avast says that my site is infected

system · January 10, 2010, 1:22am

hello, I’m using Avast 4 antivirus says that my site has a trojan. I checked it and is clean, I also did tests with some antivirus websites and did not detect any threat. This happens to me and all users of my site using Avast. Moreover, this problem is random, not always detect an infection.
this is my website: http://www.hardware-tech.com.ar/

Sorry for my english,
best wishes,
Nicolas

system · January 10, 2010, 1:40am

Welcome

Can you make the link non-clickable by changing www to wxw to prevent other people accessing the site.

Please read:
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414/

system · January 10, 2010, 1:46am

Hi masterl1nk, welcome to the forum

Could you please modify your link to make it unclickable (i.e. chage http to hXXp) to prevent others potentially becoming infected. (like I have done in the code box.

This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

Unfortunately it would appear that an image file has been hacked. When visiting the site I get:

1/10/2010	1:40:49 AM	1263087649	SYSTEM	1512	Sign of "HTML:IFrame-IG [Trj]" has been found in "hXXp://www.hardware-tech.com.ar/styles/melankolia/theme/images/portal/portal_link_us.png" file.

You will see in the image I posted that there is a script in what looks to be a fake 404 error page…which seems to be disguised as the .png file.

A post worth reading by DavidR

DavidR post:2:

Actually cleaning the file is not going to resolve why you got hacked it will only clean the file (well avast doesn’t clean the file just alerts to it, you have to find and strip out the injected code) and not the cause, you need to contact your host, see below.

– HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:

check all index pages for any signs of java script injected into their coding. On windows servers check any “default.aspx” or
“default.cfm” pages as those are popular targets too.

Remove any “rouge” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

Check all .htaccess files, as hackers like to load re-directs into them.

Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
“strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

-Scott-

ShiwLiang · January 10, 2010, 3:13am

I’ve tried to enter Avast 5.0 didn’t said anything
Plus WOT rate his website as unknown

avast says that my site is infected

Announcements