How did my site become infected?

Websites are normally infected by hackers who manage to gain access to the server or content management system (CMS).

Ad banner, counter or any other third-party codes you've embedded on your site may lead to it becoming infected. Don't forget that banner systems may also be hacked just like any other site, while their owners may not even be aware of the malicious nature of the code generated.

One of your users may have intentionally or unintentionally uploaded an infected file if your site lets users post messages or upload files.

How do I know which pages are infected?

You can find a list of infected pages on Yandex.Webmaster under Security.

The list may not be comprehensive as only a sample of the webpages are tested. It is also worth noting that the malware may be embedded in code that is used on all your pages, such as the title or footer.

How often are sites checked?

The time between checks varies so we cannot say for sure when a site will be scanned. Therefore, there may be a delay before information about an infected site is updated.

Any site on which Yandex detects malware will be rechecked. However, the period between checks will increase if the site is still infected after each one. The quicker the malware is removed from the site, the quicker Yandex will find out and remove the warning tag displayed next to the site in the search results.

How can I find malware on my site?

Look for any code that was not added by you personally.

Pay attention to the following:

  • <script> tags that contain links to resources unknown to you (e.g. <script src="h__p://evil.com/1.js">;

  • <script> tags with obfuscated text (i.e. with the text that is encrypted, such as this:

  • scripts that are disguised as counters or banner systems, in which the code is preceded by a comment saying that this is a counter, but which performs obscure actions or link to unknown sites;

  • <iframe>, <object>, <embed> tags that link to pages unknown to you; pay special attention to tags with attributes that hide the tag when the page is viewed. For example: small width/height values 0-10 pixels; invisibility: position:absolute; display:none etc.

  • expression attributes in page styles containing text unknown to you, for example: <img style="top: expression(....) !important" >;

  • unacceptable elements in content published by users (comments, articles, forum posts): strange code snippets, flash clips, <iframe>, <object>, <embed> tags.

Often a page may contain several such elements, sometimes they are different and link to different sources.

I've fixed my site, how do I remove the warning tag?

The warning tag will be removed if no malware is detected the next time Yandex checks your site. You can send a recheck request in the Security section of Yandex.Webmaster to speed up the process.

What are the benefits of registering with Yandex.Webmaster?

Yandex.Webmaster lists the pages on which malware has been detected, displays the antivirus results for each page and show the chain of infection. The service also lets you request a recheck for your site once the malware has been cleared to remove the warning tag as quickly as possible.

We don't want information about your site to be spread around willy-nilly. Therefore, you must register and confirm your ownership rights before being able to use all the service features.

Yandex.Webmaster registration is optional and you can search for and remove the malware yourself. Yandex will still recheck your site automatically and remove the warning tag that appears in the search results if no malware is detected.

Why is my site tagged as infected in Yandex search results but there are no infected pages listed on Webmaster?

Pages on different domains are checked for malware independently of each other. Therefore, if different domains of the same site (for example, www.site.ru and site.ru), are not registered as mirrors on Yandex, Yandex.Webmaster may not be aware of the full picture. A domain registered on Yandex.Webmaster may not be tagged as infected, while the unregistered domain maybe tagged as containing malware.

We recommend you register the second domain on Yandex.Webmaster to solve this issue. You will then be able to see infection information about both infected domains and request rechecks for both.

Why do I receive so many repeat notifications about my site being infected?

These messages normally mean that the malware is attempting to conceal itself from the antivirus system: the code may reemerge from time to time or under specific circumstances (for example, when users are directed to your site from search results or use a certain browser).

Contradictory messages may also indicate an infection and you should thoroughly check all the files on your site.