Virus at homepage

Hello everyone :slight_smile:

Users of my homepage reported that they got a virus (malware) from my homepage. It seems to be a program which simulates that other infections happened and tries to sell a program called Vista Total Security.
I have avast and avast reported: Malware blocked, Infection: HTML:Iframe-inf.

I used http://www.unmaskparasites.com/ for a check and got the following message back:
External References

  • rthlsinks.cz.cc suspicious - displaying 1 of 1

It still shows on Sucuri as infected, with Malware entry: MW:JS:488 http://sucuri.net/malware/malware-entry-mwjs488

The redirect link looks dead

Why this happens if you have removed the website… I have no idea.

You should make the redirect link you posted above unclickable: edit the post and change http to hxxp.

Same attack, “Web Attack: Blackhole Toolkit Website detected”, discussed here: http://dingwallguitars.com/community/viewtopic.php?f=17&p=20265&sid=fa85414eb80e06655deac9b86746f444
Still infected: htxp://www.cracovie.org.pl/upload/Image/CZERWIEC

polonus

Hi Nyy, welcome to the forum :slight_smile:

It seems that more than just the one page is infected…

Trying to visit the site produces a 403 Forbidden error, and it seems that even this page has the script attached…

I would look for the script in all of the pages on your site, as it is most likely elsewhere as well.

Script detection rate: http://www.virustotal.com/file-scan/report.html?id=06d8613bababa914d6a7733e91f3623366f10f1e5d460705ba9c0f6b90e60d0e-1302984178
(403 page source in text file)

Scott

If you use PHP or other content management software it is possible it could be in your templates, etc.

In taking down the home page, there is obviously some checking going on, as Scott said you are getting a 403 page that has also got the malicious iframe tag in it. So it might be worth putting a placeholder page as the Home, index.htm, page etc. with something like Site under maintenance, etc. until you get control of it.

You would, however, need to sort the permission issue and clean the 403 error page. I suspect that if you have a 404 page, that too will have an iframe in it; also check the favicon.ico file.
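The checks suggested in the posts above (look at every page, the 403/404 error pages and the templates for the injected iframe) can be run over a local copy of the site. The following is an added example, not part of the original posts: it walks a web root and reports iframe and script tags that are hidden or load from a host outside an allowlist. The names `scan_text` and `scan_tree`, the extension list, the allowlisted host and the sample page are assumptions made for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SCAN_EXT = (".html", ".htm", ".php", ".tpl")  # assumed page/template types
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Constructed sample: an error page with an iframe appended after </html>.
SAMPLE_403 = ('<html><body><h1>403 Forbidden</h1></body></html>\n'
              '<iframe src="http://injected.example.invalid/in.php" width="1" height="1"></iframe>')

class IncludeFinder(HTMLParser):
    """Flag <iframe>/<script> tags that are hidden or load from a host not on the allowlist."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []  # (line, tag, src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in self.allowed:
            reasons.append("external:" + host)
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        if tag == "iframe" and (tiny or HIDDEN_STYLE.search(a.get("style", ""))):
            reasons.append("hidden")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, reasons))

def scan_text(text, allowed_hosts):
    finder = IncludeFinder(allowed_hosts)
    finder.feed(text)
    return finder.findings

def scan_tree(root, allowed_hosts):
    """Walk every page under root, including error pages and templates."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(SCAN_EXT):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(fh.read(), allowed_hosts)
                if hits:
                    report[os.path.relpath(path, root)] = hits
    return report
```

This only sees tags that are present in the markup; an iframe that obfuscated JavaScript writes into the page at load time still needs an online scanner such as the ones linked in this thread.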

Hi Nyy,

Important also to check and eventually upgrade and update your website software to protect against re-infection,
2 issues here, says sucuri: “Known javascript malware. Details: http://sucuri.net/malware/malware-entry-mwjs488”
and “Javascript included from a blacklisted domain. Details: http://sucuri.net/malware/entry/MW:BLK:2
Javascript::rthlsinks.cz.cc ->Javascript included from a .co.cc domain\ remote include of blacklist site – cross- site,
warning)”. Hidden iframes are still a most popular form of infection,

polonus

Thanks all for your comments!
In the meantime I was able to solve the issue. A few HTML documents, which were provided by the hosting company and saved in a separate folder, were infected. I was able to clean them and now it works without warnings.
Best regards
Nyy

Hi Nyy,

You’re welcome, glad to hear you’ve solved the issue,

polonus

You’re welcome.

Cleaning is a good first step, but ideally you have to find how those pages were infected (usually out of date content management software as I mentioned) or this could be exploited again.