I was greeted with a nice message from Firefox in the morning

Firefox's Warning That A Site Might Be Harmful

If someone was searching Google and came across one of my results, there was a clear warning that my site was dangerous, and if they clicked through on a result they would be greeted with this.

Googles Hacked Warning From Search Results

What Affect Does This Have On Search Traffic

What do you think? Kills it dead…

Search Traffic Killed By Security Warnings

Over 90% of Google search traffic was wiped out

How Dare They Do That

The first reaction by many people is probably shock, horror, outrage… I mean how dare they take away all that free traffic.

My first reaction was to upload a new index.php file that shut off the blog, gave a warning, and a 503 header (that I checked to make sure that it was being sent correctly)

I don’t want anyone to suffer from visiting my site due to injected iframes for suspicious sites injected into my pages.

I renamed my existing index.php

I then uploaded a new index.php with the following code

<?php
ob_start();
header('HTTP/1.1 503 Service Temporarily Unavailable');
header('Status: 503 Service Temporarily Unavailable');
header('Retry-After: 3600');
header('X-Powered-By:');
?><!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Temporarily Unavailable</title>
</head><body>
<h1>Service Temporarily Unavailable</h1>
<p>Cleaning up a hacked server, might be a while</p>
</body></html>

This wasn’t a total cure… there were a few extreme situations where this wouldn’t have been effective such as a few static files, but it was a very good fast measure, and the next step would probably have been to use htaccess to redirect all traffic to that page that was outside WordPress.

Fixing Hacked WordPress Installation

Lorelle has a great recent compilation of how to diagnose a hacked WordPress blog, and how to fix it.

I determined that what happened to my site wasn’t the new worm based attack, and that my database wasn’t affected.

Here is the procedure I used:-

1. Backed up database – I already have backups sent daily to Gmail – I don’t store backups using WordPress plugins for S3 etc as these can actually introduce another attack vector.
2. Backed up server image – one of the advantages of using VPS Hosting is often the ability to create an immediate snapshot of the whole server.
3. Rolled back to previous server snapshot – I have daily, weekly and monthly snapshots of the whole server backed up, and the best option was the weekly one taken Sunday night.
4. Uploaded backed up database to server
5. Restored database using simple mysql command via terminal
6. Tons of passwords changed

The WordPress export is a useful alternative to what I did, but just imagine using that cleanup method suggested by Lorelle if you were running a busy membership site using WordPress, or have lots of SEO and other special tweaks not supported by WordPress export.
Ultimately solutions for cleaning a database would be a lot more appropriate.

Google Reinclusion Request?

The final step is a reinclusion request with Google which in theory might take 4 or 5 days for them to take a look at, but here is an interesting chain of events.

I filed a reinclusion request with Google possibly 8 hours after I discovered I had been hacked – I was a little busy with other offline events so fixing server took a little more time than I would otherwise expect.

Some feedback for the Google Webmaster team if they read this

• When you file a reinclusion request, currently a copy of what you send Google is not CCed back to you, even in the webmaster interface
• The form for filing reinclusion requests has some very wierd scrolling/focusing events going on, so it is impossible to use when filing a long request with the detailed information asked.
• 6 hours after I filed my reinclusion request, I recieved notification in Webmaster Tools from the Google Search Quality Team that my website had been spotted by Google as compromised. That is at least 14 hours after it happened.

Malware notification regarding http://andybeard.eu/ September 16, 2009

Dear site owner or webmaster of http://andybeard.eu/,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

Below are one or more example URLs on your site which can cause users to be infected:

http://andybeard.eu/

http://andybeard.eu/1297/

http://andybeard.eu/1298/

Here is a link to a sample warning page: http://www.google.com/interstitial?url=http://andybeard.eu/

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised

2) the site doesn’t monitor for malicious user-contributed content

3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites: http://www.stopbadware.org/home/security

Once you’ve secured your site, you can request that the warning be removed by visiting this Webmaster Help Center article and requesting a review. If your site is no longer harmful to users, we will remove the warning.

Sincerely,

Google Search Quality Team

You would think if Google are notifying Stopbadware.org who in turn are notifying other sites such as I noticed Tweetmeme blocked my site very quickly, that somehow the notification to the webmaster would be listed in Webmaster tools at around the same time.
I can understand 15mins difference, even an hour, but attentive webmasters are going to have their servers rectified before this notification is sent.

You Might Not Need The Reinclusion Request Any More

Better safe than sorry, but here is the normal series of events for a reinclusion request.

1. You file it and get sent a message that you filed it (without the details of what you sent attached)

Reconsideration request for http://andybeard.eu/ {Date}

We’ve received a request from a site owner to reconsider how we index the following site: http://andybeard.eu/

We’ll review the site. If we find that it’s no longer in violation of our Webmaster Guidelines, we’ll reconsider our indexing of the site. Please allow several weeks for the reconsideration request. We do review all requests, but unfortunately we can’t reply individually to each request.

2. Some time passes
3. Google send you notification that they have looked at the request

We’ve processed your reconsideration request for http://andybeard.eu/ {date}

We received a request from a site owner to reconsider how we index the following site: http://andybeard.eu/.

We’ve now reviewed your site. When we review a site, we check to see if it’s in violation of our Webmaster Guidelines. If we don’t find any problems, we’ll reconsider our indexing of your site. If your site still doesn’t appear in our search results, check our Help Center for steps you can take.

But I am still at the “some time passes” stage, which I honestly expected to last 4-5 days, and felt was quite reasonable – even Google don’t have unlimited resources.

• I filed my reinclusion request sometime around 9am PST (6pm CET) Wednesday
• By 10am CET Thursday my site was no longer being blocked.

This is somehow now being automated.

There wasn’t any exceptional crawl activity, but Google average crawling over 800 pages of my site every day anyway. A big enough cross-section to detect anything unusual.

Other than the feedback items I noted above, Google are doing a great job with handling hacked sites, at least based upon the experience I have just undergone.

Effectively 24hrs from seeing my site being blocked, fixing the hacked site, notifying Google, and finally having my site back without horrible security warnings everywhere is amazingly efficient.
The data seems to have also been pushed out to those that use it extremely fast, as all my Tweetmeme buttons are already active again.

This post hopefully can act as a bit of a counter-balance to all the stories of dread you will find if searching of how hard it is to fix a site after it has been hacked, and what it takes to get Google to reconsider your site after it has happened.

Bravo Google Webmaster and Search Quality team & Stopbadware