This page is a starting-point resource – one we expect to evolve and grow over time – to provide webmasters with tips for ways to remove badware and other badware behaviors from your website and to help keep it free of badware in the future.
Please note that this resource is by no means comprehensive or exhaustive and is intended only as a first step for webmasters concerned about badware. We encourage webmasters and hosting providers to research website security independently, beyond the suggestions offered here. It is the responsibility of individual webmasters and hosting providers to stay informed of news relating to website security issues.
There are three basic steps to maintaining a clean site:
- Identifying badware behavior on your site
- Removing badware behavior from your site
- Preventing badware behaviors in the future
Identifying badware on your site
The first step to keeping your website badware-free is to check for any badware or badware behaviors that may already be on your site. Badware is software that fundamentally disregards a user’s choice over how his or her computer will be used. Many sites with badware problems are not actually hosting badware themselves, but instead exhibit other “badware behaviors” such as automatic redirects or prominent links to badware on other sites. Often these badware behaviors are the result of hacking attacks or compromised third-party content, such as ads, rather than any deliberate actions by the website’s owner. You can learn more about badware and badware behaviors in our Guidelines.
When looking for badware on your site, especially badware due to hacking attacks, please remember to check the source code of your site as it is currently hosted on your web servers. Many site owners mistakenly look just at the website files they have on their own computers, and so miss seeing the evidence of attacks to the site itself.
If your site has been flagged with a malware warning by Google, check the Google Diagnostics page for your site for more information about the problems Google found.
Here are some common types of badware to look for:
1. Badware available for download on your site
Evaluate the software that you are offering for download – including any third-party applications that are bundled with your software – based on StopBadware’s Software Guidelines. If the software that you are offering for download violates our guidelines, then it constitutes badware.
If your software is bundled with third-party applications, you may also want to check whether the bundled applications install any dangerous or deceptive code. One method for detecting this is to download the entire software bundle onto a virtual machine and scan it using anti-virus or anti-spyware programs.
2. Badware available on sites that you link to
If your website links to badware, your site’s visitors may be in danger, even when the bad software or code exploits are not actually hosted on your site. Your web pages may violate our Website Guidelines if they automatically redirect to a website that hosts or distributes badware; directly link to executable files that are badware; link to another website that automatically attempts to install badware by exploit onto the user’s computer; or contain substantial links to other website(s) that predominantly host or distribute badware.
Some ways to determine whether the links on your site violate our guidelines would be to check whether any of your links lead to bad software available for download on another site, or whether they lead to an infected page on another site. (We recommend that, when looking for badware, you use a virtual machine to avoid damaging your own computer.) It may also be useful to search through your site’s source code and look for links to unknown sites, especially if the links are to executable files. Executable files include files with extensions such as .exe, .bat, .cmd, .scr, and .pif. There are also applications available that will allow you to scan for malicious links within a web page, and you can use these applications to help decide whether to link to that page.
You can also use the StopBadware application alerts and our Badware Website Clearinghouse as a resource to search for information on the sites and software to which you link or are planning to link.
3. Badware distributed through ads running on your site
Advertising displayed on your site is another potential source of badware, since most ads include direct links to an external web page. Please see section 1.2 above for general information about our guidelines for badware found via links. If you display third-party ads on your website, check that the links do not lead to bad software or to a badware-infected web page. The methods for evaluating the software that is available through ads are similar to those described in section 1.1.
Use internet searches to check out the ad networks you use to learn whether other websites have had badware problems with those ad providers.
4. Badware links posted in user-generated areas of your site
If there are any areas of your site where users can post or upload content, these areas may be a potential source of badware or badware links. Please see sections 1.1 and 1.2 above for information about badware and badware links.
5. Hacking attacks to your site
Another common source of badware on websites is hacking attacks, which allow third parties to insert code or executables onto poorly secured websites. A common example is the “injection attack,” in which a hacker uses a security vulnerability to inject harmful code into one of your web pages. Usually this code will be invisible to visitors to your site, but can trigger a silent badware download in the background of a visitor’s computer. You can often detect whether this kind of attack has occurred by looking at the source code of your web pages and determining if contains any code that you did not place there. Be sure to look at the code as it is appearing live on your web server.
Two common types of “injection attack” are:
Iframe tags are one of the many kinds of HTML tag codes that can be used as part of the source code that creates a website. An iframe creates a small window on a webpage so that another page can load inside the embedded window. Iframes are not always used for nefarious purposes; one frequent use, for example, is to embed remotely hosted dynamic content such as online maps into web pages. When used by malicious attackers, an iframe can be made so small that it is invisible, and the visitor to the infected page never knows that another page is also loading in the tiny iframe window.
If you see code for an iframe with width=“0” and height=“0” in the source code of any page on your website, you have found an invisible iframe. Iframes are most commonly inserted at the very top or the very bottom of a web page’s source code. A good first place to check for iframes is before the initial tag that starts a web page’s standard code, or after the final that ends a page’s code.
