I’ve downloaded the entire site. Searched (Windows and grep) for anything looking like the url above, and cannot find anything. I’ve included all .html, .php, .js files and have used pieces (e.g. cinn, .ru, fason, nex, etc).
I bought the full version of avast! Have done all the upgrades on Windows 7 64bit, Explorer 9, and Firefox 9. The blocked url does NOT occur on my 32 bit Windows XP Pro, Explorer 8, FireFox 9 system.
The site was recently altered (today… using WebSite Builder @ Network Solutions) to use a new Template and I’ve also added the javascript and links to include nsSafe monitoring and SSL Assurance.
This wouldn’t bother me too much if it weren’t my own site… I’m at a loss on what to look for going forward. Any help would be greatly appreciated. I can always restore a previous version and start over on the alteration, but …
I have an image on one of the pages with a link: (Copied from page in Firefox using Firebug)
Clicking on this link will produce a Firefox “Reported Attack Page!” for the url=“cinnex.ru/fason/index.php”
Also do not post potentially malware code in the forum, as those entering may get a virus warning from it…so please remove it
if you want to post code, take a screen shot of it and attach the screen shot
Funny thing… I went back to the XP box and found that during page loading the mal url IS showing up in the flashing downloading connections at the bottom of Firefox, but avast is NOT blocking it!
Late last night I decided to restore a backup copy of the site. Everything worked as expected then! But this morning, I now have the same mal url and a new one has appeared.
I have found that by using the site address above and navigating to Support and trying to download the PDF file (which does NOT exist) that a mal url is generated and caught by avast!
Here you can see why it is being blocked and why it is given as infected:
)failure: <urlopen error [Errno -2] Name or service not known> http://sitecheck.sucuri.net/results/http://kaup.com
This error happens when your hosting company disabled your site due to security or payment reasons.
I have six friends who have “used the site” and have no problems. The PDF link on the Support page even does what it is supposed to… No File Found. So the consensus seems to be that I have two computers that are infected with the same malware.
It was advised that I run some more anti virus, rootkit software…
I have run avast! in Safe Mode.
Malwarebytes
TDSKiller
All with no incidents. Any other ideas would be greatly appreciated.
When going to the site with GoogleChrome I get a GoogleSafeBrowsing warning page with an alert for malware being detected, kaup dot com contains parts of cinnex dot ru, a site known to distribute malware. For me that is enough not to visit the site or ignore that warning. How can your 6 friends say that they can normally visit the site, if they had not circumvented that general Google warning page? It is true that I do not get the warning with the Internet Explorer browser. Are you aware that miscreants make browser-dependent malware, that only will infect certain browsers, so we would end up in a discussion like we have here. If GoogleSafeBrowsing listing of your site is false, you should take up the matter with them and you are barking up the wrong tree.
For the moment because of the following scan results I cannot say the site is clean. See for yourself why your website is listed as a malware site (also for Google UA): http://sitecheck.sucuri.net/results/http://kaup.com/
Malware is on your website: This attack uses the .htaccess file to redirect users to a site serving malware (or spam). In some cases, the index.php is also modified to do the redirection as well. Remove offending code from .htaccess and/or index.php or ask this to be performed for you.
When I run a Fiddler session under my browser and then try to go to your website, I get this,
that is what is being alerted when the Google Safebrowsing alert page is being shown! See attached image of what fiddler caught,
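Added example, not part of any post in this thread: the file search described in the first post covered .html, .php and .js files, while the scan result quoted above points at .htaccess, so this sketch shows one way to check a downloaded .htaccess for directives that send visitors off-site, and whether the rule only fires for certain referrers or browsers. The function name `scan_htaccess`, the sample file and the hostnames are constructed for illustration; ErrorDocument is included because Apache accepts an external URL there.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess (not taken from the site in this thread).
SAMPLE = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo).* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (Firefox|Chrome) [NC]
RewriteRule ^(.*)$ http://redirect-target.example/in.php [R=301,L]
ErrorDocument 404 http://redirect-target.example/in.php
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
Redirect 301 /shop http://www.mysite.example/store
"""

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
COND_VAR_RE = re.compile(r"%\{(HTTP_REFERER|HTTP_USER_AGENT)\}", re.I)
DIRECTIVES = ("rewriterule", "redirect", "redirectmatch", "errordocument")


def scan_htaccess(text, own_hosts):
    """Return (line_no, directive, host, condition_vars) for off-site targets."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive == "rewritecond":
            # Conditions apply to the next RewriteRule only; remember them.
            pending += [v.upper() for v in COND_VAR_RE.findall(line)]
            continue
        if directive in DIRECTIVES:
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in own:
                    conds = pending if directive == "rewriterule" else []
                    findings.append((no, directive, host, sorted(set(conds))))
        if directive == "rewriterule":
            pending = []
    return findings


if __name__ == "__main__":
    for no, directive, host, conds in scan_htaccess(SAMPLE, {"www.mysite.example"}):
        note = f" only when {', '.join(conds)} matches" if conds else ""
        print(f"line {no}: {directive} sends visitors to {host}{note}")
```

Pass every hostname the site legitimately redirects to in `own_hosts`; anything else that is reported deserves a manual look at the surrounding lines of the file.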