Author Topic: Getting Virus Warning when attempting to log onto my site.  (Read 2416 times)


Rajaiam

  • Guest
Getting Virus Warning when attempting to log onto my site.
« on: February 19, 2010, 11:00:36 PM »
Greetings, I would really like some assistance on overcoming an inability to log onto my website due to a virus warning. The site address is: hxxp://iamunlimited.org. Thanks for any help you may give.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Getting Virus Warning when attempting to log onto my site.
« Reply #1 on: February 19, 2010, 11:55:44 PM »
I've had a look (without much forensic expertise) and there is a hidden i-frame detected as a worm.
These types of warnings from the webshield are usually reliable.
In other words, it appears your site has been hacked and a hidden exploit inserted.
Windows 10,Windows Firewall,Firefox w/Adblock.

Rajaiam

  • Guest
Re: Getting Virus Warning when attempting to log onto my site.
« Reply #2 on: February 20, 2010, 12:15:54 AM »
Thanks for the reply. Any suggestions on how to remedy?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37600
  • Not a avast user
« Last Edit: February 20, 2010, 12:25:22 AM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89286
  • No support PMs thanks
Re: Getting Virus Warning when attempting to log onto my site.
« Reply #4 on: February 20, 2010, 12:29:47 AM »
The site appears to have been hacked with an iframe tag inside of a hidden div tag, which in its own right is highly suspect. See image where I have broken the line to make it easier to see.

avast is not alone in finding this suspect, http://www.virustotal.com/analisis/2e8d3aec48e195f7252850b2e99cf4965dcb81a474ed3f32ba7bdd959d172160-1266621651.

This is the target site of the iframe, a Chinese domain, also seen as suspect, http://safeweb.norton.com/report/show?name=grizzli-counter.com.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89286
  • No support PMs thanks
Re: Getting Virus Warning when attempting to log onto my site.
« Reply #5 on: February 20, 2010, 12:31:57 AM »
Quote
Thanks for the reply. Any suggestions on how to remedy?

- See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.

- This is commonly down to old content management software being vulnerable: PHP, Joomla, WordPress, SQL, etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

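Steps 1 and 3 of the host's checklist quoted above, together with the hidden-div iframe pattern described in Reply #4, can be checked over a downloaded copy of the site with a short script. This is an added example, not part of the thread or the host's own tooling; the function names, the regex heuristics and the placeholder domain `injected.example` are assumptions made for illustration.

```python
import os
import re

# <iframe> wrapped in a <div> styled display:none or visibility:hidden.
HIDDEN_DIV_IFRAME = re.compile(
    r"<div[^>]*style\s*=\s*[\"'][^\"']*(?:display\s*:\s*none|visibility\s*:\s*hidden)"
    r"[^>]*>(?:(?!</div>).)*?<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I | re.S)
# <iframe> hidden on its own by a width or height attribute of 0 or 1 pixel.
TINY_IFRAME = re.compile(
    r"<iframe(?=[^>]*\b(?:width|height)\s*=\s*[\"']?[01](?:px)?\b)"
    r"[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
# Apache directives that can send a visitor elsewhere; '#' comment lines never match.
REDIRECT_DIRECTIVE = re.compile(r"\s*(?:RewriteRule|Redirect\w*|ErrorDocument)\b", re.I)
ABSOLUTE_URL = re.compile(r"https?://[^\s\"']+", re.I)
PAGE_EXT = (".html", ".htm", ".php", ".aspx", ".cfm")

def scan_html(text):
    """Return (reason, iframe src) for every concealed iframe in a page."""
    hits = [("iframe in hidden div", m.group(1)) for m in HIDDEN_DIV_IFRAME.finditer(text)]
    hits += [("0/1-pixel iframe", m.group(1)) for m in TINY_IFRAME.finditer(text)]
    return hits

def scan_htaccess(text):
    """Return (reason, url) for redirect directives that name an absolute URL."""
    return [("redirect to absolute URL", url) for line in text.splitlines()
            if REDIRECT_DIRECTIVE.match(line) for url in ABSOLUTE_URL.findall(line)]

def scan_tree(root):
    """Walk a local copy of the web root; return (path, reason, url) findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            scan = scan_htaccess if name == ".htaccess" else scan_html
            if name == ".htaccess" or name.lower().endswith(PAGE_EXT):
                with open(os.path.join(folder, name), encoding="utf-8", errors="replace") as fh:
                    findings += [(fh.name, why, url) for why, url in scan(fh.read())]
    return findings

# Constructed samples; injected.example is a placeholder, not the domain in this thread.
SAMPLE_PAGE = ('<body><iframe src="/map.html" width="600" height="400"></iframe>\n'
               '<div style="display:none">\n'
               '<iframe src="http://injected.example/in.php" width="1" height="1"></iframe></div></body>')
SAMPLE_HTACCESS = ("RewriteEngine On\n# RewriteRule old http://old.example/\n"
                   "RewriteRule .* http://injected.example/landing [R=302,L]\nErrorDocument 404 /notfound.html\n")

if __name__ == "__main__":
    print(scan_html(SAMPLE_PAGE), scan_htaccess(SAMPLE_HTACCESS))
```

Every finding still needs a manual look: a legitimate redirect to your own canonical domain will be listed too, and injected script that is obfuscated rather than written as a plain iframe will not be.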