
How to remove malware that doesn't exist?

[ Edited ]
Follower ✭ ☆ ☆
# 1

So, my client's site: [URL edited] was suspended from AdWords for malware being present on the site (according to AdWords).

After doing an initial evaluation via FTP, looking at cached pages, and the source code, I couldn't find anything. So, I ran the site through 3 different scans, all of which indicated no malware:

Sucuri did observe that the WordPress version is out of date, but that's a bit of a complex issue because the theme is not fully compatible with newer versions of WordPress. In any event, to my understanding having an old version of WP does not equal "malware."

Lastly, I checked Google Webmaster Tools, and they do not currently detect (nor have they ever detected) malware on the site:

“Currently, we haven't detected any security issues with your site's content. If you want to learn more about security issues and how they could affect your site, review our resources for hacked sites.”

So... I've spoken with 3 different Google reps since last week (2 were nice and 1 was incredibly rude and unhelpful), and a 4th rep via online chat. All of them (except the rude one) have told me the issue will be escalated and that they will respond to me by email. I have yet to receive any emails, and the site has been suspended for a week now.

How do I remove malware that by every account I've tried does not exist? Is there some other vulnerability or tool I can use to check for it that I haven't listed above? Or is it possible (I know this sounds crazy!) that Google made a mistake here?

At wit's end with this. Any advice would be appreciated.

Regards,

AA

NOTE: This post has been edited by a Community Manager in order to protect user safety, per our Community Posting Guidelines. 


Re: How to remove malware that doesn't exist?

Top Contributor
# 2

Re: How to remove malware that doesn't exist?

[ Edited ]
Follower ✭ ☆ ☆
# 3

Well... I *may* have solved the problem.. I continued looking around this forum, and found a link to the following page which I had read several times, but needed to read again I guess: https://support.google.com/adwordspolicy/answer/1308246.

I noted the following quote about sites not permitted: "Sites that incorporate content (images, Flash, iframes, etc.) from infected sites"

Although the site did not have any existing malware on its own pages, I did find the following snippet of legacy code in the header.php file that makes reference to a "class" that is on another webpage:

[edited]

As it turns out, [URL edited] IS infected with malware, so I'm assuming this was the root cause of the issue. The offending line now simply says:

[edited]

I'm cautiously optimistic that this will resolve the issue. I'll post an update when one is available.

NOTE: This post has been edited by a Community Manager in order to protect user safety, per our Community Posting Guidelines. 
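
The check described in post #3, listing every third-party host a page pulls content from so each one can be looked up separately, can be scripted. This is an added example, not code from the thread; the redacted snippet is not reproduced, and the markup, hostnames and the `external_hosts` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags and attributes that load content from another origin into the page.
EMBED_TAGS = {"script", "iframe", "frame", "img", "embed", "object", "link", "source"}
URL_ATTRS = {"src", "href", "data"}

# Constructed sample of rendered header markup (not the site from the thread).
SAMPLE_HEADER = """<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" href="/wp-content/themes/legacy/style.css">
<script src="https://www.client-site.example/js/menu.js"></script>
<script src="http://old-widgets.example.net/lib/slider.class.js"></script>
</head>
<body>
<img src="//cdn.example.org/logo.png" alt="logo">
<iframe src="/contact-form.html"></iframe>
"""


class ExternalRefs(HTMLParser):
    """Collect (host, tag, line) for each embedded resource on a foreign host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag not in EMBED_TAGS:
            return
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            # Relative URLs have no hostname; protocol-relative (//host/..) ones do.
            host = (urlparse(value).hostname or "").lower()
            same_site = host == self.own_host or host.endswith("." + self.own_host)
            if host and not same_site:
                self.found.append((host, tag, self.getpos()[0]))


def external_hosts(markup, own_host):
    parser = ExternalRefs(own_host)
    parser.feed(markup)
    parser.close()
    return parser.found


if __name__ == "__main__":
    for host, tag, line in external_hosts(SAMPLE_HEADER, "client-site.example"):
        print(f"line {line}: <{tag}> loads from {host}")
```

Run it against the HTML the server actually returns rather than the raw theme file, since PHP includes and plugins can add references that are not visible in header.php itself.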

Re: How to remove malware that doesn't exist?

Follower ✭ ☆ ☆
# 4
Hey Celebird,

The hxxp thing is throwing me off a bit... When I use WMT to "fetch as Googlebot" with the home page, I don't see any http links listed as hxxp. Is the result generated by Redleg indicating that there is still an issue at hand?

Apologies for being a noob here perhaps.

Thanks.
Marked as Best Answer.
Solution
Accepted by topic author Francisco K
September 2015

Re: How to remove malware that doesn't exist?

[ Edited ]
Top Contributor
# 5

first, you're welcome.

the (hxxp) results should not be generated by redleg --

typically only the line-count and highlighting are redleg's.

hxxp can sometimes be a sign of code-injection --
typically from another (linked) website or script
or as a result of malicious (.htaccess) redirects;
often, only under certain specific circumstances.

 

check the server's log files at the time the redleg scan is running.

one possible course is to contact adwords directly
and also post within the webmaster-help forums --
where redleg sometimes participates.
https://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
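
One way to audit for the .htaccess redirects mentioned in post #5, which fire only under certain circumstances and so are missed by a plain page fetch: read the file and report every rule that sends visitors to a foreign host, along with the visitor properties it is conditioned on. This is an added example, not from the thread; the sample file, hostnames and the `audit_htaccess` helper are constructed.

```python
import re

# Request properties that conditional (cloaked) redirects typically key on.
VISITOR_VARS = re.compile(
    r"%\{(HTTP_REFERER|HTTP_USER_AGENT|HTTP_COOKIE|REMOTE_ADDR)\}", re.I)
EXTERNAL_TARGET = re.compile(r"^https?://([^/\s]+)", re.I)

# Constructed sample: stock WordPress rules followed by one off-site redirect.
SAMPLE_HTACCESS = """# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect-target.example.net/ [R=302,L]
Redirect 301 /old-page https://www.client-site.example/new-page
"""


def audit_htaccess(text, own_host):
    """Return one finding per rule that redirects to a host other than own_host."""
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            match = VISITOR_VARS.search(raw)
            if match:
                pending.append(match.group(1).upper())
            continue
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in ("redirect", "redirectmatch") and len(parts) >= 3:
            target = parts[-1]
        else:
            continue
        match = EXTERNAL_TARGET.match(target)
        host = match.group(1).lower() if match else ""
        if host and host != own_host and not host.endswith("." + own_host):
            findings.append({"line": lineno, "host": host, "conditions": pending})
        pending = []  # RewriteCond lines apply only to the next RewriteRule
    return findings


if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, "client-site.example"):
        print(finding)
```

Apply it to every .htaccess under the document root, not only the top-level one, because each directory can carry its own file.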

Re: How to remove malware that doesn't exist?

Follower ✭ ☆ ☆
# 6
Thanks again. I'll continue to investigate this and hopefully there aren't more problems left to uncover.

Re: How to remove malware that doesn't exist?

Follower ✭ ☆ ☆
# 7
Follow up on this.... I installed Sucuri server-side malware scanning and removal ($89.99/year) and have sent Google multiple screenshots showing that the site is 100% clean of malware. WordPress has also been updated to the latest version along with all plug-ins, and I installed iThemes Security for WordPress to reduce future exposure to all vulnerabilities.

This was all done over a week ago. Despite a phone call (I was promised a response within 24 hours that never came), and a follow-up email to my original ticket (no response), I've received no follow-up from Google and our ads are still down.

This is simply SHOCKING customer service. I went to an event for agencies at Google's San Francisco office last year, and I remember a Google employee waxing poetic about how "small business is the lifeblood of Google" and a "key part of their future". Based on this experience over the last 2+ weeks, it is evident that Google's priority still is enterprise level business, as they are happy to let small businesses twist in the wind for weeks at a time.

Re: How to remove malware that doesn't exist?

Top Contributor
# 8

does the software check specifically for malicious
.htaccess redirects or related injection practices?

Re: How to remove malware that doesn't exist?

Follower ✭ ☆ ☆
# 9
Per the support rep I just spoke with via their online chat system:

Brandon: hi there
Brandon: yes we will check for all malicious code during our cleanups

Re: How to remove malware that doesn't exist?

Top Contributor
# 10

not malicious code -- .htaccess attacks.

also, did the scan flag the hxxp injections?