Pete Winter asked:

Virus on website

Hope you can help...

I have recently taken over this website: www.arml.co.uk

The owner has called me saying that someone has hacked the website and there is a virus on the site. They are not very clear on what the issue is, but I think it's related to pop-up windows.

The host has scanned the folder and files and everything seems okay, but when you visit the site on a PC you get a virus alert.

The host has suggested the hacker must have injected some code into the website or database.

The issue is that, as I did not create the website in the first place, it's hard for me to work out the issue.

Do you have any advice on what I can do to resolve this, and how do I work out where the issue is coming from?

Thanks
Yes, you have stuff appended in the jquery-1.4.2 file. Replace this with the original or, even better, call it in from the CDN.
Do you have a backup of the site? If so, maybe just replace it?
Replace the jquery file first and see if the error goes away. Load it from here:

http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js

or replace the one on your site.
Pete Winter (ASKER):

Ah yes, just seen that gytcnulxsxpsqkfn.ru script at the bottom of the code. Just downloading all files to search them.

stevepwales - How do you know it's in the "jquery-1.4.2min.j" file? I have done a search for "gytcnulxsxpsqkfn.ru" and nothing came up.
It's at the bottom of both .js files, but probably easier just to replace them with your offline copy.
Search your JS files for

/*qhk6sa6g1c*/

This is one of the tags they are surrounding the JS injection code with.
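The two checks suggested in this thread, as an added example that is not part of the original posts: search every .js file for the quoted marker tag, and compare a deployed file with a known-good copy to see whether content was appended to it. The comparison does not depend on knowing the injected string, which matters here because the asker's literal search for the domain found nothing. The file names, directory layout and sample contents in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Marker quoted in the thread; other infections may use a different tag.
MARKERS = [b"/*qhk6sa6g1c*/"]


def find_markers(root, markers=MARKERS):
    """Return {relative path: [byte offsets]} for .js files containing a marker."""
    hits = {}
    for path in sorted(Path(root).rglob("*.js")):
        data = path.read_bytes()
        offsets = [m.start() for marker in markers
                   for m in re.finditer(re.escape(marker), data)]
        if offsets:
            hits[path.relative_to(root).as_posix()] = sorted(offsets)
    return hits


def compare_to_clean(deployed, clean):
    """Classify a deployed file against a known-good copy of the same file.

    Returns ("clean", b""), ("appended", tail) when the good content is intact
    but extra bytes follow it, or ("modified", b"") for any other difference.
    """
    d, c = Path(deployed).read_bytes(), Path(clean).read_bytes()
    if d == c:
        return "clean", b""
    if d.startswith(c):
        return "appended", d[len(c):]
    return "modified", b""


def demo():
    """Scan a constructed site tree against a constructed clean reference."""
    with tempfile.TemporaryDirectory() as tmp:
        site, ref = Path(tmp, "site", "js"), Path(tmp, "ref")
        site.mkdir(parents=True)
        ref.mkdir()
        good = b"/* constructed stand-in for a library file */\nvar lib = {};\n"
        tail = MARKERS[0] + b"/* constructed placeholder */" + MARKERS[0]
        (ref / "lib.min.js").write_bytes(good)
        (site / "lib.min.js").write_bytes(good + tail)
        (site / "ok.js").write_bytes(good)
        hits = find_markers(Path(tmp, "site"))
        return hits, compare_to_clean(site / "lib.min.js", ref / "lib.min.js")


if __name__ == "__main__":
    print(demo())
```

A result of "modified" means the file differs in some way other than a trailing addition, so it should be replaced from the clean copy rather than trimmed.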
Thanks for all your help, everyone.

I have restored the two files below:

jquery-1.4.2.min.js
cycle.all.2.74.js

Has this removed the virus?

How would a hacker insert this code? Is it to do with the permissions of those files?
Might be worth sending your host an email to check they have the latest updates for Plesk, if that's what they use.
Yes, cannot see any traces of the virus now :)
Many thanks for all your help! :) If I could give you A++++ I would!