Malware detected on website, need to remove

My friends website seems to have malware on it, however, I am unsure exactly how to remove it. They are using a javascript which reads from another infected site, and this in turn loads the malware. the function seems to be obfuscated in some way. Also, this javascript is present on any page which I view on the website. Sorry for vague details, but the function starts like this

Code:

---

<!-- Google analitics BEGIN -->

<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

---

After which there is a large section which doesnt make any sense. The main thing is actually finding exactly where they've inserted the function, as its not just inserted simply on index.php. If someone very trusted is willing to help me out, I can discuss more in private.

Quote:

---

My friends website seems to have malware on it, however, I am unsure exactly how to remove it.

---

Why bother?..........................until you have found and fixed the site's vulnerability you are just wasting your time IMO. It would be a bit like banging your head against a wall and taking aspirin because you have a headache?:)

You should be able to recover from an uninfected backup? but it will still come back because you are obviously vulnerable?

For anyone to really help you they will need to visit the site and have a look. I would ask anyone interested to PM shad0w7 to get the relevant information..............thanks :)

Thats not really a problem, because we know how we got hacked, the admin was keylogged... Passwords have been changed,etc, but we still have this problem. Please if anyone is willing to have a look through the code and figure out where its hidden then pm me.

Send me a PM, i'd be happy to spend a lil time checking it out, the Moderator's here can verify i'm trust worthy. :)

edit , actually tell your friend to change the admin password on he's hosting cpanel on a different machine, also tell him to check all FTP accounts and change there' passwords and lock down permission settings on them.

Now he will need to browse he's file manager in he's cpanel account, and manually right click and edit on each file located in the file manager hunder public_html submenu. he will find that every file will have an iframe with the javascript that calls the malware for a drive by install when users visit the website.

also manually check the chmod permissions on each file and correct as necessary.

Personally i would just delete everything in the file manager and up-load a backup that isn't tainted.

in the future don't download programs etc from bittorent and randomly open suspicious programs etc, and keep your firewall and anti virrii defintions upto date and to regular scans.

I could link you to the actual malware but meh i'd prob get banned for infecting n00bs. do'h

The problem is the main owner is away, and we cant get contact with him, so we only have FTP access for now. Also, it is not manually inserted in every page, we have checked. It is somehow inserted in some important function which is called by every page in its source. I will pm you a few details.

BE CAREFUL FOLKS.................THIS MALWARE IS MALICIOUS!:xbones::xbones:

It appears to flash your BIOS and leave you with a brick! :mad: but it doesn't recognise dual BIOS MoBos...............and I did use a pretty cool ARV to go look...........none of the antimalware saw anything!:mad:


shad0w7, I don't know what country you are in mate, but if it is the USA then take the site down and report the problem to the local (State) CIB, the FBI and the Secret Service. Whoever did that is looking at 5 years minimum :lildevil: it is a felony offense:)

Very Interesting