Iframe Web Virus: How to Guide


Recently I had more than 10 websites that received a bad site rating from Google, because the Google crawler found that these sites were distributing malware. On investigation, we found that the website code had somehow been modified and an iframe had been inserted into the HTML code, linking to a third-party website that was actually distributing the malware through our website.

I searched and read that not only my client but thousands of other people and web developers had the same problem, but none of them mentioned any method to protect against this attack. Only one of my sites got infected with this virus, while more than 50 sites remained safe. The infected site was corrected by a simple code patch, and more than 3 months later that website is still working fine without any fear of the same. Now let me explain why this virus infects a website and how it does that. Along with that, I will describe how you can protect your website.

  • The important thing to know about this virus is that it is indeed a virus/Trojan horse, not a hack of your website. Any good antivirus software with its latest updates will detect the virus.
  • The second important thing to know is that no web hosting is infected with this virus, and hosting companies cannot stop this attack at their level, so don’t blame your hosting company.
  • This virus will hit your website because of you or your developer (or any person who has FTP access to your website).

How does it get started?

Simple: a person who has FTP access to the website connects to that FTP server, and later the website gets infected. The background story is that if your machine has a Trojan horse, that Trojan horse does 2 things:

1. It steals your FTP password.

2. It keeps a file-change watch on your HTML files.

As soon as you change any HTML file on your machine, it modifies that file to put iframe code in it, so before you save and upload it over FTP, your file will probably already be infected. If it doesn’t change the file or fails to do so, a robot that might be running somewhere around the globe will use the FTP password it got from your machine, open the FTP connection, look for the DocumentRoot file, and change it to add an iframe tag.

This Trojan horse can be found under various names and using various methods: some variants only steal the FTP password, some only change files on disk, and some do both. Different antivirus products also show different names for it.

Now how can you get rid of it?

This is a good question, and the most important one. First get a machine that shows clean on an antivirus scan, or install one afresh from your trusted media. Install FTP software and download the complete website (HTML, PHP pages, etc.). Install a trial or paid version of Dreamweaver, or any free text editor that has a folder search-and-replace feature. Please do not install a pirated version, as your software crack may already carry the virus you are protecting yourself from.

Now open the index file, look for the iframe code, and do a search and replace across all your files. This will probably take 10-15 minutes, and your website is clean.

Zip all the source in one place for backup, and upload the clean files back over FTP. But before you re-upload, change the FTP password.

Chances are you might still get hit again by this attack, but you have a ZIP folder that is clean and that you have protected from the virus attack, so you just have to re-upload it after an attack.
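The folder-wide search and replace described above can also be scripted. The following is an added example, not code from the original post: it lists every `<iframe>` in a downloaded site copy whose `src` points to a host you do not own and, when asked, strips those tags. The extension list, function names and `.example` host names are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

SITE_EXTENSIONS = {".html", ".htm", ".php", ".js"}  # assumption: types in the site copy
# An <iframe> tag, plus its closing tag when only plain text sits between them.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:[^<]*</iframe\s*>)?", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Constructed sample page: one injected frame, one same-site frame.
SAMPLE = ('<body><p>Welcome</p>'
          '<iframe src="http://malware.example/in.php" width=1 height=1></iframe>'
          '<iframe src="/map.html"></iframe></body>')

def find_foreign_iframes(html, own_hosts):
    """Return (tag, host) for each iframe whose src host is not in own_hosts."""
    hits = []
    for match in IFRAME_RE.finditer(html):
        src = SRC_RE.search(match.group(0))
        if not src:
            continue
        try:
            host = (urlparse(src.group(1)).hostname or "").lower()
        except ValueError:      # malformed URL: report it rather than skip it
            host = src.group(1)
        if host and host not in own_hosts:   # relative URLs have no host
            hits.append((match.group(0), host))
    return hits

def strip_foreign_iframes(html, own_hosts):
    """Remove every off-site iframe and leave all other markup untouched."""
    for tag, _host in find_foreign_iframes(html, own_hosts):
        html = html.replace(tag, "")
    return html

def clean_tree(root, own_hosts, dry_run=True):
    """Report {file: [hosts]} for a site copy; rewrite the files unless dry_run."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SITE_EXTENSIONS:
            continue
        text = path.read_bytes().decode("latin-1")  # lossless for any byte content
        hits = find_foreign_iframes(text, own_hosts)
        if hits:
            report[str(path)] = [host for _tag, host in hits]
            if not dry_run:
                cleaned = strip_foreign_iframes(text, own_hosts)
                path.write_bytes(cleaned.encode("latin-1"))
    return report
```

Call `clean_tree("site_copy", {"www.yoursite.example"})` first in its default dry-run mode and review the reported hosts before rerunning with `dry_run=False`. It matches only literal `<iframe>` tags, so frames written out by script need a separate check.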

To remove the virus permanently, you have to format your infected machine and leave behind all files, especially any executable file, on that machine. I tried for 2 days to get rid of that virus when my machine got infected; I used 10+ spyware and malware removers, but all failed.

How do you protect yourself?

1. Do not use any crack/keygen, especially on a machine that has FTP software.

2. Do not connect to the Internet or LAN when you use a crack or keygen.

3. Don’t visit any adult website or anything else that can bring a virus.

4. Trust your old media for installation, and use original software.

5. PHP websites are the main target of this virus; I never saw any .NET or JSP website infected.

6. .NET websites mostly get infected with this virus through SQL injection attacks.

7. Hire a developer who can protect himself and his machine from viruses, and if not, who can at least be available to you with enough resources. Once the Google crawler reaches your website while it is infected, your website will be shown with “Virus infect website” in Google search, and when you try to open your website in Firefox or Chrome it shows a RED BADWARE website warning.

I hope this guide helps to get you going. If not, I think I have earned enough expertise with those 10+ websites that I fixed to fix your website soon … after all, I love more business too… Best of luck.
