Once Upon a Time … There’s Some Malware on Your Site

[Image: malware]

This isn’t actually funny at all.

I don’t know if you noticed this, but my site got infected with some malware about a week ago.

The malware was not a result of my reckless behavior or anything. Just some malicious Apache module sitting on the server at my web host (cheers, WPWebHost, we’re probably not going to do business any more).

First of all, here’s how it all started.

One day I received a friendly email from Google:

Dear site owner or webmaster of newinternetorder.com,

We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.

[…]

We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser

If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed.

[…]

Sincerely,
Google Search Quality Team

Now, the tone is very friendly, yet what it actually means is this:

Your site is infected. We’re banning it from the search engine results. Get it fixed now!

And this is something my SEOmoz monitor confirmed a while after. Here are the rankings for my main keywords:

[Image: rank]

Nice, huh?

And of course, whenever there’s malware on any site, every major browser starts to display a warning message when someone tries to visit it. Which means that what followed shortly afterwards was a decline in traffic.

[Image: stats]

Well, it was about time to do something.

So I started digging and found that the malware was only visible on http://newinternetorder.com/tag/business/ which was funny because the template file responsible for this URL is archive.php – and this is a file that also runs my date archives and category archives. Besides, there are also tens of other tags on the site, yet only this one was infected.

This was clearly not a problem with any of the template files. The problem was sitting somewhere deeper.

Since I’m an engineer and have a Master’s Degree in computer science I have to say that this malware was a nice piece of coding.

It didn’t come up during every scanning attempt (it only presented itself once every X times), it banned the most often used IPs (so whenever someone tried to visit the page more than X times the malware was no longer active), and as I said before it didn’t put any suspicious code inside any of the WordPress files.

While doing my research I stumbled upon this great post: Malicious Apache Module Injects Iframes.

It describes the exact problem I was experiencing. Here’s a screenshot from one of my Sucuri scans:

[Image: scan]

There’s an iframe located outside of the visible area. The URLs and the method are exactly the same as those described in the article.
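As an added illustration (not code from the original post or from the article it links to), here is one way to check for the two behaviors described above: an iframe placed outside the visible area, and an injection that only appears in some responses. The function names, the style heuristics and the sample pages with placeholder hosts are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

# Inline-style hints that an element is rendered where no visitor will see it.
OFFSCREEN = re.compile(
    r"(?:left|top|right|bottom)\s*:\s*-\d{3,}"
    r"|visibility\s*:\s*hidden|display\s*:\s*none", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe that is off-screen, hidden or 0/1 px."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = any(a.get(dim, "").strip() in {"0", "1"} for dim in ("width", "height"))
        if tiny or OFFSCREEN.search(a.get("style", "")):
            self.found.append(a.get("src", ""))

def hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.found

def audit_samples(samples):
    """samples: bodies fetched for one URL. Returns (indexes with hits, sources)."""
    hits, sources = [], set()
    for i, body in enumerate(samples):
        found = hidden_iframes(body)
        if found:
            hits.append(i)
            sources.update(found)
    return hits, sorted(sources)

# Constructed sample data: a clean page with a legitimate visible embed, and the
# same page with an off-screen iframe appended (placeholder hosts).
CLEAN = ("<html><body><h1>Tag: business</h1><iframe src='https://video.example/embed'"
         " width='560' height='315'></iframe></body></html>")
INJECTED = CLEAN.replace("</body>", "<iframe src='http://injected.example/x' style="
                         "'position:absolute; left:-1000px; top:-1000px'></iframe></body>")
SAMPLES = [CLEAN, CLEAN, INJECTED, CLEAN, CLEAN, INJECTED]  # injection is intermittent

if __name__ == "__main__":
    hits, sources = audit_samples(SAMPLES)
    print(f"{len(hits)}/{len(SAMPLES)} responses carried a hidden iframe: {sources}")
```

Only two of the six constructed responses are flagged, which is why a single fetch of the page can come back clean. In real use the samples would be bodies of the same URL collected at different times and from different source addresses.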

Hosting problems

Now the best part.

The support team at WPWebHost is crap.

Here’s the usual scenario when you contact them:

Me: hey, there’s a problem with my site.

Them: no, there’s not.

Me: yeah, there is, {explanation}.

Them: no, we did one single test, there’s not.

Me: there is; here’s {evidence #1}, {evidence #2}, and {evidence #3}.

Them: okay, there is, I’m transferring your ticket to our upper level support.

Them (upper level): hey, we did one single test, there’s no problem.

What. The. Hell?!

Anyway, after going back and forth a number of times they were finally able to fix it. Without even explaining what happened. And without saying anything about what I can do to prevent similar situations in the future.

But that’s not the end of the story.

Here’s my downtime graph:

[Image: downtime]

The red spots indicate the downtime.

Oh, and there’s also one more problem about my emails not reaching their destinations…

Long story short… Sorry guys, but it’s time for me to move on. And make sure that this post ranks well for phrases like “is WPWebHost any good” or something similar.

The current situation

Well, everything’s fixed. I’m in the middle of transferring my account to HostGator, and hoping that my rankings will return soon.

There’s no longer any malware on my site and I hope it stays this way.

[UPDATE]

As it turns out, Google works quite quickly to recognize every change. What this means is that my site is back in the ranking, which is great. Check this updated graph by SEOmoz:

[Image: seomoz-new]