HELP! 8 page site coded BY HAND - listed as badware???

40 views
Skip to first unread message

NatalieLynn

unread,
Nov 20, 2008, 10:10:09 AM11/20/08
to stopbadware
OK. I am new to all this. A site I coded by hand 4 years ago:
www.longlanehomeservices.com was listed as suspicious by google. I
have done everything http://25yearsofprogramming.com/blog/20071223.htm
says in order to have this site reconsidered and I have not received
any advice or guidance from the MIGHTY GOOGLE or stopBADware.org -
Thank goodness this is a tiny site - I downloaded all 8 html pages the
style sheet and javascripts and combed through EACH page... There is
ONLY ONE LINK to mapquest that links OUT - this is a simple web front
for a repair shop. This issue is REALLY affecting day to day
operations and I am having NO success getting someone to HELP me get
this site off of this RED HERRING LIST - and I don't have a clue what
placed it there to begin with...

Any advice would be greatly appreciated,
Natalie

UseShots

unread,
Nov 20, 2008, 11:05:58 AM11/20/08
to stopbadware
Hey Googlers,

That's really strange. Safe Browsing Diagnostics says:
http://www.google.com/safebrowsing/diagnostic?site=www.longlanehomeservices.com
"Of the 8 pages we tested on the site over the past 90 days, 0 page
(s) resulted in malicious software being downloaded and installed
without user consent."
"suspicious content was never found on this site within the past 90
days"
"Over the past 90 days, longlanehomeservices.com did not appear to
function as an intermediary for the infection of any sites."
"No, this site has not hosted malicious software over the past 90
days."

So how come this site is listed as suspicious?

Oliver, could you comment? I know your scanners are very accurate,
but this page doesn't contain any information that can help fix the
issue.

Denis
http://www.UnmaskParasites.com

CLB123

unread,
Nov 20, 2008, 3:37:01 PM11/20/08
to stopbadware
When doing a Google Search for site: longlanehomeservices.com per the
blog suggestions, to discover which pages are being flagged, I get the
following search results:

http://www.google.com/search?hl=en&q=site%3A+longlanehomeservices.com&btnG=Google+Search

It appears that there is a problem with the "Bedding" page.

On Nov 20, 9:10 am, NatalieLynn <nstea...@gmail.com> wrote:
> OK. I am new to all this. A site I coded by hand 4 years ago:www.longlanehomeservices.comwas listed as suspicious by google. I
> have done everythinghttp://25yearsofprogramming.com/blog/20071223.htm

NatalieLynn

unread,
Nov 20, 2008, 3:41:50 PM11/20/08
to stopbadware
OK - here is the source... Can I borrow an expert eye? What is wrong
here???

Eagerly awaiting advice - Natalie

------
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://
www.w3.org/TR/html4/loose.dtd">
<HTML>
<head>
<title>Long Lane Home Services - Appliances, Carpeting and Bedding</
title>
<meta name="description" content="Long Lane Home Services your one
stop shop for appliances, carpeting and bedding. Serving the Delaware
Valley, Pennsylvania, New Jersey and Delaware.">
<meta name="keywords" content="PA NJ DE Pennsylvania New Jersey
Delaware Philadelphia Swedesboro Mullica Hill Auburn appliances
dishwasher stove microwave range hood refidgerator fridge air
conditioners washer dryer vent exhaust bedding mattresses beds carpet
remnants discount dependability service parts repairs Long Lane Home
Services hardwood installation removal service">
<meta name="copyright" content="Copyright (c) Long Lane Home
Services, 2008">
<meta name="author" content="nste...@gmail.com">
<LINK href="style/llhs_style.css" rel="stylesheet" type="text/css">
<script language="JavaScript" src="style/slideshow.js"></script>
</head>

<body>
<div id="container">
<div id="header"></div>
<address>501 Auburn Ave. Swedesboro, New Jersey 08065
&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; (856) 241-7726
&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp; Email: <a
href="mailto:in...@longlanehomeservices.com">in...@longlanehomeservices.com</
a></address>

<TABLE CELLPADDING=0 BORDER=0 WIDTH=100%><TR><TD valign=TOP>
<div id="contentB">
<h2>Bedding</h2>
<blockquote>Save up to 65% OFF department store prices!</blockquote>

<TABLE width=100% BORDER=0><TR>
<TD valign=TOP>
<H3>Stop by our <a href="location.html">showroom</a> TODAY and take a
test rest!</H3>
<p>Purchasing your next mattress from Long Lane could save you up to
<Special>65%</Special> off of department store prices.</p>
<p>Our team of trained service professionals will <Special>deliver</
Special>, <Special>install</Special> and <Special>remove</Special>
your old mattress.</p>
<p>We offer <Special>free</Special> in home estimates. Call to set up
an appointment today 856-241-7726, don't forget to mention that you
have visited our website.</p>
</TD><TD width=225 valign=CENTER><img src="images/matresses.jpg"
alt="" width="275" height="300" border="0"></TD>
</TR></TABLE>
</div>

