The Beladen Attack or what happened to Houseboys.net in October 2010
From: adwords-support@google.com
Date: October 18, 2010 11:28:07 AM EDT
To: houseboys.net
Subject: Google Ads Account Suspension Notification
Dear AdWords Advertiser,
Your account xxx has been suspended because we’ve determined
there’s a high probability your site may be hosting or distributing
malicious software.
Please visit
https://adwords.google.com/support/bin/answer.py?hl=en&answer=141633 if
you feel your site has been mistakenly identified, need help
understanding the issue and how to address it. Contact us through
http://adwords.google.com/support/bin/request.py?display=form&contact_type=malware
if you’ve made changes to your site so that it no longer hosts or
distributes malicious software and you’ve secured your site so that it
is no longer vulnerable to the insertion of malware.
Currently, our tests indicate that the following URLs may contain code
which installs malicious software:
hxxp://www.houseboys.net/07.html
These URLs are located in your account within the following campaign(s)
and ad group(s): SUMMER2010 – feminization
SUMMER2010 – hypnosis
PAGES2010 – 04MISTRESS.html
In order to protect your visitors, we recommend that you check these
specific pages immediately, as well as the rest of your website.
Although some sites intentionally distribute malicious software, there
are many cases where the webmaster or advertiser is unaware of the
dangerous link due to any of the following reasons:
1) The site was compromised.
2) The site doesn’t monitor for malicious user-contributed content.
3) The site displays content from an ad network that has an advertiser
distributing malicious software.
If your site was compromised, it’s important to not only remove the
malicious (and usually hidden) content from your pages, but to also
identify and fix the vulnerability. We suggest contacting your hosting
provider if you’re unsure of how to proceed. StopBadware also has a
resource page for securing compromised sites at
http://www.stopbadware.org/home/security. Google uses its own criteria,
procedures, and tools to identify sites that host or distribute malware.
Sincerely,
The Google AdWords Team
On 10/18/2010 3:21 PM, houseboys.net wrote:
[Glowhost]!
I am sorry for sending so many help messages BUT my site has been accused of conveying malware and I don’t know what to do to CLEAN it, check it, or get it back on line. At this point there is a red notice coming up when anyone tries to access it.
I read stopmalware.org and they advise that I take the site offline through adding some code to my htaccess page.
Please help me understand what I am supposed to do to fix this mess.
houseboys.net
***********************
Dear houseboys.net
from: glowhost sysadmin
Firefox takes advice from Google; that is why Firefox is blocking the page… because Google is too. I have seen a lot of false positives lately with Google, which makes me think that Google’s systems have been hacked or are on the fritz. The screen you sent us from Google said that they have not found any problems. If they have not found any problems, then why are they blocking the site?
As one of the other techs mentioned, you need to contact Google; they are the only ones who can do anything about the problem. In the meantime it would not hurt to update your cPanel and script passwords if you have not done so already. Then remove any FTP users that you do not use and update their passwords if you have any FTP users besides the main one.
Then finally make sure all the scripts are the latest versions. From our side, our anti-virus did not find anything, but that does not mean that you should not examine the files on your own antivirus or manually as well.
If you do not have information or know what to do, google for others that have the problem, you can also make a thread on our forum if you want general suggestions from us or our community users.
Matt
**********
(form on Google’s Webmaster Tools site)
> > ————————
> > From: houseboys.net
> > Subject: Malware
> > Date: Mon, 18 Oct 2010 23:25:45 +0000
> >
> >>
> >>
> >> AWCID:
> >> AutoDetectedBrowser: Safari 4
> >> AutoDetectedOS: iPhone 4.0
> >> IssueType: malware
> >> Language: en
> >> Login_Email:
> >> Topic: malware
> >> adsl: s
> >> displayedAnswer:
> >> experiment:
> >> full_name:
> >> origin:
> >> report_malware_removed: checked
> >> source: cuf
————————
From: me
Subject: Re: [#705433931] Malware
Date: Tue, 19 Oct 2010 09:42:12 -0400
To: Adwords
> I never found the so called malware and my server admin says neither my
> site nor any of the other sites on the server has any malware. In addition
> my site DOES NOT have any links at all except for the first page and the
> blog. Your information is not exact enough for me to focus on any
> particular problem — but the consequences of your blacklisting my site
> can put me out of business despite 12 years of an unblemished record. Is this
> the new GOOGLE fairness doctrine?
>
> Sent from my iPhone
>
> On Oct 19, 2010, at 7:09 AM, “AdWords Support”
>
> > Hello Houseboys.net
> >
> > Thank you for your email confirming your removing malware from your
> > computer. I’ve now requested our specialists for a review of your account
> > post this action, and I’ll get back to you shortly with an update on the
> > account status. Thank you for your patience in the meanwhile.
> >
> > Sincerely,
> >
> > Venkat Ramakrishnan
> > The Google AdWords Team
> >
> >
> > —————-
> > Want more info on AdWords? Check out the official AdWords Blog, “Inside
> > AdWords,” at http://adwords.blogspot.com to get the latest news,
> > information and tips.
From:
Date: Tue, Oct 19, 2010 at 5:26 PM
Subject: Your Account Has Been Unsuspended
To: me
Dear AdWords Advertiser,
After re-reviewing your site, our tests have found that your site no
longer appears to distribute malicious software.
I’ve confirmed that your account ID xxx has been unsuspended.
I have updated the status of your site in our system and your account
should not be suspended again, unless another issue is present.
Thank you for your cooperation and efforts to protect users from
malware.
Sincerely,
The Google AdWords Team
On Wed, Oct 20, 2010 at 12:52 AM, AdWords Support
Hello Houseboys.net
I’m sorry about the inconvenience caused to you due to your account being
suspended for a malware investigation when you’ve found no evidence of the
same. On checking with our specialists, I learned that malware had been
identified in your ad groups promoting URL
http://www.houseboys.net/07.html. However, post your confirmation of
scanning your computer and changing your password, our specialists have
now re-enabled this account, and your ads are showing as normal again.
I’ve attached a screenshot of this for your reference. In future, you can
also search on your keywords using the Ad Preview Tool
(http://adwords.google.com/support/aw/bin/answer.py?hl=en&answer=46454) to
check whether your ads are showing without accruing impressions (as the
clicking and impressions-counting functions have been disabled for this
tool; this helps your CTR and consequently, your Quality Scores).
We apologize again for the interruption to your ad delivery during the
course of this investigation. However, to ensure users’ security, the
system regularly scans accounts and websites to see if they’re affected by
malware, and if the same is confirmed, we request you to scan your
computer(s) and change your password to remove all traces of the same,
pending which, after a re-assessment of your account, our specialists may
re-enable it. Please let me know if you have any further account-related
concerns, and I’ll be glad to look into the same.
Sincerely,
Venkat Ramakrishnan
The Google AdWords Team
On Wed, Oct 20, 2010 at 12:11 PM, houseboys.net wrote:
To: Glowhost Sysadmin, etc.:
First of all, thank you for your intelligent support throughout this mini-ordeal. I don’t know what I would do without you.
Second, here is the notice I discovered in my email yesterday (note that it is addressed to emails other than m… god knows why) — I wanted you to see that the issue (which never existed) is now “resolved”.
Unfortunately, I have no idea why I was persecuted/blacklisted in the first place.
Again, many many thanks for your outstanding support. me
Original Message Follows:
————————
From: “AdWords Support”
Subject: Re: [#705433931] Malware
Date: Thu, 21 Oct 2010 06:23:25 -0000
Hello houseboys.net,
I’m sorry about your dissatisfaction with the information provided in my
previous response. I’ve contacted our policy specialists regarding your
queries, and I’ll get back to you shortly with the relevant information.
Thank you for your patience in the meanwhile.
Sincerely,
Venkat Ramakrishnan
The Google AdWords Team
me
On Fri, Oct 22, 2010 at 6:16 AM, AdWords Support < adwords-support@google.com> wrote:
Hello,
I’m sorry to hear that your site again has a website attack warning, in
spite of your account being recently cleared for malware. I’ve again
consulted the concerned specialist team in this regard, and I’ll let you
know their opinions on this shortly. Thank you for your patience.
Sincerely,
Venkat Ramakrishnan
The Google AdWords Team
Malware notification regarding http://houseboys.net/ October 22, 2010
Dear site owner or webmaster of http://houseboys.net/,
We recently discovered that some of your pages can cause users to be infected with malicious software. We have begun showing a warning page to users who visit these pages by clicking a search result on Google.com.
Below are one or more example URLs on your site which can cause users to be infected:
http://houseboys.net/
http://www.houseboys.net/
http://houseboys.net/03.html
Here is a link to a sample warning page: http://www.google.com/interstitial?url=http://houseboys.net/
We strongly encourage you to investigate this immediately to protect your visitors. Although some sites intentionally distribute malicious software, in many cases the webmaster is unaware because:
1) the site was compromised
2) the site doesn’t monitor for malicious user-contributed content
3) the site displays content from an ad network that has a malicious advertiser
If your site was compromised, it’s important to not only remove the malicious (and usually hidden) content from your pages, but to also identify and fix the vulnerability. We suggest contacting your hosting provider if you are unsure of how to proceed. StopBadware also has a resource page for securing compromised sites: http://www.stopbadware.org/home/security
Once you’ve secured your site, you can request that the warning be removed by visiting this Webmaster Help Center article and requesting a review. If your site is no longer harmful to users, we will remove the warning.
Sincerely,
Google Search Quality Team
1600 Amphitheatre Parkway
Mountain View, CA 94043
You are receiving this email because you are a verified site owner of this site within Google Webmaster Tools. If you do not wish to receive notifications of this nature for this site, you may remove yourself as a verified site owner within the Webmaster Tools console.
Original Message Follows:
————————
From: me
Subject: Re: [#705433931] Malware — I NEED IMMEDIATE ACTION ON THIS
Date: Fri, 22 Oct 2010 15:18:16 -0400
THE FOLLOWING IS FROM the SYS ADMIN, of glowhost.com which hosts thousands
of sites, including mine.
This is one of dozens of messages communicating to me that there is nothing
wrong with my site and that you, GOOGLE, are using software to scan my site
and others which gives you a FALSE POSITIVE. Please take your unfair
incorrect notice OFF my site OR prove that there is more than “a
probability” that I have anything to do with malware!!!
me
houseboys.net
Hello,
I’ve spent an hour checking your website’s content and found nothing.
Moreover, it looks strange that parked domain doesn’t show any warnings
while they display the same content. You address this to Google too. Web is
full of the complaints that Google displays false positive results.
In case the server is compromised, which is extremely high unlikely to
happen, a lot of websites would have the same problem. But your website is
the only one on the whole server with hundreds of websites there.
The only recommendation I think of is to contact Google requesting for more
information, since I can’t see anything harmful there.
Please, let us know the results.
Thank You
Alexander S
GlowHost Technical Support
On Fri, Oct 22, 2010 at 11:07 AM, me wrote:
I am losing business every minute your notice is up on my site — also my
readers will fear returning to my site if they have seen your notices. THERE
IS NO MALWARE ON MY SITE. Below please find my correspondence with the
administrator of the server, and indeed, the CEO of glowhost.com, who
assures me that there is nothing wrong with the site or the server, and that
he cannot reproduce the “redirection to a malware site” — I WANT THIS
MATTER TO GO TO A SUPERVISOR WHO CAN RESOLVE THIS ONCE AND FOR ALL!!!!
————————
Date: Oct. 22 2010
Dear Adwords
From: me
The following situation has resulted from Google’s false accusation of malware on my site (note that the site is taken down since 10/22/2010 and Webmaster Tools continues to find malware on an empty site!)
1. I had to relocate the EXACT SAME PAGES to sissyphone.com
2. Sissyphone.com is rated so low on the Adwords Quality Score scale (despite the fact that it is the EXACT SAME SITE) that I can no longer afford to advertise my site.
This letter is to note this unfair practice in the hope that someone in Google is paying attention.
You are doing harm.
P.S. I own a Mac which is virus and malware free and the only way I access my site.
Sent from my iPhone
Begin forwarded message:
From: “AdWords Support”
Date: October 25, 2010 12:31:26 AM EDT
Subject: Re: [#705433931] Malware — I NEED IMMEDIATE ACTION ON THIS
Hello
Apologies for the delay in replying due to the weekend. I understand
you’ve corresponded with the server administrator as well as CEO of your
website hosting services provider and confirmed that there are no
instances of malware on your site. I’ve consulted our policy specialists
twice in this regard, and they’d like to reaffirm that instances of
malware detected in your account is separate from malware found on your
site when clicked on from search results. As you may be aware, whenever we
find instances of malware in your website, your account is immediately
suspended for a malware investigation, post which you’re asked to scan all
the computers through which you access your AdWords account to free them
of malware as well as change your account password, after which your
account is reactivated. Currently, your account is active and your ads are
active and running as normal. I’ve attached a screenshot of this for your
reference.
To resolve this warning message, we recommend that you request a review
using Google Webmaster Tools. Learn more about this process at
http://www.google.com/support/webmasters/bin/answer.py?answer=45432.
Currently, as sissyphone.com seems to be showing as normal, please
continue promoting this site, till you’ve resolved the malware issue with
houseboys.net via following the procedure given in the above link.
We apologize again for the inconvenience caused to you in this matter.
Please let me know if you have further account concerns, and I’ll be glad
to look into the same.
Sincerely,
Venkat Ramakrishnan
The Google AdWords Team
From: me
Subject: Re: [#705433931] Malware
Date: Thu, 21 Oct 2010 23:06:21 -0400
PLEASE explain why you have AGAIN blacklisted my site — I was told that my
listing on Google has “This site may harm your computer”.
Please advise.
YH
houseboys.net
On Thu, Oct 21, 2010 at 7:12 AM, AdWords Support
Hello houseboys.net
Thank you for your patience. After considering your queries, our
specialists mention that malware was detected on your site after one of
our regular system checks found the same, and made your account eligible
for investigation. As you may be aware, third parties can infect
legitimate sites, and that seems to be the case here. However, at present,
your site and account are free of malware and your ads are running as
normal.
We apologize for being unable to provide more information on this. If you
have any further account-related concerns, please let me know the same and
I'll look into it further.
Sincerely,
Venkat Ramakrishnan
The Google AdWords Team
---------- Forwarded message ----------
From: Google Help
Date: Fri, Oct 29, 2010 at 9:53 AM
Subject: Re: [Webmaster Central Help] False positive malware results for houseboys.net, site review dysfunction, citing pages that don’t exist
To: me
2nd Try has posted an answer to the question “False positive malware results for houseboys.net, site review dysfunction, citing pages that don’t exist”:
Unfortunately it is not a false positive; the server you’re on, not your site, has been hacked. What happens with this hack is when pages are requested from your site, whether the pages still exist or not, they are randomly redirected to these malicious .in sites. I refer you to this thread
http://www.google.com/support/forum/p/Webmasters/thread?tid=144890cabd61fc54&hl=en
You need to contact your hosting service and refer them to the thread above. Hopefully they will be proactive and get the problem fixed. You might want to refer them to this thread also
http://www.google.com/support/forum/p/Webmasters/thread?tid=7adf6e00506c5bb0&hl=en
as the sites are on the same network.
On 10/30/2010 2:34 AM,
Sent from my iPhone
Begin forwarded message:
From: Google Help
Date: October 30, 2010 1:50:27 AM EDT
Subject: Re: [Webmaster Central Help] False positive malware results for houseboys.net, site review dysfunction, citing pages that don’t exist
Lynn Gazis-Sax has posted an answer to the question “False positive malware results for houseboys.net, site review dysfunction, citing pages that don’t exist”:
Hi, houseboys.net: I’m the site owner for the thread to which 2nd Try directed you.
http://www.google.com/support/forum/p/Webmasters/thread?tid=144890cabd61fc54&hl=en
Since it looks as if we share the same problem, let’s combine information. What do, and don’t, we have in common:
1) We’re both with the same hosting provider. We are not both on the same actual host; you appear to be on xena, while I’m on izzy.
2) If I look at both our Google Safe Browsing pages, we show a similar warning:
Yours:
Malicious software is hosted on 11 domain(s), including vstgrigu.in/, ogouzkhm.net.in/, nrtkyqqr.in/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including vstgrigu.in/, nrtkyqqr.in/.
This site was hosted on 1 network(s) including AS3595 (GNAXNET).
Mine:
Malicious software is hosted on 9 domain(s), including nxzgzqiw.in/, pyzhua.net.in/, twzlxzjzu.in/.
2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including nxzgzqiw.in/, twzlxzjzu.in/.
This site was hosted on 1 network(s) including AS3595 (GNAXNET).
I note the commonality of AS3595 (GNAXNET); though the domains (none of which I can currently find in my web page code) differ between our warning pages, the network is the same, which could indicate a common hack.
3) We differ in that you’ve gone farther in removing pages from your web site, so that you’re now getting warnings about pages that actually don’t exist (while my pages still exist; I just think I’ve sufficiently gone over them to be convinced I don’t have malware links on the ones I’m getting warnings about). So you’re a better test case; the failures for nonexistent pages *can’t* be a site level hack; they have to be *either* a false positive from Google *or* a server level hack (evidently hitting multiple servers on our hosting provider, if it’s there, since you and I are on different hosts, and since you’ve already moved your site from one host to another). But, since you seem to have the same problem as me, if we get to the source of your problem and get you fixed and back off the malware list, we can probably do the same for me.
My web browsing on the network associated with our Google Safe Browsing pages shows it as being associated with the Beladen exploit, which is a server level exploit; *if* 2nd Try is right about the problem being at the level of our hosting service, that seems to be what they should check. The person I last talked with in support said the server was clean, but it’s probably best we make sure they’ve checked explicitly for Beladen. So I’m copying here the links I found and saved on my thread about that exploit:
Half the web pages about this exploit seem, for more information, to direct people to an old, broken link to David Wenzel’s attack description, that brings up some sort of browser error page written entirely in Czech.
Here’s what seems to be a more current web page with David Wenzel’s Beladen attack description (including information on how to find whether you’ve been a victim of the exploit and how to fix it): http://www.uptime.cz/100452-site-a-internet_Linux-Apache-Attack.html (if the link gets moved again, I note that I found it by Googling “david wenzel’s attack description” and ignoring all the references that went to the page I’d already found to be moved). This looks like the most detailed thing I can find on how to check whether your server’s been compromised by this exploit, and how to fix it
Here’s a websense.com discussion of the exploit: http://securitylabs.websense.com/content/Blogs/3408.aspx
Here’s an unmaskparasites.com discussion of the exploit: http://blog.unmaskparasites.com/2009/06/18/beladen-elusive-web-server-exploit/
Another link on Beladen: http://wewatchyourwebsite.com/wordpress/2009/07/another-round-of-beladen-or-the-new-go-infection/
I’m thinking we can ask our hosting provider to check specifically the things in David Wenzel’s attack description (or, if they’ve checked that already, let us know that they have, and then we move on to the next possibility).
4) If it helps to have two cases that are getting malware warnings for nonexistent pages, I could remove some of the specific pages that are failing for my site. Those pages will still generate warnings after I remove them, if I’m now dealing with a server level attack, right, 2nd Try? And, if so, is there a way that I can request that Google simply retest specific now nonexistent pages (once I remove them) a sufficient number of times to know whether an intermittent problem persists, for help in diagnosing and resolving the problem, without having them go through a review of the whole site? Just in case this proves useful in demonstrating where exactly the problem is on my site?
5) If we wind up in a situation where the hosting provider thinks the server is clear of hacks and Google thinks there’s still a problem with the site (it looks as if in your case at least we can already rule out a problem caused by links at the site level), we need to come up with a test plan that can prove where the problem is, and demonstrate either that there is a real server hack or that there’s a false positive, so that we (who don’t have direct control over either possibility) don’t get stuck in between the two possibilities. Maybe others on Google Webmaster Forum can help with this, or we can check with the people at http://wewatchyourwebsite.com/blog, who say (in the post I linked) that they work with hosting providers and have a program that can check whether a particular web server is infected at the server level. Or else we can try to get the hosting provider directly in touch with someone at Google, to settle exactly where the problem is.
I think the first step, though, is to run that first Beladen link I listed by them, and make sure they check or have checked for this problem specifically, since it’s common and looks to be the one most associated with the network we’re supposed to be directing people to.
Feel free to copy/paste anything from this post that you think will be useful to your trouble ticket (I assume at this point you probably have one that’s either open or on hold). Keep me posted if you manage to get this fixed; if one of us can get cleared, then both of us probably can. I’ll update my ticket and see whether they’ve checked yet for Beladen.
Thanks for these. I and a few others are poring over the logs and everything else waiting to see if this is the case.
It’s going to take some time to find out if this is the case, due to the way this Apache hack works.
If we find it, it will be removed and the server will be rebooted again. If we don’t find this, we are still looking.
Regards
Matt
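
The test plan raised in the forum answers above, sketched in Python as an added example (not code from the thread, from Google or from the hosting provider): request a path that is known not to exist many times, without following redirects, and flag any response that points off-site. The host names, paths and sample responses are constructed placeholders, and `Probe`, `offsite_hosts`, `classify` and `fetch` are names made up for this sketch.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Probe:
    path: str           # path that was requested
    exists: bool        # True if the owner really has a file at this path
    status: int         # HTTP status received
    location: str = ""  # Location header on a 3xx, if any
    body: str = ""      # response body

# Absolute URLs in src/href attributes: enough to spot an off-site script, frame or link.
LINK_RE = re.compile(r"""(?:src|href)\s*=\s*["'](https?://[^"'\s>]+)""", re.I)

def offsite_hosts(probe, site_hosts):
    """Hosts outside site_hosts that this response redirects to or loads from.
    Put hosts the pages legitimately link to into site_hosts as well."""
    urls = LINK_RE.findall(probe.body)
    if 300 <= probe.status < 400 and probe.location:
        urls.append(probe.location)
    hosts = {urlparse(u).hostname for u in urls}
    return {h for h in hosts if h and h not in site_hosts}

def classify(probes, site_hosts):
    """Summarise repeated probes into something a hosting provider can act on."""
    hits_missing = [p for p in probes if not p.exists and offsite_hosts(p, site_hosts)]
    hits_existing = [p for p in probes if p.exists and offsite_hosts(p, site_hosts)]
    hosts = set()
    for p in hits_missing + hits_existing:
        hosts |= offsite_hosts(p, site_hosts)
    if hits_missing:
        # No file of the owner's answers at this path, so the off-site content
        # was produced by the web server or something in front of it.
        verdict = "server-level"
    elif hits_existing:
        verdict = "check-page-files-first"
    else:
        # The redirects are described as random, so a clean run proves nothing;
        # repeat with more probes before calling it a false positive.
        verdict = "not-reproduced"
    return {"verdict": verdict, "hosts": sorted(hosts),
            "missing_hits": len(hits_missing),
            "missing_probes": sum(1 for p in probes if not p.exists)}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx as an HTTPError instead of following it

def fetch(base_url, path, exists):
    """Collect one live Probe, e.g. fetch("http://example.test", "/gone.html", False)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(base_url + path, timeout=10) as r:
            return Probe(path, exists, r.status, "", r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(path, exists, e.code, e.headers.get("Location", ""),
                     e.read().decode("utf-8", "replace"))

# Constructed sample: one real page, then six requests for a page that does not
# exist, one of which comes back as a redirect to another host.
SITE = {"example.test", "www.example.test"}
SAMPLE = [Probe("/index.html", True, 200, body='<a href="http://www.example.test/blog/">blog</a>')]
SAMPLE += [Probe("/no-such-page-7f3a.html", False, 404, body="Not Found") for _ in range(5)]
SAMPLE.append(Probe("/no-such-page-7f3a.html", False, 302,
                    location="http://redirect-target.invalid/x"))

if __name__ == "__main__":
    print(classify(SAMPLE, SITE))
```

The hit count out of `missing_probes`, together with the time of each request, is what lets the provider match a flagged response against the server's own logs.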