Hi,
I have several sites on one host and all of them were attacked with malware (an iframe issue inside all my .html, .php and .js scripts).
On all my infected sites, I have deleted the database, deleted all files on the server and uploaded everything again. I have changed all passwords and then requested a review on stopbadware.org; they have seen that the sites are no longer infected and they have removed the alert.
All my sites are working fine now except one. When I upload blank.html to my server I still get the alert, but the site is empty, without ANY file on the server, and stopbadware.org is showing that this site is no longer infected.
Why is it still showing this alert?
On my previous sites I have done the same steps; all my actions and “healing steps” were the same, so why is the alert showing here again, while my other sites are still OK, with many .html, .php and other files on them?
Thanks
It looks like a new scan was processed today, and I do not see “This site may harm your computer” in the search results.
The current, updated Safe Browsing Report says that the site is not currently suspicious.
http://www.google.com/safebrowsing/diagnostic?site=www.duga-vrtic.hr
Please try now. I have uploaded an index.html that is empty, just with 2 lines of text. This is what I get when I click on “d0lphin.biz” inside the “this site may harm your computer” screen:
“What is the current listing status for d0lphin.biz?
Site is listed as suspicious – visiting this web site may harm your computer.
What happened when Google visited this site?
Of the 8 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-08-24, and the last time suspicious content was found on this site was on 2009-08-24.
Malicious software includes 115 exploit(s), 84 trojan(s).
This site was hosted on 1 network(s) including AS8584 (BARAK).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, d0lphin.biz did not appear to function as an intermediary for the infection of any sites.”
Now, on the self-diagnostic, I also get this:
“What is the current listing status for www.duga-vrtic.hr?
This site is not currently listed as suspicious.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 5 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-08-24, and the last time suspicious content was found on this site was on 2009-08-03.
Malicious software is hosted on 2 domain(s), including q5m.ru/, bigappletopworld.cn/.
This site was hosted on 1 network(s) including AS15456 (INTERNETX).”
You have a malscript right after your opening body tag.
It starts with: < sc rip t>q="=hgs…</s cr ipt>
This obfuscated code creates an infectious iframe that points to d0lphin. biz.
You might have a virus on your PC since you stated that you removed this page from your site, then added it back again.
These viruses know how to steal FTP credentials – usernames and passwords – by a few different methods.
First, the virus knows which files the popular FTP programs store their saved passwords in. The virus searches for those files, steals all FTP credentials and sends them to a server controlled by the cybercriminal.
Second, the virus can also view the FTP traffic as it leaves your PC and sniff the FTP credentials that way, because FTP transmits all data in plain text.
Third, the virus can use the infected PC to inject its malscripts into the FTP traffic as it leaves your PC. This is evident in the logs we’ve seen where the only FTP traffic was from a known source.
Fourth, the virus is also a keyboard logger. This allows the virus to steal all login information as you type it on your keyboard.
The viruses have been fast and furious and able to evade detection when they are first released, and then they’re smart enough to detect the current anti-virus software and evade detection from there as well.
What you need to do is install a new anti-virus program on each PC with FTP access to your site – even outside developers’ PCs, if you use any.
Many have had good success with the free versions of AVG, Avast, Avira or Malwarebytes. If you already use one of these, then select another to install, but it has to be something different from what’s currently being used.
Then scan each PC and remove any and all viruses and trojans.
Then you can upload clean files to your site if you have a good clean back-up. If you don’t have a known good back-up then you’ll have to edit each file. These malscripts are usually only in index.* files and are inserted immediately following the opening body tag and are iframes so they’re easy to spot. Remove the entire iframe from start tag to end tag.
Then you can upload to your site. Your site has probably been flagged by Google, so you’ll have to log in to your Google Webmaster Tools and request a review – not a reconsideration, but a review.
Then just wait. You should be clean after that.
We have blogged about this: http://www.wewatchyourwebsite.com/wordpress/?p=228
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
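The injection pattern described above (a script or iframe dropped directly after the opening body tag, usually sized to zero or hidden) is easy to check for mechanically. The following scanner is an added example, not code from this thread or from We Watch Your Website; the file names, the `example.invalid` domain and both sample documents are constructed, and `served_differs` is a hypothetical helper for the thread's symptom of a blank file on disk that is still served with the script.

```python
import re
from pathlib import Path

# Script or iframe sitting directly after the opening <body ...> tag
AFTER_BODY = re.compile(r"<body\b[^>]*>\s*<(script|iframe)\b", re.IGNORECASE)
# Iframes sized to zero or styled invisible: the usual shape of a drive-by iframe
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(width\s*=\s*[\"']?0|height\s*=\s*[\"']?0"
    r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>",
    re.IGNORECASE | re.DOTALL)

# Constructed samples (not taken from the infected site)
CLEAN_SAMPLE = "<html><body>\n<h1>Vrtic</h1>\n<p>Hello</p></body></html>"
INFECTED_SAMPLE = (
    '<html><body><script>q="=hgs`ld!rsb...";eval(q)</script>\n'
    '<iframe src="http://example.invalid/x" width="0" height="0" '
    'style="visibility:hidden"></iframe>\n<h1>Vrtic</h1></body></html>')


def find_injections(html):
    """Return a list of finding strings for one HTML document (empty if clean)."""
    findings = []
    if AFTER_BODY.search(html):
        findings.append("script/iframe immediately after the opening <body> tag")
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append("hidden iframe: " + m.group(0)[:80])
    return findings


def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Walk a site directory and map each suspicious file path to its findings."""
    report = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in exts:
            hits = find_injections(p.read_text(errors="replace"))
            if hits:
                report[str(p)] = hits
    return report


def served_differs(on_disk, served):
    """True when the page the web server returned is not what is on disk; that points
    at injection happening outside the file itself (hypothetical helper)."""
    return on_disk.strip() != served.strip()


if __name__ == "__main__":
    print("clean sample:", find_injections(CLEAN_SAMPLE))
    print("infected sample:", find_injections(INFECTED_SAMPLE))
    print("served differs:", served_differs(CLEAN_SAMPLE, INFECTED_SAMPLE))
```

Run `scan_tree("/path/to/site")` over a local copy of the site before re-uploading it, and feed `served_differs` the file content and the HTML fetched from the live server to tell a re-infected file from an injection happening elsewhere.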
Thanks for this great response. I am quite sure that I do not have a virus on my computer, because I am using Mac OS. I suppose you know that all of these viruses are written for the Windows platform, so they can not “survive” on Mac OS. They can not enter a Mac either, so they can not be distributed from that computer and can not infect anything on my MacBook.
Everything now I am doing through my MacBook (Mac OS), but this site was infected by another (Windows) computer.
I have removed this index.html from the site, so that it can’t harm this site even more; also, I will run some tests through Google Webmaster Tools.
Also, I will change all my passwords again.
Thanks a lot to all of you.
Um, don’t be so sure about Macs:
http://voices.washingtonpost.com/securityfix/2009/08/malware_writers_will_that_be_o.html
This is just one article out of many that report on the new target of hackers being Macs, because so many people have the belief that “I have a Mac, therefore I cannot be hacked”.
You should download some Mac anti-virus software and run it just to be sure.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
Do you know what this script on [ www .duga-vrtic .hr ] does?
<scr>q="=hgs`ld!rsb<iuuq;..e1mqih . . .
Something related to that page is referencing [ d0lphin .biz ] which is bad.
Edit: I see I wasn’t quick enough … you are in good hands with WeWatch. :-)
Edit again: To add one more thing. At the present time, Google is not flagging your site. Your browser is alerting you to a cross-site scripting issue. As long as Google does not flag your site with “This site may harm your computer” in the search results, you will not need to “Request a Review” through Webmaster Tools.
Removing this script, and preventing it from coming back, should clear the browser warning.
I have looked at my index.html and there was none of this:
<scr>q="=hgs`ld!rsb<iuuq;..e1mqih . . .
or any other strange code. There was only my code, my “normal” index that I have made through Dreamweaver with two lines of text.
I have tried now in Webmaster Tools; my site is verified and it seems that everything is OK.
I hope that tomorrow or in the coming days this warning will disappear… =(
Thank you all for this help! ;)
Damn! (Sorry for my bad word.) I am really pissed now. I have checked on every site (unmaskparasites.com, stopbadware.org, etc.) and the site is clean. When I upload a BLANK html file, I get the error like I have posted to you before…
Should I contact Google, or can I fix this by inserting a robots.txt and blocking everything inside Webmaster Tools?
EDIT: btw, I have changed all my passwords again just to be sure…
You’re no longer on Google’s blacklist, but when I visit your index.html page I still see the code from above which is malicious.
Where are you seeing this error?
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
I have removed index.html.
It is still the same d0lphin.biz problem. Like I said, index.html was blank; I will upload it again blank and you will see the error. Sorry for all this trouble, but I do not understand this. I have checked my computer, no viruses; also, every day I am working with 2 more sites and they are still clean, so that means my computer is really malware-free.
I do not know what to do anymore… =)
(OK, I have uploaded a blank index.html to www.duga-vrtic.hr)
I see the empty webpage, but it has the d0lphin.biz code from above again. That is the only text in the page.
I’ve checked other sites on the same server as yours and I don’t see the same infection.
Can you contact me off-list so we can get this resolved faster? I am curious and know you’re frustrated so I’d like to help you get this resolved.
Thank you.
Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com
THOMAS IS THE MAN!!!! I can not believe that persons like this still exist! HE WAS HELPING ME PERSONALLY AND HE GAVE HIS OWN PERSONAL TIME TO HELP ME!!!
AND HE DID! HE MANAGED TO HELP ME!!!
Many, many, many thanks to Thomas! If you need malware help, this is the forum/site where you will get it!
My site is clean now and I can not describe my happiness! Thomas, thank you 1000000 times and more.
THANKS!
Pejo from Croatia
pejo@humagum.com