Google reports "This site may be hacked"

My client www.labinsky.com is listed in Google along with the warning "This site may be hacked." I connected the site to Google Webmaster Tools, but there is no warning of malware from the control panel. I also connected it to Bing Webmaster Tools, and also no warning of malware (Bing search never reported a problem with hacking).

The site is a WordPress site, running the latest version of WordPress, 3.6.1.

Why is google issuing a warning on this site, and how do I get rid of the warning?

Thank you.
Lev Seltzer Asked:

dec0mpile Commented:
This message appears in Google search results when Google crawls a page (or pages) that contains malicious code. Your website is compromised; that is the reason you are seeing this.
I confirmed that by using a security scan tool that you can run yourself to verify at:
http://sucuri.net/

To answer your original question, once your site is clean go to Google webmaster tools - crawl - fetch page as Google and that will update the status.
0

Gary Commented:
Look at the source code for your site, and you will see the spam.
One of your plugins is hijacked - very common on WP sites, disable them all, check for updates.
Will have a look through js code later.
0
Lev Seltzer (Author) Commented:
I looked at some of the source code and actually could not find the spam! What code do you think is hacked?

I disabled ALL the plugins, but sucuri.net still reports malware.

Interestingly, sucuri.net says that Google does NOT blacklist the site.

What should I do now?
0
Gary Commented:
View the source from your browser and search for
"Information about defaults and once approved loans Levitra"
Will get back to this in a short while.
0
Lev Seltzer (Author) Commented:
I open a page (such as http://labinsky.com/financial-planning/goal-setting/, which is listed in sucuri) in MSIE10, click on view source, and then search for "levi" - nothing found. I scan the source file with my eyes and don't see anything.

I know the code is buried somewhere on the site, but I can't figure out where.
0
meb_santoso Commented:
It's not in the plugins, it's injected in your pages.

A quick search on Google for "viagra site:labinsky.com" reveals these results:

https://www.google.com/search?q=viagra+site%3Ahttp%3A%2F%2Flabinsky.com%2F&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a

Screenshot: google
** Proceed your search & replace with EXTRA care; MAKE BACKUPS BEFORE PROCEEDING **

Go to your database administration page (phpMyAdmin?) and search and destroy everything that is contained in 'static2' (see screenshot).

Screenshot: injected content
You can use this plugin: http://wordpress.org/plugins/search-regex/
and execute it using the following regex:

/<div class="static2">.*?<\/div>/s

and then search & replace
<div class="static2"></div>

with emptiness (mass delete it)
0
meb_santoso Commented:
Errata:
I wrote: " It's not in the plugins, it's injected in your pages."

If you have disabled all of your plugins, and if it's not in your theme, and if it's also not in your database, it can also be in one of the javascripts of your theme.
0
Gary Commented:
Have a look in your header.php for any strange code, also sort your files by date and see if any have been modified recently - check them as well.
0
Lev Seltzer (Author) Commented:
I didn't find anything in the wp_posts table.
Still trying to duplicate the image you received in firebug with the levitra! I can't find it at all.

Will look in header.php shortly....
0
dec0mpile Commented:
You can also try to scan using a plugin that can make the identification process simpler:

http://wordpress.org/plugins/wordfence/

This is the Sucuri WordPress plugin:
http://wordpress.org/plugins/sucuri-scanner/
0
Lev Seltzer (Author) Commented:
Sucuri scanner comes up blank! Someone else reported the same problem on the plugin support page. 1-click hardening and WP integrity are all OK.
WordFence reports no problems.
I looked at header.php and found no problems.
header.php
0
Jason C. Levine (No one) Commented:
"One of your plugins is hijacked - very common on WP sites"

It's probably not the plugin given the injection.  More likely is the core is compromised and is making remote calls to a spam server via an injected or modified core file.

"I didn't find anything in the wp_posts table."

Nope.  The code is being generated on-the-fly by remote injection when the page is accessed.

"Still trying to duplicate the image"

If you are logged in to the site, you may not see the spam.  Well-written attacks don't activate when Editors or Administrators are viewing the site.  It keeps the attack going for an extra few hours or days.

I wrote an article on how to clean and recover from an attack and tips to secure the site.

http://www.experts-exchange.com/Web_Development/Blogs/WordPress/A_10806-Recovering-From-and-Preventing-WordPress-Site-Hacks.html
0
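Added example, not part of the original thread: a way to check for the cloaking described in the comment above by requesting a page without any login cookies, once as a browser and once as a crawler, and comparing the spam indicators the thread names (the "Levitra"/"viagra" terms and the `static2` div). It assumes the injected output varies with the User-Agent or with login state; the User-Agent strings, the function names and the sample HTML are constructed for this example.

```python
import re
import urllib.request

# User-Agent strings are assumptions chosen for this example.
AGENTS = {
    "browser": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
    "crawler": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}
# Indicators taken from the thread: the spam terms and the injected div class.
SPAM_TERMS = re.compile(r"\b(levitra|viagra)\b", re.I)
INJECTED_DIV = re.compile(r'<div\s+class="static2">.*?</div>', re.I | re.S)

def fetch(url, agent, timeout=15):
    """Fetch url with no cookies (i.e. logged out) and the given User-Agent."""
    req = urllib.request.Request(url, headers={"User-Agent": agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def indicators(html):
    """Return the set of spam indicators present in one HTML response."""
    found = {m.group(1).lower() for m in SPAM_TERMS.finditer(html)}
    if INJECTED_DIV.search(html):
        found.add("div.static2")
    return found

def compare_views(views):
    """views maps a label to HTML; cloaked is True when the views disagree."""
    per_view = {label: indicators(html) for label, html in views.items()}
    cloaked = len({frozenset(s) for s in per_view.values()}) > 1
    return {"per_view": per_view, "cloaked": cloaked}

def check_url(url):
    """Fetch url once per User-Agent in AGENTS and compare the results."""
    return compare_views({label: fetch(url, ua) for label, ua in AGENTS.items()})

# Constructed sample responses (not captured from the site in the thread).
SAMPLE_BROWSER = "<html><body><h1>Goal Setting</h1><p>Plan ahead.</p></body></html>"
SAMPLE_CRAWLER = ('<html><body><h1>Goal Setting</h1><div class="static2">'
                  'Information about defaults and once approved loans Levitra'
                  '</div><p>Plan ahead.</p></body></html>')

if __name__ == "__main__":
    print(compare_views({"browser": SAMPLE_BROWSER, "crawler": SAMPLE_CRAWLER}))
```

If both views come back clean while an external scanner still reports spam, the injection may be keyed on something else (referrer, source IP, first visit), so a clean result here does not prove the site is clean.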
Lev Seltzer (Author) Commented:
This is getting too complicated for me, as I am still not able to see even the malicious code.

Would anyone that has responded recommend sucuri's $89 plan to get clean? Or a competing plan? I will then propose this to my client, rather than spending more and more time on this.

Thank you.
0
Jason C. Levine (No one) Commented:
Sucuri and StopTheHacker are both worth the money if you don't have the ability to clean it yourself.

VaultPress's mid-level plan is also a good choice as it combines live backup with security monitoring.

But the Sucuri folks are great and reasonably fast (1 to 4 hours to fix after initial report).
0
dec0mpile Commented:
I would definitely recommend Sucuri. The service is very good and the $89 price is for one year which I think is very responsible for business sites.
0
Lev Seltzer (Author) Commented:
Thank you all for your help. I am going to recommend sucuri to my client. I think that will end up being cheaper than my continuing to search for the hack.
0