Google Safe Browsing Alert

One of our websites was getting the Safe Browsing alert. The first step is: stop panicking.

Website got hacked?

After calming down:
1. Go to your website and check the damage. Is it completely defaced, e.g. showing a 'You are hacked' page? If so, go to Scenario A.

2. If you can't find anything odd on the website (pages still load and features run fine), it's likely that some malicious code is being loaded; go to Scenario B.

Scenario A

The damage is huge and it's hard to tell which files or database records were modified:

  1. Make a copy of the broken files and database for forensic purposes (if you want to investigate later).

  2. Restore the latest backup you have; most likely your hosting service provider has an automated backup process.

  3. Once your website is up and running again, put up a defense to avoid further attacks: a WAF (Web Application Firewall) is needed now. If you are using WordPress, just install a plugin like Wordfence; the paid version is better, as it also makes sure the latest vulnerabilities are covered.

  4. Cloudflare would be another layer of protection: subscribe to their service and enable Under Attack mode to keep most malicious traffic away.

  5. Start working on the vulnerabilities. For WordPress, follow all the suggestions provided by Wordfence and keep your CMS updated. If it's your own code, I'd suggest using tools like Snyk to scan the repo for vulnerabilities, or engaging whitehats to pentest your site.

Scenario B

The damage is minor and data is intact, but the team needs to find out the details behind the Safe Browsing block.

  1. Use scanners such as the following to run a scan on your site:

  2. The scanner should give you the suspicious path; check the code sample it provides:

    • Good case: it's our own JS code and the scanner mistakenly treated it as malicious. Remove the code if it's no longer in use, or refactor it so it doesn't match the malicious signature.

    • Bad case: it's malware uploaded into your codebase. The team will have to dig deep to find out whether it came in at the application level or the infra level.

    • Application level: again, use Snyk to help you scan for vulnerabilities.

    • Infra level: could be a leaked FTP / SSH account, or a modified .htaccess due to an application-level vulnerability. Close the loophole as soon as you identify it.
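One way to pin down which files actually changed (the forensic copy from Scenario A step 1 is what you compare against, and Scenario B step 2 needs the suspicious path): build a SHA-256 manifest of a clean copy and diff it against the live webroot. This is an added example, not code from the original post; the directory layout, file contents and the ".htaccess" change below are constructed sample data, not real malware.

```python
import hashlib
import tempfile
from pathlib import Path

# File types worth tracking on a PHP/WordPress site; images and fonts are
# skipped so the report stays short. Constructed list, adjust to your stack.
WATCHED = {".php", ".js", ".html", ".htm", ".htaccess", ".ini"}


def build_manifest(root):
    """Map each watched file (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        # dotfiles like .htaccess have an empty suffix, so match on the name too
        if path.suffix not in WATCHED and path.name not in WATCHED:
            continue
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def diff_manifests(baseline, current):
    """Return the files added, removed or modified since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed sample: clean copy vs. live copy with two changes."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        for root in (clean, live):
            Path(root, "wp-content").mkdir()
            Path(root, "index.php").write_text("<?php echo 'hello'; ?>\n")
            Path(root, ".htaccess").write_text("RewriteEngine On\n")
            Path(root, "wp-content", "theme.js").write_text("console.log('ok');\n")
        # constructed changes on the live copy: rewritten .htaccess, dropped file
        Path(live, ".htaccess").write_text("RewriteEngine On\n# constructed change\n")
        Path(live, "wp-content", "dropped.php").write_text("<?php /* placeholder */ ?>\n")
        return diff_manifests(build_manifest(clean), build_manifest(live))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Anything listed under "added" or "modified" is where to look for the injected code or the rewritten .htaccess; a file the scanner flags that is absent from both lists is a candidate for the "good case" above.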

Submit a review request via Google Search Console

Whether you have fixed the root cause or you need more details, submit a review request via Google Search Console.

From past experience, most reviews are done in 1-2 working days, and the block is lifted immediately if it's a pass.