Hello everybody,
One of my client's sites was hacked into and malware was put on it, which Avast! alerted me to, and I aborted the script. How do I clear the Avast! web scanner cache so that I can rescan the site? I know it doesn't rescan an infected domain after the script is aborted, because I've visited the site more than once, and it only scanned it the first time and never again after I aborted. Please advise. Thank you very much.
The web scanner doesn't have a cache as such; it scans files in the avast4 folder wherever your Windows Temp is located. These files begin with unp, followed by a string of numbers and .tmp. After avast has scanned the file and it is found to be clear, it is removed. Should a file be considered infected, avast alerts and you get the Abort Connection pop-up; once you click on that, the unp123456.tmp file is also removed from that folder.
Clear your browser's cache (temporary internet files). However, nothing should have got into the cache if it was detected by the web shield, but if your browser uses your cache to load the site again, it may well load without alerting, as the infected element won't be in the cache…
Thanks for your reply. I did clear my cache and all temporary files using CCleaner, and it deleted all temp and cached files, but that didn't cause Avast to alert me when I went to the web page again. I had been to the page about a week ago, and it alerted me to the virus; then it didn't for a few days when I went to the site, because it was automatically blocking the spyware. But then after a few days it alerted me again, and again I clicked abort and it stopped warning me for a few days, but eventually alerted me again. So there is an expiration or something that I need to reset so I can do trial-and-error testing. Thanks again for your reply.
I think it more likely that simply cleaning the site of the hacked entries only lasts for a short period of time before it gets hacked again.
If the underlying reasons for how it got hacked in the first place aren't resolved, it will happen again and again.
This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts. I suggest the following clean up procedure for both your accounts:
1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers, check any "default.aspx" or "default.cfm" pages, as those are popular targets too.
2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
3. Check all .htaccess files, as hackers like to load re-directs into them.
4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
Also see Tips for Cleaning & Securing Your Website: http://www.stopbadware.org/home/security.
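The first three steps of the host's clean-up procedure quoted above (injected script in index pages, rogue PHP uploads, redirecting .htaccess files) can be turned into a quick triage pass over a web root. The script below is an added example for this thread, not the host's or Avast's own tooling; the regexes, the directories treated as static-only (uploads, images), the 7-day window for "recently changed PHP" and the output format are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example (not from the original thread): triage a web root for the
# indicators the host's clean-up procedure lists. Patterns, directory names
# and the day window are assumptions; tune them for the site in question.

# Obfuscated PHP droppers and injected iframes/scripts commonly found in
# compromised index pages (assumed patterns, case-insensitive).
INJECT_RE='eval\((base64_decode|gzinflate|gzuncompress|str_rot13)\(|<iframe[^>]*(width|height)="?0|document\.write\(unescape\(|preg_replace\([^)]*/e'

# .htaccess directives that send visitors to an absolute URL (a redirect
# planted by an attacker rather than a relative rewrite).
HTACCESS_RE='^[[:space:]]*(Redirect(Match|Permanent)?|RewriteRule|ErrorDocument)[[:space:]].*https?://'

# scan_webroot DIR [DAYS]: print one finding per line as KIND<TAB>path.
# Returns 0 when nothing was found, 1 when there is something to review.
scan_webroot() {
    root=$1
    days=${2:-7}
    findings=$(
        # 1. Script injected into index/default pages (checked on every page
        #    and PHP file, since injections are rarely limited to index).
        find "$root" -type f \( -name '*.php' -o -name '*.html' -o -name '*.htm' \
            -o -name 'default.aspx' -o -name 'default.cfm' \) \
            -exec grep -Eil "$INJECT_RE" {} \; | awk '{print "INJECTED\t" $0}'

        # 2. Rogue scripts: PHP where only static content belongs, and PHP
        #    changed in the last DAYS days (legitimate updates show up too;
        #    diff those against a known-good copy).
        find "$root" -type f -name '*.php' \
            \( -path '*/uploads/*' -o -path '*/images/*' \) \
            | awk '{print "PHP_IN_STATIC_DIR\t" $0}'
        find "$root" -type f -name '*.php' -mtime "-$days" \
            | awk '{print "RECENT_PHP\t" $0}'

        # 3. .htaccess files that redirect visitors off-site.
        find "$root" -type f -name '.htaccess' \
            -exec grep -Eil "$HTACCESS_RE" {} \; \
            | awk '{print "HTACCESS_REDIRECT\t" $0}'
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage: sh scan_webroot.sh /var/www/example.com [days]
if [ $# -gt 0 ]; then
    scan_webroot "$@"
fi
```

Run it over the live document root or over a downloaded copy of the account. Every hit needs a human look (some legitimate plugins also call base64_decode, and a recent PHP file may simply be an update), and a clean run is not proof the site is clean; it is the checklist in the quoted procedure, automated so it can be repeated after each clean-up and after the passwords have been changed.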