Some clients have recently received a notice from Google advising that the Google Safe Browsing system had detected pages on your website that might have been hacked or contain malicious third party resources. Further Google advised that the website had been demoted in the search index and that a warning notice was being displayed on some browsers when visiting the suspect pages it had identified.

This action by Google is important as it affects your search engine ranking regardless of whether or not the pages are "dangerous" or not, whether you know about it or not. The bottom line is that responsibility for any suspect activity that can be connected to your domain in any way fall back on to you, which is why Internet security is a big deal and why you need to understand it and act to defend yourself.

Our investigation of several websites recently affected revealed the following;

- The URLs Google claimed to be dangerous all include a "~" character. This is commonly used on shared hosting systems to enable access to website before domain names propagate.

- When followed, warning notices were diaplayed and on bypassing, visitors would end up at an "Account Suspended" page.

- The URL strings following the "~" character were typical of a account username and server path and quite unlike any URL that anybody would sensibly use or be likely to guess.

This raises several further questions;

1. How did Google find these URLs?

2. The folders/files in the URL do not exist, why doesn't an error message display?

3. Why do these URLs redirect to the "Account Suspended" page?

4. What is dangerous about an "Account Suspended" page anyway?

The answers are respectively;

1. The links are not a natural address for any website and are obscure enough not to be the product of a guess or programmed search. Google has detected deliberately placed links during indexing of some unknown sites.

2. cPanel accounts on shared hosting use the tilde character (~) to indicate an account username. This allows hosting accounts to be accessed before domain names propagate. Parsing of URLs with these characters bypasses the usual error routines.

3. The URLs redirect to "Account Suspended" pages because the accounts associated with the user names in the URLs are suspended accounts.

4. It is possible to hide malicious code in the "Account Suspended" page. Consider the scenario - hackers open an account, infect the "account suspended" page then allow the account to become suspended for whatever reason. Hackers then promote the link via a URL such as the one Google has found relating to your site and entice many people to click the link. It looks harmless and is generally ignored by anyone landing on it. It could stay that way for months or years, silently infecting many visitors.

None of the "Account Suspended" pages detected on clickonIT were infected. All suspended accounts have been dealt with.

What Should You Do About It?

Definitely advise your hosting provider through a support ticket as soon as you get teh notice. They need to know and may be able to help you further. Security of your site is ultimately your responsiblity however and you need to take action for your own direct benefit. Whether you do it yourself or get it done for you, you must act.

Google advises;

- Check Search Console (in Google Webmasters) for infected files.

- Remove any deceptive content (or malware infections).

- Secure your site from future attacks

- Request a security review, advising what you have done to fix the problem and prevent it happening in future.

Detailed instructions on how to complete these requirements can be found in our knowledgebase article Removing Google-Found "Social Engineering Content". This article is freely available to clickonIT customers. Just login to your client area and check the knowlegdebase under the "Security" category. The tasks required are straightfoward and most people will have no difficulty with them by following the instructions.

Important: Whether or not you have received a warning message from Google, all shared host websites are susceptible to this issue and taking the action detailed in this knowledgebase article will provide protection for your website from this compromise.

Alternative Solutions

clickonIT Virtual Assistants can quickly and efficiently take all the technical action required on this situation to restore and preserve your online reputation including submitting your site to Google for review if required. Book a virtual assistant now...

VPS or Dedicated Server
This problem only exists on shared hosting environments. Hosting on a VPS or Dedicated Server you will not be affected by this problem. Contact clickonIT to discuss the benefits for your situation.


- Many shared hosting accounts in their default provision are vulnerable to a security breach using particular URLs. The URLs are not easy to determine or test prior to being found, but they do present a risk to all shared host websites.

- A security threat may be found by Google which then takes action against yoru domain until the threat is removed.

- You can significantly reduce your expsoure to the threat immediately and use the same techniques to clear your reputation with Google.

- Every shared hosting account holder should act on this security vulnerability either by taking the required action themselevs or getting it done for them.

Thursday, July 14, 2016

« Back

Powered by WHMCompleteSolution