</TD><TD valign=TOP>
<div id="nav">
<ul>
<li><a href="appliances.html">Appliances</a></li>
<li><a href="bedding.html">Bedding</a></li>
<li><a href="flooring.html">Flooring</a></li>
<li><a href="heating.html">Heating & Air Conditioning</a></li>
<li><a href="water.html">Hot Water Heaters</a></li>
<li><a href="index.html">Location & Hours</a></li>
<li><a href="service.html">Parts & Service</a></li>
</ul>
<div id="menu">
We sell quality mattresses made by reputable manufactures. We
feature: <CENTER><a href="http://www.symbolmatresses.com"><IMG
BORDER=0 SRC="images/brands/symbol.gif"></a><BR><special>Symbol of
Sleep</special><BR>and<BR><a href="http://www.serta.com"><IMG BORDER=0
SRC="images/brands/serta.gif"></a><BR><special>Serta's</special></
CENTER><BR>full line of mattresses at discount prices. </P>
</div>
</div>
</TD></TR></TABLE></div>

<CENTER><IMG SRC=images/LOGO.gif BORDER=0></CENTER>
<address><a href="appliances.html">Appliances</a> | <a
href="bedding.html">Bedding</a> | <a href="flooring.html">Flooring</a>
| <a href="heating.html">Heating & Air Conditioning</a> | <a
href="water.html">Hot Water Heaters</a> | <a
href="index.html">Location & Hours</a> | <a href="service.html">Parts
& Service</a><BR><BR>
Copyright &copy; Long Lane Home Services 2008</address>
</body>
</html>
----------

On Nov 20, 3:37 pm, CLB123 <mu3...@sbcglobal.net> wrote:
> When doing a Google Search for site: longlanehomeservices.com per the
> blog suggestions, to discover which pages are being flagged, I get the
> following search results:
>
> http://www.google.com/search?hl=en&q=site%3A+longlanehomeservices.com...
>
> It appears that there is a problem with the "Bedding" page.
>
> On Nov 20, 9:10 am, NatalieLynn <nstea...@gmail.com> wrote:
>
> > OK. I am new to all this. A site I coded by hand 4 years ago:www.longlanehomeservices.comwaslisted as suspicious by google. I

CLB123

unread,
Nov 20, 2008, 3:59:22 PM11/20/08
to stopbadware
I guess I should have said that the "Bedding" page was the one being
flagged ... not that there was a problem with it.

I don't have a clue if there is really a problem with it ... only that
the "site: longlanehomeservices.com" search drew attention to that
page. At least it is a starting point.

I will be watching for the results of an "expert eye." I don't 'do"
web-pages ... I just root around for information to help find
solutions to problems.

I'm definitely curious to know if that last entry in the search
results (that has the longlanehomeservices web address in it), has
anything to do with the site being flagged.

Oliver Fisher

unread,
Nov 20, 2008, 4:41:14 PM11/20/08
to stopbadware
Sorry to hear you're having problems, NatalieLynn.

Google's scanners picked up malware on the site back in May and
they've been rescanning the site since then - both because of review
requests and because of automatic rescans. The most recent scan was
on Nov 10 - an automatic rescan. Our scanners consistently see a
chunk of obfuscated script in the onload property of the body tag.
That appears to fetch malicious content from 81 . 176 . 237 . 140. I
submitted a review manually and the scanners are looking at the site
right now - so far so good so I assume something's changed with your
server in the past 10 days.

Denis, yes, that diagnostic page isn't very helpful. We're working on
it...

Hope that helps, NatalieLynn.

O.
Google Anti-Malware Team

On Nov 20, 11:05 am, UseShots <goo...@useshots.com> wrote:
> Hey Googlers,
>
>   That's really strange. Safe Browsing Diagnostics says:
>  http://www.google.com/safebrowsing/diagnostic?site=www.longlanehomese...

SteveW

unread,
Nov 20, 2008, 6:00:02 PM11/20/08
to stopbadware
I retrieved and looked at the bedding page, found no problem. Looked
at the one .js it loads. It's clean.

A search on
ipower hacked
turns up 21,000 results, some indicating that they have "a reputation"
for falling victim to mass attacks.

It does happen that host servers get hacked.
It sometimes happens that the host cleans it up and never tells
anyone.
If it happens over and over, it will look mysterious to you.
> > Eagerly awaiting advice - Natalie- Hide quoted text -
>
> - Show quoted text -

NatalieLynn

unread,
Nov 20, 2008, 8:18:40 PM11/20/08
to stopbadware
thank you Oliver!!!!

