Welcome to WebmasterWorld Guest from 174.129.135.89

Forum Moderators: phranque

Message Too Old, No Replies

Virus on a web page?

   
1:04 pm on May 13, 2009 (gmt 0)

5+ Year Member



I had someone contact me to inform me that when visiting a site on my VPS (I also administer site) they rceived a notification that the web site contains a virus (they did not give me the exact warning message) but they said it happened when accessing the site from 2 seperate computers.

First off all, is it possible for a virus to exist on a web page iteself?

I have the most up to date virus protection on my computer and when I visit the site nothing shows up as being maliscious. I am assuming that the person has several computers infected with some sort of "scareware" that is trying to get them to buy a protection program of some sort but I thought I would look into it just to be sure

Any comments or suggestions?

6:25 pm on May 13, 2009 (gmt 0)

5+ Year Member



One thing to do is to see what Google has to say about your site. Enter this URL with your site in place of example.com:

[google.com...]

6:41 pm on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



is it possible for a virus to exist on a web page iteself?

It is possible for javaScript to automatically download one from the page (or attempt to).

Things to look for might be some javaScript or an iframe inserted in the page.

If you have checked the page's source HTML and nothing has been changed then your guess about the user having a scareware problem may well be correct.

But check very carefully.

...

6:44 pm on May 13, 2009 (gmt 0)

5+ Year Member



Yes I did notice that the main indez.html page was last updated on May 5 2009 and I know I havent updated it - I downloaded the file and there was a script at the bottom of the page with a bunch of text in it - I deleted it and re-uploaded file - now I just have to figure out how it got there
6:55 pm on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



now I just have to figure out how it got there

Your site has been compromised.

At the very least you should:

Check your computer for viruses and malware
Change your site access passwords
Check any scripts on the site for vulnerabiities
Check for any hidden files
Check for any other external modifications
Restore a clean copy of the site
Monitor carefully

If someone has write access to your site you have a serious problem.

...

[edited by: Samizdata at 6:56 pm (utc) on May 13, 2009]

7:55 pm on May 13, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You probably have other files on there as well that have been compromised and with a VPS the stakes go up, it will most likely happen again unless you find out where they got in.
7:50 pm on May 14, 2009 (gmt 0)

5+ Year Member



Look up all the scripts you use at [secunia.com...] .

Regardless of what you find at Secunia, also upgrade all your scripts to their latest versions.

Get the timestamp from the defaced file and examine your access logs to see what requests were being made to your site at exactly that time. That can show you which page they attacked and what method they used to get in.

Also check FTP logs for unauthorized activity.

[edited by: SteveWh at 7:51 pm (utc) on May 14, 2009]

7:54 pm on May 14, 2009 (gmt 0)

WebmasterWorld Senior Member demaestro is a WebmasterWorld Top Contributor of All Time 10+ Year Member



It is also possible that a .jpg image has embedded files in them that can get executed.

Do you allow people to post images in a forum or in ads?

6:21 am on May 17, 2009 (gmt 0)

5+ Year Member



I have the same problem as the OP. I had a line of javascript inserted into every page on my website which, apparently then downloads a trojan onto that person's computer. I reposted my pages (on my local computer the source code is not affected) and changed my ftp password as my hosting company suggested. I did that but the code has returned. I am now flagged by google as a site with malware. I am a real novice at this and am not sure whether there is something I can do/should have done or whether it is the hosting company with perhaps out of date servers. If I change hosts, is the problem likely to continue? Any help very gratefully received.
8:54 pm on May 17, 2009 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



this WebmasterWorld thread might have some useful tips:
How Hacked Servers Can Hurt Your Traffic [webmasterworld.com]
3:19 am on May 18, 2009 (gmt 0)

5+ Year Member



Virus on a webpage is possible. You need to scan the file and re-upload in your server.
3:29 am on May 18, 2009 (gmt 0)

WebmasterWorld Senior Member tangor is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



Check all your logs to see how access was gained then take measures to close that access. Server configuration apparently not secure. Also check for script and database vulnerabilities. If you allow user input sanitize it! Accept nothing except EXPECTED input, deny everything else.
12:18 pm on May 18, 2009 (gmt 0)

5+ Year Member



Thanks for the input everyone - I did determine it to be the main index page that had an unidentified line of scripting at the bottom. I have since replaced, changed the ftp password - removed the saved password from my ftp program. Also I run a VPS and updated the config file as a recoomendation from my hosting company and so far all is well