Thanks for prompt and helpful responses!
In future, I’ll be mindful of inserting xxx in URLs.
Busy as she was with Store glitches, our webmaster DID manage to clean up, and I too was able to reach the site with no warning from Avast! a few minutes ago.
Here’s what she said:
1- It is prudent to avoid visiting any site your browser warns you
about. The hidden links that were on the nyng.org site were most likely
there in order to make third-party sites look more legitimate and
popular to search engines when they indexed the site. They may also have
simulated “clicks” on ads, a way for unscrupulous website owners to
generate ad income.
All of the links have been cleaned and you should no longer get any
warnings. Sometimes it is useful to hold Shift while reloading the page
in order to ensure that your browser does not use cached data.
2- One site, “unmaskparasites.com”, seems to have the most comprehensive
account of the particular attack that has affected sites in the past few
days. The likely goal was ad revenue generation. It is important to note
that all of the payment information is handled on PayPal’s site. Our
store keeps track of who paid (and does not seem to have been affected
in any way), but does not hold onto or use any of the financial
information that would be valuable. In other words, credit card numbers,
PayPal account access, etc., are all handled by PayPal, which maintains
their site as carefully as any bank.
3- There were additional legacy scripts and programs used for generating
dynamic parts of the site such as registration forms, and these may have
been the vector. Unlike static web pages, dynamic ones have execution
privileges, meaning that they are like small applications, and
something sufficiently out of date may have had a vulnerability that
was widely known. This was likely an automated attack that found any
website with these old scripts, then exploited them.
According to the timestamps on files it looked like they were doing this
in the middle of the night. All of the legacy code we are no longer
using has been completely removed, and there was no evidence of any
attempts to make changes last night.
4&5- The site is not currently affected, and it seems that the
vulnerability has been closed. There are other services such as Google
webmaster tools which will alert you if your site shows evidence of any
similar new attacks in the future, and that service has been enlisted.
6- It is possible that a sophisticated hacker captured the password to
gain the ability to edit files. The nature of the edits looked like an
automated program, and the nyng site is a relatively low value site for
someone to exert significant effort. Regardless, the password has been
changed. Additionally, this computer has anti-virus software that is up
to date, and the timestamps on edited files were at different times
than legitimate edits were made.
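
The two signs the webmaster describes (files edited in the middle of the night, and hidden links to third-party sites) can be checked together across a web root. The following is an added example, not part of the original post or the webmaster's own tooling. It assumes the links were hidden with inline CSS (the post does not say how), an off-hours window of 00:00 to 05:00 UTC, and a constructed host name and sample files.

```python
import os, re, tempfile
from datetime import datetime, timezone
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse
# Assumption: links were hidden with inline CSS; the post does not say how.
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags with no end tag

class HiddenLinkFinder(HTMLParser):
    """Collect off-site hrefs that sit inside an element hidden by inline CSS."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host, self.stack, self.hits = own_host, [], []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = bool(HIDDEN.search(a.get("style") or "")) or any(h for _, h in self.stack[-1:])
        host = urlparse(a.get("href") or "").hostname
        if tag == "a" and hidden and host and host != self.own_host:
            self.hits.append(a["href"])
        if tag not in VOID:
            self.stack.append((tag, hidden))  # children inherit the hidden state
    def handle_endtag(self, tag):
        tags = [t for t, _ in self.stack]
        if tag in tags:  # pop through the matching open tag, tolerating unclosed ones
            del self.stack[len(tags) - 1 - tags[::-1].index(tag):]

def audit(root, own_host, night=(0, 5)):
    """Map relative path -> (changed_off_hours, hidden_links) for suspect files."""
    report = {}
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        hour = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc).hour
        finder = HiddenLinkFinder(own_host)
        if path.suffix.lower() in {".html", ".htm", ".php"}:
            finder.feed(path.read_text(encoding="utf-8", errors="replace"))
        if night[0] <= hour < night[1] or finder.hits:
            report[path.relative_to(root).as_posix()] = (night[0] <= hour < night[1], finder.hits)
    return report

def demo():
    """Constructed sample files: (name, body, hour of last edit in UTC)."""
    bad = '<div style="display:none"><p><a href="http://ads.example/x">x</a></p></div>'
    samples = [("index.html", '<a href="/join">Join</a>', 12),
               ("register.php", bad, 3), ("notes.txt", "minutes", 2)]
    with tempfile.TemporaryDirectory() as root:
        for name, body, hour in samples:
            Path(root, name).write_text(body, encoding="utf-8")
            ts = datetime(2024, 1, 15, hour, tzinfo=timezone.utc).timestamp()
            os.utime(Path(root, name), (ts, ts))
        return audit(root, "www.example.org")
```

Modification times can be reset by anyone with write access to the files, so an off-hours hit is a lead to compare against server logs, not proof of tampering on its own.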