Obfuscated code is not necessarily bad; for example, some developers use encoding to make it harder for automated programs to detect email addresses displayed on a site, protecting the addresses from spam harvesters. However, if you write the code on your site and you do not intentionally obfuscate, a block of obfuscated code on your site may indicate an injection attack. The two most common ways code is obfuscated are through encoding and encrypting.
Encoding can sometimes be easy to spot because the encoding uses either “hex” or “unicode/wide” characters. For hex characters, you will see strings of percent signs with two characters after them (e.g. %AA%BB%CC). For unicode characters, you will see strings of “\u” with four characters after (e.g. \u0048\u0069\u0021). These blocks of encoded text can take up several paragraphs.
Removing badware from your site
How you should go about removing badware from your site will depend on what kind(s) of badware your site is hosting or linking to. Our general recommendation is to take your website offline while you clean and secure it, to prevent your site’s visitors from being unwittingly infected in the interim.
1. If your site is hosting bad software for download
Remove the bad software from your website and don’t make it available for download again unless you can be sure that it is no longer badware. You can learn more about what makes a piece of software badware in our guidelines. If you are the creator of the software in question, StopBadware may be able to offer recommendations for bringing your software into compliance with our guidelines.
2. If your site links to badware
Remove all badware links from your website.
3. If ads on your site are linking to badware
Remove all ads that link to badware. If you use an ad network, this may mean removing all the network’s ads from your site until you can be sure the network is clean. You may also want to contact your ad provider and let them know that one or more of their ads is causing badware to be linked from your site.
4. If badware is linked in user-generated areas of your site
Remove the badware links from your site. This may involve editing user posts to remove the badware content, or deleting entire user posts.
5. If your site has been hacked
Take the site offline in order to keep from putting your site’s visitors and your customers at risk. Then remove all of the offending code and fix all underlying security vulnerabilities before putting your site back online. Finding and removing a specific block of bad code that a hacker has inserted can clean your site for a time, but keeping your site from being infected in the future will require fixing the security vulnerabilities that allowed the hacker to insert the code in the first place. As such, be sure to check for and remove any backdoors left by the attacker. A backdoor will allow an attacker to get back into your site even after you have locked down the site.
Your hosting provider should also be able to help you figure out where the underlying vulnerabilities on your site are, so contacting them should be a top priority if you think your site has been hacked. You can also check your hosting provider’s forums to see if any other webmasters using that host have been compromised. Checking user forums for the software used by your site can also help you see if other users have been compromised through flaws in the software, or if there are security updates which your site does not yet have in place.
Preventing badware in the future
1. Check software for badware before making it available for download
See section 1.1 above for general information on badware and our software guidelines.
2. Check links for badware before posting them to your site
See section 1.2 above for general information and our guidelines about badware in links.
3. Use only reputable, conscientious ad providers and regularly monitor them to be sure they stay clean
Make sure your ad network is reputable and actively screens for badware from advertisers. If not, switch and tell them why you switched. Remember that an ad shown on your site, even if provided and hosted by a third party, is still a part of your web page. You should only accept ads from providers that you are confident are diligent about protecting clients from badware. Use internet searches to check out the ad networks you are considering using to learn whether other websites have had badware problems with those ad providers.
4. Monitor user-generated areas of your site
5. Close security loopholes to secure your site against hacking
Some basic steps that can be taken to make your site more secure include the following:
- Use strong passwords.
- Use SSH and SFTP protocols, instead of telnet or FTP. Telnet and FTP are both considered insecure because of their use of plain text protocols. They transmit usernames and passwords in a way that anyone with access to the network can read. SSH and SFTP are based on an encrypted protocol which prevents eavesdropping.
- Scan your site for security vulnerabilities using a vulnerability auditing scanner (both free and commercial versions are available). Use security update management tools to detect missing patches and then apply those patches immediately. The StopBadware online community has created a page of suggestions from our community members here].
- Keep up to date on news relating to any software you or your host use on your site, and make sure you are always running the most recent versions, including security patches. Subscribe to, and regularly read, any newsletters or alerts offered by your hosting provider and software providers.
- Make sure your hosting provider keeps all software updated, including security patches. If they do not, urge them to do so or switch to a hosting provider that you are confident does its best to keep its clients’ websites secure.
When your site is clean, secure, and back online, you may want to notify your site visitors about the badware problem, and the steps you’ve taken to address it. If a user has become infected with badware after visiting your site, knowing what you’ve found will help them clean up their own computer. And telling your story can help other webmasters deal with similar situations on their own sites. If you’d like to share your story of how you cleaned your site with other webmasters, or would like to share tips for keeping websites secure, please visit our online community
This page is an evolving resource. If you have further questions or suggestions for additions, please join our online community and share your ideas.