I’m the webmaster of this website, and this error keeps happening. I’ve done everything suggested above, and it still happens. I send a “clean” version of the website, and within 3 hours the malicious code re-appears. I’m at my wit’s end now; I have no idea why this is happening, and am getting concerned, as the business the website is for gets most of its customers through the website, and because of the Google message regarding it being unsafe I’ve had to take the main part of it down.
If there’s anything you can suggest to help I would be more than grateful!
It looks like you are using Dreamweaver for your site. Are you storing the FTP password in it? There is a theory that some trojans can steal FTP passwords stored in Dreamweaver. I don’t have any proof, though.
I have found the solution (I hope so)… What you need to do is firstly block the
You need to give your files 644 privileges, and folders 755 privileges.
Then send a message to Google to rectify the warning.
I happened to find this IP’s details and found that this IP is from Europe. Firstly, I don’t have any visitors from Europe; second, after this IP the visitor is not showing any browser details; lastly, after this IP visitor my site was affected again. But yeah, blocking the IP is not the final solution… Even though I have blocked the IP, my site has been affected again. If anybody has any suggestion, please help me out…
Why do you say block that IP? Aren’t there hackers from IPs all over the universe? Don’t they do things like spoof their IP #s and such? Or use proxies? We have done all the recommended steps, but these hackers do it anyway and I have no idea how. Except it is the crappiest hosting service we could have chosen and they won’t refund our money.
Meanwhile is Anyone using servage.net for hosting? If you are, 99% chance the iframe injection has happened to you and you don’t even know it — they are the worst and they hate their customers because they will not do anything to help fix or secure their servers or help customers nor even admit they have a problem.
They blame their customers and offer no help to customise your security settings to prevent hackers — who return within hours to re-hack and reinject the malicious code injections.
Beware as the site warns. We discovered it too late.
We’ve been battling this one and other variations here at work for a while now.
We are 99.99% sure the root cause is FTP credentials being harvested on local machines via some unrecognized malware and being fed over to lists used by the ‘bad guys’. The bad guys then turn their scripts loose on these FTP accounts; they cruise through the site injecting the mentioned code into any file matching the criteria.
I don’t believe that this is always done through a compromised FTP login. This type of hack has now transformed into something very nasty. It actually has the ability to change the domain’s directory permissions to 777.
I also have some doubts, but it’s the best explanation I have when I see purely static HTML websites exploited. There is no way to inject SQL commands or some nasty script. And yes, using FTP, intruders can change file/directory permissions.
Do you have evidence that this exploit changes directory permissions to 777?
Do any of you have an update? We’ve been experiencing this problem also, except that there is no evidence in the event log, or IIS logs, or FTP logs. Do any of you have logfiles showing this exploit? I personally do not believe that it is FTP.
James, I checked your site and found the Gogo2me obfuscated iframe there so I removed the link to your site from your comment (so that other visitors don’t get infected if they click on your link).
You don’t actually need any programming skills. Just replace server files with a clean copy. Make sure your own computer is not infected by spyware. Then change all passwords. Don’t store your passwords inside programs that upload files to server. And consider contacting your hosting provider.
Thanks for the post and the comments. But I have a question:
Also, say I found and downloaded some antivirus software which correctly detects the malware that the injected IFRAME elements download (http://www.virustotal.com/analisis/3dfacd15cfe5b67d14a3d03b8ac27a32). If I scan the computer with them, am I 100% safe? Maybe that binary executable is just assistant software, which then downloads the virus itself?…
I am afraid that these are rhetorical questions, at least for now, but possible answers will be appreciated. :)
Every browser is vulnerable. Get yourself a decent antivirus and firewall. Update your browser and OS regularly. Move to a Mac or Linux to minimize security threats. If you are using Firefox, consider the NoScript plugin.
No antivirus is perfect. You can get the antivirus that detects that particular malware, but what about thousands of other viruses and spyware?
I first learned of the compromise when a twitter follower notified me of a malware alert when he came to my site.
I poked around and discovered the multitude of appended to the end of my source code.
A quick (grep -r "<iframe" .) in the console informed me that hundreds of pages had been hacked (index, home, main, default).
Long story short, I found a script that will go in and clean up your site. It was $10 and well worth it. You don’t have to know any code, so James, you’re in luck.
The code is only set up for “goooogleadsence . biz”, so if your attack is from a different site you have to change the name. The easiest thing to do is find and replace that URL with your pest URL, save, run, and repeat the process for other URLs. In my case I had 3 different ones.
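The grep above finds every iframe, legitimate embeds included, and the paid cleanup script is tied to one hard-coded domain. As an added example (not the commenter’s script, and not code from this page), the following Python scanner flags only iframes that look injected: ones that point at a domain you supply, that are 0×0 or 1×1, that are hidden with CSS, or that sit after the closing </html> tag, which is exactly where these injections get appended. It can also strip those tags out so you can compare the result against a clean copy. The sample page, the domain names and the file extensions are all constructed placeholders.

```python
import os
import re

# Constructed sample: a legitimate embed inside the page, plus a hidden iframe
# appended after </html>, the pattern described in this thread. Placeholder domain.
SAMPLE_INFECTED = (
    "<html><body><h1>Shop</h1>\n"
    '<iframe src="https://www.example.com/legit-embed" width="400" height="300"></iframe>\n'
    "</body></html>\n"
    '<iframe src="http://malicious-domain.example/in.php" width="1" height="1" '
    'style="visibility:hidden;position:absolute"></iframe>\n'
)

# Matches <iframe ...>...</iframe> or a self-closing/unclosed <iframe ...>.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe>|<iframe\b[^>]*/?>", re.I | re.S)
# Pulls name="value", name='value' or name=value pairs out of one tag.
ATTR_RE = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
SCAN_EXTS = (".html", ".htm", ".php", ".js")  # assumption: typical static/PHP site


def _attrs(tag):
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def _dimension(value):
    """'1', '1px' or '0' -> int; anything else (e.g. '100%') -> None."""
    value = value.strip().lower().removesuffix("px")
    return int(value) if value.isdigit() else None


def suspicion_reasons(tag, bad_domains=(), after_html_close=False):
    """Return the list of reasons an iframe tag looks injected (empty = looks fine)."""
    a = _attrs(tag)
    src = a.get("src", "").lower()
    style = a.get("style", "").replace(" ", "").lower()
    reasons = []
    if any(d.lower() in src for d in bad_domains):
        reasons.append("known-bad domain")
    w, h = _dimension(a.get("width", "100")), _dimension(a.get("height", "100"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        reasons.append("1x1 or 0x0 frame")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via CSS")
    if after_html_close:
        reasons.append("appended after </html>")
    return reasons


def scan_text(text, bad_domains=()):
    """Return [(tag, reasons)] for every iframe in text that looks injected."""
    html_end = text.lower().rfind("</html>")
    findings = []
    for m in IFRAME_RE.finditer(text):
        after_close = html_end != -1 and m.start() > html_end
        reasons = suspicion_reasons(m.group(0), bad_domains, after_close)
        if reasons:
            findings.append((m.group(0), reasons))
    return findings


def strip_suspicious(text, bad_domains=()):
    """Remove injected-looking iframes; return (cleaned_text, removed_count)."""
    html_end = text.lower().rfind("</html>")
    removed = 0

    def repl(m):
        nonlocal removed
        after_close = html_end != -1 and m.start() > html_end
        if suspicion_reasons(m.group(0), bad_domains, after_close):
            removed += 1
            return ""
        return m.group(0)

    return IFRAME_RE.sub(repl, text), removed


def scan_tree(root, bad_domains=(), exts=SCAN_EXTS):
    """Walk a site tree; return {path: [(tag, reasons), ...]} for files with findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), bad_domains)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    for tag, why in scan_text(SAMPLE_INFECTED, ["malicious-domain.example"]):
        print(", ".join(why), "->", tag[:60])
```

Run scan_tree against a copy of the web root first and review the report; once you are sure only injected frames are being flagged, strip_suspicious gives you the cleaned text to write back. The legitimate 400×300 embed in the sample passes every check, so it survives the cleanup.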
I’ve had the same problem on my test server these last few weeks. Thankfully I have nightly backups. Anyway, after some research I thought it might be related to PHP’s register_globals setting. Turns out I was right. The damn setting was on.
Now that I’ve cleared it, the attacks have stopped. You all might wanna check if your host has left it on in php.ini. If you can’t edit your php.ini file, just add “php_flag register_globals off” at the top of your root .htaccess file.
My site received the same attack recently…
I believe the FileZilla FTP credentials were being used by some virus…
Changed passwords to my FTP accounts, set file/directory permissions to 644/755, cleaned up my Windows system, and since then have moved to Ubuntu… didn’t see the attack again in the last two weeks.
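Several commenters in this thread recommend 644 for files and 755 for directories, and one reports the injection resetting directories to 777. As an added example (not code from this page or from any commenter), the following Python audit walks a site tree and reports every entry whose mode deviates from that baseline, lists the world-writable entries separately because those are the 777 symptom worth alerting on, and can apply the fix. The allowlist of script extensions that are permitted to keep the execute bit is an assumption; adjust it to your site.

```python
import os
import stat

FILE_MODE = 0o644
DIR_MODE = 0o755
# Assumption: CGI-style scripts that legitimately need the execute bit.
EXEC_OK_EXTS = (".cgi", ".pl", ".sh")


def expected_mode(path, is_dir):
    """Baseline mode for an entry: 755 for dirs and exec-allowed scripts, else 644."""
    if is_dir or path.lower().endswith(EXEC_OK_EXTS):
        return DIR_MODE
    return FILE_MODE


def _entries(root):
    """Yield (path, mode, is_dir) for root and everything below it, skipping symlinks."""
    st = os.lstat(root)
    yield root, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # never chmod through a symlink
            yield path, stat.S_IMODE(st.st_mode), stat.S_ISDIR(st.st_mode)


def audit(root):
    """Return [(path, actual_mode, expected_mode)] for entries off the 644/755 baseline."""
    findings = []
    for path, mode, is_dir in _entries(root):
        want = expected_mode(path, is_dir)
        if mode != want:
            findings.append((path, mode, want))
    return findings


def world_writable(root):
    """Return paths any user on the box can write to (the 777 symptom)."""
    return [path for path, mode, _ in _entries(root) if mode & stat.S_IWOTH]


def fix(root, apply=False):
    """Reset every deviating entry to its baseline; return the list that was (or would be) changed."""
    changed = audit(root)
    if apply:
        for path, _, want in changed:
            os.chmod(path, want)
    return changed


if __name__ == "__main__":
    import sys
    site_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, actual, want in audit(site_root):
        print(f"{oct(actual)} -> {oct(want)}  {path}")
    ww = world_writable(site_root)
    print(f"{len(ww)} world-writable entries")
```

Run it read-only first (fix with apply=False, or just audit) and look at the report; a handful of legitimate exceptions, such as upload directories the web server must write to, should be excluded deliberately rather than silently left at 777. Re-running world_writable on a schedule is a cheap way to notice the permission change described above before Google does.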