25 Years of Programming Community Forum
September 10, 2010, 07:04:37 PM
 1 
 on: September 07, 2010, 11:09:09 AM 
Started by metroair - Last post by metroair
Thank you so so much for your help and expertise.  I could tell by your response that it was beyond my time and technical ability to fix the website.  Thanks to the links on your blog and website information and scan links I contracted SiteSecurityMonitor.com and they had our site fixed within 2 days. Thank you thank you thank you for helping us, your expertise on this website is truly invaluable.

 2 
 on: September 01, 2010, 11:29:12 AM 
Started by metroair - Last post by SteveW
Quote
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 75 domain(s)

This is likely an indication that there are files containing malicious code, hidden among the other files in your website. They are probably not your regular pages that you are aware of, but new files added into the site.

In this scenario, malicious code was added into the pages of the 75 sites. It had iframes or javascript references to the malicious files that the hacker put into your site, causing those files from your site to be loaded into people's browsers when they visited pages at the other 75 sites.

The task is to find and delete those files hidden in your site. If possible, it's (obviously) desirable to find out what the names of those files are.

One way would be to visit the other 75 sites and look for code referring to yours. However, the 3 example sites listed in the Safe Browsing Report have already cleaned themselves up, so nothing will be found there. A Google search might or might not turn up some of the other 75, but note that if any of them remain infected and dangerous, visiting them will be just as dangerous to you as to anyone else, so make sure you have JavaScript turned off and very good antivirus installed on your PC.

The safer methods:

Get a complete listing of all the files in your site (this shows how to do it on a Linux server: http://25yearsofprogramming.com/blog/2009/20090621.htm). Search the listing carefully for filenames you don't recognize.

A more direct approach that you might also need to try is to search through your HTTP access logs for requests for strange filenames (such as javascript files), where the referer is shown as being other websites, not yours. In other words, the browsers of people visiting the other 75 infected sites are being told to download the malicious files from your site. Those requests will show in your logs. Since this situation seems to have existed for quite a while, logs from the past month or before would probably be most useful. After the other sites have been cleaned (which is happening) you'll receive fewer requests for the malicious files, so the older logs should contain more evidence.

Neither approach is quick, and both will require attention to detail.

Also, at Google Webmaster Tools (http://www.google.com/webmasters/) see if they list any "example" malicious pages from your site.

-----

It looks like at least two of your .js files are not returning any code when requested:

mootools.release.83.js
timed.slideshow.js

That is suspicious. Using your control panel's file manager, look at the source code of those files to see what is in them.
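As an added illustration of the access-log search described in the reply above (example code, not from the forum or its author): it parses Apache combined-format lines, reports script files fetched with a Referer on someone else's host, and lists script files answered with status 200 but zero bytes. All hosts, IPs and log lines are constructed for the example, and `own_hosts` is the assumed set of the site's own hostnames.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Apache/NCSA "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines; every host, IP and path here is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Aug/2010:10:01:12 -0400] "GET /index.html HTTP/1.1" 200 5120 "http://www.example-site.ca/" "Mozilla/5.0"
198.51.100.7 - - [26/Aug/2010:10:02:44 -0400] "GET /js/mootools.release.83.js HTTP/1.1" 200 0 "http://www.example-site.ca/about.html" "Mozilla/5.0"
198.51.100.9 - - [26/Aug/2010:10:03:01 -0400] "GET /images/x.js HTTP/1.1" 200 2211 "http://other-victim.example/blog/post.html" "Mozilla/5.0"
192.0.2.44 - - [26/Aug/2010:10:03:09 -0400] "GET /images/x.js HTTP/1.1" 200 2211 "http://another.example/" "Mozilla/5.0"
192.0.2.45 - - [26/Aug/2010:10:04:00 -0400] "GET /images/logo.png HTTP/1.1" 200 8812 "http://another.example/" "Mozilla/5.0"
192.0.2.46 - - [26/Aug/2010:10:05:00 -0400] "GET /js/timed.slideshow.js HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

SCRIPT_EXT = (".js", ".php")

def parse(log_text):
    """Yield the parsed fields of each well-formed combined-format line."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def foreign_script_requests(log_text, own_hosts):
    """Count script-file requests whose Referer is on a host that is not ours:
    visitors of an infected third-party page that embeds our file land here."""
    hits = Counter()
    for f in parse(log_text):
        path = f["path"].split("?", 1)[0]
        if not path.lower().endswith(SCRIPT_EXT):
            continue
        ref_host = urlparse(f["referer"]).hostname  # None for "-" or malformed
        if ref_host is None or ref_host in own_hosts:
            continue
        hits[(path, ref_host)] += 1
    return hits

def empty_script_responses(log_text):
    """Script paths served with status 200 but zero bytes: a file that has
    been emptied or replaced is worth opening in the file manager."""
    return {f["path"] for f in parse(log_text)
            if f["status"] == "200" and f["size"] == "0"
            and f["path"].lower().endswith(SCRIPT_EXT)}
```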

 3 
 on: September 01, 2010, 08:10:07 AM 
Started by metroair - Last post by metroair
Our website has been flagged by Google as being harmful but other scans have not found any malware on our site.  Would you be able to point us in the right direction because we are at a loss as to what the issue is.

As a security precaution we have changed the passwords for our site access, run 4 different scans on the computer that does the website updates (0 problems found) and requested a review of our site but still the Google diagnostics says our site may be distributing malware.  We've reviewed the Diagnostic page but can't figure out where the "suspicious content" is (results pasted below).

Safe Browsing Diagnostic page for metroair.ca. What is the current listing status for metroair.ca?
Site is listed as suspicious - visiting this web site may harm your computer.
Part of this site was listed for suspicious activity 1 time(s) over the past 90 days.
What happened when Google visited this site?
Of the 251 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-08-31, and the last time suspicious content was found on this site was on 2010-08-31.
Malicious software includes 376 exploit(s), 180 scripting exploit(s).

This site was hosted on 1 network(s) including AS36351 (SOFTLAYER).

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, metroair.ca did not appear to function as an intermediary for the infection of any sites.

Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 75 domain(s), including junction-city.or.us/, eshelnet.org.il/, dyada.co.il/.

 4 
 on: August 31, 2010, 04:14:29 AM 
Started by SteveW - Last post by SteveW
Hello windyt, I'm sorry for my delay in replying. Due to hardware failure, I've been offline for several days.

Be sure to scan your PC (at home/office, not your website's server) carefully for viruses, using a scanner different from your usual one. If any malware is found, clean it out and then change your website passwords again.

However, I believe gifimg.php that they uploaded is a filename frequently used for backdoor PHP scripts. Once they have uploaded a backdoor, they can call it from their web browser and manage your site remotely using it. If you examine that file, you'll likely find it full of malicious PHP code for managing the site (upload/download, etc.). If that's the case, delete the file. Also check out anything else they uploaded.

Unfortunately, these backdoor scripts are things that they can only upload to regain access after they've already hacked their way in once, so it's not how they originally got in. You still need to find the original method of entry: viruses on your PC, outdated WordPress version, etc.

I should also point out that the first line in your log, even if it's your IP address, is not an upload of index.html. It's for a file called tracker-bevo.png. If that's not the name of the file you intended to upload, it is another indication that your PC may be infected with malware.

 5 
 on: August 27, 2010, 09:55:43 AM 
Started by SteveW - Last post by windyt
Hello and thank you for your time to write this great resource. I am a victim of recent hacks - but every time I clean the site, they come back and over ftp replace all the files. I have even deleted the domain in my VPS cpanel and recreated with a new password but they still keep coming - from my ftp log:

the first IP is mine - I uploaded index.html saying site is down
Thu Aug 26 20:56:24 2010 2 24.19.224.207 30115 /home/tomasv/public_html/tracker-bevo.png b _ i r tomasv ftp 1 * c

Fri Aug 27 04:01:58 2010 0 64.71.229.10 141 /home/tomasv/public_html/images/gifimg.php a _ i r tomasv ftp 1 * c
Fri Aug 27 04:02:05 2010 0 64.71.229.10 37721 /home/tomasv/public_html/wp-content/plugins/akismet/akismet.php a _ o r tomasv ftp 1 * c
Fri Aug 27 04:02:06 2010 0 64.71.229.10 14861 /home/tomasv/public_html/wp-content/plugins/akismet/legacy.php a _ o r tomasv ftp 1 * c

The other lines are them uploading a new WordPress that is infected - how do I find out more about the RFI attack and how to prevent it please? This is the 3rd time I cleaned the site, generated the ftp password using the cpanel generator and within 48 hours I am hacked again :-(

Thank you again for your time and help...
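An added example, not from the thread, that applies the reading of the FTP log above and SteveW's note (in the reply above it) that the first line is an upload of tracker-bevo.png rather than index.html: it parses lines in the xferlog layout, keeps only uploads (direction `i`), and flags those from an IP outside a trusted set or dropping a `.php` file into a static-content directory such as `images`. The sample lines, IPs and paths are constructed; `STATIC_DIRS` and the trusted-IP set are assumptions.

```python
from datetime import datetime

# Constructed xferlog lines (wu-ftpd/proftpd "xferlog" layout); IPs are from
# documentation ranges and the paths are made up, not from any real server.
SAMPLE_XFERLOG = """\
Thu Aug 26 20:56:24 2010 2 203.0.113.10 30115 /home/user/public_html/tracker-bevo.png b _ i r user ftp 1 * c
Fri Aug 27 04:01:58 2010 0 198.51.100.20 141 /home/user/public_html/images/gifimg.php a _ i r user ftp 1 * c
Fri Aug 27 04:02:05 2010 0 198.51.100.20 37721 /home/user/public_html/wp-content/plugins/akismet/akismet.php a _ o r user ftp 1 * c
Fri Aug 27 04:02:06 2010 0 198.51.100.20 14861 /home/user/public_html/wp-content/plugins/akismet/legacy.php a _ i r user ftp 1 * c
Fri Aug 27 09:15:00 2010 3 203.0.113.10 2048 /home/user/public_html/index.html a _ o r user ftp 1 * c
"""

STATIC_DIRS = ("/images/", "/uploads/", "/img/")  # assumed: dirs that should hold no PHP

def parse_xferlog(log_text):
    """One dict per record. After the 5-token timestamp come: transfer-time, remote-host,
    size, filename, type, special-action, direction, access-mode, user, service, auth, id, status."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 18:
            continue  # malformed or truncated line
        when = datetime.strptime(" ".join(parts[:5]), "%a %b %d %H:%M:%S %Y")
        tail = parts[-9:]  # type .. completion-status; taken from the right
        records.append({
            "time": when,
            "ip": parts[6],
            "size": int(parts[7]),
            "path": " ".join(parts[8:-9]),  # filenames may contain spaces
            "direction": tail[2],           # 'i' = upload to server, 'o' = download
            "user": tail[4],
        })
    return records

def suspicious_uploads(log_text, trusted_ips):
    """Uploads ('i') that come from an IP not in trusted_ips, or that drop a
    .php file into a directory meant for static content."""
    flagged = []
    for r in parse_xferlog(log_text):
        if r["direction"] != "i":
            continue
        reasons = []
        if r["ip"] not in trusted_ips:
            reasons.append("untrusted source ip")
        if r["path"].lower().endswith(".php") and any(d in r["path"] for d in STATIC_DIRS):
            reasons.append("php in static directory")
        if reasons:
            flagged.append((r["path"], r["ip"], reasons))
    return flagged
```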

 6 
 on: August 18, 2010, 10:23:29 AM 
Started by SteveW - Last post by SteveW
Your suggestion led to a discovery. I'm using Ubuntu 9.04, so when I type
mdb-schema
or
man mdb-schema
it shows that the -S flag is available. So does the documentation at http://manpages.ubuntu.com/manpages/jaunty/man1/mdb-schema.1.html. But if you browse to the later versions on that page you'll see that -S isn't shown anymore in 10.04 LTS and after. It's also not shown at http://linux.die.net/man/1/mdb-schema.

I didn't mention -S or the other mdbtools options because I hadn't used them and couldn't describe them any better than the documentation, but now I wonder if the -S option still exists in later versions.

If any of the mdbtools programs create unacceptable or undesirable table names, it seems like it should be possible to correct them in the output files with sed or by manually editing them before using them to do the table creates and data transfers.

 7 
 on: August 18, 2010, 01:12:19 AM 
Started by SteveW - Last post by philverb
[the idea being about just where to place the flag, and just with what it is interchangeable]

Wonderful post, Steve --and thank you again!

 8 
 on: August 18, 2010, 01:05:55 AM 
Started by SteveW - Last post by philverb
I was hoping that you'd include an example of the mdb-tools FLAG for throwing things into the idiom of MySQL.  Thank you for the article.  There could have been a moment after mentioning the MySQL variant where you take the time to say:

#######################
[root@localhost ~]# mdb-schema
Usage: mdb-schema [options] <file> [<backend>]
where options are:
  -T <table>     Only create schema for named table
  -N <namespace> Prefix identifiers with namespace
  -S             Sanitize names (replace spaces etc. with underscore)
[root@localhost ~]# man
########################

mdb-schema -S MDBFILE.mdb mysql [as opposed to other DB platforms, where 'sybase', 'oracle', 'postgres', or others could have had a spot.]
#########################


 9 
 on: August 09, 2010, 10:11:04 AM 
Started by Joy100 - Last post by SteveW
Your computer can communicate with the internet without your knowing about it. Malware on your computer can steal your website FTP password and send it to the hackers. As long as your PC is infected, it doesn't matter how many times you change your password; the malware will steal the new one and send it to the hackers. That's why your PC must be clean before you do anything else.

If you're sure the computer is clean, you've completed step 5 at http://25yearsofprogramming.com/blog/20070705.htm.

Now move on to step 6, changing your password. If your computer was infected that last time you changed the password, you must do it again now. If it was clean, you can move on to step 7, making sure your forum software is up to date. Based on the error message from your site, you are using forum software, but it gives no indication what the name of it is. Whatever it is, go to the website that distributes it and see if you are using the current version. If not, install the latest version.
 10 
 on: August 09, 2010, 08:12:15 AM 
Started by Joy100 - Last post by Joy100
I ran a deep scan earlier and ZoneAlarm quarantined 3 threats and renamed Heur:Trojan. Win 32.  What should we do next?  We have to deal with hackers and stop them accessing our server.
