Yesterday I received an email from stopbadware.org. They reviewed my site and found no problems anymore:

Google’s most recent test of your website found no badware behaviors on the site.  As such, the Google warning page for your site has either already been removed or should be removed shortly.  In addition, if your site has been listed in our Badware Website Clearinghouse, we will remove your site from the Clearinghouse list.

So far so good, a bit late maybe since my site has been unblocked since about a week. However the last paragraph of the email reads:

Please note that we will be retesting your website at periodic intervals in order to monitor that it remains free from badware. If we find that you are hosting or distributing badware in the future, the reviews process may take considerably longer than the original review.

Now this really made me laugh. The next review process might take even longer? Due to the lack of information provided by stopbadware.org and Google, my site has been marked as a badware site for approximately 2 and half weeks. It took stopbadware.org another week to review my site, after Google found it was clean. But when I get hacked again, it even might take them longer to respond than they already needed?

Considering the cooperation between firefox and stopbadware.org I might have to switch to Opera, or god help me, even Internet Explorer.

On February the 5th Wordpress released version 2.3.3 of their blog software. This release fixed the following issue:

WordPress 2.3.3 is an urgent security release. If you have registration enabled a flaw was found in the XML-RPC implementation such that a specially crafted request would allow a user to edit posts of other users on that blog.

On February the 10th I applied the version 2.3.3 to my site.

Three days later Ubuntu Hardy installed the new firefox 3.0 beta. This version of Firefox works very closely with stopbadware.org to prevent users from accessing malware or badware sites. I found this feature when I used Firefox to visit my own site. I was informed of the fact that my site actively distributes or promotes malware and Firefox will not allow access to it. Disabling one of the security features in Firefox restored the access to my site. I instantly understood that my site was hacked  (again) in the last couple of days.

Trying to find out what was going on I read a lot of information on the stopbadware.org pages. Stopbadware.org is founded by Google so it is not surprising they use Google techniques to decide which sites are badware (or malware). A google search for my site today gives the following result (I also tried the same search on Yahoo, MSN and ASK.COM. Those engines have no problem with my site since they do not try to block access to malware sites):

Doing some more research I found that Google’s webmaster tools will give me an option to let Google do a review of my site. The bad thing I found was that Google does not tell you what is wrong with your site. They only state that there is something wrong. This makes it very hard to debug the site and fix the problem. I ended up going through all the pages and have a look at the source of each.

I found two hidden links. The links were hidden in <noscript> tags, so they were not accessible for the visitors of my webpage, they were just there for search engines to enjoy (I guess the person who inserted the links hopes to gain more attention if his site gets linked to a lot). So I removed the links, did some queries on my database and decided my site was completely clean. Then I asked Google to re-evaluate my site.
Read the rest of this entry »