Pete Winter

Virus on website

Hope you can help...

I have recently taken over this website: www.arml.co.uk

The owner has called me saying that someone has hacked the website and there is a virus on the site. They are not very clear on what the issue is, but I think it's related to pop-up windows.

The host has scanned the folder and files and everything seems okay, but when you visit the site on a PC you get a virus alert.

The host have suggested the hacker must have injected some code into the website or database.

The issue is, as I did not create the website in the first place, it's hard for me to work out the issue.

Do you have any advice on what I can do to resolve this, and how do I work out where the issue is coming from?

Thanks
JavaScript, ASP, PHP

Last Comment: Pete Winter, 8/22/2022 - Mon
stevepwales

Yes, you have stuff appended in the jquery-1.4.2 file. Replace this with the original or, even better, call it in from the CDN.
JonathanHemmings

Do you have a backup of the site? If so, maybe just replace it?
stevepwales

Replace the jQuery file first and see if the error goes away. Load it from here:

http://ajax.microsoft.com/ajax/jquery/jquery-1.4.2.min.js

or replace the one on your site
Pete Winter

ASKER
Ah yes, just seen that gytcnulxsxpsqkfn.ru script at the bottom of the code. Just downloading all files to search them.

stevepwales - How do you know it's in the "jquery-1.4.2.min.js" file? I have done a search for "gytcnulxsxpsqkfn.ru" and nothing came up.
JonathanHemmings

It's at the bottom of both .js files, but probably easier just to replace them with your offline copy.
stevepwales

Search your JS files for

/*qhk6sa6g1c*/


This is one of the tags they are surrounding the JS injection code with.
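
A scanner for the search described in the comment above, written as an added example that is not part of the original thread: it flags comment tags shaped like `/*qhk6sa6g1c*/` in `.js` files and compares each file with the SHA-256 of a clean copy. The tag shape (8 to 12 lowercase characters including a digit), the function names and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Comment holding only a short lowercase token, shaped like the thread's
# /*qhk6sa6g1c*/ tag. Length range and "must contain a digit" are assumptions.
MARKER = re.compile(r"/\*((?=[a-z]*\d)[a-z0-9]{8,12})\*/")

def suspect_span(text):
    """Return tokens plus the span from the first to the last marker, or None."""
    hits = list(MARKER.finditer(text))
    if not hits:
        return None
    start, end = hits[0].start(), hits[-1].end()
    return {"tokens": [h.group(1) for h in hits], "start": start,
            "end": end, "at_end_of_file": text[end:].strip() == ""}

def scan_tree(root, clean_hashes=None):
    """Check each .js file under root for markers and against a clean SHA-256.

    clean_hashes maps file name -> hash of a known-good copy (keyed by name
    only, a simplification that assumes names are unique in the tree)."""
    findings = {}
    for path in sorted(Path(root).rglob("*.js")):
        data = path.read_bytes()
        span = suspect_span(data.decode("utf-8", errors="replace"))
        expected = (clean_hashes or {}).get(path.name)
        mismatch = expected is not None and hashlib.sha256(data).hexdigest() != expected
        if span or mismatch:
            findings[path.name] = {"span": span, "hash_mismatch": mismatch}
    return findings

def demo():
    """Constructed sample tree: one untouched file, one with a marked block appended."""
    clean = b"(function(){window.lib={version:'x'};})();\n"  # stand-in library body
    # Constructed, inert stand-in for an appended block; the first tag is from the thread.
    appended = b"/*qhk6sa6g1c*/void 0;/*ab12cd34ef*/\n"
    with tempfile.TemporaryDirectory() as root:
        Path(root, "lib.min.js").write_bytes(clean + appended)
        Path(root, "other.js").write_bytes(clean)
        digest = hashlib.sha256(clean).hexdigest()
        return scan_tree(root, {"lib.min.js": digest, "other.js": digest})

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Searching for the tag and checking hashes, rather than searching for the domain string, matters here because the asker's search for the domain found nothing in the downloaded files.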
Pete Winter

ASKER
Thanks for all your help everyone:

I have restored the two files below:

jquery-1.4.2.min.js
cycle.all.2.74.js

Has this removed the virus?

How would a hacker insert this code? Is it to do with the permissions of those files?
JonathanHemmings

Might be worth sending your host an email to check they have the latest updates for Plesk if that's what they use.
stevepwales

Yes, cannot see any traces of the virus now :)
Pete Winter

ASKER
Many thanks for all your help! :) If I could give you A++++ I would!