Our website has recently gotten a virus or something that writes a redirect in the index.html pages and adds a long list of URLs to the page. We use a template and the code has been attached after the </html> at the end of the page and outside the template (didn't know that was even possible). I removed the code in question, resaved the file, changed our passwords, scanned all our website for virus using Intego Virus Barrier. The next day all the files were reinfected with a different long list of URLs after the end of the page's coding. I removed this coding, resaved the file (thinking I was going crazy), and low and behold -- again, the same thing although the redirect coding on the first day was not added...just the long listing of URLs. I've looked for a virus fitting this description with no luck. I've contacted our webhost who claims its my problem and told me to do exactly what I had already done plus remove or update any software that was an addon or not from a reputable site. Which I did although any addon to the host site was through their control panel and supposedly legit.
The last major things done on our site was the addition of a forum page to the site (using approved forum software) and addition of google analytics to the index page (although that was done 2 months ago). We haven't found anything on our local machines (yet). We are using one PC with windowsXP and one MAC with OS 10.1.5 to manage the site using Dreamweaver. Both machines run the Intego Virus Barrier software supposedly constantly. The mac is updated and run manually by me weekly. The PC is updated remotely and supposedly run constantly via our local server.
Any thoughts? I'm attaching a doc file with the original coding -- the blue & red coding was what mysteriously appeared at the end of the file. The red coding keeps regenerating except it isn't the exact same list.
The sites affected are the index pages
www.southern.org and
www.enterprisesouth.biz. Both are on the same webserver.
Finally, this is the third time we've been attacked. Each on different web hosts. Once with the gumblar virus, once our database was removed, and now this. What are some tried and true suggestions to keeping the bad guys out?
