Warning of Malware in my website

Hello

I have a warning of malware in my website: htxp://www.habitat-outlet.com

Abansys (the server) gave me a list of all files infected (click here: http://urlquery.net/report.php?id=3304253)

I deleted all the ‘bad script’ in index.php and I changed all the files in include/js and include/css. But I still have problems…

I don’t know where to find the files of the following 3 errors. And if I don’t find the files, I cannot change or delete anything!

GET / HTTP/1.1
Host: wxw.habitat-outlet.com
(Does this error belong to the index.php file that I already cleaned?)

I cannot find the files for these 2 errors, but it says that the host is Google Analytics… How do I modify this?
GET /ga.js HTTP/1.1
Host: www.google-analytics.com

GET /__utm.gif?utmwv=5.4.3&utms=1&utmn=1344051814&utmhn=www.habitat-outlet.com&utmcs=UTF-8&utmsr=1176x885&utmvp=1159x778&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=10.0%20r45&utmdt=Outlet%20de%20Muebles%20de%20Dise%C3%B1o%20-%20Sillas%2C%20sillones%2C%20mesas%2C%20l%C3%A1mparas%20de%20dise%C3%B1o&utmhid=1651933875&utmr=-&utmp=%2F&utmht=1372089138632&utmac=UA-12218578-2&utmcc=__utma%3D97137030.1125915244.1372089139.1372089139.1372089139.1%3B%2B__utmz%3D97137030.1372089139.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=q~ HTTP/1.1
Host: www.google-analytics.com

I also cannot erase the following pictures:

imagen/producto/529

imagen/producto/469

imagen/producto/446

I have deleted the rest of the picture files by accessing them with FTP, but for some reason, I cannot delete these ones!!! How can I erase them?

If you can help me to fix any of this, I would really appreciate it!

Thanks! Celia.

Hi Ethel33,

Break that URL link like hxtp://etc.
See this report for details of the malcode: http://sitecheck.sucuri.net/results/www.habitat-outlet.com/
//./include/js/global.js infected & /login.php infected
Site blacklisted by Google Safebrowsing:
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=habitat-outlet.com
see: http://jsunpack.jeek.org/?report=2de5118645d25a8f11d171fee06f04bae2a57414 (go to url with script blocker active and in a Virtual Machine/sandbox)

I asked someone here on the forum to look into the matter and he will help you with the cleansing.
In the meantime for the php malcode, use this Anti Malware plugin, download from http://downloads.wordpress.org/plugin/gotmls.zip
This Anti-Virus/Anti-Malware plugin searches for malware and other virus-like threats and vulnerabilities on your server and it helps you remove them.

polonus

Possibly a new Blackhole code, since only 2 detect it:
https://www.virustotal.com/en-gb/file/1eb1867b721fea0cc2f2f73136781c7cfb8ede3338d1a2a3506e637fcc099f45/analysis/1372118297/

wepawet
http://wepawet.iseclab.org/view.php?hash=5929a9439a437b3132bf8133b0b8c21f&t=1372118723&type=js

Hi Pondus,

It is certainly spreading over the Interwebs, because urlquery dot net gives many an IDS alert for this in scans.

polonus

Hi guys! Polonus and Pondus!

Sorry that I haven’t answered until now, but I thought I had no replies… I haven’t got any e-mail confirming the answers…

Well, anyway, finally I cleaned up my website and Google took the ‘warning message’ out of it, but I am afraid this is not finished yet…

I have Norton Antivirus and it doesn’t warn me of any viruses in my website, but Avira and AVG still does…

The problem is that the infection is in the IMAGES. See here: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.habitat-outlet.com%2Fimagen%2Fproducto%2F557%2F51b6042838ab73320300.jpeg&ref_sel=Google&ua_sel=ff

I don’t know what to do to remove them… I have changed the images from the ones that I had before the infection and I have even uploaded different new images, but the ‘bad script’ doesn’t go away…

Do you know what I could do to fix this?

Thanks! Ethel

Bitdefender TrafficLight also flags: htxp://www.habitat-outlet.com/imagen/producto/254/4e2ebf82e43833220176.jpeg
See for instance also: https://www.virustotal.com/nl/url/2ef886423389442d3b5c234ac7e67c8b160de0f685ddf40a94a796b1aabb66c7/analysis/1372448140/

and: http://urlquery.net/report.php?id=3385312 (detection is for Dynamic Content)
You have to consider these vulnerabilities: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-106044/PHP-PHP-5.2.17.html
Did you check for http://blog.trendmicro.com/trendlabs-security-intelligence/plesk-zero-day-exploit-results-in-compromised-webserver/ ?
This blacklist status is still there: http://www.yandex.com/infected?url=habitat-outlet.com&l10n=en
I have asked an expert to come and advise you here…
see: https://www.virustotal.com/nl/url/ec8b3b64533829b51cfa0811579f33182793854082664a6ca939224f0f0a864c/analysis/1372449368/

polonus

Hi Ethel,

When looking through your file manager, did you find any suspicious files that weren’t there before the infection?

Also: When scanning the ftp with AVG/Avira, are any files besides the images detected?

~!Donovan

Hi guys!

No, at the end there were 4 files still infected, and ‘imagen/index.php’ was the one infecting the images…

Thanks to all!

Xx, Celia
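Celia's conclusion above (a script file, imagen/index.php, sitting inside the picture directory was the source of the "infected images", which is why re-uploading clean pictures did not help) suggests a simple check a site owner can run over an FTP download of the web root. The script below is an added example written for this thread, not code from the forum, from any of the posters, or from the tools they link. It assumes a layout like the one discussed (an `imagen/producto/...` tree that should contain only pictures) and flags two things: files in that tree whose extension is not an image type at all, and files with an image extension whose bytes do not begin with a real image signature or that contain PHP/HTML script markers. The directory names, file names and file contents it creates for the demo are constructed.

```python
"""Audit an image directory for files that are not what their names claim.

Added example for this thread; paths and sample contents are constructed.
Two classes of finding are reported:
  1. a non-image file (e.g. index.php) living inside the image tree
  2. an image-named file that lacks an image signature or carries script markers
"""
import re
import tempfile
from pathlib import Path

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}

# Leading bytes ("magic numbers") of common image formats.
IMAGE_SIGNATURES = (
    b"\xff\xd8\xff",        # JPEG
    b"\x89PNG\r\n\x1a\n",   # PNG
    b"GIF87a",              # GIF
    b"GIF89a",              # GIF
    b"RIFF",                # WebP container (RIFF....WEBP)
)

# Markers that have no business inside a picture file.
SCRIPT_MARKERS = re.compile(
    rb"<\?php|<\?=|<script\b|eval\s*\(|base64_decode\s*\(", re.IGNORECASE
)


def looks_like_image(data: bytes) -> bool:
    """True if the bytes start with one of the known image signatures."""
    return any(data.startswith(sig) for sig in IMAGE_SIGNATURES)


def audit_image_tree(root: str) -> list:
    """Return (relative_path, reason) pairs for every suspicious file under root."""
    findings = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        if path.suffix.lower() not in IMAGE_EXTENSIONS:
            # A script or any other non-picture file does not belong here at all.
            findings.append((rel, "non-image file in image tree"))
            continue
        data = path.read_bytes()
        if not looks_like_image(data):
            findings.append((rel, "image extension but no image signature"))
        if SCRIPT_MARKERS.search(data):
            # Catches both bare scripts renamed to .jpeg and real images with
            # script text appended or hidden in metadata.
            findings.append((rel, "script marker inside image file"))
    return findings


def build_demo_tree() -> str:
    """Create a constructed sample tree: one clean JPEG, one fake JPEG, one PHP file."""
    base = tempfile.mkdtemp(prefix="imagen_")
    producto = Path(base, "producto")
    (producto / "529").mkdir(parents=True)
    (producto / "469").mkdir(parents=True)
    # A minimal JPEG-looking file: correct signature, no script content.
    (producto / "529" / "clean.jpeg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    # A script hiding behind an image extension.
    (producto / "469" / "fake.jpeg").write_bytes(b"<?php echo 'not an image'; ?>")
    # A PHP file sitting in the image tree, like the imagen/index.php of the thread
    # (placeholder content; nothing from the real site is reproduced here).
    Path(base, "index.php").write_bytes(b"<?php /* constructed placeholder */ ?>")
    return base


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for rel_path, reason in audit_image_tree(demo_root):
        print(f"{rel_path}: {reason}")
```

Run it against a local copy of the site rather than over FTP so every byte is inspected. Anything it reports with "non-image file in image tree" deserves a look even when the file name is innocuous, and a picture that fails the signature check or carries a script marker should be replaced from a known-clean original, not edited in place.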

Hi Ethel33,

Great, that was solved then.

polonus