How to improve malware protection and remove malware?

How to get rid of malware? - answered by Matt Cutts

Summary:

Malware and hacked sites are very common, and this can happen to anybody. There are several ways to combat them. One useful tool is the safe browsing diagnostic page, where you can enter a specific URL and it will tell you whether or not your page has malware. Another is to request a malware review in Google's webmaster tools. You can also use Fetch as Googlebot, another feature in Google's webmaster tools. It will tell you if there was a redirect, like a 301, and it will show you the exact content that was returned, so you can look through it for anything that looks like it has been hacked or is serving malware. So keep your server patched and up to date, make sure you have strong passwords, check for SQL injection, check your .htaccess file, and change your passwords.

 

Matt's answer:

Today, we want to talk about malware and hacked sites. You would not believe how common it is. I don’t mind telling you that Donald Trump has had a website hacked. Al Gore has had a website hacked.

 

This sort of stuff can happen to anybody

So let’s talk about some of the free tools and resources that Google provides, as well as exists on the web, to help clean this stuff up. OK. So, first and foremost, there’s something called the safe browsing diagnostic page. So if you search for safe browsing diagnostic, you will basically find something where you can visit it, and you can say, OK, is this URL, or is this site infected with malware? And so you can enter in a specific URL, and it will tell you yes or no and what the statistics are as far as seeing the malware on the domain, all that sort of thing. The way that it works is actually pretty interesting.

 

If you search for, ghost in the browser, I believe is the phrase, they’ve talked about their methodology for that. It’s extremely precise. Like over the course of five years, I have never seen a false positive other than that one time when we marked everything on the web malware for like an hour. But that was a completely different glitch. So, safe browsing diagnostic page, it uses this data that the malware team, and the malware team is a different group than web spam. Although, we have great respect for each other. But the malware team basically computes the things that are suspected using malware and virus scanners to find pages on the web that we believe have malware. So you come to that page. You enter in, you know, example.com or whatever your domain name is, and look at the stats. Look at the information that it provides. In some cases, it will say this domain is actually infected. In some cases, you might find out that, maybe not your domain is infected, but a third party domain, if you were using ads or you were drawing in scripts or if you were using JavaScript or somehow you were including content from another domain, sometimes you can find information out about that. And then you can just remove that third party content or stop loading it, and then, you wouldn’t be showing any malware. And relatively quickly, the warning would clear up.

 

Safe browsing diagnostic page is really, really helpful

The second thing that you should know about is the ability to do a malware review. You should register your site in Google’s webmaster tools. That’s google.com/webmasters. Prove that you own or control the site, and then, you can click on the diagnostics page. And there will be a tab called malware. And once you’ve cleaned things up, you can click on something that says, request a review, and that doesn’t operate instantaneously. So it’s not as if that causes things to go get scanned in real-time. But it does tend to happen relatively quickly, like in an hour’s kind of timeframe, which is good. Because when you’re stressed and you’ve been hacked and you’re serving up malware, you don’t want to wait days and days. So it can take several hours, but it tends to operate pretty quickly. And what you can do is: when you request a review, we will actually show you URLs on your site that we believe have malware. So that’ll tell you exactly where to go to help diagnose what’s going on, how to debug it, how to clean it up, and then, if for some reason the scan fails and we think that you still have malware, we’ll continue to give you examples of stuff that we think is infected. So you can iterate pretty quickly to clean the malware up.

 

Now, there’s a third tool. It’s a little more useful for hacked sites than for malware, but you can also do Fetch as Googlebot. And Fetch as Googlebot, basically, is another feature in Google’s webmaster tools, so at google.com/webmasters. And you can say, OK, take a particular page that I have proved that I control or that I own. Fetch it as Googlebot. So Googlebot goes and actually gets the content of that page, and then, Googlebot will tell you exactly what was returned to it. So it’ll tell you if there was a redirect, like a 301. It’ll tell you what the exact content was, so you can look through it, and you can look for any sort of stuff that looks like it’s been hacked or is showing up malware. So that can be extremely useful. Especially for some hacked sites, they’ll show Googlebot the hacked content, but they will not show regular users the hacked content, which is kind of evil and mean and malicious.

 

There’s a few places where you can look. For example, a lot of people will put stuff in an .htaccess file. So if you look around, you might be able to find something there. You might also look for SQL injection. Sometimes, people will, if you don’t sanitize your URL parameters, your URL input correctly, then people can find ways to do drop tables, comma, insert malware, that kind of thing. So that’s something to be on the lookout for. It is hard, so don’t feel bad if you can’t find the problem straight off. But if you can look at, not just your source files, right? Because if you look at your source code, it might appear clean to you. You want to look at what is actually being returned in the browser, or fetch it as Googlebot and see what the end user really sees. Because there can be various ways where you think the source code looks clean. But whether it’s a mod_rewrite or .htaccess or something along the way, is that in the malware, so that you only see it when you actually access it as an end user. So you want to pay attention to that as well.

 

Certainly, it’s the case that you want to keep your system up to date. So if you run WordPress, you want to make sure that you patch that. Whatever CMS you use, you want to make sure you use the most recent version. Because if you’ve made some mistake, you can be hacked again, which brings you to the next point, which is when you think you do have it all clean, and probably even before that, you should change your passwords. So find something that’s a really hard, difficult password. Don’t use 1, 2, 3, 4, 5, 6. Don’t use love. Don’t use God. Don’t use password. Don’t use let me in. Generate some random hash kind of passwords, something that’s really, really strong, because that’s a lot more likely to keep the hackers out.

 

You can also check out some free websites. For example, if you haven’t seen unmaskparasites.com, that can be a really useful place to talk about all the different attacks that are currently going on. There’s a guy there that’s doing a really good job of showing what some of the current malware stuff looks like.

 

So keep your server patched, up-to-date. Make sure you have strong passwords. If you do get these messages, you can figure out, is it on my site or is it on a third party site by using the safe browsing diagnostic pages and the malware review. Once you know the actual pages, you can clean them up. Make sure they’re really clean. Submit them, and then get a review back in a few hours from Google to say, OK, the malware’s gone. You can also check whether you’re hacked with Fetch as Googlebot. You can look at SQL injection. You can look at .htaccess. Those are some of the common ways that people get in. I know that it’s frustrating. I know that it’s really irritating.

 

Sometimes, it takes a little while to even accept that you have been hacked or that you do have malware. A lot of people, we hear the reaction, no, my site’s clean. I do view source, and I don’t see anything. But a lot of the times, it’s hiding in some really weird place like JavaScript that’s included, obfuscated JavaScript. So you look at it, and it looks like just weird blob. Things that look relatively normal like, they’ll include from a domain that looks like Google Analytics or looks like wherever you would load your normal JavaScript from, but it’s one character off. And it’s something malicious.

 

It can be a real pain to clean this stuff up

But Google takes this stuff very seriously, because if a webmaster accidentally exposes their users to malware, that’s a horrible experience, and they complain to us. So we’ve actually taken a bunch of different ways to try to protect the user, and hopefully, some of these tools will help you in getting rid of the mess and getting things cleaned up. And we hope that, after you get this all done, it’s smooth sailing from then on. Good luck.


by Matt Cutts - Google's Head of Search Quality Team
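
The answer above recommends comparing what Googlebot receives with what a regular visitor receives, and watching for script includes from a domain that is one character off from a legitimate one. The following is an added example, not part of the original answer or any Google tool: it compares the external script hosts in two saved responses for the same URL and flags near-misses of trusted hosts. The trusted-host list, the edit-distance threshold of 2, and both sample responses are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from.
TRUSTED = {"www.google-analytics.com", "ajax.googleapis.com"}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']([^\"']+)[\"']", re.I)

# Constructed sample responses for the same URL, as seen by two clients.
BROWSER_VIEW = """<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="/js/site.js"></script></head><body>Welcome</body></html>"""
GOOGLEBOT_VIEW = """<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script src="http://www.google-analytlcs.com/ga.js"></script>
<script src="/js/site.js"></script></head><body>Welcome</body></html>"""

def external_script_hosts(html):
    """Hosts named in <script src=...>; relative (same-origin) URLs have none."""
    hosts = {urlparse(src).hostname for src in SCRIPT_SRC.findall(html)}
    return {h for h in hosts if h}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def verdict(host):
    """Classify a host as trusted, a near-miss of a trusted host, or unknown."""
    if host in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if edit_distance(host, good) <= 2:  # assumed threshold
            return "lookalike of " + good
    return "unknown third party"

def audit(views):
    """views maps a client name to the HTML it received.
    Returns (host, verdict, clients that saw it) for every non-trusted host."""
    seen = {}
    for client, html in views.items():
        for host in external_script_hosts(html):
            seen.setdefault(host, []).append(client)
    return sorted((h, verdict(h), sorted(c)) for h, c in seen.items()
                  if verdict(h) != "trusted")

if __name__ == "__main__":
    for finding in audit({"browser": BROWSER_VIEW, "googlebot": GOOGLEBOT_VIEW}):
        print(finding)
```

In practice the two inputs would be the body shown by Fetch as Googlebot and the body saved from an ordinary browser session; a host that appears for only one client is the signal to investigate.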
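
The answer also points at .htaccess and mod_rewrite as places where a compromise hides so that only some visitors see it. As an added example (not from the original answer), this audit walks an .htaccess file and reports every `RewriteRule` that sends requests to another host when it is gated by a `RewriteCond` on the user agent or referrer. The site host `example.com` and the sample file are constructed assumptions.

```python
import re

OWN_HOST = "example.com"  # assumption: the site being audited

# Constructed sample .htaccess: one visitor-dependent external redirect
# followed by an ordinary front-controller rule.
SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://redirect.example.net/landing?p=$1 [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

# Conditions that make a rule depend on who is asking.
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(\S+)", re.I)
ABS_URL = re.compile(r"^https?://([^/:]+)", re.I)

def audit_htaccess(text, own_host=OWN_HOST):
    """Return (line number, condition variable, pattern, target host) for each
    RewriteRule that redirects off-site under a user-agent or referrer condition."""
    findings, pending = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND.match(line)
        if cond:
            # Conditions accumulate until the next RewriteRule consumes them.
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE.match(line)
        if rule:
            target = ABS_URL.match(rule.group(1))
            if target and target.group(1).lower() != own_host:
                host = target.group(1).lower()
                findings.extend((lineno, var, pat, host) for var, pat in pending)
            pending = []  # a RewriteRule ends the scope of preceding conditions
    return findings

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS):
        print(finding)
```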

 
