"THIS SITE MAY HARM YOUR COMPUTER"

The machines we love to hate

Moderator: Wiz Feinberg

Donna Dodd
Posts: 6851
Joined: 29 Jul 2003 12:01 am
Location: Acworth, Georgia, USA
State/Province: Georgia
Country: United States

Post by Donna Dodd »

Wiz,

We recently sent out a broadcast email about our upcoming show in June, and included a link to our GaSGA website: www.georgiasteelguitar.com

Several of our members responded, saying they had received a malware warning against our site. I contacted LeadingEdge Hosting about this. They ran multiple detections, yet came up with nothing to indicate this issue.

I'm attaching the actual warning we received from one user.

Donna Dodd
Georgia Steel Guitar Association (GaSGA) Board Member & Website Administrator
"Every person is a new door to a different world."
- from movie Six Degrees of Separation

Come visit my steel guitar store on CafePress! http://www.cafepress.com/zoomwithaview
Webmaster, http://www.georgiasteelguitar.com
Tommy Dodd
Posts: 578
Joined: 1 Nov 1999 1:01 am
Location: Acworth, Ga., USA (deceased)
State/Province: -
Country: United States

Post by Tommy Dodd »

Hey Wiz,

Do you have any ideas on what could be causing certain visitors to get this message and not others?
Ken Lang
Posts: 4708
Joined: 8 Jul 1999 12:01 am
Location: Simi Valley, Ca
State/Province: California
Country: United States

Post by Ken Lang »

I received the same screen when I went to the site. In fact that is my screen.
I did see it at a couple of other sites I believe. Have no idea what it means.
heavily medicated for your safety
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

I'll wager that all of you are browsing with the McAfee SiteAdvisor plugin enabled and set to kill. The SiteAdvisor toolbar add-on is known to be up to one year behind in its detections. I recommend using Firefox 3.x, without the SiteAdvisor plugin (uninstall it), as FF now ships with an anti-phishing, anti-malware plug-in that is maintained by Google itself.
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services | Wiz's Security Blog
John Cipriano
Posts: 449
Joined: 13 Jun 2008 8:23 pm
Location: San Francisco
State/Province: -
Country: United States

Post by John Cipriano »

I get it too. Firefox, Safari and Chrome will all automatically display this notice if a site is listed as dangerous by Google. I don't know about IE.

This is what Google says:

Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-04-12, and the last time suspicious content was found on this site was on 2009-04-12.

Malicious software includes 1 scripting exploit(s).
The full report is here. The request for review is here.

Donna, check with your administrator. My guess is that the scripts on your site are vulnerable to what are called cross-site scripting or XSS attacks. It's just a guess, though.

First you need to check all of your scripts for vulnerabilities and then make sure that nothing is on the server that doesn't belong there. Then you need to follow Google's instructions on how to remove the page from the suspicious sites list. They are in the two pages I linked above. I've never actually had to do it so I don't know the details, but hopefully it's not too difficult. I see a lot of scripts on the page that are just for loading images and I'd imagine you could get by without them. Sorry for the bad news and I wish you luck in fixing it.
Doug Beaumier
Posts: 16061
Joined: 4 Aug 1998 11:00 pm
Location: Northampton, MA
State/Province: Massachusetts
Country: United States

Post by Doug Beaumier »

The site works fine for me.
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

I answered too fast! After visiting the georgasteel.com website I also got a blocked warning box. It is easy enough to click on Ignore this warning and enter the site.

When I used Internet Explorer 7 I got into the site without any warnings at all. Evidently, John C is correct, Google's filters are mis-identifying the website as having hosted a malware download. I think that the Flash player's attributes may be triggering the false positive warning.
John Cipriano
Posts: 449
Joined: 13 Jun 2008 8:23 pm
Location: San Francisco
State/Province: -
Country: United States

Post by John Cipriano »

Unfortunately www.tommydodd.com is being flagged as well. Did Leading Edge code the pages as well? If so I think you guys are going to need to lean on them a little bit more. Tell them they need to create an account with Google Webmaster Tools and then request a review of the two sites. Best of luck.

Also, I can't help but mention Tommy that your avatar on the forum is a really nice photo, very classy :)
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

Unfortunately, both the Georgia Steel Guitar and Tommy Dodd websites have been hacked with 1x1 iframes that redirect browsers to another redirection website, where victims are infected by exploit codes to receive malware.

Right now it is unsafe to view these websites unless you have the NoScript plug-in for Firefox and the most recent version of Firefox. The iframe will redirect any other browser to the source of the infection (unless iframes are turned off).
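A defender-side check for the kind of injection Wiz describes above: this is an added example, not code from this thread or from either website, that parses a page's HTML and reports iframes that are 1x1 or zero-sized, or hidden by CSS, and whether each one loads an off-site URL. The sample HTML and the redirector hostname in it are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: an injected 1x1 off-site iframe beside a legitimate
# embed and a zero-sized same-site one. The redirector host is a placeholder.
SAMPLE_HTML = """<html><body><h1>Georgia Steel Guitar Association</h1>
<iframe src="http://redirector.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/xyz" width="560" height="315"></iframe>
<iframe src="/members/calendar.html" style="width:0;height:0"></iframe>
</body></html>"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 (bare number or px)."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def find_hidden_iframes(html, site_host):
    """Report iframes that are 1x1/zero-sized or hidden by CSS, the injection
    pattern described in the thread, and whether each loads an off-site URL."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        tiny = (_is_tiny(a.get("width", "")) and _is_tiny(a.get("height", "")) or
                re.search(r"(width|height):0?[01](px)?(;|$)", style) is not None)
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            findings.append({"src": src, "host": host,
                             "reason": "tiny" if tiny else "hidden",
                             "off_site": bool(host) and host != site_host.lower()})
    return findings
```

Run it over a saved copy of each page on the server rather than over a live fetch, so the scan itself never loads the redirector.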
Donny Hinson
Posts: 21819
Joined: 16 Feb 1999 1:01 am
Location: Glen Burnie, Md. U.S.A.
State/Province: -
Country: United States

Post by Donny Hinson »

I didn't have any trouble accessing the site, but then again... I don't use FF, IE, or GC.
Ken Lang
Posts: 4708
Joined: 8 Jul 1999 12:01 am
Location: Simi Valley, Ca
State/Province: California
Country: United States

Post by Ken Lang »

Interesting. I just went to both sites with Google Chrome and then Opera. Neither had the red flag any longer. Must be fixed.
Wiz Feinberg
Posts: 6117
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA
State/Province: Michigan
Country: United States

Post by Wiz Feinberg »

The malicious codes have been removed for about a week now. Their webmaster is investigating the cause of the code injection.