homepage Welcome to WebmasterWorld Guest from 54.198.148.191
register, free tools, login, search, subscribe, help, library, announcements, recent posts, open posts,
Subscribe to WebmasterWorld

Home / Forums Index / WebmasterWorld / Webmaster General
Forum Library, Charter, Moderators: phranque & physics

Webmaster General Forum

    
Virus on a web page?
captainron19




msg:3912569
 1:04 pm on May 13, 2009 (gmt 0)

I had someone contact me to inform me that when visiting a site on my VPS (I also administer site) they rceived a notification that the web site contains a virus (they did not give me the exact warning message) but they said it happened when accessing the site from 2 seperate computers.

First off all, is it possible for a virus to exist on a web page iteself?

I have the most up to date virus protection on my computer and when I visit the site nothing shows up as being maliscious. I am assuming that the person has several computers infected with some sort of "scareware" that is trying to get them to buy a protection program of some sort but I thought I would look into it just to be sure

Any comments or suggestions?

 

mayest




msg:3912795
 6:25 pm on May 13, 2009 (gmt 0)

One thing to do is to see what Google has to say about your site. Enter this URL with your site in place of example.com:

[google.com...]

Samizdata




msg:3912802
 6:41 pm on May 13, 2009 (gmt 0)

is it possible for a virus to exist on a web page iteself?

It is possible for javaScript to automatically download one from the page (or attempt to).

Things to look for might be some javaScript or an iframe inserted in the page.

If you have checked the page's source HTML and nothing has been changed then your guess about the user having a scareware problem may well be correct.

But check very carefully.

...

captainron19




msg:3912803
 6:44 pm on May 13, 2009 (gmt 0)

Yes I did notice that the main indez.html page was last updated on May 5 2009 and I know I havent updated it - I downloaded the file and there was a script at the bottom of the page with a bunch of text in it - I deleted it and re-uploaded file - now I just have to figure out how it got there

Samizdata




msg:3912813
 6:55 pm on May 13, 2009 (gmt 0)

now I just have to figure out how it got there

Your site has been compromised.

At the very least you should:

Check your computer for viruses and malware
Change your site access passwords
Check any scripts on the site for vulnerabiities
Check for any hidden files
Check for any other external modifications
Restore a clean copy of the site
Monitor carefully

If someone has write access to your site you have a serious problem.

...

[edited by: Samizdata at 6:56 pm (utc) on May 13, 2009]

thecoalman




msg:3912892
 7:55 pm on May 13, 2009 (gmt 0)

You probably have other files on there as well that have been compromised and with a VPS the stakes go up, it will most likely happen again unless you find out where they got in.

SteveWh




msg:3913863
 7:50 pm on May 14, 2009 (gmt 0)

Look up all the scripts you use at [secunia.com...] .

Regardless of what you find at Secunia, also upgrade all your scripts to their latest versions.

Get the timestamp from the defaced file and examine your access logs to see what requests were being made to your site at exactly that time. That can show you which page they attacked and what method they used to get in.

Also check FTP logs for unauthorized activity.

[edited by: SteveWh at 7:51 pm (utc) on May 14, 2009]

Demaestro




msg:3913866
 7:54 pm on May 14, 2009 (gmt 0)

It is also possible that a .jpg image has embedded files in them that can get executed.

Do you allow people to post images in a forum or in ads?

MrWrite




msg:3915259
 6:21 am on May 17, 2009 (gmt 0)

I have the same problem as the OP. I had a line of javascript inserted into every page on my website which, apparently then downloads a trojan onto that person's computer. I reposted my pages (on my local computer the source code is not affected) and changed my ftp password as my hosting company suggested. I did that but the code has returned. I am now flagged by google as a site with malware. I am a real novice at this and am not sure whether there is something I can do/should have done or whether it is the hosting company with perhaps out of date servers. If I change hosts, is the problem likely to continue? Any help very gratefully received.

phranque




msg:3915448
 8:54 pm on May 17, 2009 (gmt 0)

this WebmasterWorld thread might have some useful tips:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]

begamo




msg:3915562
 3:19 am on May 18, 2009 (gmt 0)

Virus on a webpage is possible. You need to scan the file and re-upload in your server.

tangor




msg:3915569
 3:29 am on May 18, 2009 (gmt 0)

Check all your logs to see how access was gained then take measures to close that access. Server configuration apparently not secure. Also check for script and database vulnerabilities. If you allow user input sanitize it! Accept nothing except EXPECTED input, deny everything else.

captainron19




msg:3915734
 12:18 pm on May 18, 2009 (gmt 0)

Thanks for the input everyone - I did determine it to be the main index page that had an unidentified line of scripting at the bottom. I have since replaced, changed the ftp password - removed the saved password from my ftp program. Also I run a VPS and updated the config file as a recoomendation from my hosting company and so far all is well

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / WebmasterWorld / Webmaster General
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About
© Webmaster World 1996-2014 all rights reserved