Hi
I received an email yesterday suspending our AdWords account due to
distributing malware. Following that I realized our Google links have
the warning "This site may harm your computer."
I have scoured our site files, etc. had the host do all they can and
contacted the software forum, etc and come up rather thin in what it
might be. Some images were not well secured and there was a php file
of unknown origin though the contents did not seem very suspicious.
Our host added an additional level of security to the images, etc. I
have not yet applied for a review. Can anyone here look at the page
that was pulled from adwords and see if they can find something I'm
missing? The link is:
http://www.13moons.com/index.php?main_page=index&cPath=29
It looks like your server is redirecting when users are coming in from
Google (and possibly other search engines). I tried the following to
access your site with a Google referrer and it redirected me:
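
An added example, not part of the original posts and not the command the poster used: one way to check from outside whether a site answers differently when the request carries a search-engine referrer. The referrer strings, the User-Agent value and the function names are assumptions.

```python
import http.client
from urllib.parse import urlsplit

# Assumed referrer values for the comparison; None means a direct visit.
REFERERS = {
    "direct": None,
    "google": "http://www.google.com/search?q=test",
    "yahoo": "http://search.yahoo.com/search?p=test",
}

def fetch_once(url, referer=None, timeout=10):
    """GET url once without following redirects; return (status, Location)."""
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    headers = {"User-Agent": "Mozilla/5.0 (referrer-check)"}
    if referer:
        headers["Referer"] = referer
    target = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", target, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def referer_conditioned_redirects(url, fetch=fetch_once):
    """Return [(referrer_name, status, location)] for off-site redirects that
    appear only when a search-engine referrer is sent."""
    own_host = urlsplit(url).hostname
    direct = tuple(fetch(url, None))
    findings = []
    for name, referer in REFERERS.items():
        if referer is None:
            continue
        status, location = fetch(url, referer)
        if (status, location) == direct:
            continue  # same answer as a direct visit
        dest = urlsplit(location or "").hostname
        if 300 <= status < 400 and dest and dest != own_host:
            findings.append((name, status, location))
    return findings

if __name__ == "__main__":
    import sys
    for site in sys.argv[1:]:
        for hit in referer_conditioned_redirects(site):
            print("redirect only with %s referrer: %s -> %s" % hit)
```

A site owner who types the address directly sees the "direct" answer, which is why this kind of redirect can go unnoticed until a search engine flags it.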
I am having the same problem as Jbat13.
I discovered it two weeks ago when I attempted to access the site
statistics from my webhost.
At that time it was redirecting me to the same antivirus url as
Jbat13, but from the webhost stats page and the webmail page.
It was not affecting / redirecting me from any other page on my site,
accessed directly from my site or via a link from google.
My webhost discovered and cleaned up the hack two days after I
reported it. I thought everything was cool, until yesterday when I
discovered Google has blocked the website and added a statement that
says that the site distributes Malware.
I requested a review of the site, but they are telling me that it is
still infected. MSN, Yahoo and Altavista do not seem to have a
problem with the site and it is not redirecting me when I enter the
site directly. In addition I combed through a few of the pages--
straight html...nothing fancy and did not find any text out of order.
Is there another way in which to further analyze my files to ensure
the Malware is eradicated, so that Google can stop blocking my site?
Leslie, my problem was just discovered (not by me). It turned out to
be incredibly simple and I too had to wait 2 days for it to be
discovered. The htaccess file was hacked and a bunch of re-write code
was dumped in. My host also felt a bit foolish for not looking there
sooner! Now I have to go have it reviewed I guess. I already put a
request in a day ago because everyone had done as much as possible
and security was tightened, etc. Hopefully it won't look bad to have
another request.
This code adds malware elements to your page when visitors view it
with JavaScript enabled (I would recommend not visiting it at the
moment :-)). It's possible that the rest of your site has similar code
-- I would recommend checking all of the pages (and of course fixing
those where you find similar code). Once you have done that, a malware
review will generally be positive, but I would still suggest all of
the usual security measures such as changing the passwords, etc.
As I entered the site to inspect and edit my code I also looked at the
htaccess file and found two files: one has 0 bytes and the other is
htacces[dot]mal..it has 417 bytes.
Should I delete the mal file?
Only the file called .htaccess will be active. But with a size of 0
that means it's empty.
The other will be useless but if you don't know who put it there, this
is worrisome. This means there's an unauthorized way into your site.
It may have been put there to facilitate future hacking. Or maybe your
hoster found the hacked .htaccess file and renamed it to that.
Download it and take a look. It probably has nasty directives.
Then I would delete it from the server. Keep it as future reference on
your pc.
You will have to find and plug all vulnerabilities. Probably your
hoster has to get involved seriously.
While you are at it, you should change this meta tag on your homepage:
<meta name="verify-v1"
content="AcnW448XoqhOSUEHAe8UXOUueiTnrA6A6xZ4CMjuFbM=" />
It needs to be closed with > and not /> because you are not using an
xhtml doctype.
I've just finished going through and editing all of the files. I have
changed the file access, deleted files that I did not put in there and
alerted my webhost. Oh...and changed my password again!
After reading the postings at webmaster world from the link John
provided, I too am wondering if the webhost is being targeted. They
have been having access issues, email stoppages, etc. recently.
I have not had any of these issues on the other sites that I manage--
they are on servers with other webhosts.
Thank you all for this thread. I've been going crazy trying to find
out why these very persistent antivirus popups were plaguing my site.
I've searched more than a hundred groups/forums/etc. looking for an
answer.
Several weeks ago, one of my visitors told me that they had gotten a
popup stating that he might be infected and to run this free scan from
"windows-virus-scanner.com". Canceling it (close or the "x") caused
it to run anyway. My main pages are comprised of tables and some
tables have iframes displaying live content fed from another source.
The unsolicited popup (which occurred very randomly, sometimes only a
few times a day, sometimes more) almost always ran inside the same
table on my main pages (running one of the live content html pages as
an iframe), or any launched window that ran the same page in an
iframe. Sometimes it would run from a different table that was
running yet another live content html page as an iframe, but mostly it
was from the other table.
My site is served mainly by a (shared) web host and the live content
is served up from a different source. I copied all of my hosted files
back locally, scanned them with every virus and spyware/adware scanner
that I already had (was NOT going to buy or install a new one) and
found nothing. I read every line of code on every page that I wrote
(all manually created, not by a page generator) and there was nothing
out of place.
Another symptom I was having: if someone clicked on the link to my
site from my email signature (in Yahoo), or if I gave them the link
through Yahoo Messenger or MSN, their full page would be redirected to
the windows-virus-scanner.com page.
Over time, the URL of the pages kept changing, but still leading back
to the same company that then forced the freescan. Here are the other
URL names they used:
antivirus2008-freescan.com
antivirus2009-freescan.com
windows-defense.com
scanner.win-antivir-2008.com
scanner.win-antivir-2009.com
scanner.power-antivirus-2009.com
From my research, thanks mostly to this thread leading me down the
right roads, I believe it is most likely someone that is getting paid
to refer as many people as possible to that company. I contacted the
company directly through their email support at
"support@xp-registration.com" asking how to get rid of this and their reply back
to me said to buy their software and run the scan - nice. Earlier
this week they started getting even more aggressive - if you tried to
reload the page (which usually cleaned it because it made the correct
page run in my table), or close the page, they would popup another
warning about not navigating away from their page and all kinds of
scareware messages. Closing it anyway made it still run their
scanner.
I was trying all kinds of ways to block this popup but nothing stopped
it. I placed the URLs in the Restricted list for Internet Options, I
ran popup blockers, etc... The only thing that came close to helping
was to use my antivirus program (ALWIL's AVAST) and their WebShield to
block these URLs. The page would still be affected, but at least the
popup was blocked and the "free scan" couldn't run. Avast just put a
notice in that table, where the malicious page was running, saying
that it blocked it. My next step was to try the same thing with my
hardware firewall (I could not find this feature in windows'
firewall), but then a search of the latest URL change brought me to
this thread.
The source of the problem ended up being the .htaccess file on the
shared host. After seeing that file name mentioned a few times in
this thread, I looked and found that a .htaccess file was placed into
every single folder that I had on the host - on about the same day as
I had my first complaint of the popup. The file contained the
following data (after about 40 line feeds):
By the way, a friend with a Mac had the popup run on her machine and
it totally took over her browser and she had to have someone uninstall
and reinstall it for her.
So, many thanks to all of you - each of you had a piece of the puzzle
for me. After having my host provider run a script removing
all .htaccess files, my site is fine once again. I might even turn my
Google ads back on ;) I was blaming the ads for this since I could
find nothing else.
As a server admin this was helpful in tracking down the issue one of
my clients faced. I did a search on my server and found just one site
was affected and it was via FTP. It appeared the hacker got the FTP
account a few weeks before they actually uploaded the .htaccess files,
so make sure you are changing your logins and not sending them around
via email. I've also started generating 8-12 character passwords with
4 types of complexity (alpha, numeric, symbol, case).
> Many, many thanks!
> Terry
> My70sRadio.com
> On Jul 31, 8:14 am, lescan wrote:
> > Yippy!
> > All cleaned up, indexed and Google listing is looking GREAT!
> > Many thanks to you all for your help. :-) Life is Good!
> On Aug 1, 7:58 am, tjoe70s wrote:
> > The ip address traces out to Chisinau, Moldova
> > > ..Leslie in Abilene, Texas
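
The server-side search described in the last two posts (a .htaccess dropped into every folder, its directives pushed below about 40 line feeds), as an added example that is not from any poster in this thread. The sample file content, the example.invalid host, the 10-line padding threshold and the function names are assumptions; the actual injected file is not reproduced on this page.

```python
import os
import re
import time

REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
EXTERNAL_TARGET = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\s+.*?\bhttps?://([^/\s\"']+)", re.I)
REWRITE_RULE = re.compile(r"^\s*RewriteRule\b", re.I)
PADDING_LINES = 10  # assumed threshold for "hidden below blank lines"

# Constructed sample of a tampered file, for testing the checks below.
SAMPLE_TAMPERED = "\n" * 40 + (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]\n"
    "RewriteCond %{HTTP_REFERER} .*yahoo.* [NC]\n"
    "RewriteRule .* http://scanner.example.invalid/ [R,L]\n"
)

def inspect_htaccess(text, own_hosts=()):
    """Return a list of findings for one .htaccess body."""
    lines = text.splitlines()
    findings = []
    # Index of the first non-blank line = number of leading blank lines.
    blank = next((i for i, l in enumerate(lines) if l.strip()), len(lines))
    if PADDING_LINES <= blank < len(lines):
        findings.append("%d blank lines before first directive" % blank)
    referer_cond = False
    for n, line in enumerate(lines, 1):
        if line.lstrip().startswith("#"):
            continue
        if REFERER_COND.match(line):
            referer_cond = True
            continue
        m = EXTERNAL_TARGET.match(line)
        if m and m.group(1).lower() not in own_hosts:
            kind = "referrer-conditioned " if referer_cond else ""
            findings.append("line %d: %sredirect to external host %s"
                            % (n, kind, m.group(1).lower()))
        if REWRITE_RULE.match(line):
            referer_cond = False  # a RewriteCond applies only to the next RewriteRule
    return findings

def scan_tree(root, own_hosts=()):
    """Walk root; return {path: (mtime, findings)} for suspicious .htaccess files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings = inspect_htaccess(fh.read(), own_hosts)
            if findings:
                mtime = time.localtime(os.path.getmtime(path))
                report[path] = (time.strftime("%Y-%m-%d %H:%M", mtime), findings)
    return report

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (stamp, findings) in sorted(scan_tree(root).items()):
        print(path, "(modified %s)" % stamp)
        for finding in findings:
            print("   ", finding)
```

The modification time is reported so it can be compared with the date of the first visitor complaint and with FTP login records.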