How do I get rid of malware?
March 3, 2009 7:23 PM
How do you rid a web site of Malware?
People trying to google my website, allanhardy.com, are getting a warning that the site "appears to contain malware." What do I do?
Do you host or run your own box? If so, virus scan it. Also, what kinda error message is this? Is this message coming from Google? If so, read this blog and start from there.
posted by Davaal at 7:26 PM on March 3, 2009
Hmm, Avast Antivirus says:
Trojan horse found
Malware Name: JS:Packed-AK[Trj]
"JS" leads me to believe that it's a Javascript file.
posted by nikkorizz at 7:29 PM on March 3, 2009
Yep, they're right; there's a big hefty chunk of obfuscated javascript in your pages, right after the head tag. Your first step is to take that out; check every one of your .html files and remove that <script> tag and everything in it.
Beyond that my expertise runs out: personally I'd call it wipe-clean-and-reinstall time, but maybe others have less drastic suggestions.
posted by ook at 7:36 PM on March 3, 2009
Response by poster: The message is coming from Google and, while I did go to googleblog.blogspot.com, I didn't see a remedy to my problem.
posted by tangyraspberry at 7:41 PM on March 3, 2009
Best answer: Your problem is this:
(body tag)(script)function c271f17f2ch49a69da7229a1(h49a69da7231a7){ return (parseInt(h49a69da7231a7,16));}function h49a69da724990(h49a69da72517f){ var h49a69da725976='';h49a69da727991=String.fromCharCode;for(h49a69da72617f=0;h49a69da72617f
Open your index.html/index.php/index.whatever file, and remove that Javascript.
posted by SirStan at 8:38 PM on March 3, 2009
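A way to run the check ook and SirStan describe across a whole site, as an added example that is not part of the original thread: it flags inline `<script>` blocks that combine at least two of the markers visible in the quoted snippet (`String.fromCharCode`, `parseInt(..., 16)`, long hex-like identifiers) in `.html`/`.htm`/`.php` files. The function names, the marker heuristics and the sample page are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Inline <script> blocks only (no src= attribute); DOTALL so multi-line bodies match.
INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script\s*>", re.I | re.S)
# Heuristic markers modelled on the snippet quoted in this thread (assumed, not exhaustive).
MARKERS = {
    "fromCharCode": re.compile(r"String\s*\.\s*fromCharCode"),
    "hex parseInt": re.compile(r"parseInt\s*\([^)]*,\s*16\s*\)"),
    "random identifiers": re.compile(r"\b[a-z][0-9a-f]{10,}\b"),
}
PAGE_SUFFIXES = {".html", ".htm", ".php"}
# Constructed sample page: one external script, one injected-looking script, one benign script.
SAMPLE = (
    '<html><head><script src="menu.js"></script></head><body>'
    '<script>function h49a69da7229a1(x){return parseInt(x,16);}var f=String.fromCharCode;</script>'
    '<script>var total = parseInt("10", 10);</script><p>Hi</p></body></html>'
)

def suspicious_scripts(html, min_hits=2):
    """Return (offset, marker names) for inline scripts matching >= min_hits markers."""
    findings = []
    for m in INLINE_SCRIPT.finditer(html):
        hits = [name for name, rx in MARKERS.items() if rx.search(m.group(1))]
        if len(hits) >= min_hits:
            findings.append((m.start(), hits))
    return findings

def strip_suspicious(html, min_hits=2):
    """Return html with flagged inline scripts removed; other scripts are untouched."""
    def drop(m):
        hits = sum(1 for rx in MARKERS.values() if rx.search(m.group(1)))
        return "" if hits >= min_hits else m.group(0)
    return INLINE_SCRIPT.sub(drop, html)

def scan_tree(root):
    """Map each page file under root to its findings (files with none are omitted)."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            found = suspicious_scripts(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

if __name__ == "__main__":
    for name, found in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, found)
```

Run it against a downloaded copy of the site and review each hit by hand before deleting anything; a clean report only means these particular markers were not found.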
It's probably worth pointing out that while removing that injected javascript will solve the problem for now, whatever security hole the bad guys used to put it there in the first place is presumably still open. Unless this was just a drive-by attack, you're going to wind up seeing this again.
Tracking down exactly where the hole is and fixing it is not going to be easy, especially for a novice. At the very least you should change your password and check any cgi scripts you're using for vulnerabilities, but if you're concerned that they might have left themselves a back door running on your server you might be best off having your hosting company wipe it clean so you can start fresh.
posted by ook at 10:12 AM on March 4, 2009
posted by Inspector.Gadget at 7:26 PM on March 3, 2009