Malware alert on thoughtworks.com

We seem to have a shy but annoying piece of malware hanging out on thoughtworks.com. As far as we can tell, it manifests itself as a hidden iframe that redirects you to a site that hosts malware. We’re a bit vague on this, as it only appears rarely so only a couple of people have seen it.

Our biggest sign of it is via Google. Google reported our site on Jan 7th as having problems; we looked into it, didn’t find anything, and Google’s complaint went away very quickly. The flag went up again on Jan 31st and this time they emailed our webmaster. We looked again for a problem, without any success, so we asked them to re-review our site. Since then various Google diagnostics have been raising and lowering the suspicious flag at a dizzying rate. As I write this the site is considered safe, but given the volatility of the opinion, we aren’t sure how things will go. (If you’re concerned you can check Google’s safebrowsing link.)

Clearly this is a bit of malware that’s set to only show itself occasionally, which makes it harder to deal with. The tricky bit is to find out how it’s getting into the site. We’ve checked all our content and not found anything suspicious, but it could be third-party JavaScript libraries, could be our Drupal instance, could even be a problem with our Apache installation - but we don’t know for sure.
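
One way to check saved copies of a page for the symptom described above, a hidden iframe that loads from another site (an added example, not code from the original post; the host names, the sample HTML and the hiding heuristics are constructed assumptions). Because the injection appears only on some requests, it takes several captures of the same URL and reports which ones carry it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed hiding heuristics: CSS that removes the frame from view.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d+", re.I)

def is_hidden(attrs):
    """True if the iframe is sized or styled so a visitor would not see it."""
    for dim in ("width", "height"):
        if re.fullmatch(r"[01](px)?", (attrs.get(dim) or "").strip().lower()):
            return True
    return bool(HIDING_STYLE.search(attrs.get("style") or ""))

class IframeAudit(HTMLParser):
    """Collects src URLs of hidden iframes that load from another site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attrs = dict(attrs)
        host = urlparse(attrs.get("src") or "").hostname  # None for relative URLs
        offsite = host is not None and host != self.site_host \
            and not host.endswith("." + self.site_host)
        if offsite and is_hidden(attrs):
            self.findings.append(attrs["src"])

def audit_captures(captures, site_host):
    """Return {capture label: [suspicious iframe URLs]} for flagged captures."""
    flagged = {}
    for label, html in captures.items():
        audit = IframeAudit(site_host)
        audit.feed(html)
        if audit.findings:
            flagged[label] = audit.findings
    return flagged

# Constructed captures of one URL; only some responses carry the injection.
CAPTURES = {
    "fetch-1": '<iframe src="/embed/video" width="560" height="315"></iframe>',
    "fetch-2": '<iframe src="https://player.cdn.example/v/1" width="560"></iframe>',
    "fetch-3": '<p>Hi</p><iframe src="http://redirector.invalid/in" width="1" height="1"></iframe>',
    "fetch-4": '<iframe src="//redirector.invalid/x" style="position:absolute;left:-999px"></iframe>',
}

if __name__ == "__main__":
    print(audit_captures(CAPTURES, "example.org"))
```

A check like this only sees static markup; an iframe written into the page by script at load time needs the rendered DOM inspected instead.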

We’re investigating this further (including following the recommendations of StopBadware) but haven’t yet found the root cause, although we do have some strong suspects. If you see anything suspicious on our site or would like to pass on any suggestions, please contact Andy Yates.

As far as I know, this problem does not affect martinfowler.com - which is a static site built with my custom scripts, so is less likely to attract such a problem. But do let me know if you see anything.

Martin Fowler: 03 Feb 2011