Image search brought a sign of 'HTML: iFrame - KU [Trj]'

Hi malware fighters,

While I clicked a site link from a search query on BLING image search, it landed me on www dot guylumbardot dot com, where I was flagged for a {gzip} file and feed/atom/ and feed/rss/{gzip} file; analyzing with unmasked parasites I found:
1 suspicious inline script found

$a="Z63dZ3dZ22tZ253dsZ2574+Z2553Z2574Z2572inZ2567.Z2566roZ256dChaZ2572CodZ2565(Z2528tZ256dp.cZ25Z22...

1 hidden external link found hidden podPress (v8.8) - htXp://www.mightyseek.com/podpress/

The avast webshield let me disconnect of course, various linkcheckers gave the site an all green -

iFrame - KU [Trj], or Trojan-Downloader.JS.Twetti.a, in 17th place on viruslist.com, is a very interesting example of cybercrime creativity. Lots of legitimate sites have been infected with this malware and it’s worth taking a closer look at how it works. Once decrypted, there is no trace of a link to the main executable file and no exploits or links to them! Analysis shows that the script uses an API (application programming interface) popular with both cybercriminals and Twitter,

polonus

Hi. I have this Trojan on my site. How do I delete it? Please help me! I’m going crazy!

You really should have started your own new topic, so we can deal with your question in isolation. I have given some basic information that should put you on the right path. If you need anything else, you should start a new topic and answer the question in that post.

What is the URL detected?
Please ‘modify’ any URL you post: change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

  • This is commonly down to old content management software being vulnerable (PHP, Joomla, WordPress, SQL, etc.); see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
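The host's clean-up list above (injected script in index pages, redirects planted in .htaccess, freshly uploaded PHP files) can be turned into a quick read-only triage scan. This is an added example, not code from the thread or from the host; the web-root layout, the file patterns and the 7-day window are assumptions, and the sample site it builds is constructed, not real infected content.

```shell
#!/bin/sh
# Added example: read-only triage of a web root for the three signs the host's
# clean-up list names. Nothing is modified; findings are printed one per line.

# Constructed sample site so the scan can be run offline (not real infection).
make_sample_site() {
    d=$(mktemp -d)
    mkdir -p "$d/blog"
    printf '<html><body>Hello</body></html>\n' > "$d/blog/about.html"
    # index page carrying an obfuscated inline script, like the $a="Z63d..." one above
    printf '<html><body>Hi<script>$a="Z63dZ3dZ22t";eval(unescape($a));</script></body></html>\n' \
        > "$d/index.html"
    # .htaccess with a planted redirect rule (destination is a placeholder)
    printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R,L]\n' \
        > "$d/.htaccess"
    # a PHP file that appeared recently (mtime = now), i.e. a possible rogue upload
    printf '<?php echo "x"; ?>\n' > "$d/blog/tmp_upload.php"
    echo "$d"
}

# scan_webroot ROOT: print tagged findings for a human to review.
scan_webroot() {
    root=$1
    # 1. index / default pages containing inline <script> or <iframe> markup
    find "$root" -type f \( -name 'index.*' -o -name 'default.*' \) \
        -exec grep -liE '<(script|iframe)[^>]*>' {} + 2>/dev/null \
        | sed 's/^/injected-markup: /'
    # 2. .htaccess files carrying redirect / rewrite / error-document directives
    find "$root" -type f -name '.htaccess' \
        -exec grep -liE '^[[:space:]]*(Redirect|RewriteRule|ErrorDocument)' {} + 2>/dev/null \
        | sed 's/^/htaccess-redirect: /'
    # 3. PHP files modified in the last 7 days (assumed window; tune to the site)
    find "$root" -type f -name '*.php' -mtime -7 | sed 's/^/recent-php: /'
}

# Usage on a real site (assumed path): scan_webroot /var/www/html
```

Every hit still needs a human look: a legitimate index page may carry its own script tag and a legitimate .htaccess may rewrite URLs, so the output is a review list, not a verdict.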

I’m sorry :-[

I found three index.html files infected by the trojan and I have deleted them.
I have also removed a JavaScript in index.php but the error is still there. When I go on my site Avast finds the trojan.

How can I find the trojan?

Sorry for my bad English and for not having opened a new thread

EDIT: I solved it. I had not deleted all the JavaScript; now all is ok. Thank you very much! ;D

You’re welcome.

But simply removing the infected code will be only half of the problem. You have to close the vulnerability that allowed the pages to be infected (the quoted text in my last post).

Take away and switch some of the letters, and you get: gumblar. Coincidence?