One thing to do is to see what Google has to say about your site. Enter this URL with your site in place of example.com:
|is it possible for a virus to exist on a web page iteself? |
If you have checked the page's source HTML and nothing has been changed then your guess about the user having a scareware problem may well be correct.
But check very carefully.
Yes I did notice that the main indez.html page was last updated on May 5 2009 and I know I havent updated it - I downloaded the file and there was a script at the bottom of the page with a bunch of text in it - I deleted it and re-uploaded file - now I just have to figure out how it got there
|now I just have to figure out how it got there |
Your site has been compromised.
At the very least you should:
Check your computer for viruses and malware
Change your site access passwords
Check any scripts on the site for vulnerabiities
Check for any hidden files
Check for any other external modifications
Restore a clean copy of the site
If someone has write access to your site you have a serious problem.
[edited by: Samizdata at 6:56 pm (utc) on May 13, 2009]
You probably have other files on there as well that have been compromised and with a VPS the stakes go up, it will most likely happen again unless you find out where they got in.
Look up all the scripts you use at [secunia.com...] .
Regardless of what you find at Secunia, also upgrade all your scripts to their latest versions.
Get the timestamp from the defaced file and examine your access logs to see what requests were being made to your site at exactly that time. That can show you which page they attacked and what method they used to get in.
Also check FTP logs for unauthorized activity.
[edited by: SteveWh at 7:51 pm (utc) on May 14, 2009]
It is also possible that a .jpg image has embedded files in them that can get executed.
Do you allow people to post images in a forum or in ads?
this WebmasterWorld thread might have some useful tips:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]
Virus on a webpage is possible. You need to scan the file and re-upload in your server.
Check all your logs to see how access was gained then take measures to close that access. Server configuration apparently not secure. Also check for script and database vulnerabilities. If you allow user input sanitize it! Accept nothing except EXPECTED input, deny everything else.
Thanks for the input everyone - I did determine it to be the main index page that had an unidentified line of scripting at the bottom. I have since replaced, changed the ftp password - removed the saved password from my ftp program. Also I run a VPS and updated the config file as a recoomendation from my hosting company and so far all is well