New Site Install Giving Malware Warning?

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
BeateNetworks
Regular
Posts: 6
Joined: Sat Jul 19, 2008 6:53 am

New Site Install Giving Malware Warning?

Post by BeateNetworks »

Hi,

I recently installed a fresh version of the latest official release along with the Costa Nature theme. I made no mods to the code, I made a small change to the template (different header pic), and only installed official plugins from this site.

Now I am getting some messages from a couple of end users that their virus scanners are warning of malware on the site. Does anyone have a recommendation on what I should look at to address this:


[Image: screenshot of the virus scanner warning]

The message in the photo says:

Anyway, it says:

File name htto: //wertionase.com/cache/pdf.php
Malware name: JS-Agent-BQ(Expl)
Malware Type: Exploit

When I run the site in Windows XP using Avast, I do not get any warnings, but some Avast and Norton users are. I'm stumped.

Thank you in advance for any pointers.

Allison
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: New Site Install Giving Malware Warning?

Post by garvinhicking »

Hi!

What's your URL?

Regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
BeateNetworks
Regular
Posts: 6
Joined: Sat Jul 19, 2008 6:53 am

Re: New Site Install Giving Malware Warning?

Post by BeateNetworks »

garvinhicking wrote:
Hi!

What's your URL?

Regards,
Garvin

Hi Garvin,

The URL is:

http://www.BeateNetworks.com/designer

Thank you,
Allison
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: New Site Install Giving Malware Warning?

Post by garvinhicking »

Hi!

Yeah, your page contains malware. I assume it is inserted into the "index.php" file. The signature looks like a trojan/virus that spreads by keylogging your FTP credentials, and using this to insert code into files it can access with those passwords.

You need to:

1. Scan all PCs that had FTP access to your site and try to remove the trojan/viruses. Do this VERY THOROUGHLY.

2. Change ALL your FTP passwords of every site you accessed using that PC.

3. Change all your passwords in Serendipity and other tools on your webpage.

4. Do a search on all files on your homepage and search for this "F6FA9E" part. Remove this nasty javascript in all files you find it in. Usually those are only index.html or index.php pages.

Regards,
Garvin
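Garvin's fourth step as an added script (not part of this thread or of Serendipity): it walks a web root, lists the files whose bytes contain the "F6FA9E" marker, and strips the <script> element carrying it after copying the original aside for analysis. The sample site it builds, including the script body, is constructed here as a placeholder; the real injected code is not reproduced.

```python
import os
import re
import shutil
import tempfile

MARKER = b"F6FA9E"                              # string the thread says to search for
EXTENSIONS = (".php", ".html", ".htm", ".js")    # file types the injector rewrites

# One <script>...</script> element containing MARKER; the tempered dot
# "(?:(?!</script>).)" keeps a match from spanning two script elements.
SCRIPT_RE = re.compile(
    rb"<script\b[^>]*>(?:(?!</script>).)*?" + re.escape(MARKER)
    + rb"(?:(?!</script>).)*?</script>", re.IGNORECASE | re.DOTALL)

def find_infected(root, marker=MARKER):
    """Return sorted paths under root whose bytes contain marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    if marker in fh.read():
                        hits.append(path)
    return sorted(hits)

def clean_file(path):
    """Strip every marker-bearing <script> block from path after copying the
    original to path.infected for analysis; return the number removed."""
    with open(path, "rb") as fh:
        data = fh.read()
    cleaned, count = SCRIPT_RE.subn(b"", data)
    if count:
        shutil.copy2(path, path + ".infected")
        with open(path, "wb") as fh:
            fh.write(cleaned)
    return count

def make_sample_site():
    """Constructed web root: a clean template and an index.php with an injected
    tag whose body is a placeholder, not the real payload."""
    root = tempfile.mkdtemp(prefix="s9y_")
    os.makedirs(os.path.join(root, "templates"))
    with open(os.path.join(root, "templates", "clean.html"), "wb") as fh:
        fh.write(b"<html><body>Hello</body></html>\n")
    with open(os.path.join(root, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'blog'; ?>\n<script>/* F6FA9E */ "
                 b"var x = 'constructed placeholder';</script>\n")
    return root
```

Run find_infected() on the real document root first and review the .infected copies before trusting the cleaned pages; a file the injector rewrote may also carry changes the marker search does not catch.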
BeateNetworks
Regular
Posts: 6
Joined: Sat Jul 19, 2008 6:53 am

Re: New Site Install Giving Malware Warning?

Post by BeateNetworks »

garvinhicking wrote:
Hi!

Yeah, your page contains malware. I assume it is inserted into the "index.php" file. The signature looks like a trojan/virus that spreads by keylogging your FTP credentials, and using this to insert code into files it can access with those passwords.

You need to:

1. Scan all PCs that had FTP access to your site and try to remove the trojan/viruses. Do this VERY THOROUGHLY.

2. Change ALL your FTP passwords of every site you accessed using that PC.

3. Change all your passwords in Serendipity and other tools on your webpage.

4. Do a search on all files on your homepage and search for this "F6FA9E" part. Remove this nasty javascript in all files you find it in. Usually those are only index.html or index.php pages.

Regards,
Garvin

Thank you Garvin. I'm assuming this is a Windows issue and not OSX or Linux?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: New Site Install Giving Malware Warning?

Post by garvinhicking »

Hi!

The virus/trojan is most active in Windows environments, but it could surely also exist for MacOS or Linux clients.

Regards,
Garvin
BeateNetworks
Regular
Posts: 6
Joined: Sat Jul 19, 2008 6:53 am

Re: New Site Install Giving Malware Warning?

Post by BeateNetworks »

garvinhicking wrote:
Hi!

The virus/trojan is most active in Windows environments, but it could surely also exist for MacOS or Linux clients.

Regards,
Garvin

Thank you again Garvin. This is quite a scary thing. Is there a software tool you would recommend for me to scan the site in the future?

Thank you,
Allison
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: New Site Install Giving Malware Warning?

Post by garvinhicking »

Hi!

I am not aware of any server-based scanners right now. As for scanning your client, I personally use www.antivir.de tools.

Regards,
Garvin