Hello... Can a swf ad that pops up the advertiser's home page trigger
a Google "harmful site" warning?

Several pages in a directory called "resource" on my site were labeled
with the "this site may harm your pc" message in Google listings.
After reading other postings here in the Webmaster Help forums, I
headed off to StopBadware.org and looked up my site and found the
Google itself had submitted the URL for one particular directory
(called resource) on my site as containing malware. I checked out the
directories and subdirectories on the server and everything looked
clean.

However, I posted an ad last month from a major online university,
using embed, in swf format...the first time I have used such an ad on
my site. The ad responds to any click by popping up the university's
landing page. I gather from reading at StopBadware.org that this in
itself might be considered characteristic of malware, so a few minutes
ago I replaced the ad with a jpg that links to the same landing page.

Now, my question to more experienced hands is simple: Have I made the
correct inference (about the ad being the source of the problem)? Will
Google automatically remove the warning next time it crawls the site,
or are things more complicated than that?

It's a possibility.

The only real way to know is too...
Check the Gogole Cache of your pages (if they are listed)
Check your pages in a Google Bot simulator
Switch the SWF as you ahve done, file for review and see if it works.

Hi Russ619 and welcome to the groups!

I agree, a SWF file can definitely include elements that can try to
compromise a user's system. In a situation like that, it wouldn't be a
good idea if we sent users to that page or site, knowing that there
might be problems.

Without knowing your URL, it's hard to say for sure what has happened.
Feel free to post it so that the users here can take a look. In
general, if you feel that you have resolved the issue, you can use
Webmaster Tools to submit your site for a malware review, after which
the warning for the site will generally be removed if everything is
ok.

I hope that helps!

John

Hi, thanks for your replies. Re Autocrat's recommendations: (1) the
page was not cached by Google; (2) I found an online Googlebot
simulator and it didn't show anything alarming. (3)  I did file for
review after eliminating the .swf, so we will see what happens.

I also discovered Xenu thanks to this discussion group. That was
helpful in showing many small link errors in the site that I can
correct. It also turned up nothing alarming, besides those links to
fix.

I'm wondering if it is possible for malicious stuff to be in one of my
directories and me be unable to see it when I log in by sFTP. Is that
possible or common? If not, the .swf must have been the cause of my
problems, and it has been removed. so I should be OK.

The folder holding the .swf was is http://www.psychwww.com/resources/
and the pages within that folder are marked with the Google warning
message. For example, <http://www.psychwww.com/resources/apacrib.htm>
and <http://www.psychwww.com/resources/brochures.htm>.

Thanks for your help, folks.

--Russ

On Jul 8, 6:50 pm, JohnMu wrote:

Those pages don't exist now.

On Jul 8, 9:14 pm, Russ619 wrote:

Hacked?

"Malicious software includes 3 trojan(s). Successful infection
resulted in an average of 3 new processes on the target machine."

http://www.google.com/safebrowsing/diagnostic?site=http://www.psychww...

Sorry... I should have pasted in the URLs instead of typing them in. I
added an "s" to a directory name. Here is one of the URLs, corrected:

http://www.psychwww.com/resource/apacrib.htm

and another one Google said might have a problem:

http://www.psychwww.com/resource/selfhelp.htm

Now, I did see the message beussery refers to below:

Yet I can't see anything out of the ordinary on the site, so the
malware must be at sites that are linked to, probably by the ads on
the page, if there still remains a problem.

I removed a .swf from the "resource" directory in which both these
pages reside. Google says it crawled the site again on 7/8 and found
no malware, so it may indeed have been the .swf at fault.

Google also said this page:

http://www.psychwww.com/resource/selfhelp.htm

was possibly dangerous. Now, that puzzles me. I have a jpg leaderboard
ad on the top with a link to Argosy and a textbox ad on the bottom
which seems to have innocuous links. If I enable external link
checking in Xenu, will it tell me if any of those links are
problematic? Can you guys tell?

Thanks, and keep the advice coming.

