Need some web people to give second opinion on tracking a virus on a website

Posted on 2012-08-28
Last Modified: 2013-11-29
I have a client who is being told their website is spreading viruses, or specifically the Trojan Horse Generic_r.bat.  I do not handle the website design or hosting, only the internal network jobs.

The webmaster insists everything is fine, but we were flagged before with Google search (they were re-directing people who searched for us to a "This website is known to spread viruses" page and giving the user a choice to continue or not).  We reported it to them, they did something and it started working fine again.  Now, dial forward three months, I have a random external consultant telling us our website gave them a virus, twice.  Once it had to be cleaned, the other time it was picked up by the AV scanner she had loaded, both times soon after she went to the site.

I looked to see if there was a way to scan a website or its directory, but everything I see is for a local computer, not a web server.  Any tips on this?  It is really more for my own improvement, since the web host company is someone selected by the marketing company they contracted with to do their sales and marketing work, but I am interested in the tools they would use to try to prove or disprove this.
Question by: tsaico
    LVL 12

    Assisted Solution

    You could use HTTrack to download the web site and then scan it locally:
    LVL 16

    Accepted Solution

    When a website is suspected of spreading viruses it normally means it has been the subject of a "SQL Injection" attack, which is where some malicious script (normally Javascript) has been inserted into the content of a page.

    This was achieved either by submitting the script through a form, or more commonly by a remote controlled bot that searches through websites looking for vulnerabilities.

    The actual script is often a hidden iframe that in turn causes your browser to download a script from another server not associated with the website you are viewing. This is also sometimes referred to as an XSS or Cross Site Scripting attack.

    Finding the infection is the job of the developer/owner of the website, as they will need to scan through their database to find the infected pages and correct it. This is carried out on the database server (or in smaller hosting environments the web server).

    Now, if you use the HTTrack tool suggested above, you will certainly download the "infected" page, but it will not be identified by any conventional AV system. It will only be when you open the infected page in a browser on your local PC that the script will run.

    Beware, you will still get infected as the Iframe will load the script from the external site!

    HTTrack will not download the infection as it is called using Javascript, while HTTrack only uses conventional HTML links/urls to download pages.

    If the website has indeed been the subject of SQL Injection then it means that the underlying scripts that are producing the website are of a poor standard, and little or no security has been considered by the developer.

    Unfortunately, this level of coding/development is all too common on the web these days.
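    The answer above says the injected content is usually a hidden iframe or a script tag pulling from a server that is not the site's own. A small scanner for pages mirrored to disk (for example with HTTrack) can flag exactly those tags without ever rendering them in a browser. This is an added example, not code from the thread; the hostname `www.client.example` and the sample HTML are constructed for illustration.

```python
# Added example (not from the thread): flag hidden iframes and off-site
# script/iframe sources in HTML saved from a mirror such as HTTrack.
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionFinder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()   # the site's own hostname
        self.findings = []                   # (line, tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname or ""  # "" for relative paths
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        if host and host != self.site_host:
            reasons.append(f"off-site {tag} src {host}")
        if tag == "iframe" and (
            "display:none" in style or "visibility:hidden" in style
            or a.get("width") == "0" or a.get("height") == "0"
            or "width:0" in style or "height:0" in style
        ):
            reasons.append("hidden iframe")
        if reasons:
            self.findings.append((self.getpos()[0], tag, src, "; ".join(reasons)))


def scan_html(html, site_host):
    """Return a list of suspicious iframe/script tags found in one page."""
    p = InjectionFinder(site_host)
    p.feed(html)
    return p.findings


# Constructed sample resembling an injected page footer (not real malware).
SAMPLE = """<html><body><p>Welcome</p>
<script src="/js/site.js"></script>
<iframe src="http://evil.example/x.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for line, tag, src, why in scan_html(SAMPLE, "www.client.example"):
        print(f"line {line}: <{tag} src={src!r}> {why}")
```

    Run it over every `.html` file in the mirrored directory and compare hits against the site's own known include list; the local `/js/site.js` script is not reported, only the zero-size off-site iframe.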
    LVL 9

    Author Comment

    Thank you for a very informative post.  It seems the best way to help secure WordPress is one of several security plugins.  I did find some websites that said the site was fine, but AVG had said two reports of infection were turned in over the last 30 days.

    Since the plugins may or may not be installed already, I am not sure about their effectiveness, since any malicious code will already be in place, and all the plugins check for changes in code or page sizes, or a change in the checksum, all of which will stay the same if we are already infected.

    Hopefully the web company hired by the marketing company that was hired by the company I work with does their due diligence and gets it resolved.
