Virus on the site - what to do and our story
On January 19, we received a message from Yandex: «Yandex found malicious code on life-trip.ru». After that, a note appeared in Yandex.Webmaster: «The site is currently displayed in search results with the mark "This site may threaten the security of your computer."» For 3-4 days the site was still marked as dangerous, although everything was fixed a couple of hours later. Some browsers also use information from Yandex, so they blocked our site as well. Traffic fell severalfold, and income along with it. At moments like this you understand how bad it is to be tied to a single site and to search traffic. The search engines dislike some small thing, and that's it...
But now everything is alright!
Checking the site for viruses online
A few links that may help, although none of the antiviruses showed anything. Only the sites that check whether a site is listed in the databases of dangerous sites showed that Yandex had marked us.
- http://webmaster.yandex.ru - Yandex.Webmaster shows which pages are infected
- https://www.google.com/webmasters/tools/ - Google's webmaster panel (see the Diagnostics / Malware section)
- https://www.virustotal.com/ - shows what search engines and other systems report about the site
- http://2ip.ru/site-virus-scaner/ - the same thing, but checks only against Google and Yandex
- https://www.stopbadware.org/clearinghouse/search - this service informs Google and Mozilla about viruses
- http://vms.drweb.com/online/ - Doctor Web antivirus, online check
- http://sitecheck.sucuri.net/scanner/# - virus scan; unlike the previous one, it did show the virus
- http://antivirus-alarm.ru/proverka/ - check against several anti-virus databases
- http://virusscan.jotti.org/ru - scans files only, with various antiviruses (you can save a page of the site as HTML and upload it)
- http://www.bertal.ru/ - shows the page code of your site as search engines see it, a useful thing
The best thing is to write to the hoster; that is how we solved this issue. We were unable to find the malicious code on our own. I will not write any manuals, it is described quite well here.
The main method is to view the page source for anything that should not be there, and then check all the loaded JS scripts and the PHP files of your theme to see whether anything inside them has changed. The easiest way is to look at the file size: if code has been added, the file will be larger than the original. Ideally, you need to check all the files on the hosting for changes, as well as for the appearance of new, unfamiliar files. Alternatively, download all the files of your hosting account to your computer and scan them with several antiviruses, although there is no guarantee that they will find anything.
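The file check described above, as an added example that is not part of the original post: it compares the live site tree against a known-good backup by SHA-256 digest as well as by size, and reports changed, new and missing files, including files whose content changed while the size stayed the same. The directory names and file contents in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file path relative to root to (size, SHA-256 digest)."""
    out = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            data = p.read_bytes()
            out[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return out

def compare(backup_root, live_root):
    """Classify files in the live tree against the known-good backup."""
    backup, live = snapshot(backup_root), snapshot(live_root)
    report = {"modified": [], "same_size_modified": [], "new": [], "missing": []}
    for rel in sorted(set(backup) | set(live)):
        if rel not in backup:
            report["new"].append(rel)
        elif rel not in live:
            report["missing"].append(rel)
        elif backup[rel][1] != live[rel][1]:
            report["modified"].append(rel)
            if backup[rel][0] == live[rel][0]:
                # Content changed but size did not: a size-only check misses this.
                report["same_size_modified"].append(rel)
    return report

def demo():
    """Compare two small constructed trees (sample data, not from the incident)."""
    trees = {
        "backup": {"js/jquery.cycle.js": b"/* cycle plugin */\n",
                   "style.css": b"body{margin:0}\n", "footer.php": b"<?php /* footer A */ ?>\n"},
        "live": {"js/jquery.cycle.js": b"/* cycle plugin */\n/* appended line */\n",
                 "style.css": b"body{margin:0}\n", "footer.php": b"<?php /* footer B */ ?>\n",
                 "cache/x.php": b"<?php /* unknown file */ ?>\n"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, content in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(content)
        return compare(Path(tmp, "backup"), Path(tmp, "live"))

if __name__ == "__main__":
    print(demo())
```

To use it on a real site, call `compare()` with the path of an unpacked backup and the path of a fresh download of the hosting account.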
Our story with the virus
The jquery.cycle.js in our WordPress template had been modified somehow. After removing it and uploading it from the backup, the hoster said that there was no more malicious code. Everything happened quickly enough. The problem most likely was not serious; rather, it was not a virus but just sabotage, otherwise it would have taken longer to deal with. I have read various stories about how people clean up a virus, and it appears again.
How it happened with our blog remains a mystery. If I had saved FTP passwords in Total Commander, it would be clear where the problem came from, but I know that this must not be done.
On the same day, I changed the passwords on all blogs, on the FTP account and hosting, and on the SQL databases of the sites, and scanned the laptop with two antiviruses. I hope that nothing else will slip by. But more reading on this topic will be needed.
It may well be that the problem was that in our template jQuery is loaded from ajax.googleapis.com; this topic even surfaced on Habr, and almost on the same day, which is suggestive. Just in case, I downloaded jQuery to the hosting so that it can be loaded from there.
Rechecking the site by Yandex
I submitted the site for rechecking in Yandex.Webmaster: «An application has been submitted (03/19/2012 00:00) to recheck the site, it will take several days.» And only on the 4th day did this long-awaited recheck take place. For some, judging by the forums, it can take a month, and for others 2 hours.
What is advised to speed this up:
- I wrote to technical support on the same day, but they replied only after 4 days, at the same time as the block was removed.
- We need to get the attention of bots, which is why I published two articles this week.
- You can also attract the attention of bots through this service http://www.imtalk.org/ or draw them in using some social bookmarks, but I did not have time to do this.
Something like that. I hope that some of the above will help in the fight against viruses. Attacks seem to have become more frequent recently :(