Google Search Quality Team say my site was compromised

Well, if your blog was at wordpress.com, then you can cancel your account there.

If your blog was on your website, then you’ll need to delete the WordPress files from your web hosting account.

That said, we can’t tell what comprising had been done to the blog. What files did you check?

We deleted the files from our hosting server after searching through every file we could open with notepad. We could not find any spurious code. It took hours! Bit annoying we cannot remove the search references on Google though – people finding our blog pages get this malware warning page from Google.

Must admit, that not being used to this sort of thing we panicked a bit and only thought about contacting WordPress later after removing our WordPress blog. I realise you cannot help now, although we have a backup of the site I don’t want to get on the wrong side of Google by putting it up on the server again. Fact remains, someone hacked into our WordPress site and compromised it.

Fact remains, someone hacked into our WordPress site and compromised it.

Fact remains, you arent the first, and wont be the last. You dont indicate what version you were running, etc..

The blog is gone. Google webmaster tools allows you to submit urls for deletion from their index.

Done deal.

—

I dont mean to sound hasty, but it sounds like water under a very big bridge.

I do not want this slur attached to our bona fide business. How can I cancel my WordPress blog from the internet and remove all postings?

Why are you giving up so fast? Plenty of decent, good quality businesses get hacked and then delisted from Google. You aren’t the first and you won’t be the last, so don’t feel like your reputation has been besmirched forever.

Once you figure out the problem and notify Google, they’re pretty good about putting you back into their listings.

What version were you running? The 2.5.1 upgrade had some important fixes.

You might find these links interesting, as they will give you some ideas of what to look for.

Security Issue, Multiple Sites

Has Your Blog Been Hacked Recently?

We deleted the files from our hosting server after searching through every file we could open with notepad. We could not find any spurious code. It took hours!

You need some kind of grep tool.

Hello Rosie,

Appreciate the reply. Our problem is, we are a publishing company – not an IT company and it seems you need a high-level of technical expertise (and a lot of time) to sort out these security issues on WordPress sites. I’m sure sure we can handle it. We were running 2.5.1.

Just out of interest, there is another element to this. We ran a blog criticising Google’s latest gambit of linking with the UK and US libraries to scan all their books and make the contents freely available on-line. We think this compromises the copyright of authors so we used our blog to make this point. A few days after we ran it, Google effectively closed us down via their Quality Search Team advising us our site had been compromised. Could be a coincidence??

Assuming the site was genuinely compromised and Google is not playing Big Brother – if we put the site back up again, we could not even log onto the admin area because Google has blocked the site. So, if we did put it back up, how could we log onto it and how is it possible for not-very-technical-people to find out if there is spurious or invisible code added to the programs?

So, if we did put it back up, how could we log onto it and how is it possible for not-very-technical-people to find out if there is spurious or invisible code added to the programs?

You must be somewhat technical, because you had upgraded to 2.5.1, right?

Actually, I’m kind of wondering if you really were running 2.5.1. Certainly many people were running 2.3 when hacked by the people who insert “running WordPress 2.5” into the source code, so you may have thought you were running 2.5.

And how did you back up your site? Did you back up the wp-config file? The wp-content folder? Most importantly, did you make a database backup, too?

You won’t be able to put the site back up unless you did at least the last item; you can reconstruct it without the first two, but it will be much harder.

These are the WordPress backup instructions: “Backing Up Your Database.”

Did you follow them to back up your database?

If so, here are the WordPress instructions to restore your database: “Restoring Your Database.”

You should also read the two links I referenced in the above threads. If they are too technical for you, then I would just recreate the WordPress site from scratch, however you did it the first time.

NOTE: If you use an automatic installer, make sure they are installing the latest version, found here. A lot of automatic installers are behind on versions, leaving you vulnerable.

And frankly, if you can’t (and you don’t have anybody on your team who can) upgrade WordPress whenever a new version comes out, you probably shouldn’t use WordPress. It’s free, sure, but that zero price tag comes with the obligation to maintain your site properly. If you can’t do it, you need to pay someone to do it for you.