NatalieLynn

unread,
Nov 20, 2008, 8:22:14 PM11/20/08
to stopbadware
Thank you Steve!!! I should of searched for ipowerweb and the
issue.... I was just so confused.... I will ask ipower web to come
clean with me about the issues that they must have had... I will also
talk with the shop and see if they want me to look into another
hosting company... Is there any recommendations?

Thank you very much for calming me down,
Natalie

NatalieLynn

unread,
Nov 20, 2008, 8:31:23 PM11/20/08
to stopbadware
OK - this new information now begs the question

why isn't: 81 . 176 . 237 . 140 OR http://www3.malekal.com/exploit.txt

Flagged in the same manner? Is there any way to get these guys? I want
to help.

-Natalie



On Nov 20, 4:41 pm, Oliver Fisher <oliver.fis...@gmail.com> wrote:

Chris Wright

unread,
Nov 22, 2008, 7:33:22 AM11/22/08
to stopb...@googlegroups.com
NatalieLynn wrote:
> Thank you Steve!!! I should of searched for ipowerweb and the
> issue.... I was just so confused.... I will ask ipower web to come
> clean with me about the issues that they must have had... I will also
> talk with the shop and see if they want me to look into another
> hosting company... Is there any recommendations?
>
>
I'd personally stay with Ipower as they are one of the most pro-active
web hosts when it comes to dealing with Malware.
In the very early days of StopBadware they did get hit pretty hard with
many 1000's of sites (servers) compromised, but they installed a mass of
security to help prevent any future problems.
Unfortunately, as is the same for ANY web host, they cannot control each
and every users passwords and user names, and if a user installs their
own blogging platform, they cannot control the level of security (as is
the same for any application really).
They do have some great scanning in place that reduces the amount of
hacks, but keeping up to date with the latest and greatest is a massive
effort..
The point being, at least they try...

They are also very upfront when you present them with the fact that your
site has been hacked and will often work to try and put "things" into
place to prevent it from happening again in the future thereby protect
other users as well.

They do have a number of tutorials available on their help site that
provides instructions on how to reduce the chances of your site being
'hacked' but I don't have the link at present.
If you do a search on their help pages for "malware" it should show up.

I've dealt with a large number of web hosts over the years and iPower
were by far the most upfront of the lot...
Because iPower have a massive user base, there is always going to be a
high proportion of negative comments, since in reality, people don't
tend to actively post positive comments, i.e., they only complain when
something goes wrong.
As with any web host they have had their ups and downs, but I've had
less headaches with them than any others... My biggest headache with
them was support during the massive crossover to the new hosting
platforms, but that seems to have settled down in recent months now that
the process is all complete.

But this is just my own personal experience which so far has been very
positive with respect to Malware...
I'd say "better the devil you know, than the one you don't"... IMHO of
course...

Regards

Chris


SteveW

unread,
Nov 22, 2008, 6:43:33 PM11/22/08
to stopbadware
Chris,

Thanks for actively posting a positive comment. :) I agree that a
host being pro-active and up-front is a good thing.

Natalie,

Looking up reports about the host is something I do in cases like
yours where there's a small number of pages, all apparently HTML-only,
with no evidence of underlying PHP, database query activity, or web
applications like WordPress. That is, the most common avenues of
infection are absent.

Finding a lot of discussion about a particular host getting hacked
(especially the "mass attacks" rather than individual sites) is
unusual, but it's just one piece of evidence indicating that more
investigation is worthwhile. That investigation would include
searching forums for recent (not old) posts that might indicate you
are only one of many people experiencing problems *currently*. It
could also include locating the domain names of other sites on your
server (your "neighbors") and discovering whether any of them are
simultaneously experiencing the same problems you are (badware flag,
for example).

In other words, finding those reports online doesn't really justify
jumping to the conclusion:
> I will ask ipower web to come
> clean with me about the issues that they must have had

Has this been an ongoing recurrent problem since last May? If so,
there are other ways a site can get compromised besides the most
common ways listed above (PHP code, etc.).

Do a thorough antivirus and antispyware scan on your computer to make
sure nothing is grabbing your login IDs and passwords as you log in to
your site.

If you use a wireless internet connection, make sure it's encrypted so
no one can eavesdrop.

Use strong random passwords so no one can guess them.

However, your site isn't flagged today, so apparently something has
changed at least for now, but if this problem has been coming and
going for months, that's a real concern.

In your control panel, turn on "log archiviing" so that your access
logs (both regular and FTP) are preserved and not discarded each day.
If there is another incident in the future, that will be your best
source of clues.
Reply all
Reply to author
Forward
0 new messages