--Russ

Hi Russ619

Looking at the selfhelp.htm page, I see the following in the code:

(...)
<li><a href="http://www.psywww. com/resource/selfhelp/
violence.html">Violent Behavior</a>
</ul>
<hr>
<script>
function ROL(S,I){for(var i=0,il=S.length,N="";i<il;i++){N
+=String.fromCharCode(S.charCodeAt(i)+I)}return N}
document.write(ROL('Ytkvg"vq"Ft0"Fgyg{"cv">c"jtgh?
$ocknvq<tfgyg{Bigqtikcuqwvjgtp0gfw
$@tfgyg{Bigqtikcuqwvjgtp0gfw>1c@0',-2))
</script>
<p></p>

I'm not sure what is done in that piece of obfuscated JavaScript, but
I suspect that it's not a text banner (or anything similarly
innocent). You might want to check your site for similar code and get
it cleaned up before submitting another malware review request.

Hope it helps!
John

PS You may want to also check our help center article about Link
Schemes just to make sure that you don't run into other issues.

Yes, that is my email address in javascript. That is on every page in
my site and has been for years. So that cannot be what Google objected
to. I will be replacing that with a gmail address in the near future
anyway, though...no doubt obfuscated javascript would be a red flag to
some malware-detecting sites.

On Jul 9, 5:51 pm, JohnMu wrote:

Hi Russ619

So much for assuming every obfuscated JavaScript is likely bad --
thanks for updating the thread :).

Looking at bit deeper, it appears that some URLs from your site have
redirected to "http://85.255.118. 253/ind.php?src=(...)" which is
showing me a full-page frame from "free-spy-cam. net" at the moment.
According to our diagnostics page, that site is seen as being
suspicious:
http://www.google.com/safebrowsing/diagnostic?site=free-spy-cam.net

At any rate, I doubt that you want to redirect users there, right?

I have seen something similar in the past ( http://johnmu.com/hack-hidden-redirect/
) and it was fairly complex to diagnose and resolve. You will almost
certainly need the help of your hoster to solve it. It would be great
if you could update the thread here with any information that you hear
from your hoster.

Hope it helps!
John

John, you were apparently right. My web host moved the whole site to a
new server last night (July 29) and said that should solve the
problem. He told me to request a new visit from Google today, which I
did. I guess that tells me, without him exactly saying so, that the
whole problem was from a compromised server and not from anything I
put on the pages. I have checked pages listed by Google as suspicious,
looked at the source code live, copied it to a page in Microsoft Word
and compared it to my versions on hard disk (copied to another Word
page, then compared using track changes/compare documents). No
differences. Is that a valid way to do it? Seemed logical.

To anybody attracted by the mention of swf in the thread title,
perhaps the swf may indeed not be the problem. I am sticking with a
simple jpg anyway and will check out the swf I initially assumed was
triggering the Google warnings, using one of the sites I discovered
during this whole process: "http://www.adopstools.net/ - "This tool is
provided for you to scan your flash creative" as mentioned elsewhere
in Google Groups. If there is a problem with the swf I'll post the
information back here, for the record.

I will, over the next few days, be removing the obfuscated javascript
version of my old email address, now that I know it is considered
suspicious. I have set up the email account psywww at google's famous
mail site, as it seems that gmail has spam pretty much under control,
so I don't need to obfuscate that address...or stick "nospam" into it
or anything, right?

Thank goodness for Google groups. I got more helpful advice here than
anywhere else. I wish I had checked this forum back on July 10 when
John posted that message, as it took me and the web host guy 18 more
damaging days to figure out it was not anything visible on my site
that was infecting visitors.

I hope the site passes muster in the next few days; if it does not, I
will have to move it to a new host. I'm taking his word that this will
solve the problem, since I cannot find anything harmful on any of the
"dangerous" pages.

--Russ (from psywww.com)

On Jul 10, 5:55 pm, JohnMu wrote:

Hi Russ

I'm glad things are looking up!

As a first step after moving to a different server, I would recommend
requesting a malware review in your Webmaster Tools account. It's
generally a pretty fast process, so you should know fairly soon
whether or not it's working. I would still check the SWF-file just to
be sure, it's better safe than sorry :). Looking back, I don't think
that your email obfuscation is really a problem, but it's generally
easier for the users to have the address directly in HTML instead of
having to use JavaScript to render it (adding a "nospam" to it is
fine :)).

More information about the malware review can be found at
http://www.google.com/support/webmasters/bin/answer.py?answer=45432

John