HELP. i've got a virus


    it would seem that both my websites have virus threats.

    one is an online shop, obviously designed in Actinic v7, and the other is a static site i designed in frontpage

    the online shop has had a few problems and now google are warning about the site and my web host company have told me it's a code injection problem

    the static site - i thought was ok until today AVG flashed up a virus threat.

    fasthosts have advised that i need to find the code in the java or html and remove it.

    i am way out of my depth with this and not sure what to do next.

    can anyone offer me some advice.

    #2
    Download Firebug, view your site in Firefox and Bob's your uncle.



      #3
      you're looking for your index.html or php files; edit these and remove anything that has iframe in it

      you also need to change all your ftp passwords and run a spyware scan.

      This has probably happened because you have visited an infected site. Anything you do on your pc, including new passwords, will be copied until you remove it

      DO NOT DO ANY INTERNET BANKING



        #4
        Originally posted by guccij
        Download Firebug, view your site in Firefox and Bob's your uncle.
        will this remove the code injection? is it just on the server or is it on my hard drive?



          #5
          Originally posted by Darren B
          you're looking for your index.html or php files; edit these and remove anything that has iframe in it

          you also need to change all your ftp passwords and run a spyware scan.

          This has probably happened because you have visited an infected site. Anything you do on your pc, including new passwords, will be copied until you remove it

          DO NOT DO ANY INTERNET BANKING

          where am i looking for these files? in the folders on my hard drive or in the html/java?

          i can change passwords (haven't done it yet) but i ran avg, ad-aware and malware last night and it detected nothing.

          i am always internet banking - S**T!!!!



            #6
            My thoughts...
            First - change your FTP password.
            Second - open your site index.html page in your browser and view source - look for 'iframe' - which is a common method of infection. If you find it then delete the site and reupload the site.
            Third - check your local PC for viruses (but as you ran the checks already it sounds like it's only online)



              #7
              From past problems chasing one for three days. The infection is likely to be on your pc or a pc that has your ftp details for your website. The index files i mention are all on your server, the iframe is some code inserted into it with links to sites that contain the virus.

              You should find a clean pc, log into your webserver and change the ftp passwords; do not do it from your everyday pc. Also change all internet banking passwords and anything you want to protect.

              Forget AVG and all those AVs, they are crap at finding keyloggers; you need a spyware program. Sometimes these spyware programs will require manual deletion, including running windows in safe mode and from command prompts; it really depends on how nasty it is. Try spyware terminator and search and destroy for two free options, run these both and see what it comes up with.

              i am not trying to panic you but if you don't get rid of it properly you'll be back here in a week with the same problems. Good Luck



                #8
                Originally posted by caroline
                will this remove the code injection? is it just on the server or is it on my hard drive?
                This will show you where the code is. But changing your passwords etc is the first step.



                  #9
                  Originally posted by Darren B
                  From past problems chasing one for three days. The infection is likely to be on your pc or a pc that has your ftp details for your website. The index files i mention are all on your server, the iframe is some code inserted into it with links to sites that contain the virus.

                  You should find a clean pc, log into your webserver and change the ftp passwords; do not do it from your everyday pc. Also change all internet banking passwords and anything you want to protect.

                  Forget AVG and all those AVs, they are crap at finding keyloggers; you need a spyware program. Sometimes these spyware programs will require manual deletion, including running windows in safe mode and from command prompts; it really depends on how nasty it is. Try spyware terminator and search and destroy for two free options, run these both and see what it comes up with.

                  i am not trying to panic you but if you don't get rid of it properly you'll be back here in a week with the same problems. Good Luck
                  This was a very useful reply about AVG and spyware, time for me to learn a bit more.

                  cheers
                  malc



                    #10
                    ok

                    i've changed my ftp passwords on a clean laptop.

                    i then looked at my websites in internet explorer.

                    www.alpacaonline.co.uk and viewed the source on the index page, i couldn't see iframes anywhere and there was only about 23 lines of text.

                    www.alpacaknitwear.co.uk viewed the source the same and got an avg warning and a load of numbers in line 13 that isn't on the other website.

                    in theory these 2 sites should be identical as i load up the same files from front page and the online shop sits in the acatalogue folder in alpacaknitwear.co.uk site.

                    could this be my problem and where do i go from here?


                    Caroline
                    ps. thanks for all this advice, you wouldn't believe how much i appreciate it.



                      #11
                      Delete the files on the server for the problem site and reupload using your new FTP password.



                        #12
                        of course - that's logical. Doh!!!!

                        should i run any anti- spy/mal/virus stuff first?



                          #13
                          Make sure your PC is as clean as you can detect first.



                            #14
                            We have had two credit cards compromised this year which made me paranoid.
                            We run ESET Smart Security, but in our paranoia we then installed Spy Sweeper and Keyscrambler.
                            Spy Sweeper found lots of malware on our PCs, but none of it serious.
                            Keyscrambler just makes me feel protected!
                            A couple of months ago three of our websites were hacked by some lowlife modifying the .htaccess file which then intercepted calls from a google search listing and redirected them to their porn sites.
                            No idea how they got in, but it did highlight the fact we were using the same password for all our sites.

                            We completely cleared out the server and freshed into new hand-built directories just to be sure.

                            It's yet another good reason to ensure you keep regular snapshots and DB backups IMHO.
                            Kind Regards
                            Sean Williams

                            Calamander Ltd
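
The checks suggested in this thread (an iframe in the page source, a line that is just "a load of numbers", a .htaccess rule that redirects visitors arriving from a search listing) can be run over a downloaded copy of the site. The Python below is an added example, not code from any poster; the patterns, labels, function names and the sample site (with placeholder host example.invalid) are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns: assumptions for this example, not malware signatures.
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b|display\s*:\s*none""", re.I)
NUMBER_RUN = re.compile(r"(?:\d{1,3}\s*,\s*){30,}")  # a long list of small numbers
REFERER_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I)
PAGE_SUFFIXES = {".html", ".htm", ".php", ".js"}

def scan_file(path):  # returns [(line_number, label), ...]
    findings, referer_seen = [], False
    for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
        if path.name == ".htaccess":
            if REFERER_COND.search(line):
                referer_seen = True  # the condition applies to the next RewriteRule
            elif line.lstrip().lower().startswith("rewriterule"):
                if referer_seen and re.search(r"https?://", line, re.I):
                    findings.append((no, "referer-redirect"))
                referer_seen = False
            continue
        for tag in IFRAME.findall(line):
            findings.append((no, "hidden-iframe" if HIDDEN.search(tag) else "iframe"))
        if NUMBER_RUN.search(line):
            findings.append((no, "number-run"))
    return findings

def scan_site(root):  # walk a downloaded copy of the site, dotfiles included
    pages = [p for p in sorted(Path(root).rglob("*")) if p.is_file()
             and (p.name == ".htaccess" or p.suffix.lower() in PAGE_SUFFIXES)]
    return {p.relative_to(root).as_posix(): hits for p in pages if (hits := scan_file(p))}

def demo():
    # Constructed sample site; example.invalid is a placeholder host.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "shop").mkdir()
        (root / "index.html").write_text("<html>\n<body>Home</body>\n</html>\n")
        (root / "shop" / "index.html").write_text(
            '<body>\n<iframe src="http://example.invalid/" width="0" height="0"></iframe>\n'
            "<script>var a=[" + ",".join(map(str, range(40))) + "];</script>\n"
            '<iframe src="map.html" width="400" height="300"></iframe>\n</body>\n')
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteCond %{HTTP_REFERER} google [NC]\n"
                                        "RewriteRule .* http://example.invalid/ [R=302,L]\n")
        return scan_site(root)

if __name__ == "__main__":
    print(demo())
```

A finding marks a line to inspect by hand, not proof of infection: a visible iframe is often legitimate, which is why it is labelled separately from a zero-size one.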



                              #15
                              I would do it differently,

                              First delete all files on the server ALL FILES. if memory serves me well I think most ISPs offer a total restart of the server for you which would remove all hidden files as well

                              Second change ftp passwords and passwords of other software you use

                              Third scan your pc with as many virus and keylogger type software as you can get

                              When you are happy the pc is clean then re-load to server
                              Chris Ashdown

