There is an irritating error that pops up when you visit some sites using Firefox. This same error does not appear on IE. There maybe a variation of the same error on Google’s Chrome browser and others.

The error says, The site at ********.com has been reported as an attack site and has been blocked based on your security preferences.


This is quite a disturbing error to users browsing your site. A lot has been said about why this error comes up. We do however know that it is a ‘google safebrowsing initiative‘ error.

Here are some of the solutions to try first before you panic:

  1. Check your the offending site vs the google diagnosis tool : http://www.google.com/safebrowsing/diagnostic?site=www.offendingsite.com [replace offendingsite with the url of the site afore mentioned in the error]
  2. Check your site on http://www.unmaskparasites.com/security-report/?page=www.offendingsite.com
  3. If your site is not listed as an offender site on the safebrowsing diagnosis tool or unmaskparasites is clean of bugs, check for small things that may be making referencing to the offending site, like:
    1. Javascripts
    2. Javascript Libraries
    3. Iframes
    4. Flash Objects
    5. Images
    6. XML / RSS links or feeds
    7. External Ads, anything external really.
  4. If your site is clean of the above. Check browser items that maybe referencing the offendingsite. Start with:
    1. Feeds
    2. Plugins
    3. Tools
    4. or any additional resources that do not come with your browser. Pay close attention to fake ‘SEO tools’
  5. If there’s no luck remove the security warnings from firefox, since they are Firefox built in errors. You can turn them off by going to tools>options>security and unchecking “tell me if the site I’m visiting is a suspected attack site”.

More reading resources (particularly useful for webmasters)

  • http://googlewebmastercentral.blogspot.com/2008/08/hey-google-i-no-longer-have-badware.html
  • http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html
  • http://googlewebmastercentral.blogspot.com/2007/08/malware-reviews-via-webmaster-tools.html
  • http://stopbadware.org/home/security

Interesting enough on my client’s site the error was because I had a <script> after the </html> tag!

Perhaps someone may find this helpful.

An update (5 June 2009)

So it turns out that this thing that hit me a few weeks ago, has a name. its called GUMBLAR.

In tech speak Gumblar is a combination of exploit scripts and malware, it embeds into the websites html, php and js files and when a user goes to the site, it loads 3rd party code on the viewers computer. It does this by stealing FTP details from the victims computer which then allows it to spead and infect any websites that the user FTP’s to.

If you visit an infected site, you get infected, it steals the FTP details of any sites you manage and infects those sites. This causes this virus to spread at an alarming pace.

some expercts have tested several antivirus packages against this attack and found Norton picked it up, but NOD32 didnt. Some packages do not detect it effectively because they dont have a malware scanner.

Some steps to check/clean your machine of this issue:

  1. Run antivirus with malware checking and remove any instances of this virus
  2. Change ALL your FTP passwords on any websites you manage, really we mean ALL.
  3. Clean your websites
    1. Check your file permissions are not open to abuse – make all files mod 755 so they arent publicly writeable (unless the need to be)
    2. Check your php-includes havent been modified
    3. Check your .htaccess file isnt modified
  4. An infected PC may experience the following issues:
    1. Applications crashing a lot
    2. Firefox – every search would redirect to a bogus advert page, but clicking the search result once more would open the real page.
    3. Not being able to start the cmd function from the start/run menu.
  5. Remember to protect yourself against these kinds of issues by keeping your antivirus updated, run superantispyware or spybot.

Some other sites that seem to be talking of practical ways to further protect yourself:

  • http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
  • http://www.guardian.co.uk/technology/2009/may/22/gumblar-google-malware
  • http://blog.unmaskparasites.com/2009/05/15/a-few-more-facts-about-the-gumblar-attack-from-sophoslab-and-scansafe/
  • http://blog.unmaskparasites.com/2009/05/18/martuz-cn-is-a-new-incarnation-of-gumblar-exploit/
  • http://blog.unmaskparasites.com/
Bookmark and Share