Hi, this is the first time I have posted a topic here.
I need some help removing a malicious script from my website.
Several months ago, in preparation for my new business, I bought a gig online which included website design and hosting for a year.
I had almost no problems with the site itself until two days ago, when I tried to add more info to the site and was unable to open it.
My Norton Internet Security blocked my site and detected "Web Attack: Malicious JavaScript Redirection 6" from my site.
After a live chat session with Norton I decided to submit my site to be checked for a false positive; much to my surprise, Norton found that my website contains a malicious script that redirects the user to an Angler Exploit Kit by means of an iframe.
I tried to contact the guy who hosted and designed my website, but for some reason I was unable to reach him.
Seeing this situation, I planned to ask for some expert help to move my website to new hosting very soon, as I still have access to the admin account on my website.
However, I fear that simply moving the hosting to another site might not be enough to remove the threat. I am afraid that I will still get the same problem after that, and it might hurt the reputation of my website.
I have no experience in website building and editing, so I would need to ask an expert to help me fix the website; in order to do that I would need info on the script that I need to remove from the website.
If possible I would like to ask for some help in identifying all the scripts that I need to remove from my website so that I can access it again.
The website in question is aplus-promo(dot)com
The reply to the false positive query reported that the script in question begins with:
var a='';setTimeout(10);if(document.referrer.indexOf(location.protocol+"//"+location.host)!==0
I want to know, is the above script all I need to remove from my website in order to solve the problem?
If there are more, can someone help me identify them so that I can give the info to the one who will help me fix the website and move the hosting later?
When the new site is finished, please register it with the Safe Web site, place your new Meta Tag on the site and let me know when you have done this.
I will check that the Meta Tag is there and visible. I will then notify the Safe Web Team to verify the site ownership and have them evaluate the website. So please post here when you have the Meta Tag in place.
I decided to make an entirely new website with a new domain and take down the old one.
I already asked the guy who is currently building my new site to remove the old one from my domain, so aplus-promo(dot)com should no longer be accessible, though since it's DNS stuff it might take a day or two before it's truly gone.
For the new site, I am the one who owns the hosting, so I should have more freedom with it. I also plan to add more security later on when the site is up, most likely from GoDaddy.
Thanks for the help and suggestions, guys, it really helped me a lot.
After you get your website set up and it's clean and the way you want it, may I suggest that you get a free imaging program. Then you can take an image of the site and use that image if the site should become infected again. If one is used, you wouldn't have to start from scratch rebuilding the site again.
At this point I am really unable to get in contact with the guy who set up the website...
I have control over DNS, I think; I am the one who owns the domain name, at the very least, so as long as I can upload the site to new hosting it should be fine.
But other than that, the only thing that I have is access to the admin account on my site...
I found a service on Fiverr that claims they can help me download the site, clean it and re-upload it to my new hosting, but at this point I really would like to be extra careful and need to discuss it with my partner first...
In any case, I will still need to purchase a security/anti-malware plan from either Quttera or GoDaddy after this...
I will update the situation once there is new development.
You have absolutely no way to contact the person who set this up for you? If you don't have full access, you may not be able to download critical portions of the site (WP database).
Even if you can get all the files, the new hosting company may detect and flag the malicious payloads as you upload them.
Additionally, if you do not have access to the domain name's DNS records, you will not be able to point your website name to a new server.
To be honest, I am currently encountering a heavily sticky situation....
It seems that Quttera will need info and access to the hosting ID, which I don't have since I am not the person who hosted the site in the first place.
My only choice in this situation seems to be manually exporting the site (assuming it is possible) and re-uploading it to new hosting before I can ask Quttera to clean or fix it.
I do believe this is risky, as the malware will still remain if I do that, but my only other choice is to start from scratch.
I am really in a bind here...
I am currently trying to contact Quttera to inquire about the details that I need to clean my website.
I just hope that I have enough details to use their service, as the only thing I have is access to the admin account on the site...
Q. Which website do you recommend I should use to clean mine?
A. I am not in a position to personally recommend any of the companies listed because I have not used them. However, they all carry a good public reputation and I believe them to be reliable. An internet search on these companies might give you some more insight.
Q. can you tell me more about "security of your admin credentials and the structural integrity of your site."
I will definitely change my admin account password for the sake of safety, but a bit more detail won't hurt.
A. That is too involved to get into here, but you can start with this: Hardening WordPress
Q. Also, I just want to ask for the sake of reference: building a new website from scratch and putting it on the old domain will also work, right?
A. Yes, as long as you really start from scratch and do not download any infected files and re-use them. You can shut down your old site by deleting all the files on that hosting server. Once you delete these files, your website will no longer exist, so you should have the next steps ready to go.
Select a new hosting provider and upload a new, clean copy of your website. As long as you have control over your domain name DNS Records, simply point it to the new hosting servers. The server information will be provided by the new hosting company. Here is a video showing how to point your domain name. You do not have to use the companies named in the video. When this is complete, it may take a few hours for your website to propagate across the internet (show up).
I am planning to discuss it with my partner first, as we haven't decided on new hosting for the website and how much it will cost.
Which website do you recommend I should use to clean mine? Sucuri or Quttera?
If either is fine, I would like the opinion of an expert...
Can you tell me more about "security of your admin credentials and the structural integrity of your site"?
I will definitely change my admin account password for the sake of safety, but a bit more detail won't hurt.
Also, I just want to ask for the sake of reference: building a new website from scratch and putting it on the old domain will also work, right?
Sure, I will go through the hell of data entry again, but with all these problems I feel that I might as well start from the beginning; it feels safer and cleaner...
I am really sorry for what you are going through, however simply moving the site will not solve the problem. If you look at the Sucuri report, you can see that the malicious payloads are embedded in your code. Move the site and the malware will come along with everything else.
If you cannot access the site directly, you can use an FTP client such as the free FileZilla to download the WP files, but since WordPress also relies upon a database, you will need to get that too. I do not use WordPress, so I can only advise you to a limited extent.
Please realize that once the files are cleaned, you will need to check the security of your admin credentials and the structural integrity of your site.
So if you are not familiar with website building, do not try to fix this yourself.
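The reply above makes the practical point: once the files and the database have been pulled down over FTP, anything injected into them comes along to the new host. Before re-uploading, it is worth at least grepping the download for the fragment quoted in the opening post (`document.referrer.indexOf(location.protocol+"//"+location.host)!==0`, a gate that only fires for visitors who did not arrive from the site itself, so the owner browsing his own pages never sees the redirect) and for the iframe shape Norton described. The following is an added example, not code from this thread or from any of the services named in it; it scans a downloaded tree plus a mysqldump for that signature and for two generic heuristics (hidden iframes, decode-then-eval wrappers) that are assumptions of mine rather than findings from the page. The miniature site it builds is constructed for the demo.

```python
"""Offline triage scanner for a downloaded WordPress tree and its database dump.

Added example, not code from the thread. Looks for the referrer-gated redirect
fragment quoted in the opening post plus two generic heuristics (assumptions).
"""
import re
import tempfile
from pathlib import Path

RULES = {
    # Rule 1: the fragment quoted in the opening post. The injected code only runs
    # when the visitor did NOT come from one of the site's own pages.
    "referrer_gated_redirect": re.compile(
        r'document\.referrer\.indexOf\(\s*location\.protocol\s*\+\s*["\']//["\']'
        r'\s*\+\s*location\.host\s*\)\s*!==\s*0'),
    # Rule 2 (assumption, generic heuristic): an iframe the visitor cannot see,
    # the usual way an exploit-kit landing page is pulled in.
    "hidden_iframe": re.compile(
        r'<iframe[^>]*(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|display\s*:\s*none)',
        re.IGNORECASE),
    # Rule 3 (assumption, generic heuristic): decode-then-execute wrappers that
    # hide the real payload from a casual look at the file.
    "eval_decoder": re.compile(
        r'eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\s*\(', re.IGNORECASE),
}

# mysqldump writes each INSERT as one long line, so a .sql dump of wp_posts can be
# scanned line by line exactly like a theme file.
SCAN_SUFFIXES = {".php", ".js", ".html", ".htm", ".sql"}


def scan_text(name, text):
    """Return (name, line_number, rule, excerpt) for every rule hit in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if m:
                start = max(0, m.start() - 20)
                findings.append((name, lineno, rule, line[start:m.end() + 20]))
    return findings


def scan_tree(root):
    """Walk a downloaded site (and any .sql dump placed in it) and collect findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(path.relative_to(root).as_posix(), text))
    return findings


def build_sample(root):
    """Write a constructed miniature site: a clean footer, a theme header carrying
    the referrer-gated script, and a wp_posts dump with a hidden iframe in a post."""
    root = Path(root)
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
    (theme / "header.php").write_text(
        "<?php wp_head(); ?>\n"
        "<script>var a='';setTimeout(10);if(document.referrer.indexOf("
        "location.protocol+\"//\"+location.host)!==0){/* redirect omitted */}"
        "</script>\n")
    (root / "wp_posts.sql").write_text(
        "INSERT INTO `wp_posts` VALUES (12,1,'2015-06-01','Welcome',"
        "'<p>Hello</p><iframe src=\"http://example.invalid/x\" "
        "width=\"0\" height=\"0\"></iframe>');\n")
    return root


def demo():
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample(tmp))


if __name__ == "__main__":
    for name, lineno, rule, excerpt in demo():
        print(f"{name}:{lineno}: {rule}: ...{excerpt}...")
```

A clean scan is not proof of a clean site (the thread's scanners reported several distinct payloads, and obfuscation varies), but a hit is proof that the download must not be re-uploaded as-is. Point `scan_tree()` at the real download and at the dump produced with `mysqldump`, and hand the findings to whoever does the cleanup.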
I am indeed planning to move the site, but I wonder whether simply moving the site directly to new hosting will make the problem disappear.
If I can't fix the problem before moving the site to new hosting, I fear that even on the new hosting I will still get a similar problem; that's why I want to ask whether it's possible to fix it first.
Sadly enough, I can't get in contact with the guy who designed the website; his account on the website where I contacted him was somewhat unavailable, and the support team of the site said that they can't give away any private info about the guy due to their privacy policy. This taught me a thing or two about buying gigs online, ugh...
My website uses a WordPress theme, and before this happened I remember seeing a plugin that could allow me to download the website data for backup purposes. That said, I can't access it due to Norton blocking the site. I could ask for some expert help to download it and move it to a new hosting server, but I am still afraid that if I simply do that the problem will persist.
So, my current questions are:
Will the problem persist if I simply move the website to new hosting?
Also, what are the processes involved in asking a legitimate company to clean my website? I would like to know as much detail as possible.
You asked, ”… is the above script is all I need to remove from my website in order to solve the problem?”
Unfortunately the answer is no. Both bjm_ and Krusty13 have demonstrated that there are multiple serious problems with your site. You have at least 6 malicious payloads. I checked with another online site scanner which returned the same serious results: http://quttera.com/detailed_report/www.aplus-promo.com
If you have no knowledge of website design I suggest the following:
Contact ‘the guy’ who sold you this package and get him to fix it right away.
If you can't contact him, call the hosting company. They should have a vested interest in keeping their servers clear of malware. If they won't help, then get ready to move your site.
If you can’t contact this person or the hosting company, use a legitimate company to clean your site. You can do a search or use either of the sites already mentioned in this thread as they provide that type of service.
As soon as your site is clean, immediately move it to a legitimate hosting company in the region where your business resides. If you are in the US, send me a Private Message and I will be happy to provide you with a few very reliable hosting services I use.
It is imperative that you address this immediately. Not only will you be directly losing business due to the malware, but this will adversely affect your search ranking.
I will ask the Safe Web Team if someone there can tell you how to clean up the site. Please stay tuned for a report back from them. Once it is cleaned up, you can get ownership verified and have it evaluated as well, so it can be rated Green.