Gumblar.Cn Help
by QG1
7 months ago

Need some help please?

Getting this on a client's site:

Advisory provided by

Safe Browsing
Diagnostic page for afridevo.co.za

What is the current listing status for afridevo.co.za?

Site is listed as suspicious – visiting this web site may harm your computer.

What happened when Google visited this site?
Of the 8 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-20, and the last time suspicious content was found on this site was on 2010-01-20.

Malicious software includes 11 scripting exploit(s).

Malicious software is hosted on 1 domain(s), including gumblar.cn/.

This site was hosted on 1 network(s) including AS2905 (TICSA-).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, afridevo.co.za did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?

No, this site has not hosted malicious software over the past 90 days.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.

Next steps:
Return to the previous page.
If you are the owner of this web site, you can request a review of your site using Google Webmaster Tools. More information about the review process is available in Google’s Webmaster Help Center.
Updated 6 hours ago

©2008 Google – Google Home

by WeWatch
7 months ago

Are you the hosting provider?

If so, you’ll have to scan the entire server for infectious files. Check all .php files for a string that contains:

eval(base64_decode( then a long string of characters.

If you’re not the hosting provider, then you should contact them immediately and have them scan the entire server for the above string.

Here is some further reading on this:

http://blog.unmaskparasites.com/2009/10/23/revenge-of-gumblar-zombies/

http://www.wewatchyourwebsite.com/wordpress/?p=202

Post back here with questions or updates please.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by redleg
7 months ago

Looks like most of the pages have been deleted; the only thing I can still see is that the 404 page being returned is hacked with some obfuscated JavaScript.

by QG1
7 months ago

Any suggestions on finding/fixing it? We are not web developers or a hosting provider, we actually specialize in search engine optimisation, but with the whole harming your site message on Google, we can’t really do anything with regards to optimisation.

by WeWatch
7 months ago

Do you have the entire website downloaded to your computer?

You’ll really need that in order to clean all the files and check them for backdoors.

If so, you can use a free product like grepWin to search for malicious strings and remove them. However, you have to have the exact string first.

If you need outside assistance, please contact me off-list at the email below.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by QG1
7 months ago

Yes, I have FTP access, so I can download the entire site. We are trying to do them a favour so I’m trying what I can to help out. As said earlier, this is not our main line of business, so the whole thing is rather confusing.

by WeWatch
7 months ago

Download the entire site to your computer.

Download grepWin (http://code.google.com/p/grepwin/downloads/list)

Install it.

Then in grepWin use this as your regex search string:

<script language=javascript><!--\s*\(function\(OR5n\)\{var dvk=.*?eval\(uXp\)\}\)\(\/\.\/g\);\s*--><\/script><script language=javascript><!--\s*\(function\(CTuK\).*?\s*--><\/script>

Set your “Search in” to where you’ve downloaded the website to. Click on “Regex search” and set the following:

Search case-sensitive (unchecked)
Dot matches newline (checked)
Create backup files (checked)
Treat files as UTF8 (unchecked)
Limit search:
All sizes (selected)
Include system items (checked)
Include hidden items (checked)
Include subfolders (checked)

Then first time through, just hit Search. Then look at the files in the Search results at the bottom of grepWin.

When you’re ready, hit Replace. Any files listed in the bottom Search results are now clean of that infection. Please keep in mind that this process can only remove one infection at a time. The above search string will only remove the infectious code found in your “Page not found” response page and any other pages that have that same exact malscript.

Then you’re ready to upload those clean files to the website.

If you have questions or updates, please post back here.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
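
The search-then-replace procedure from the reply above, combined with the eval(base64_decode( check from the earlier reply, written as a script. This is an added example, not part of the original posts; the function names, the .bak backup suffix and the two sample files are assumptions, and the payload bodies in the sample are inert placeholders.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Regex from the thread; flags mirror the grepWin settings (case-insensitive, dot matches newline).
MALSCRIPT = re.compile(
    rb"<script language=javascript><!--\s*\(function\(OR5n\)\{var dvk=.*?eval\(uXp\)\}\)\(\/\.\/g\);"
    rb"\s*--><\/script><script language=javascript><!--\s*\(function\(CTuK\).*?\s*--><\/script>",
    re.IGNORECASE | re.DOTALL)
# String from the earlier reply, loosened to allow whitespace. Report only: a hit needs manual review.
PHP_EVAL = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.IGNORECASE)

def scan(root):
    """Dry run (the 'Search' step): map relative path -> list of findings."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix == ".bak":
            continue
        data = path.read_bytes()  # raw bytes, so line endings and encoding are left untouched
        hits = ["gumblar-script"] if MALSCRIPT.search(data) else []
        if path.suffix.lower() == ".php" and PHP_EVAL.search(data):
            hits.append("eval-base64")
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def clean(root):
    """The 'Replace' step: back up each matching file, then strip the injected script."""
    cleaned = []
    for rel, hits in scan(root).items():
        if "gumblar-script" in hits:
            path = Path(root) / rel
            shutil.copy2(path, path.with_name(path.name + ".bak"))
            path.write_bytes(MALSCRIPT.sub(b"", path.read_bytes()))
            cleaned.append(rel)
    return cleaned

def demo():
    """Run scan/clean on a constructed two-file site; payload bodies are inert placeholders."""
    injected = (b"<script language=javascript><!--\n(function(OR5n){var dvk='PLACEHOLDER';eval(uXp)})(/./g);\n"
                b"--></script><script language=javascript><!--\n(function(CTuK){/* PLACEHOLDER */})(/./g);\n--></script>")
    with tempfile.TemporaryDirectory() as root:
        Path(root, "404.html").write_bytes(b"<html><body>Not found</body></html>" + injected)
        Path(root, "index.php").write_bytes(b"<?php eval(base64_decode('UExBQ0VIT0xERVI=')); ?>")
        before, cleaned = scan(root), clean(root)
        return before, cleaned, scan(root), Path(root, "404.html").read_bytes()

if __name__ == "__main__":
    print(demo())
```

Files flagged only as eval-base64 are left unmodified, since that string alone does not identify which code to remove.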

by QG1
7 months ago

Thank you so much for the assistance. So far so good, looks like all the code is replaced now, got the site verified by Google, and submitted for review, will give feedback as soon as they reply.

by QG1
7 months ago

Gentlemen, you are all legends, all is fixed now and Google is happy again. Thank you very, very much.

Followed your instructions to the letter Thomas, and that did the trick.
