It was a quiet evening last night. I’d successfully repaired the leak in our cedar hot tub and had enjoyed the fruits of my efforts with a short simmering. Afterwards I sat by our fire with a nice McLaren Vale Shiraz, watching YouTube docos using the iPad & AppleTV. I love that combo. Just before midnight Melbourne time I did my customary email check before trundling off to the land of “sleepy bo bo”. The subject line “Your help Jim – Malware on davidmeermanscott.com” immediately pushed any thoughts of sleep to the back of my mind.
If you’re a regular reader here you’ll know that David is a client of ours. I quickly checked the Google index and sure enough there was the message no site owner wants to see.
I’ve talked about malware before and how badly it can affect your rankings; however, having Google announce to the world that your site “may harm their computer” really sucks. In addition to the Google warning, browsers will also warn users that they may be going to sites with malicious code and block them with big red danger signs.
In most of my encounters with website malware exploits, signs of their existence can usually be found in the webpages themselves, which wasn’t the case last night. After digging around a bit, it became clear that this malware was different. It seemed to be affecting other sites hosted with GoDaddy like David’s is. As an SEO company these are the sorts of things we want to fix quickly, not only for ranking reasons, but also because an e-commerce site can be missing out on sales, putting it right up there with a server crash. Site owners that fail to respond quickly to these sorts of attacks will soon be cast into Google purgatory and disappear from the rankings.
There wasn’t much else I could do last night as I needed one of our developers, @krigsi, who knew the intricacies of the site better than I did. Early this morning he started Googling the malware as described by Google on its Safe Browsing diagnostic tool, finding the answer pretty quickly thanks to its non-competitive search term: sokoloperkovuskeci-com. A blog post by “dd” over at Sucuri.net outlined exactly what was going on. Without going into details, it turned out that the compromise was indeed across a lot of GoDaddy shared hosting, potentially affecting thousands of sites. The malware rewrote a file called .htaccess, which then redirected users to another site which would then have its digital way with you.
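A check for the kind of .htaccess change described above, added here as an example and not part of the original post: it lists every redirect-capable directive whose target host is outside an allow-list, together with any RewriteCond lines that gate it. The host `example.com`, the sample file and the function name are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Apache directives that can send a visitor to another URL.
REDIRECT_DIRECTIVES = {"rewriterule", "redirect", "redirectmatch",
                       "redirectpermanent", "redirecttemp", "errordocument"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

def audit_htaccess(text, allowed_hosts):
    """Return (line_no, directive, host, conditions) for each redirect whose
    target host is neither in allowed_hosts nor a subdomain of one."""
    allowed = {h.lower() for h in allowed_hosts}
    findings, pending_conds = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            pending_conds.append(line)      # applies to the next RewriteRule
            continue
        if directive in REDIRECT_DIRECTIVES:
            for url in URL_RE.findall(line):
                host = (urlsplit(url).hostname or "").lower()
                if not host or "%{" in host:
                    continue                # server variable such as %{HTTP_HOST}
                if host in allowed or any(host.endswith("." + a) for a in allowed):
                    continue
                findings.append((line_no, directive, host, tuple(pending_conds)))
        if directive == "rewriterule":
            pending_conds = []              # conditions are consumed by the rule
    return findings

# Constructed sample, not the file from this incident.
SAMPLE = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
Redirect 301 /old-blog https://www.example.com/blog
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ http://redirect-target.example/in.php [R=301,L]
ErrorDocument 404 http://redirect-target.example/404.php
"""

if __name__ == "__main__":
    for line_no, directive, host, conds in audit_htaccess(SAMPLE, {"example.com"}):
        print(f"line {line_no}: {directive} -> {host} (conditions: {list(conds)})")
```

Run against a known-good copy of the file as well; a difference between the two results shows which redirect lines were added.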
Getting rid of the “This site may harm your computer” message in Google once you have fixed any malware problem on your site is very straightforward and can be done through the Google Webmaster Tools interface. Make sure you check out http://www.stopbadware.org/home/security for tips on securing and cleaning your website.
It’s one thing to fix the problem, but it’s another thing altogether to fix the vulnerability. At this stage we know David’s site is fine and that Google has removed the malware warning, but we do not know HOW this file was hacked, and GoDaddy is not giving us much information at this stage.