And frankly, if you can’t (and you don’t have anybody on your team who can) upgrade WordPress whenever a new version comes out, you probably shouldn’t use WordPress. It’s free, sure, but that zero price tag comes with the obligation to maintain your site properly. If you can’t do it, you need to pay someone to do it for you.

Fair comment. Perhaps WordPress is not for us. Thanks for your input.

I had similar happen on one of our newer blogs. Google actually flagged it right after we added it to webmasters tools.

I checked the site and nothing was wrong so I requested that it be re-checked with an explanation. A couple hours later they said we were clean and within 24 hours the message filtered out of the index.

The whole thing was some automated mistake of some sort. I would be careful about exposing EXEs for download or using forceful javascript for advertising/etc. Other than that it could just be a mistake.

If you’re a legit business it doesn’t cost much to have someone that knows what they are doing tend to upgrades and bug fixes for you. Other than that you could try WordPress.com.

Thanks for your comment. Actually, we used the blog mainly for support articles/tips/advice for new writers with no advertising etc. Apparantly, people are missing our blog so maybe we will try again and go the paid route. It could have been a mistake by Google – I guess we’ll never know now:)

Kind of you to reply, appreciate it.

No problem. Glad to see you give it another shot.

I was curious about this:

if we put the site back up again, we could not even log onto the admin area because Google has blocked the site

The admin area of your blog? You don’t need Google to get to that, so I’m confused as to what you’re referring to.

Hi Dianne, thanks for your interest. OK, I uploaded WP (http:www.burn-a-book.com/wordpress2/) again.

If you search for it on Google (Writers Cramp, burn-a-book) you see the Google warning.

I upgraded to WP 2.5.1

Before the upgrade the database was all there and all the postings were complete. After the upgrade all the postings are missing and I cannot log on to the admin area. My password is not recognised. When I use the “Lost password” email link and go to wp-login.php?action=rp&key=DJ*NaZPNzb9z I get the message: Sorry, that key is not valid.

So, some advice would be appreciated. I can upload the original again (the one Google claimed was compromised) if you would like to see that. Or, perhaps you could help me get version 2.5.1 running properly with all the archives and posts showing?

Really glad of your help,

James

Dianne – PLEASE NOTE:

After entering my WP site, I got a warning from Trend Micro warning me it had stopped a network virus:

MS02-039_SQL_SERVER_RESOLUTION_EXPLOIT

Vulnerability Identifier: CAN-2002-0649,CAN-2002-0650
Discovery Date: Jul 24, 2002
Risk: Critical
Related Malware: SQLSLAMMER.A
Affected Software:
Microsoft Desktop Engine 2000
Microsoft SQL Server 2000

Description:

This exploit attacks the unchecked buffer vulnerability that exists in the SQL Server Resolution Service.

SQL Server Resolution Service operates on UDP port 1434. It has been introduced in SQL Server 2000 to host multiple instances of SQL servers. When an SQL client attempts to connect to a certain server instance, it queries the resolution service, which in turn reports what port the requested instance is using.

By sending a malformed request to the Resolution service, the SQL server may fail resulting to a denial of service (DoS) or run any codes that an attacker prefers. The malformed request consists of a very long Instance Name of the SQL server, which the SQLSERV.EXE file fails to validate.

The Slammer worm, SQLSLAMMER.A, already exploited this vulnerability.

So perhaps Google were right and my site was compromised. Just to warn you!

Using the automatic upgrade plugin I have repeated the upgrade to 2.5.1. successfully and can now sign in on the admin panel. https://www.burn-a-book.com/wordpress2/ is now back online. I still have serious concerns about the previous breach of the site and Google’s blocking of the site as unsafe. Before attempting to have the site relisted by Google I would appreciate someone looking at it and telling me what more I can do to ensure the site is safe for people to view.

(Maybe it would help if I removed the last post critising Google???)

Looking at your last but one message, it looks more like a vulnerability in MS SQL Server 2000 – is your database fully patched?