Need some web people to give second opinion on tracking a virus on a website

Posted on 2012-08-28
Medium Priority
Last Modified: 2013-11-29
I have a client who is being told their website is spreading viruses, or specifically the Trojan Horse Generic_r.bat. I do not handle the website design or hosting, only the internal network jobs.

The webmaster insists everything is fine, but we were flagged before with Google search (they were re-directing people who searched for us to a "This website is known to spread viruses" page and giving the user a choice to continue or not). We reported it to them, they did something and it started working fine again. Now a dial forward three months, I have a random external consultant telling us our website gave them a virus, twice. Once had to be cleaned, the other time it was picked up by the AV scanner she had loaded, both times soon after she went to the site.

I looked to see if there was a way to scan a website or its directory, but everything I see is for a local computer, not a web server. Any tips on this? It is really more for my own improvement, since the web host company is someone selected by the marketing company they contracted with to do their sales and marketing work, but I am interested in the tools they would use to try to prove or disprove this.
Question by: tsaico

Assisted Solution

Seaton007 earned 400 total points
ID: 38342114
You could use HTTrack to download the web site and then scan it locally: www.httrack.com
Accepted Solution

grahamnonweiler earned 1600 total points
ID: 38342609
When a website is suspected of spreading viruses it normally means it has been the subject of a "SQL Injection" attack, which is where some malicious script (normally Javascript) has been inserted into the content of a page.

This was achieved either by submitting the script through a form, or more commonly by a remote controlled bot that searches through websites looking for vulnerabilities.

The actual script is often a hidden iframe, that in turn causes your browser to download a script from another server not associated with the website you are viewing. This is also sometimes referred to as an XSS or Cross Site Scripting attack.

Finding the infection is the job of the developer/owner of the website, as they will need to scan through their database to find the infected pages and correct it. This is carried out on the database server (or in smaller hosting environments the web server).

Now, if you use the HTTrack tool suggested above, you will certainly download the "infected" page, but it will not be identified by any conventional AV system. It will only be when you open the infected page in a browser on your local PC that the script will run.

Beware, you will still get infected as the Iframe will load the script from the external site!

HTTrack will not download the infection as it is called using Javascript, while HTTrack only uses conventional HTML links/urls to download pages.

If the website has indeed been the subject of SQL Injection then it means that the underlying scripts that are producing the website are of a poor standard, and little or no security has been considered by the developer.

Unfortunately, this level of coding/development is all too common on the web these days.
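As an added example (not code from this thread or from HTTrack), here is a small Python scanner that does the part a conventional AV scan of a mirror will miss: it parses the HTML pages HTTrack saved to disk and flags hidden iframes and script or iframe sources that point off-site, which is where the injected loader described above usually sits. The site host name and the sample page are constructed for the demonstration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOST = "example.com"  # hypothetical: the mirrored site's own host name
# Inline styles typically used to keep an injected iframe out of sight
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d+", re.I)

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host.lower(), []
    def _offsite(self, src):
        host = urlparse(src).hostname
        return bool(host) and host.lower() != self.site_host
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes -> ""
        src = a.get("src", "")
        if tag == "iframe":
            tiny = {a.get("width", "").strip(), a.get("height", "").strip()} & {"0", "1"}
            if tiny or HIDDEN.search(a.get("style", "")):
                self.findings.append(("hidden-iframe", src))
            elif self._offsite(src):
                self.findings.append(("offsite-iframe", src))
        elif tag == "script" and self._offsite(src):
            self.findings.append(("offsite-script", src))  # CDNs show up here too: triage

def scan_html(html, site_host=SITE_HOST):
    p = InjectionScanner(site_host)
    p.feed(html)
    return p.findings

def scan_mirror(root, site_host=SITE_HOST):
    """Walk an HTTrack mirror directory; return {path: findings} for flagged pages."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.lower().endswith((".html", ".htm"))):
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as f:
                hits = scan_html(f.read(), site_host)
            if hits:
                report[path] = hits
    return report

# Constructed sample: the site's own script, a third-party one, and an injected 1x1 hidden iframe
SAMPLE = """<html><body><script src="/js/site.js"></script>
<script src="http://cdn.example.net/x.js"></script>
<iframe src="http://bad-host.invalid/load.php" width="1" height="1"
        style="visibility:hidden"></iframe></body></html>"""
```

Run `scan_mirror("/path/to/httrack/mirror")` against the downloaded copy; a hidden-iframe hit gives the developer the exact page (and the external host) to look for in the database or templates.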

Author Comment

ID: 38350587
Thank you for a very informative post. It seems the best way to help secure WordPress is one of several security plugins. I did find some websites that said the site was fine, but AVG had said two reports of infection were turned in over the last 30 days.

Since the plugins may or may not be installed already, I am not sure about its effectiveness, since any malicious code will already be in place, and all the plugins check for changes in code or page sizes, or a change in the checksum, all of which will stay the same if we are already infected.

Hopefully the web company hired by the marketing company that was hired by the company I work with does their due diligence and gets it resolved.
