How to go about removing a virus from a website
Posted by Beatplexity, 02-11-2012, 07:09 AM |
One of my websites on my server is sending out a virus and appears to be infected.
Scanning the URL with VirusTotal I get a clean result; it doesn't pick up anything.
However, I have seen this virus pop up before when I visit my site; it's a "virus scanner 2012" malware, I think.
If this website is infected, does that mean all my websites on my server are also infected?
I'm not sure how I go about removing it.
Any help would be much appreciated.
Thanks
PS: if anyone wants to check out the website, it's internetmarketinghustle [dot] com
|
Posted by HostTorch, 02-11-2012, 10:44 AM |
Your website is clean; it is OK with ESET Smart Security Live Guard...
|
Posted by Dr_Michael, 02-11-2012, 10:51 AM |
Your site IS infected!
Look here:
http://sitecheck.sucuri.net/results/...tinghustle.com
My advice:
1. Perform a full scan on your computer with a good antivirus. I suggest M$ Security Essentials AND MalwareBytes AntiMalware.
2. Change the FTP passwords for all the sites, using a random password generator.
3. Each time you access the sites through FTP, change the password again.
4. Download your entire site through FTP.
5. Check ALL the PHP, HTML and JS files for malicious code.
6. Check php.ini and .htaccess for malicious code.
7. Upload the clean files to the server.
8. Change FTP passwords again.
If you need further assistance, let me know.
Last edited by Dr_Michael; 02-11-2012 at 10:59 AM.
|
Posted by Beatplexity, 02-11-2012, 11:16 AM |
Yeah, I think I'm going to need assistance with that; I have no clue about stuff like PHP etc.
|
Posted by Dr_Michael, 02-11-2012, 11:33 AM |
Do the above steps I mentioned before and let me know in which step you need help.
|
Posted by bear, 02-11-2012, 11:34 AM |
That doesn't show it's infected, looking just now, but when I visited my AV blocked a connection. It looks like you have the timthumb addon on that site. Have you updated that recently?
You mean here in the forum, right?
Last edited by bear; 02-11-2012 at 12:35 PM.
Reason: broken quotes
|
Posted by Beatplexity, 02-11-2012, 11:35 AM |
Step 5 is where I'm going to get stuck.
|
Posted by Dr_Michael, 02-11-2012, 11:36 AM |
Always! I can post here answers to whatever he asks on the issue.
|
Posted by spykee, 02-11-2012, 12:01 PM |
Most probably your AV is not up to date.
The site of the OP is indeed infected. Got an alert from Avast and Kaspersky.
|
Posted by Dr_Michael, 02-11-2012, 12:05 PM |
Open all the files with an editor. I recommend ConText.
Then look if they have any malicious code there.
You will find very useful details about your infected files on the site I mentioned before.
|
Posted by Beatplexity, 02-11-2012, 12:22 PM |
Thanks for all the help so far.
I really do not have time to sift through pages and pages of code; I have no idea what I'm looking for.
I have 9 websites on my server, so chances are all of my websites are infected.
Guessing this is going to be a big job to clean up.
|
Posted by Dr_Michael, 02-11-2012, 12:24 PM |
When did they get infected? Does your host have backups so you could ask for a restore?
|
Posted by bear, 02-11-2012, 12:32 PM |
If you have local copies you know are not infected, you can use a file comparison tool to compare them side by side, which will reveal right away if they are different. I use BeyondCompare, a paid program.
You also didn't mention whether you'd updated TimThumb or not... if you hadn't, that might be the source of the infection (wild guess there, based on too few details).
|
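The side-by-side comparison bear describes, as an added example that is not from any poster in this thread: instead of a GUI diff tool, hash every file in a known-good local copy and in the copy downloaded from the server, then report what was modified, added or removed. The sample trees are constructed inline in `demo()`; the paths and the "injected" marker are placeholders, not anything observed on the site discussed.

```python
"""Compare a known-good copy of a site against the copy downloaded from the server."""
import hashlib
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest.
    Hashes, not timestamps: FTP transfers and editors rewrite mtimes freely."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_trees(known_good: Path, downloaded: Path) -> dict:
    """Classify every file as modified, added (only on the server copy) or
    missing (only in the known-good copy). Added files deserve as much
    attention as modified ones: a dropped backdoor is a brand-new file."""
    good, live = file_hashes(known_good), file_hashes(downloaded)
    return {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "added": sorted(live.keys() - good.keys()),
        "missing": sorted(good.keys() - live.keys()),
    }


def demo() -> dict:
    """Build two constructed sample trees in a temp dir and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "known_good"), Path(tmp, "downloaded")
        for base in (good, live):
            (base / "wp-content/themes/t").mkdir(parents=True)
            (base / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (base / "wp-content/themes/t/header.php").write_text("<html><head>\n")
        # Constructed differences: one theme file with appended code, one file
        # that exists only on the server, one file that exists only locally.
        (live / "wp-content/themes/t/header.php").write_text(
            "<html><head>\n<script>/* constructed injected marker */</script>\n")
        (live / "wp-content/uploads").mkdir()
        (live / "wp-content/uploads/x.php").write_text("<?php /* unexpected new file */ ?>\n")
        (good / "readme.html").write_text("<html>local only</html>\n")
        return compare_trees(good, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Run it against the two real directories with `compare_trees(Path("known_good"), Path("downloaded"))`; every path under "modified" and "added" is what to open in the editor first.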
Posted by fshagan, 02-11-2012, 02:15 PM |
First, try to find the code itself that is infecting your sites.
Check the infected site's "index.html" or "index.php" (or any "index" file with any extension) and look for a line either INSIDE the opening php tag or inserted at the very bottom of the file. For the opening php tag on a .php file, look for something like this:
That opening php tag should look something like this:
More commonly, you will see an "eval(base64" or encoded javascript line at the very bottom of the file. Often the hacker will insert 100 blank lines before it, so make sure you go to the very bottom of the file.
Post a PORTION of the string here ... maybe the first 100 characters ... and the application(s) you are running on your site if any (such as WordPress, Joomla, etc.). Or compare that file to a newly downloaded, known good file to see if the string appears in it.
Once you know it is malicious:
Select a portion of this very long encoded string, and copy it to your clipboard. Then, using a free text editor like PSPAD, choose "Search" > "Search / Replace in Files", use the "Selected Directory" button under "Search Scope", check off the "Include Subdirectories", and search every file in your downloaded copy of your site for the occurrence of that string. It may take a few minutes, but you should get a list of files.
|
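The "search in files" step fshagan describes, together with steps 5 and 6 of Dr_Michael's checklist, as an added example that is not from any poster in this thread: a Python script that walks the downloaded copy of the site and flags the three things named above (an `eval(base64_decode(...))` style call in PHP, encoded JavaScript, a long run of blank lines hiding code at the bottom of a file, and an `.htaccess` rewrite to another host), and optionally searches every file for a string copied from one infected file. The sample files in `demo()` are constructed; the base64 blob is a harmless placeholder, not a real payload.

```python
"""Scan a downloaded site copy for the injection patterns discussed in this thread."""
import re
import tempfile
from pathlib import Path

SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".ini"}

# Signatures named in the thread: eval of decoded PHP, encoded JavaScript,
# and an .htaccess RewriteRule that sends visitors to another host.
SIGNATURES = {
    "php-eval-decoded": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "js-eval-encoded": re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode)\s*\(", re.I),
    "htaccess-redirect": re.compile(r"^\s*RewriteRule\b.*\bhttps?://", re.I | re.M),
}


def padded_tail(text: str, min_blank: int = 50) -> bool:
    """True when a run of >= min_blank blank lines is followed by more content:
    the padding trick that hides an appended payload below the visible end."""
    run = 0
    for line in text.splitlines():
        if line.strip():
            if run >= min_blank:
                return True
            run = 0
        else:
            run += 1
    return False


def scan_tree(root: Path, needle: str = "") -> dict:
    """Return {relative path: [finding, ...]} for every suspicious file under root.
    `needle` is an optional literal (e.g. part of an encoded blob found in one file)
    to look for in all the others, like the editor's search-in-files."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or (path.suffix not in SCAN_SUFFIXES and path.name != ".htaccess"):
            continue
        text = path.read_text(errors="replace")
        hits = [name for name, rx in SIGNATURES.items() if rx.search(text)]
        if padded_tail(text):
            hits.append("blank-line-padding")
        if needle and needle in text:
            hits.append("contains-needle")
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo() -> dict:
    """Build a constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/themes/t").mkdir(parents=True)
        (root / "index.php").write_text("<?php\n// clean front controller\nrequire 'wp-blog-header.php';\n")
        blob = "Q09OU1RSVUNURUQgU0FNUExF"  # placeholder: base64 of "CONSTRUCTED SAMPLE"
        (root / "wp-content/themes/t/footer.php").write_text(
            "</body></html>\n" + "\n" * 100 + f"<?php eval(base64_decode('{blob}')); ?>\n")
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n")
        return scan_tree(root, needle=blob[:20])
```

On a real copy, call `scan_tree(Path("downloaded_site"))` first, then rerun with `needle=` set to a chunk of whatever encoded string the first pass surfaces, so every file carrying the same injection is listed.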
Posted by Beatplexity, 02-11-2012, 02:48 PM |
OK, well, I've gone into my template's index.php file and this is what I see:
And to answer a few of the questions you guys have been asking:
- I don't have any backup of the site.
- There is no hosting provider; I own the dedicated server (unmanaged) and host all the websites myself.
|
Posted by Dr_Michael, 02-11-2012, 03:08 PM |
This code seems clean (no infection).
Check your index.php home page.
|
Posted by Beatplexity, 02-11-2012, 03:11 PM |
Here is the public_html index.php:
|
Posted by Dr_Michael, 02-11-2012, 03:54 PM |
This is clean too. Check your .js files.
|
Posted by Beatplexity, 02-11-2012, 03:57 PM |
There are hundreds of JS files.
Is /public_html/wp-includes the right directory?
|
Posted by Dr_Michael, 02-11-2012, 03:59 PM |
Check these:
http://internetmarketinghustle.com/w...ripts/html5.js
http://internetmarketinghustle.com/w...n.js?ver=3.3.1
http://internetmarketinghustle.com/w...r.js?ver=3.3.1
http://internetmarketinghustle.com/w....easing.1.3.js
http://internetmarketinghustle.com/w...y.tools.min.js
http://internetmarketinghustle.com/w...loadify.min.js
http://internetmarketinghustle.com/w...r.js?ver=3.3.1
http://internetmarketinghustle.com/w...y.js?ver=3.3.1
http://internetmarketinghustle.com/w...a.js?ver=3.3.1
http://internetmarketinghustle.com/w...c.js?ver=3.3.1
http://internetmarketinghustle.com/w...m.js?ver=3.3.1
http://internetmarketinghustle.com/w...o.js?ver=3.3.1
http://internetmarketinghustle.com/w...r.js?ver=3.3.1
http://internetmarketinghustle.com/w...m.js?ver=3.3.1
http://internetmarketinghustle.com/w...i.js?ver=3.3.1
http://internetmarketinghustle.com/w...n.js?ver=3.3.1
|
Posted by Beatplexity, 02-11-2012, 05:40 PM |
What am I supposed to be looking for???
Is it definitely going to be called
|
Posted by Dr_Michael, 02-11-2012, 06:20 PM |
You are searching for either "php eval base64" code, or redirection to any unknown site.
If you can't find any infected file, then it may be your .htaccess or php.ini files.
|
Posted by tvcnet, 02-11-2012, 08:31 PM |
Sadly, she's still looking hacked at the moment.
|
Posted by Beatplexity, 02-12-2012, 05:05 AM |
I can't seem to find .htaccess or php.ini files.
Where will they be stored?
Could anyone recommend a good company that I can hire to fix my server and make it secure?
|
Posted by Dr_Michael, 02-12-2012, 05:16 AM |
In the root folder, outside of the public_html folder.
Sucuri is one of the companies that clean out malware, but I don't know if they are good at it. You should ask for somebody's help in order to locate the infected files! And after cleaning them, you have to update TimThumb and WP if needed.
|
Posted by Beatplexity, 02-12-2012, 08:18 AM |
Everything appears to be updated in my WordPress control panel.
I don't have a .htaccess file in the root folder.
I will post on the trade forum to see what offers I get.
|
Posted by bear, 02-12-2012, 09:13 AM |
Dot files are hidden by default. They would be visible via shell, or via FTP by adding a flag such as "-a". Most FTP programs have that ability, or a setting to show ".files".
|
Posted by fshagan, 02-12-2012, 10:48 AM |
Ah, WordPress.
Check the index.php file in the /wp-content/Themes/ folder. It may be the infection source.
There are a number of companies that advertise here in the Offers forums. I have never used them, but you can look for reviews of them if you see one that interests you.
You could also install http://configserver.com's Config eXploit Scanner (CXS), but that will cost $50. An open source alternative is LMD, Linux Malware Detect, which is similar. They may or may not be able to find the source of the infection.
I use CXS, and it can "deep scan" all the files for suspicious "fingerprints" of known scripts. You have to take care because you can get some false positives sometimes.
|
Posted by ssfred, 02-15-2012, 06:59 AM |
I would suggest you make a scan using "maldet". It is quite easy and efficient to a good extent.
|