Rebecca the Webmaster - BadWare Case Study
Rebecca the Webmaster - this is my story, no tears, no glory... - A StopBadWare Case Study (English version)

Introduction;
This is a success story for Rebecca and StopBadWare - no tears, no glory! It was written by me and 'El Jart' to assist other webmasters, in a case study format, as a step by step guide from a website getting flagged by Google through to the lifting of the warning, plus added measures to hopefully reduce the chances of ever getting flagged again, with hidden traps for any unwary exploiter in the future.

(Note: No staff of StopBadWare or Google was involved, and the review process was as for any website.)

This case study is in 3 parts: an English language version (this post), a Spanish version, and a Tech version with descriptions of the tools we used and in-depth analysis of the code and script issues. This is to demonstrate how a newbie webmaster, with help from the community, can get it done; hopefully any webmaster can follow "Rebecca's Guide".

Background;
The specific web domain itself is not relevant for this study; however, the site is a popular Spanish language community fanzine: news, sharing stories, pictures, multimedia and an active forum. Based in a small town in Northern Spain, Rebecca started off 2 years ago as a forum moderator, "without even an internet connection at home, but when she got her dial-up she was ready to get into the administration", so "I personally decided to change the website looks, and start spanking the others to do their job properly. The web site really started to take off, not just the news section; the designing and all the info was starting to be what it was meant to be, then the problems started."

Being Flagged by Google;
The Google warning story... one of the members of the site team was testing our rank in Google when he found out we were flagged, so that's when the story begins... May 3rd 07. We asked Google, who told us to remove certain code and told us to ask for a review at StopBadWare. After some time trying to clean it myself... I decided to ask for help at the StopBadWare forum on July 28th 07... Lucky me! I found help from the community!! Now I have found out that we did get a Google mail warning us, but I did not have access to that account till I asked another team member for the passwords and all that stuff; he doesn't even know how to enter that account, and I'm not blaming him for that, so I'm not sure for how long we were flagged 'till May 3rd. Having requested a review, the Google flag was cleared August 2nd 07... Happy team, site, and users.

How we fixed it;
The first strange thing I could see, after reading the StopBadWare guidelines, was a reference in the HTML index page to an iframe ....., relating to some .swf and 'RuneScape', and we do not have such files on the site! I just deleted it, but I was not sure if that was all?

I found out it is used by hackers to trick users into downloading malware from a fake Adobe Shockwave Player download site. Prospective users who stray onto a game site are presented with broken icons in an attempt to convince them that their copy of Shockwave (if already installed) isn't working properly.

Then we found another hidden iFrame, with src "quickcnt", in the Administracion directory, in a file called "index.php", so we got rid of that too, along with two other .swf fake player downloads. Ok, I thought this was all done, until 'Jart' told me to search all the server log files for strange activity on the site; after he found them for me, he was right! Lots of funny IP addresses (web bots) coming to call, linked to the stuff I had got rid of, but also to the forum.

So I went to work on the phpBB forum, cleaned off any spam, and banned all the IPs and domains linked to the spam and the logs. We then also added a 'robots.txt' especially for the forum and patched various PHP files for the forum.

Finished, I thought; then 'El Jart' asked me about the SQL database files, and I did not even know where they were. So Jart pushed me again (El Jart can be more Bad than the BadWare!) and what did we find? A forum that I did not even know existed. This had SQL injections, with only spam addressed to bad websites. Also administrators with passwords for the whole site, who had nothing to do with the site, and spam that attached itself to any proper post on the real forum. This is how we got hacked in the first place, and if we had not dug down deep enough, we could have easily been infected again.

Conclusions and a happy ending;
When we first found out we were flagged by Google I was frustrated, and after getting rid of the first bad iFrame, I was annoyed we had to wait. Thanks to the StopBadWare forum for really finding out what was wrong and really fixing it; I can only tell any other webmaster it was worth the wait.

So check your website if you get flagged, or even better check your website before you get flagged - check;

1. For any iFrame code, especially where it has the name of a website you do not know, and says "hidden".

2. In any PHP or other files for this, as well as any calls for downloads of multimedia players, PDF, or other files you do not recognize.

3. Look at your server log files; all contact with your web site is within them. It might take a bit of learning, but it is worth it.

4. Check your database files (SQL) for anything unusual.

5. Go to the StopBadWare forum and ask; I did and it helped me. For a little more practice, El Jart is going to take me on some of his next "help visits", then I will assist other webmasters!
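To make checks 1 and 2 repeatable (the hidden iFrame and the fake player downloads), here is an added example scanner; it is my own illustration for this post, not code from Rebecca, El Jart or StopBadWare. It walks a web root, flags any iframe whose src points to a host not in a known-hosts list or that is sized or styled out of sight, and flags links to .swf/.exe/.pdf files on unknown hosts. The KNOWN_HOSTS set and the SAMPLE page are placeholders constructed for the example.

```python
import re
from pathlib import Path

# Assumption: hostnames that legitimately belong to the site (placeholder values).
KNOWN_HOSTS = {"fanzine.example", "www.fanzine.example"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.I)
# Ways an iframe is kept out of sight: zero size, CSS hiding, or pushed off-screen.
HIDDEN_RE = re.compile(r"""(?:width|height)\s*[:=]\s*["']?0(?:px)?\b|display\s*:\s*none"""
                       r"""|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}""", re.I)
# Links to "player" files or executables deserve a look when they leave our own hosts.
DOWNLOAD_RE = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+\.(?:swf|exe|scr|pdf))\b""", re.I)

def host_of(url):
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else None

def scan_text(text, path="<inline>"):
    """Return (path, url, reason) tuples for every suspicious iframe or download link."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        src = SRC_RE.search(tag)
        url = src.group(1) if src else ""
        host = host_of(url)
        if host and host not in KNOWN_HOSTS:
            findings.append((path, url, "iframe to unknown host " + host))
        if HIDDEN_RE.search(tag):
            findings.append((path, url, "hidden or zero-size iframe"))
    for url in DOWNLOAD_RE.findall(text):
        host = host_of(url)
        if host and host not in KNOWN_HOSTS:
            findings.append((path, url, "player/download link to unknown host " + host))
    return findings

def scan_tree(root, suffixes=(".html", ".htm", ".php", ".js", ".tpl")):
    # Walk the web root (PHP and templates included, since that is where the second iframe hid).
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            findings.extend(scan_text(p.read_text(errors="replace"), str(p)))
    return findings

# Constructed sample page resembling the injection described above (not real data).
SAMPLE = """<html><body>
<iframe src="http://malicious.invalid/counter.php" width=0 height=0 style="display:none"></iframe>
<a href="http://malicious.invalid/get_flash_player.swf">Your Shockwave player is broken, update it</a>
<iframe src="http://www.fanzine.example/forum/stats.php" width="300" height="100"></iframe>
</body></html>"""
```

Run `scan_tree("/path/to/webroot")` against a copy of the site; every hit is something to look at by hand, and a relative src is only flagged when the iframe itself is hidden.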

So in all "a few tears but a lot of glory". One further happy ending is that Jart showed me how to add a few further "patches", which he made me promise not to tell anyone about, but apparently they are "BadWare Hacker" traps: if someone tries to hack our site again, their "bot" goes back to its dark place with a bad headache ;-) Hope this helps others.

Rebecca AKA "The BadWare Avenger" & with an El Jart assist.