I have a number of websites on the Interwebs. One of those sites (thefitblog.net) has been receiving fairly steady numbers of hits over the last few years and has been helpful in my adsense revenue stream. Not much money, of course, but still it pays for a daily coffee. Or perhaps “paid”.
That site has been neglected in recent days. In early June, the site was the target of a script injection due to, I assume, an outdated WordPress install or a dastardly plugin or something. I thought I resolved the issue, until the other day when it was again targeted. Here are the details on what happened and how I “fixed” the problem.
4 days ago, I was notified by Google that my site was (once again) blacklisted due to it delivering malware to users. What this means is that when people stumble on my page through Google they get a scary warning. An even scarier warning is shown on the Chrome browser when someone tries to navigate to the page directly (or via link).
These warnings about malware on my site effectively cut off visitors (or more correctly, cut visitors to only 10 percent) and screwed me on getting any adsense revenue. There went my daily coffee.
I immediately went to the site, noticed the issue, removed the malware script injection on the index.php page, went about updating WordPress, deleting plugins, updating plugins, grepping for other issues, etc… Then I requested a “review” via Google’s Webmaster Tools.
The next day, the site was not only still blacklisted, Google’s malware scanner still found malware on it. Me: “What the heck!?”
Again, I checked everything, deleted even more plugins, rechecked directory permissions, even checked the site in sitecheck.sucuri.net. sucuri.net said that everything was cool… except of course for the fact that it was blacklisted in Google. So I again requested a site review via Google Webmaster Tools, politely suggesting that their malware scanner wasn’t actually working.
The next day, same result. Site blacklisted, SiteCheck says all is good, but Google’s malware scanner is detecting badness. So this time I figure maybe it’s me and I go to the Google Webmasters malware forum and ask what the problem could be. Someone immediately replied and told me that they were, in fact, seeing malicious script before the doctype on the index page. But, of course, I still couldn’t see it. Here’s where it got interesting.
The replier suggested that it wasn’t consistently showing up. He only saw it maybe once or twice when looking, but also saw the index page looking perfectly fine in other attempts to request the source. I asked what tool he was using to pull the source and he pointed me to this super awesome webpage, Redleg’s File Viewer. This sweet page lets you view a site’s source and change the User-Agent and Referer headers, in case the source changes if, say, Googlebot were browsing versus the average IE6 user.
But despite the awesome link, no matter what, I simply could not find any malicious javascript on the supposedly infected files. But obviously something was wrong. So the search continued.
My next step was to use a combination of the ls command and grep magic to recursively search from my root directory to find anything suspicious. I finally found a page in my theme directory that had a modified date very different from the rest of the files. Upon checking, it had the javascript injection. A really strange one, too: it uses a lot of comments to obfuscate the code further and is base64 encoded twice over.
Anyway, I removed it and once again requested a review. This time, only hours later, Google removed my site from the blacklist and I’m back in action baby! Already 85 cents richer.
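To make the two clues above concrete (a script sitting ahead of the doctype, obfuscated with comment noise and base64 twice over, plus a theme file whose modification date stands out from its neighbours), here is an added Python example; it is not code from this post or from any tool mentioned here, the payload, file names and timestamps are constructed, and the marker string the sample decodes to is harmless.

```python
import base64
import re
import statistics

# Constructed stand-in for the injected script (hypothetical, not the code found on the
# site): a harmless marker, base64-encoded twice, split into pieces padded with comments.
INNER = "document.write('injected-marker')"
COMMENT_RE = re.compile(r"/\*.*?\*/|<!--.*?-->", re.S)  # no '//' rule: '//' is valid base64
ATOB_RE = re.compile(r"atob\(([^)]*)\)")                  # argument of the decoder call
LITERAL_RE = re.compile(r"""["']([A-Za-z0-9+/=]+)["']""")  # quoted base64 fragments

def chunk(text, size=20):
    """Encode text as base64 and split it into '+'-joined quoted pieces with comment noise."""
    b64 = base64.b64encode(text.encode()).decode()
    pieces = [b64[i:i + size] for i in range(0, len(b64), size)]
    return "+/*noise*/".join('"%s"' % p for p in pieces)

def build_sample():
    """HTML as the cloaked page looked: a <script> ahead of the doctype, two base64 layers."""
    stage1 = "eval(atob(%s))" % chunk(INNER)
    stage0 = "eval(atob(%s))" % chunk(stage1)
    return ("<!-- theme header -->\n<script>/*pad*/%s</script>\n"
            "<!DOCTYPE html>\n<html><head><title>ok</title></head><body></body></html>\n") % stage0

def script_before_doctype(html):
    """Return the markup preceding <!DOCTYPE> when it holds a <script>, else None."""
    m = re.search(r"<!doctype", html, re.I)
    prefix = html if m is None else html[:m.start()]
    return prefix if re.search(r"<script", prefix, re.I) else None

def peel_base64(js, max_layers=5):
    """Strip comments, rejoin the quoted pieces inside atob(...), decode; repeat per layer."""
    layers = []
    for _ in range(max_layers):
        m = ATOB_RE.search(COMMENT_RE.sub("", js))
        if m is None:
            break
        joined = "".join(LITERAL_RE.findall(m.group(1)))
        try:
            js = base64.b64decode(joined, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(js)
    return layers

def mtime_outliers(mtimes, tolerance_days=7):
    """Paths whose mtime (epoch seconds) sits far from the median, like the altered theme file."""
    median = statistics.median(mtimes.values())
    return sorted(p for p, t in mtimes.items() if abs(t - median) > tolerance_days * 86400)
```

Running `peel_base64` on the suspicious prefix returns the decoded layers innermost last, so the final entry is what the browser would actually execute; feed `mtime_outliers` the `path: os.path.getmtime(path)` pairs for a theme directory to get the odd-one-out files.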