  Author: Topic: Malware & Attack site
offline gspot
Last Visit: 06/27/10

Moderator
Dev
Joined: 04/22/08
Forum Posts: 320
 Malware & Attack site
 Posted on: 06/26/10 at 14:33:06


My web site has been announced and marked by Google as an "Attack site". Besides the verification of the site ownership, which still did not work, I have another question, if someone here knows the answer:
They don't tell you which page or which script or which file is infected. Any ideas on how to easily find the infected file(s) on the web site? Thanks.
Regards
Gspot





ankaraHHH.com
On On
G*
Logged
       
offline Jack Deth
Last Visit: 08/17/10

Administrator
Dev
Joined: 02/13/05
Forum Posts: 3666
 Re: Malware & Attack site
 Posted on: 06/26/10 at 15:06:32

Well, if you follow through on your site's Google selection, and follow through the messages and read what's there, you can find a link to this page:

http://www.google.com...

It tells you why your site was marked as malware...  looks like some bastards were using your site to try and infect some people...  could happen to any forum type scripted site...

See if you can find where it's coming from and let us know if it's a web-app issue or a 3rd party issue...

............................................................

From what I see here:

What is the current listing status for ankarahhh.com?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 5 time(s) over the past 90 days.

What happened when Google visited this site?

Of the 30 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-06-26, and the last time suspicious content was found on this site was on 2010-06-25.
Malicious software includes 1 scripting exploit(s).

Malicious software is hosted on 2 domain(s), including fancycake.net/, websiteget.com/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including fancycake.net/.

This site was hosted on 1 network(s) including AS29873 (BIZLAND).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, ankarahhh.com did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

..............................................................

Looks like your site is on the same server as a couple of domains that are hacker/exploit sites which are trying to infect people...  could be more, I would make a complete backup of the site and check through everything to see if there is anything odd on your site....

Guilty by association it seems...



Beta-Tester Extraordinaire.

Testing on various platforms and operating systems...

http://www.2xlnt.com...
http://www.themeapp.com...
Logged
       
offline gspot
Last Visit: 06/27/10

Moderator
Dev
Joined: 04/22/08
Forum Posts: 320
 Re: Malware & Attack site
 Posted on: 06/26/10 at 15:28:39

Thanks anyway. Meanwhile I've found the malicious infected file (however, there may be other infected files as well):
/index.html is hacked obviously, before the redirect to /hashapp/. I've changed the index.html file, and replaced it with a clean one and we shall see. If it is of any interest, I can send you the infected file.
My question was actually, how do we easily find such infected files? Is there any available software to scan the web site? I couldn't find any.
The other matter is that Google puts the site just like that as an attack site, BUT the verification of the ownership of the site does not work, although all requirements are fulfilled. And you can NOT reply to any of these annoying emails, as they are no-reply. You are confined to forums etc... my site also loses its reputation, for which Google is to blame, as their tool works only one way but not from the victim site's side.



Logged
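One way to approach the question above of finding injected pages, added here as an example and not posted by anyone in the thread: walk the document root and list every script, iframe, frame, embed or object tag that loads from a host outside an allowlist. The function names, the file extensions and the `*.example` hosts are assumptions, and the sample site is constructed.

```python
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that pull in remote content, and the attribute that holds the URL.
WATCHED = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}

class ExternalRefFinder(HTMLParser):
    """Collects (tag, host) for watched tags whose URL names a remote host."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # Unwatched tags look up the attribute "" and so yield an empty URL.
        url = dict(attrs).get(WATCHED.get(tag, "")) or ""
        host = (urlparse(url.strip()).hostname or "").lower()
        if host:  # relative URLs have no host and are skipped
            self.refs.append((tag, host))

def scan_docroot(root, allowed_hosts):
    """Return sorted (relative path, tag, host) for off-allowlist references."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Assumed set of page extensions; adjust to what the site serves.
            if not name.lower().endswith((".html", ".htm", ".php", ".tpl")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                finder = ExternalRefFinder()
                finder.feed(fh.read())
            findings += [(os.path.relpath(path, root), tag, host)
                         for tag, host in finder.refs if host not in allowed]
    return sorted(findings)

def demo():
    """Constructed sample site: one page with an injected iframe, one clean page."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write('<html><body><iframe src="http://injected.example/x" width=1 height=1>'
                     '</iframe><script src="/js/site.js"></script></body></html>')
        with open(os.path.join(root, "page.html"), "w") as fh:
            fh.write('<script src="//static.mysite.example/app.js"></script>')
        return scan_docroot(root, {"mysite.example", "static.mysite.example"})

if __name__ == "__main__":
    print(demo())
```

Run it against a downloaded copy of the site rather than on the live host. It only sees static tags, so an injection that builds its tag at run time from inline script will not be listed.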
       
offline On
Last Visit: 08/16/10

Administrator
Dev
Joined: 06/19/03
Forum Posts: 4963
 Re: Malware & Attack site
 Posted on: 06/26/10 at 19:46:45


gspot said Today, 4 hours and 12 minutes ago.:
Thanks anyway. Meanwhile I've found the malicious infected file (however, there may be other infected files as well):
/index.html is hacked obviously, before the redirect to /hashapp/. I've changed the index.html file, and replaced it with a clean one and we shall see. If it is of any interest, I can send you the infected file.



Can you pls. send it to on@web-app.net

I work on some script that monitors changed db/ files for another purpose. It could be applied also for other files.

How come they managed to change the index.html file? Was your host hacked? What host are you using?



[user:On]
on@web-app.net

WebAPP CMS - Ethos and Logos but no thanks to Pathos!
GC/CS/E/H/IT/L/M/MU/PA/P/S/SS/TW/O d(+++)>+ s: a+>++>+++$ C++++$ UBAHS*++++$ P+++++(--)$ L !E? W+>++ N+++@ K+++>++++++@ w$ !O M->+ V--() PS+(-) PE(++) Y+ PGP->+ t+() 5 X? R>* tv@ b++>+++ DI+++ D? G(-) e++>+++@ h----() r+++ y++++ (Words of wisdom from Larry Wall, 1993)
Logged
       
offline On
Last Visit: 08/16/10

Administrator
Dev
Joined: 06/19/03
Forum Posts: 4963
 Re: Malware & Attack site
 Posted on: 06/26/10 at 19:47:48

Aron? Are you alive? :P



Logged
       
offline gspot
Last Visit: 06/27/10

Moderator
Dev
Joined: 04/22/08
Forum Posts: 320
 Re: Malware & Attack site
 Posted on: 06/26/10 at 20:15:20

On, I will send the file to you, however, obviously there are also other files
infected. The host is Powweb.com. The host was not hacked, otherwise I could not enter
the host server, or?
I don't know how the index.html file was infected...



Logged
       
offline On
Last Visit: 08/16/10

Administrator
Dev
Joined: 06/19/03
Forum Posts: 4963
 Re: Malware & Attack site
 Posted on: 06/26/10 at 21:47:49


gspot said Today, 1 hour and 23 minutes ago.:
On, I will send the file to you, however, obviously there are also other files
infected. The host is Powweb.com. The host was not hacked, otherwise I could not enter
the host server, or?
I don't know how the index.html file was infected...



You cannot edit the index.html directly as an administrator user on WebAPP.
Thus, someone must have either used root access to your FTP account or probably exploited some server vulnerability on your hosted account. You should inform your webhost about it. You should also join the Webmaster Tools program from Google to get specific information on what the problem was and how you can remove the blacklisting.

Either way, it will not do any good to delete all files, as the exploit is in the server configuration.

It looks like they have exploited Windows extensions folders on your hosted account, probably to remotely edit the file. It would be nice to see the server log; if you want, I can take a look there and set 000 permissions on the suspected folders.

Otherwise replace the file you sent me with this:


code:

<html>
<head>
<title>ankarahhh.com</title>
</head>
<body>
<script type="text/javascript">window.location = "http://ankarahhh.com/hashapp/";</script>
</body>
</html>



Rename it to the name of the file you sent, and upload it where it was.



Logged
       
offline gspot
Last Visit: 06/27/10

Moderator
Dev
Joined: 04/22/08
Forum Posts: 320
 Re: Malware & Attack site
 Posted on: 06/26/10 at 23:22:26

Well, I have done the cleaning and sent the index.html file already 5 hours ago,
actually exactly like you've suggested now... I can send you the server log, where do
I find the log actually? I'll have a look later... Can you find out which files/folders
are the suspect ones? Meanwhile, I did the whole action with Google, hard job, poor
explanation in all aspects, help pages were NOT efficient, all planned so as to make
people confused, for verification and request for reconsideration and review, they said
it will take several weeks, although they are very quick to block the site, see
below, but the site can be still infected...!
***************
We've received a request from a site owner to reconsider how we index the following
site: http://ankarahhh.com.../

We'll review the site. If we find that it's no longer in violation of our Webmaster
Guidelines, we'll reconsider our indexing of the site. Please allow several weeks for
the reconsideration request. We do review all requests, but unfortunately we can't
reply individually to each request

***************



Logged
       
offline gspot
Last Visit: 06/27/10

Moderator
Dev
Joined: 04/22/08
Forum Posts: 320
 Re: Malware & Attack site
 Posted on: 06/27/10 at 06:23:00

Strangely enough, when I open your Forum page after entering my password (where my link
is: ankarahhh dot com), your Forum page too shows Google's warning window, see
below. I wonder, is it me only or is it visible to everyone?

Image URLX2    Image URLX4



Logged
       
offline On
Last Visit: 08/16/10

Administrator
Dev
Joined: 06/19/03
Forum Posts: 4963
 Re: Malware & Attack site
 Posted on: 06/27/10 at 09:19:55


gspot said Today, 2 hours and 55 minutes ago.:
Strangely enough, when I open your Forum page after entering my password (where my link
is: ankarahhh dot com), your Forum page too shows Google's warning window, see
below. I wonder, is it me only or is it visible to everyone?
http://www.web-app.net...



Sorry (actually not..), but I can NOT reproduce the issue here :)



Logged
       
offline Jack Deth
Last Visit: 08/17/10

Administrator
Dev
Joined: 02/13/05
Forum Posts: 3666
 Re: Malware & Attack site
 Posted on: 08/17/10 at 20:03:34

That's funny...

Once you're on their list, your site name alone with some code on a page can get other sites screwed...

Give it time, this form of censorship will continue until all torrent sites and discussions of them are added in as well as anything Google deems unfit content...

Google has lost a lot of credibility in my eyes in various areas...

From their joke open source Android that they claim is being used illegally by Augen, which is funny since it's open source... to their business practices in other areas...

Chrome as a browser is the buggiest piece of crap.  Based off of Apple's Safari, stick with Safari, as Chrome likes to mess with video card drivers on PCs and screw up your display as you use it...



Logged
       
