Thread Starter
8gomad
(@8gomad)
Some additional info: The virus warnings seem to happen to people viewing in IE or Chrome. Firefox users are reporting that it is loading fine. Safari users are seeing the white space. I use Chrome but don’t get the virus warning, I do get the white space though.
Thread Starter
8gomad
(@8gomad)
I completely deleted and re installed everything, but today the same problems are being reported. The only browser that seems to be unaffected is Firefox. Can anyone help?
Post the generated source code of your homepage in the pastebin: http://pastebin.com/
People should not click on your link since your site might be infected.
Thread Starter
8gomad
(@8gomad)
This is the code from ‘view source’ I notice there’s a whole load of stuff before the HTML starts.
http://pastebin.com/raJVKHaP
Normally there shouldn’t be anything before your <!DOCTYPE html> line.
Can you paste the contents of your header.php file into another pastebin?
Thread Starter
8gomad
(@8gomad)
I’m not sure what’s going on here – where all that <script> code before your doctype is coming from. I hope someone else has some ideas. I’m guessing that’s what’s triggering the virus alert.
There is hidden iframe with a link in it pointing to //clck.ru/7qKy in the domain //8gomad.co.uk and two inline scripts outside of the html tag on the sub-domain //blog.8gomad.co.uk.
The scripts however, may be legit. function createCSS(selector,declaration){var ua=navigator.userAgent.toLowerCase();var isIE=(/msie/....
You should confirm that they are.
http://www.google.com/safebrowsing/diagnostic?site=clck.ru
http://www.google.com/safebrowsing/diagnostic?site=blog.8gomad.co.uk
Thread Starter
8gomad
(@8gomad)
What does that mean? How can I get rid?
What does that mean? How can I get rid?
On your home page at 8gomad.com.uk, just before the closing body tag, there is a hidden iframe.
<iframe src=...//clck.ru/7qky width"0" height"0" frameborder="0"></iframe>
…at the very least, it needs to be removed, and you need to find out how it got there in order to prevent it happening again.
You will also see one of the inline scripts on that same page, just after the opening body tag. You need to verify that it belongs there and is legitimate. Then you should do the same with the scripts on blog.8gomad.co.uk.
Thread Starter
8gomad
(@8gomad)
I’ve deleted the dodgy html from 8gomad.co.uk, but not sure how to do the same for blog.8gomad.co.uk as it’s all php/css and I don’t have a clue what to do!
Thanks for all your help thusfar π
Clayton: That bit of code at the top is malicious even though it looks legit.
Post some details about it here:
http://sucuri.net/malware/malware-entry-mwjs612
*seeing some other sites infected with it.
