Tips for Cleaning & Securing Your Website

by StopBadware.org. This article is licensed under a Creative Commons license.

This page is a starting-point resource -- one we expect to evolve and grow over time -- offering webmasters tips for removing badware from their websites and keeping those sites free of badware. Please note that this resource is by no means comprehensive or exhaustive, and is intended only as a first step for webmasters concerned about badware. We encourage webmasters and hosting providers to research website security independently, beyond the suggestions offered here. It is the responsibility of individual webmasters and hosting providers to stay informed of news relating to website security issues.

There are three basic steps to maintaining a clean site:

  1. Identifying badware on your site
  2. Removing badware from your site
  3. Preventing badware in the future

Identifying badware on your site

The first step to keeping your website badware-free is to check for any badware that may already be on your site. Badware is software that fundamentally disregards a user's choice over how his or her computer will be used. Some applications are badware because they act deceptively or irreversibly (for example, an application that secretly installs spyware or that is difficult or impossible to uninstall). Other applications are badware because they have objectionable behaviors (such as displaying pop-up ads or changing a user's homepage) without fully and prominently disclosing those behaviors to the user in advance and seeking his or her consent. You can learn more about badware in our Software Guidelines.

Here are some common types of badware to look for:

1. Badware available for download on your site

Evaluate the software that you are offering for download -- including any third-party applications that are bundled with your software -- based on StopBadware's Software Guidelines. If the software that you are offering for download violates our guidelines, then it constitutes badware.

If your software is bundled with third-party applications, you may also want to check whether the bundled applications install any dangerous or deceptive code. One method for detecting this is to download the entire software bundle onto a virtual machine and scan it using anti-virus or anti-spyware programs.

2. Badware available on sites that you link to

If your website links to badware, your site's visitors may be in danger, even when the bad software or code exploits are not actually hosted on your site. Your web pages may violate our Website Guidelines if they automatically redirect to a website that hosts or distributes badware; directly link to executable files that are badware; link to another website that automatically attempts to install badware by exploit onto the user's computer; or contain substantial links to other website(s) that predominantly host or distribute badware.

To determine whether the links on your site violate our guidelines, check whether any of them lead to bad software available for download on another site, or to an infected page on another site. (We recommend that, when looking for badware, you use a virtual machine to avoid damaging your own computer.) It may also be useful to search through your site's source code for links to unknown sites, especially links to executable files. Executable files include files with extensions such as .exe, .bat, .cmd, .scr, and .pif. There are also applications available that scan for malicious links within a web page, and you can use them to help decide whether to link to that page.
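The source-code search described above can be scripted. The following is an added example, not part of the original article: it collects every href/src URL on a page and flags those that point to a host you have not listed as known or that end in one of the executable extensions above. The function name `audit_links`, the sample markup and all host names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Executable extensions named in the article.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".scr", ".pif"}

class LinkCollector(HTMLParser):
    """Collect every href/src URL found in a page's markup."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value.strip())

def audit_links(html, own_host, known_hosts=()):
    """Return (url, reasons) for links that deserve a manual look."""
    trusted = {own_host.lower(), *(h.lower() for h in known_hosts)}
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parsed = urlparse(url)
        host = (parsed.hostname or own_host).lower()   # relative URL: own site
        ext = posixpath.splitext(parsed.path)[1].lower()
        reasons = []
        if host not in trusted:
            reasons.append("unknown-host")
        if ext in EXECUTABLE_EXTS:
            reasons.append("executable")
        if reasons:
            findings.append((url, reasons))
    return findings

# Constructed sample page; every host name here is a placeholder.
SAMPLE = """
<a href="/docs/manual.pdf">Manual</a>
<a href="https://partner.example/tools/">Partner tools</a>
<a href="http://files.unknown.example/setup.EXE?id=7">Free download</a>
<a href="/downloads/installer.scr">Screensaver</a>
<script src="//cdn.unknown.example/w.js"></script>
"""

if __name__ == "__main__":
    for url, reasons in audit_links(SAMPLE, "www.mysite.example", ["partner.example"]):
        print(", ".join(reasons), "->", url)
```

A flagged link is only a candidate for review; check it against the guidelines before deciding whether to remove it.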

You can also use the StopBadware reports and our Badware Website Clearinghouse as a resource -- search our database for information on the sites and software to which you link or are planning to link.

3. Badware distributed through ads running on your site

Advertising displayed on your site is another potential source of badware, since most ads include direct links to an external web page. Please see section 1.2 above for general information about our guidelines for badware found via links. If you display third-party ads on your website, check that the links do not lead to bad software or to a badware-infected web page. The methods for evaluating the software that is available through ads are similar to those described in section 1.1 above ("Badware available for download on your site").

You can use the StopBadware in-depth reports and our Badware Website Clearinghouse as a resource. Check the ad networks you are considering using in our database to learn whether other websites have had badware problems with those ad providers.

4. Badware links posted in user-generated areas of your site

If there are any areas of your site where users can post or upload content, these areas may be a potential source of badware or badware links. Please see sections 1.1 and 1.2 above for information about badware and badware links.

5. Hacking attacks on your site

Another common source of badware on websites is hacking attacks, which allow third parties to insert code or executables onto poorly secured websites. A common example is the "injection attack," in which a hacker uses a security vulnerability to inject harmful code into one of your web pages. Usually this code will be invisible on your site to you and to any site visitors, but will trigger the download of badware in the background of a visitor's computer. You can often detect whether this kind of attack has occurred by looking at the source code of your web pages and determining whether it contains any code that you did not place there.

Two common types of "injection attack" are:

Invisible iframes

Iframe tags are a kind of HTML tag. An iframe creates a small "window" on a webpage so that another webpage can load within the embedded window. Iframes are not always used for nefarious purposes; one frequent use, for example, is to embed a video into a blog post. When used by malicious hackers, an iframe can be made so small that it is invisible, and the visitor to the infected web page never knows that another page is also loading in the tiny iframe window. If you see code for an iframe with width="0" and height="0" in the source code of any page on your website, you have found an invisible iframe. Iframes are most commonly inserted at the very top or the very bottom of a web page's source code. A good first place to check for iframes is before the initial <html> tag that starts a web page's standard code, or after the final </html> that ends a page's code.

Obfuscated Code

Obfuscated code or scripts are designed to be hidden within the normal code for your site, so they can be hard to detect. The code is written specifically to prevent automated tools from discovering its purpose. Obfuscated code is not necessarily badware; some legitimate coders obfuscate in order to prevent others from copying their work. However, if you write the code on your site and you do not intentionally obfuscate, finding a block of obfuscated code may indicate an injection attack. The two most common ways code is obfuscated are through encoding and encrypting.

Encoding can sometimes be easy to spot because it uses either "hex" or "unicode/wide" characters. For hex characters, you will see strings of JavaScript code that consist of percent signs, each followed by a two-character combination (e.g. %AA%BB%CC). For unicode characters, you will see strings that consist of "\u" followed by four characters (e.g. \u0048\u0069\u0021). Generally, blocks of code that have been encoded in this fashion will take up several paragraphs. If you find large blocks of text in your web page source code with either of the above patterns, it is likely to be obfuscated code.
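The checks described above for invisible iframes and encoded blocks can be run over a saved copy of a page's source. This is an added example, not part of the original article: it reports iframes with width and height of 0, iframes placed before the opening <html> tag or after the closing </html> tag, and long runs of %XX or \uXXXX sequences. The 20-sequence threshold, the function names and the sample page are assumptions.

```python
import re

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
# Matches width="0", width=0 or width='0px' once the attribute name is filled in.
ZERO_ATTR = r"""\b{}\s*=\s*["']?0(?:px)?["'\s>/]"""
# Assumed threshold: 20 or more encoded characters in a row counts as a "block".
HEX_RUN_RE = re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}")
UNI_RUN_RE = re.compile(r"(?:\\u[0-9A-Fa-f]{4}){20,}")
HTML_OPEN_RE = re.compile(r"<html\b", re.I)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.I)

def zero_sized(tag):
    """True when an <iframe ...> tag sets both width and height to 0."""
    return all(re.search(ZERO_ATTR.format(dim), tag, re.I) for dim in ("width", "height"))

def scan_page(source):
    """Return (finding, line_number) pairs for signs of injected code."""
    line_of = lambda pos: source.count("\n", 0, pos) + 1
    opened = HTML_OPEN_RE.search(source)
    closes = list(HTML_CLOSE_RE.finditer(source))
    first = opened.start() if opened else 0
    last = closes[-1].end() if closes else len(source)
    findings = []
    for m in IFRAME_RE.finditer(source):
        if zero_sized(m.group(0)):
            findings.append(("invisible-iframe", line_of(m.start())))
        if not first <= m.start() < last:
            findings.append(("iframe-outside-html", line_of(m.start())))
    for kind, rx in (("hex-encoded-run", HEX_RUN_RE), ("unicode-encoded-run", UNI_RUN_RE)):
        findings += [(kind, line_of(m.start())) for m in rx.finditer(source)]
    return findings

# Constructed sample page; hosts are placeholders and the encoded runs are harmless filler.
SAMPLE = (
    '<iframe src="http://unknown.example/x" width="0" height="0"></iframe>\n'
    "<html><body>\n"
    '<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>\n'
    '<script>var a = unescape("' + "%41" * 40 + '");</script>\n'
    '<script>var b = "' + "\\u0048\\u0069\\u0021" * 10 + '";</script>\n'
    "</body></html>\n"
    '<iframe src="http://unknown.example/y" width=0 height=0>\n'
)

if __name__ == "__main__":
    for kind, line in scan_page(SAMPLE):
        print(f"line {line}: {kind}")
```

As the article notes, obfuscated code is not necessarily badware, so a hit means "code to compare against what you placed there", not a verdict.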

Encrypted code is harder to find, because there are no set patterns. However, encrypted code will look like a block of unintelligible text. Even if you are not familiar with JavaScript coding, you will notice that normal JavaScript code on your site uses a syntax based on actual English words. Encoded or encrypted text will look like completely unintelligible blocks of letters, numbers, and symbols.

Check your web logs for references to executable files that you don't recognize. Executable files include files with extensions such as .exe, .bat, .cmd, .scr, and .pif.

While most hacking attacks focus on HTML code, it is also possible for bad software itself to be uploaded onto a poorly secured site. Bad software can include unknown executables (such as files that end in .exe, .bat, .cmd, .scr, and .pif), JavaScript files, or even images uploaded to your site without your knowledge. Sometimes attackers will simply use your website to host badware and link to it from other victim sites. One method for detecting whether you are hosting bad software on your site is to download all of your source code from the live website onto a virtual machine and scan it using an anti-virus or anti-spyware program.

Removing badware from your site

How you should go about removing badware from your site will depend on what kind(s) of badware your site is hosting or linking to. Our general recommendation is to take your website offline while you clean and secure it, to prevent your site's visitors from being unwittingly infected in the interim.

1. If your site is hosting bad software for download

Remove the bad software from your website and don't make it available for download again unless you can be sure that it is no longer badware. You can learn more about what makes a piece of software badware in our guidelines. If you are the creator of the software in question, StopBadware may be able to offer recommendations for bringing your software into compliance with our guidelines.

2. If your site links to badware

Remove all badware links from your website.

3. If ads on your site are linking to badware

Remove all ads that link to badware. If you use an ad network, this may mean removing all the network's ads from your site until you can be sure the network is clean. You may also want to contact your ad provider and let them know that one or more of their ads is causing badware to be linked from your site.

4. If badware is linked in user-generated areas of your site

Remove the badware links from your site. This may involve editing user posts to remove the badware content, or deleting entire user posts.

5. If your site has been hacked

Take the site offline in order to keep from putting your site's visitors and your customers at risk. Then remove all of the offending code and fix all underlying security vulnerabilities before putting your site back online. Finding and removing a specific block of bad code that a hacker has inserted can clean your site for a time, but keeping your site from being infected in the future will require fixing the security vulnerabilities that allowed the hacker to insert the code in the first place. As such, be sure to check for and remove any backdoors left by the attacker. A backdoor will allow an attacker to get back into your site even after you have locked down the site.

Your hosting provider should also be able to help you figure out where the underlying vulnerabilities on your site are, so contacting them should be a top priority if you think your site has been hacked. You can also check your hosting provider's forums to see if any other webmasters using that host have been compromised. Checking user forums for the software used by your site can also help you see if other users have been compromised through flaws in the software, or if there are security updates which your site does not yet have in place.

Preventing badware in the future

1. Check software for badware before making it available for download

See section 1.1 above for general information on badware and our software guidelines.

2. Check links for badware before posting them to your site

See section 1.2 above for general information and our guidelines about badware in links.

3. Use only reputable, conscientious ad providers and regularly monitor them to be sure they stay clean

Make sure your ad network is reputable and actively screens for badware from advertisers. If not, switch and tell them why you switched. Remember that an ad hosted on your site, even if provided by a third party, is still a part of your web page. You should only accept ads from providers that you are confident are diligent about protecting clients from badware. You can use StopBadware's reports as a resource. StopBadware is working to bring the worst ad networks to light by posting reports showing websites that we've seen being victimized by ad providers.

4. Monitor user-generated areas of your site

Make sure your terms of use for posting to forums, blogs, and other user-generated areas of your site explicitly forbid posting links to badware. You may also choose not to allow users to link directly to any form of executable file or to insert JavaScript into forum messages or other user-generated content areas. Then actively monitor these areas of your site for suspicious links or executables. See section 1.2 above for general information and our guidelines about badware in links.

5. Close security loopholes to secure your site against hacking

Some basic steps that can be taken to make your site more secure include the following:

  • Use strong passwords.
  • Use SSH and SFTP protocols, instead of telnet or FTP. Telnet and FTP are both considered insecure because of their use of plain text protocols. They transmit usernames and passwords in a way that anyone with access to the network can read. SSH and SFTP are based on an encrypted protocol which prevents eavesdropping.
  • Scan your site for security vulnerabilities using a vulnerability auditing scanner (both free and commercial versions are available). Use security update management tools to detect missing patches and then apply those patches immediately.
  • Keep up to date on news relating to any software you or your host use on your site, and make sure you are always running the most recent versions, including security patches. Subscribe to, and regularly read, any newsletters or alerts offered by your hosting provider and software providers.
  • Make sure your hosting provider keeps all software updated, including security patches. If they do not, urge them to do so or switch to a hosting provider that you are confident does its best to keep its clients' websites secure.

When your site is clean, secure, and back online, you may want to notify your site visitors about the badware problem, and the steps you've taken to address it. If a user has become infected with badware after visiting your site, knowing what you've found will help them clean up their own computer. And telling your story can help other webmasters deal with similar situations on their own sites. If you'd like to share your story of how you cleaned your site with other webmasters, or would like to share tips for keeping websites secure, please visit our discussion list.

This page is an evolving resource. If you have further questions or suggestions for additions, please join our discussion group and share your ideas.

Copyright © 2022 Sucuri Inc. All rights reserved