Avast WEBforum
Other => Viruses and worms => Topic started by: johnpatel on May 20, 2020, 01:01:17 PM
-
Hello,
Recently one Chinese hacker hacked my website and he placed some malicious scripts in some of the files. Also, he messed up my website homepage. It shows some hacking images with Chinese written language.
Then I took my website's backup on my computer and scanned all the website files in Avast software. But Avast does not track any malicious script files.
Can you please help me with how I can clean my website files using Avast?
Please let me know if you need any further details from me.
Thanks in advance
-
Is your website online now?
Check it here >> https://sitecheck.sucuri.net/
Post link to scan result
You may also upload and scan your website code here >> www.virustotal.com
Post link to scan result
-
I have scanned it in sucuri and it shows "Unable to scan your site. Timeout reached"
https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech
and virustotal shows all well.
https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection
Yes my website is live: https://www.gradecalculator.tech
I have restored my old backup after hack.
-
I have scanned it in sucuri and it shows "Unable to scan your site. Timeout reached"
https://sitecheck.sucuri.net/results/https/www.gradecalculator.tech
You may ask Sucuri why ... there is a chat
If you need website protection, Sucuri is the one to ask https://sucuri.net/
and virustotal shows all well.
https://www.virustotal.com/gui/url/02a9c97d15c3644c9ad2edafab1b6d24ba91f32cbaf9454972d3eba8bc46c8f5/detection
Did you just scan the URL? That is just a URL blacklist check.
You have to upload the HTML code as a file and scan it to see if it contains anything malicious.
-
Ok let me check.
Thanks for your advice and support.
-
I have uploaded my website files and folders to VirusTotal, and after the scan they gave me more than 50 files with malicious script.
Thanks to the support team for solving my issue.
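
Added example, not part of the thread: because an old backup was restored after the hack, one way to narrow down which files to upload for scanning is to hash the clean backup and the copy taken after the compromise, then list what differs. The directory names, the extension list and the sample files below are constructed assumptions; a changed hash only marks a file for review, it does not prove it is malicious.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of extensions a web server executes or serves as active content.
ACTIVE_EXT = {".php", ".phtml", ".js", ".html", ".htm"}

def hash_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_trees(clean_root, suspect_root):
    """List files added, modified or removed in suspect_root versus clean_root."""
    clean, suspect = hash_tree(clean_root), hash_tree(suspect_root)
    return {
        "added": sorted(suspect.keys() - clean.keys()),
        "modified": sorted(f for f in clean.keys() & suspect.keys()
                           if clean[f] != suspect[f]),
        "removed": sorted(clean.keys() - suspect.keys()),
    }

def review_first(diff):
    """Added or modified files the server would run or serve as script."""
    changed = diff["added"] + diff["modified"]
    return sorted(f for f in changed
                  if Path(f).suffix.lower() in ACTIVE_EXT or Path(f).name == ".htaccess")

def demo():
    """Build two small constructed trees (not real site data) and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for root in (clean, suspect):
            (root / "assets").mkdir(parents=True)
            (root / "index.html").write_text("<h1>Home</h1>\n")
            (root / "assets" / "app.js").write_text("console.log('ok');\n")
            (root / "assets" / "notes.txt").write_text("notes\n")
        # Constructed changes standing in for what a defacement leaves behind.
        (suspect / "index.html").write_text("<h1>replaced homepage</h1>\n")
        (suspect / "assets" / "new.php").write_text("<?php /* unexpected */ ?>\n")
        (suspect / "assets" / "notes.txt").unlink()
        diff = compare_trees(clean, suspect)
        return diff, review_first(diff)

if __name__ == "__main__":
    print(demo())
```

Against real data, call `compare_trees()` with the restored backup directory and the post-compromise copy, and start the review with the files `review_first()` returns.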
-
Some major configuration errors found, some scans fail for the web address you mention.
Here you have some improvement recommendations based on linting:
https://webhint.io/scanner/6621268d-f132-4637-9424-2ccc0900c31c
Here is a fileviewer scan for where your site is redirecting to:
https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Z313e2IuW15zLmZdfXRoLmd9YHB1YmxbXmA%3D~enc
Retirable jQuery libraries: bootstrap 3.4.1.min Found in -https://grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
Vulnerability info:
High 28236 XSS in data-template, data-content and data-title properties of tooltip/popover CVE-2019-8331
jquery 3.2.1.min Found in -https://grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
Vulnerability info:
Low CVE-2019-11358 jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution
Medium Regex in its jQuery.htmlPrefilter sometimes may introduce XSS
Javascript SRC -> error -> TypeError: Cannot read property 'style' of null
/public/:108
Javascript 11 (external 5, inline 6)
INLINE: (function() { let alreadyInsertedMetaTag = false function __insertDappDete
1,238 bytes
consent.cookiebot.com/uc.js
INLINE: function onSubmit(token) { $( "#w-form" ).submit(); } func
295 bytes
INLINE: checkNonCookieResponse(); function checkNonCookieResponse() {
934 bytes
grweb.ics.forth.gr/public/assets/js/jquery-3.2.1.min.js
grweb.ics.forth.gr/public/assets/js/bootstrap-3.4.1.min.js
INLINE: document.getElementById("currentYear").innerHTML = new Date().getFullYear()
84 bytes
grweb.ics.forth.gr/public/assets/js/animate.js
INLINE: $(document).ready(function() { $("#domain").focus(); //add
495 bytes
www.google.com/recaptcha/api.js?hl=el&render=onload
INLINE: onload();
9 bytes
ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes
ONCLICK: /* a.onclick = */ Cookiebot.renew()
35 bytes
Re: Externally Linked Host | Hosting Provider | Country
-eregpublic.eett.gr | Hellenic Telecommunications and Post Commision | Greece
-www.ics.forth.gr | Foundation of Research and Technology Hellas | Greece
Somehow you have to take this up with the hosting party.
Your domain is now pointing to a hosting party with a domain address on IP 185.201.11.156
that is hosted in Cyprus by person: Hostinger NOC
address: Hostinger International Ltd.
address: 61 Lordou Vyronos
address: Lumiel Building, 4th floor
address: 6023
address: Larnaca
address: CYPRUS
Does all this ring a bell?
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)