First, this is NOT a WordPress security issue. It is all about malware being inserted by third party ad services. For my fellow WordPress folks, this is not the same issue dealt with at that hosting company that will remain unnamed.

The Red Screen of Death

When Google crawls a site and detects malware, they issue a warning which results in that red screen. They also add a warning within their search results right under the link to your site that says ‘This site may harm your computer’. All pretty scary stuff for a visitor finding your site for the first time.

So,assuming at the time that it came from Google, it seemed strange to me that Google could stick a red screen on a site. How could they do that? Well, they can’t of course. So I looked into the code of the warning itself and saw that it was coming from mozilla.org, the company that makes Firefox, meaning it was something in the browser itself.

Checking the security settings, I saw a check box for ‘Block reported attack sites’. So I unchecked that and tried the site again. It loaded just fine. No warning. Same in Safari. They have a setting to block sites and send a warning. Problem was these were defaults, so essentially everyone is seeing these red screens.

Removing the Red Screen

The only way to get rid of the warning screen is to remove all the malware, and get Google to re-crawl your site. You can either wait for that or re-submit your site using Webmaster Tools Reconsideration. Even with both myself and the client submitting for reconsideration, the process took about 18 hours which I feel is pretty quick form stories I have heard. In fact we were getting ready to redirect the domain to a clean url if the warning hadn’t gone away within another hour or two.

All said, it was about 48 hours of the site being blocked with this red screen.

Then after it was fixed, we had to clear the cache in our own browsers to make the warning go away, meaning that anyone who saw the site in the last day or two was most likely STILL seeing the warning even though Google had removed the warning and the site had been totally clean for close to 24 hours. And who knows when everyone’s cache would reload the cleaned pages?

The Hypocrisy of Google

Here is the problem… The malware appeared after a third party ad service started using Adsense of all things. The stunning thing to me is the possible hypocrisy of Google Adsense sending malware and then using its malware warning to essentially shut down a site for close to 48 hours.

When you see that red screen do you ever click ignore? Probably not since it warns you that your computer may be harmed. After I fixed the problem, the warning was still there and I still felt cautious about clicking, feeling that maybe it was still detecting something I didn’t find.  This is when I figured out that it was the browser settings I described above.

So… The timeline went something like this:

• Site is infected with malware at some point. This could have gone undetected for a while. Hard to tell.
• Google detects it and adds the warning.
• Browsers see that warning and visitors get the warning screen.
• Regular readers of the site start sending emails and tweets to the client.
• About 24 hours AFTER all this, the client gets an email from Google telling them about the problem.
• Client contacts me and within a number of hours we clean the site and submit for reconsideration. This is only because I was out at the time. The actual process of fixing took about an hour.
• 18 hours later the site is recrawled and put back to normal.
• Visitors whose cache is not emptied are still receiving the warning.

So…

• 24-36 hours – site is down before being able to fix it.
• 1 hour – fixing time
• 18 hours – re-crawl and remove the warning.

Ignore Bad advice from the Hosting Company

The client’s host was saying that the process might be 2-3 weeks! Not only that… They recommended removing the URL from Google because of that little warning, suggesting that people shouldn’t see that because it made the site look bad.

Remove the URL form Google? That would lose all search ranking and everything, I have never heard of worse advice. The site was back up within an hour or tow of getting that advice and if the client had listened they could have lost all their search rankings.

How to fix it

As with any changes to a site – BACKUP EVERYTHING first.

• Export your WordPress content from the backend.
• Backup your database.
• Backup you wp-content folder

Finding the Malware

This can come in a few forms:

• It can be added to files you already have.
• It can be added as new files that were not there before.
• It can be injected into the database.

But is actually fairly easy to spot once you know what to look for. It is almost always something known as obfuscated javascript or something embedded in an iframe. Obfuscated javascript looks like a bunch of random letters, numbers and symbols, like this: ‘JGs9MTQzOyRtPWV4cGxvZGUoIjsiLCIyMzQ7MjUzOzI1MzsyMjQ’. It is totally meaningless until decoded. An iFrame is used to embed another page into a site. It is used by Facebook and any other number of legitmate sites, so iFrames are not by themselves bad. On the other hand any apperance of that obfuscated javascript is cause for concern, especially in an open source project like WordPress where all code must be readable.

To find the bad code:

• Search your files for the word ‘base64_decode’ where you find something like this ‘<?eval(base64_decode(“JGs9MTQzOyRtPWV4cGxvZG…’ and that string of characters will go on for a while and end with something like ‘==”));?>’
• Delete all occurances from the opening ‘<?’ to the closing ‘?>’
• Search your database for ‘base64_decode’
• Delete that same line (it will probably not have the ‘<?’ or ‘?>’, just the ‘eval(base64_decode)’
• Search all your pages for ‘iframe’
• Search the database for ‘iframe’
• Before deleting any iframes, look at the content and see if it is something you recognize. It might be fine.

Specifically in this case, there was a series of files that were somewhat easy to spot, since they were in the main directory and not part of the core WordPress files. Here are the names:

• A folder called ‘.files’ which will be hard to spot unless you are able to view hidden files because of the ‘.’ at the beginning of the folder name.
• The folder contained a huge number of files, all ending in .html, all with spammy search titles.
• A file called ‘hobard_ebeneser.php’ whose only contents were the javascript described above.
• A file called ‘spite_kerk.php’ whose only contents were the javascript described above.
• A file called ‘vhfjp.php’ whose only contents were the javascript described above.

Another post about a similar set of files they called the ‘Movie Review’ infection and how to fix it. Essentially the same as here.

After the Malware is Gone

So the malware is gone and 18 hours later Google has approved the site again. According to Webmaster Tools no malware was found.

BUT… we are still getting the warning until emptying our browser’s cache and refreshing a few times. This is a problem since most people who saw the site with the warning will still see the warning but would not bother refreshing or deleting their cache. So there needs to be a way to FORCE the visitor to load a new version of the page.

I used the php function called header() which must be called before anything is output to the screen. To make sure of this I placed it right in ‘index.php’. Not the one in the WordPress theme, the main index.php of the whole site, the one contains about 3 lines of code and opens WordPress itself. I wanted to make sure this was the very first thing a browser saw when opening the page.

Here is exactly what I used:
[sourcecode lang="php"]
header(“Cache-Control: no-cache, must-revalidate”); // HTTP/1.1
header(“Expires: Sat, 26 Jul 1997 05:00:00 GMT”); // Date in the past
[/sourcecode]

I pasted that right above the line:
[sourcecode lang="php"]
define(‘WP_USE_THEMES’, true);
[/sourcecode]

Now eventually we will remove this. Pages are cached for a reason. It speeds up page load time, etc. So we don’t want to make everyone lodd a new version indefinitely, but for a couple days we are going to make sure everyone gets the clean version.

Final Note – AVOID AD SERVICES that use javascript

There have been a HUGE number of ad services compromised by these attacks lately. Unless you are making enough to justify going through this, I would recommend not using these ad services that place javascript on your site. The same goes for affiliate links that use javascript. Most will offer an HTML version that is just an image and a link. If you see the word ‘javascript’ in the line of code they want you to copy, I would stay away.