My blog developed a problem and I deleted it. However, I lost connection and part of the blog was left up. After a while I found out someone had hacked in with iframe:inf. I completely removed the folder on my website, deleted the DB and all users connected to it. Basically it is gone.
I use IE8 and have completely cleaned out my cache.
Yet when I go to the blog I get a virus warning; on another PC I get 404 not found???
What should I check for this error message…as it definitely isn’t the site.
And exactly what does the browser you use have to do with a site having been hacked? Answer: nothing.
If you think what you post will provoke a flame war then don’t post it, especially when it isn’t relevant to the problem.
@ DaveBenn
This is commonly down to old content management software being vulnerable: PHP, Joomla, WordPress, SQL, etc. See this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load redirects into them.
Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
What is the URL of the blog?
When you post it, ‘modify’ the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
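A sketch of the host's checks above (index pages, rogue PHP scripts, .htaccess files), added here as an example and not part of the original thread: it walks a copy of the web root and flags files that match a few heuristic patterns. The rule names, patterns and sample file contents are assumptions made for illustration.

```python
import os
import re

# Heuristic patterns chosen for this example; every hit needs manual review.
PAGE_RULES = {
    "hidden-iframe": re.compile(
        r"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "obfuscated-js": re.compile(
        r"(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)", re.I),
    "php-eval-decode": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate)\s*\(", re.I),
}
HTACCESS_RULES = {
    "conditional-redirect": re.compile(
        r"RewriteCond\s+%\{HTTP_(?:REFERER|USER_AGENT)\}", re.I),
    "external-target": re.compile(
        r"^\s*(?:Redirect(?:Match)?|RewriteRule|ErrorDocument)\b.*\shttps?://", re.I | re.M),
}
PAGE_EXT = (".php", ".html", ".htm", ".js", ".aspx", ".cfm")

def scan_text(name, text):
    """Return the sorted labels of every rule that matches one file's text."""
    rules = HTACCESS_RULES if name == ".htaccess" else PAGE_RULES
    return sorted(label for label, rx in rules.items() if rx.search(text))

def scan_tree(root):
    """Walk a web root and map relative path -> labels for files with hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if fn != ".htaccess" and not fn.lower().endswith(PAGE_EXT):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fn, fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

# Constructed sample contents (not taken from the site in this thread).
SAMPLES = {
    "index.php": '<body><iframe src="http://bad.example/" width=1 height=1></iframe>',
    "404.html": "<script>document.write(unescape('%3Cb%3Ehi%3C/b%3E'))</script>",
    "about.html": "<body><iframe src='/map.html' width=600 height=400></iframe>",
    ".htaccess": "RewriteCond %{HTTP_REFERER} google [NC]\n"
                 "RewriteRule .* http://bad.example/ [R,L]\n",
}

if __name__ == "__main__":
    print({name: scan_text(name, text) for name, text in SAMPLES.items()})
```

For a real account, call `scan_tree()` on a downloaded copy of the web root; a clean result only means none of these few patterns matched, not that the account is clean.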
Other PC in my house gets a 404. If you get a warning, then maybe it is an actual server error and not a problem on my machine as you have Avast and my other PC doesn’t.
According to this there is an external reference on your site to this site: squidoo.com and Google Safe Browsing says, so there is a malicious script on that site.
Try removing it temporarily and check with avast again.
Thanks for spotting that, but WHERE is it? The entire folder is deleted from the server, the DB is deleted and no users left. So where is that iframe to be deleted from?
Superb!! Fixed it. Some low crawling scumbag has hacked my website and obviously left one of those in the standard 404 page. They also screwed all the index pages which I am working through now.
No alert in Firefox 3.6.2, so presumably this post was before clearing out the critter. I just get the standard HTTP 404 error and not any custom 404 page, which is regularly hacked also.
It is always better to use an image when pointing out code, even if you have edited the http, as the whole page is scanned in text mode by the web shield (the network shield may also be hunting out domain names in its list) and it could well alert on inserted samples, see image.
So, what is this software that lifts the source code? I have JS:Illredir-AK splattered all over my server, so would like to see if I can find it without having to check every single page.
I have one major problem with a site that is 95% PHP so will take decades to check every file.
Thanks for the suggestion sir DavidR. I will surely do that next time. You had once, previously, warned me regarding this. Will surely take care of it next time.
@ DaveBenn
Well, the software which I use can't help much in cleaning up stuff on your site. I guess there are others. I will ask one of my forum friends to help you in this regard. So kindly wait.
There is this script there and this has/had a suspicious history:
hxtp://s9.addthis.com/js/widget.php?v=10
Last time suspicious behavior was found there was on 2010-03-06.
This site was hosted on 23 network(s) including AS20940 (AKAMAI), AS1299 (TELIANET), AS7843 (ADELPHIA). Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 4 domains, including recipeeworld.com/, mapsofworld.com/, mensherbalpills.com/. Comments for these sites: "People, you should go on that site, they want people to see it and then catch a virus", that is clear as it is, isn't it?