Is my client's website have Virus ?

[sandile]

Hi everyone I'm new in this forum and I hope I'm welcome. lol
My other client told me that his temporal web page I created for him have a virus. www.holidayafricainstyle.co.za can someone with antivirus check it for me please.

You can also check this one: www.zulujazzlounge.co.za

[jenny]

Oct 5, 2010 2:01:01 GMT sandile said:

Hi everyone I'm new in this forum and I hope I'm welcome. lol
My other client told me that his temporal web page I created for him have a virus. www.holidayafricainstyle.co.za can someone with antivirus check it for me please.

You can also check this one: www.zulujazzlounge.co.za

Hi there Sandile,

It does indeed look like your client's site has been infected with malware.

About 4 weeks ago, 24 of my sites (mine and my clients sites) got infected with an ftp hack and labeled by Google as attack sites.
It took me 9 days to clean!

What I would suggest, is that you first go into Cpanel and change your login password and ftp password as well as chances are that your Cpanel login details have been compromised.

Then open every single file on your client's site in a code editor or notepad.
Then go through the code and you will find the malicious code injected in the pages/files.
You will find that they like to inject the code in js files and index page files, but they also inject it into other files.

Once you find the code in the files, delete it and save the file.

Then go through all server files itself as well and check each one for malicious code and delete the code.
In my case, the code was also injected on the server files itself, so each time I cleaned a site, it just got re-injected with the code.
So a good idea to check the server files as well.

Oh and the valuable lesson I learned with this nightmare, was to never, ever store ftp login details inside Filezilla or any ftp program for that matter!

[sandile]

Good morning Jenny, thank you very much with your advice, I thought I should contact my hosting company to clean up my domian. but as yo have adviced me I will try to clean it up my self. I've seen your work here in Antenna forum it amazing. you doing a nice websites. how long you been doing websites?

[jenny]

Oct 5, 2010 6:40:53 GMT sandile said:

Good morning Jenny, thank you very much with your advice, I thought I should contact my hosting company to clean up my domian. but as yo have adviced me I will try to clean it up my self. I've seen your work here in Antenna forum it amazing. you doing a nice websites. how long you been doing websites?

Hi Sandile, thanks.
I started designing sites in 2006.
You sites look great btw!

You can ask your hosting company to clean up the site, no problem,but get them to also change the Cpanel password and Ftp password for added security.
Also scan your pc and also go through your clients backup files, if you have any of them on your pc, just to make sure that the code is not sitting there as well, otherwise when you update the site, you will reinfect your clients site and server again.

[Graham]

Hi sandile

one other thing to bear in mind in may not be the website in question but the clients pc at risk.

Next time it happens if it does as the client to give you the error number it displays on the screen, as this is very helpfull to diagnose what is going on.

I have had people try and view my sites and they get errors and and told its a virus but when you look up the error messages it is actually the client pc with the virus and the website has blocked it.

Graham

[jenny]

PS. I checked your site on 2 different pc's now and the site is definitely infected.

[Graham]

Jenny what virus program you running, I have checke both with AVG and Norton and nothing pops up at all

What is the error page you get with it

Graham

UPDATE:

Just got a mate to check it who is running McAffee site adviser and no warnings either came up for him

[jenny]

Graham I am using Avast at the moment.
The infection on the site is
"HTML: Script-inf"

Apparently Kaspersky and others don't always pick this one up.


They say the malicious code gets injected into the top section of files.
Here are 2 good links about this infection:
forum.avast.com/index.php?topic=64453.0
forum.avast.com/index.php?topic=63588.0

[Graham]

ok found the problem area I switched to IE 8 and and used an online virus scanner my my pc site to track it down

this is the issue area

http://addonrock.ru/Optical_Media.js

You can read about it here www.unmaskparasites.com/security-report/

Your actual site is not infected it is the reference to an external link that is

See this screenshot of your files this is the issue one
www.screencast.com/users/GrahamW/folders/Jing/media/7097b5ed-6073-41e7-908c-59d93e7ba977

Just locate that on your index page and remove it and it will be fine addonrock.ru is flagged as bad not your site

Graham

[jenny]

Don't you just hate these malicious java codes?
My battle was called "nuttypiano"....it sure drove me nuts! hehe

I think it is a good idea to find out how it happened so as to prevent if from happening again.
How do you think the script/link got placed on Sandile's website page?

[sandile]

Thank you guys for you solutions, I've re-uploaded it and it seems to be ok now. but I will keep on checking it for any changes. I think I'm lucky coz I didn't loose this client. lol.