site pretty good in terms of permissions, SQL injection etc.

    The server this site is on uses:

    - clamav
    - ASL 3.0 from atomicorp.com
    - LMD from rfxn.com/projects/linux-malware-detect
    - eXploit Scanner from ConfigServer
    - CSF firewall from ConfigServer

    These 5 items alone provide pretty strong prevention for code injection/XSS etc.

    Again, Google is saying one thing then showing something else in Webmaster Tools and in the meantime people visiting the web site are getting a warning saying the site is malicious when it's nothing of the sort. This is hurting the site owner because a lost lead can result in missing out on $$,$$$$.

    It's quite serious!!
     
    craigedmonds, Sep 4, 2012 IP
  4. MilesWeb

    #4
    Did you resubmit the website from Google's webmaster tool? Does it still show that .jpg files are infected with malicious code?
     
    MilesWeb, Sep 25, 2012 IP
  5. RTHosting

    #5
    Try resubmitting the website and post results.

    Kind Regards,
    RTH.
     
    RTHosting, Sep 25, 2012 IP
  6. craigedmonds

    #6
    After posting this thread I submitted a couple more times and still Google was saying "MALWARE MALWARE".

    So I wrote in the resubmission that my client would possibly be taking legal advice as Google was redirecting visitors to a scary page giving the impression that my client was a phishing site and he was potentially losing business.

    I did not see anything for two days but, Sod's law, the client did not renew the domain name so the web page got taken down and an enom landing page was there for a couple of days.

    When the client alerted me about the domain, I renewed it.

    Then I logged into Webmaster Tools and there were no more malware warnings since then.

    I kind of doubt that mighty Google will have trembled at our feeble legal threats so it must have been the domain expiry that did the trick.

    Really odd situation though and it's amazing how Google throughout the whole process did not reply personally once and have the power to totally destroy your business.
     
    craigedmonds, Sep 25, 2012 IP
  7. CoastWeb

    #7
    The site IS infected. The site DOES redirect to a malware site at a certain URL. I won't link it for obvious reasons.

    Threatening legal action against a free service provided by Google? Maybe they should just drop the site completely from the search results?

    You need to check the .htaccess file in the uploads directory, and any other htaccess files that may have been compromised. Oh, and maybe apologies to Google ;)
     
    CoastWeb, Sep 25, 2012 IP
  8. craigedmonds

    #8
    Thank you for your comments but just a few points.

    1. The pages and files that Google was saying were infected were NOT infected.

    2. There is no htaccess file in the uploads directory.

    3. When Google says "this file" is infected and it's not, anyone with Firefox, Chrome etc. cannot access the web site, whether they go through the search results or not. So the "free service" that Google offers is detrimental to the business if there is a false positive. It's even worse when Google is non-responsive. All they do is send an automated scanner and they say "that's malware" without providing any additional details. It's wrong and no one should apologise.

    To be perfectly honest, your post is as bad as Google. You are just saying "it is malware" without providing any helpful information at all. Just saying "I wont linked for the obvious reasons".

    Don't get me wrong, I appreciate comments and assistance but if you really wanted to help you would post more information or at the very least PM me with some details, not tell me that I should apologise to Google and be thankful for them.

    I was here before Google and I will be here after Google.
     
    craigedmonds, Sep 26, 2012 IP
  9. #9
    I won't post links that may redirect to malware sites, sorry.

    As I said before: "and any other htaccess files that may have been compromised."

    If you are using an htaccess file to do pretty URLs, that would be my first place to investigate.

    Failing that, check index.php.

    I don't have access to your site source code obviously, so I don't know which dirs have htaccess files in them.

    I scanned your site with this tool and it reported the issue (I got the same result weeks ago when you posted this thread, but wasn't a member so I couldn't reply then).

    http://sitecheck.sucuri.net/results/www.ardenestates.com/wp-content/uploads/exclusive.jpg

    and:

    http://labs.sucuri.net/db/malware/malware-entry-mwhta7

    Apparently it's a conditional redirect, so it doesn't seem to happen every time a visitor hits the site. Though it did redirect me this morning when I made the first post, it isn't happening now, so either it's fixed, or it's very picky about who it redirects.

    "3. When google says "this file" is infected"... It means Googlebot tried to retrieve the file, and got redirected to a malware site instead.

    Good hunting...
     
    CoastWeb, Sep 26, 2012 IP
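
One way to run the `.htaccess` check suggested in post #9, as an added example that is not part of the original thread or any poster's code: it walks a web root for `.htaccess` files and reports rules that redirect to a host you do not own, together with any referrer or user-agent conditions guarding them. The sample rules, the `.example` hostnames and the function names are constructed for illustration.

```python
import os
import re
DIRECTIVE = re.compile(r'^\s*(RewriteCond|RewriteRule|Redirect\w*)\s+(.*)$', re.I)
WHO_IS_ASKING = re.compile(r'%\{HTTP_(REFERER|USER_AGENT)\}', re.I)
ABSOLUTE_URL = re.compile(r'https?://([A-Za-z0-9.-]+)', re.I)
# Constructed sample for illustration; not taken from the site in this thread.
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*Googlebot.* [NC]
RewriteRule ^(.*)$ http://malicious.example/landing.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteRule ^old$ http://www.site.example/new [R=301,L]
"""

def scan_htaccess(text, own_hosts=()):
    """Flag redirects to hosts outside own_hosts, with the conditions guarding them."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out lines start with '#' and never match
        if not m:
            continue
        name, args = m.group(1).lower(), m.group(2)
        if name == 'rewritecond':
            who = WHO_IS_ASKING.match(args)
            if who:
                pending.append(who.group(1).upper())
            continue
        target = ABSOLUTE_URL.search(args)
        if target and target.group(1).lower() not in own_hosts:
            guards = sorted(set(pending)) if name == 'rewriterule' else []
            findings.append({'line': lineno, 'host': target.group(1).lower(),
                             'conditional_on': guards})
        if name == 'rewriterule':
            pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts=()):
    """Scan every .htaccess under root; return {path: findings} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if '.htaccess' in files:
            path = os.path.join(dirpath, '.htaccess')
            with open(path, encoding='utf-8', errors='replace') as fh:
                hits = scan_htaccess(fh.read(), own_hosts)
            if hits:
                results[path] = hits
    return results
```

A finding whose `conditional_on` list is non-empty is the kind of rule that only fires for some visitors, which is why browsing the site by hand can look clean while a crawler gets redirected.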
  10. craigedmonds

    #10
    CoastWeb, that's a much better answer and thank you for your contribution.
     
    craigedmonds, Sep 26, 2012 IP
  11. AstoundingHost

    #11
    Is this issue resolved now, then?
     
    AstoundingHost, Sep 30, 2012 IP