Malware on my website?!

Hello, something is wrong with my website. Visitors complain that their anti-virus detects an infection. For example here:
http://www.areavis.com/m/humor/view/Zwierzęta-zasypiają-z-maskotkami-Galeria

A full scan of my server found nothing.

On the Google diagnostic page I found this: http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com

This site was hosted on 1 network, including AS23352 (SERVERCENTRAL)

Why is my website hosted on AS23352 (SERVERCENTRAL), and how do I fix this? Please help.

I also checked it on: http://quttera.com/detailed_report/www.areavis.com

and I see this information:

File: /inc/js/functions.js
Severity: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code <script>document.getElementById("").submit()</script>.
Threat dump:
Threat dump MD5: 470A1F8AE5C99385C0EE1D7BB863609C
File size [byte]: 33511
File type: ASCII
MD5: 6D217BA4C93CF1216BCA0C058032A697
Scan duration [sec]: 0.412000
Quote · 9 Apr 2014

Interesting. When I go to view code I get this:

File name: /inc/js/functions.js

[[html+='<html><head></head><body><formid="'+sWindowId+'"method="'+sMethod+'"action="'+sWindowUrl+'">';if(aVarNames%26%26aVarValues%26%26(aVarNames.length==aVarValues.length)){for(vari=0;i<aVarNames.length;i++){html+='<inputtype=\"hidden\"name="'+aVarNames[i]+'"value="'+aVarValues[i]+'"/>';}}html+='</body></html></form><scripttype="text/javascript">document.getElementById("'+sWindowId+'").submit()</script></body></html>';newWindow.document.write(html);returnnewWindow;}functionsetCheckbox(the_form){varelts=document.forms[the_form].getElementsByTagName('input');varelts_cnt=elts.length;varallUnchecked=true;for(vari=0;i<elts_cnt;i++)if(elts[i].checked)allUnchecked=false;for(vari=0;i<elts_cnt;i++)if(elts[i].type=="submit")elts[i].disabled=allUnchecked;}var]]
Geeks, making the world a better place
Quote · 9 Apr 2014

Thank you for checking. But what should I do now?

Quote · 9 Apr 2014

Maybe it's an XP issue or an older browser.

I checked it and I don't get any security msgs in IE, FF, O, Chrome.

What if you delete the image... do you still get a security detection?

Quote · 9 Apr 2014

Have you or anyone else made any changes in the functions.js file?

Geeks, making the world a better place
Quote · 9 Apr 2014

I do not even know which picture this is. People just complain that after entering a gallery they get a warning about the infection.
What also worries me is what is on the Google diagnostic page:
http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com

There is this information:

This site was hosted on 1 network, including AS23352 (SERVERCENTRAL)

http://www.google.com/safebrowsing/diagnostic?site=AS:23352

There are spam links... maybe this is the reason?


Quote · 9 Apr 2014

No, nobody changed it. What could be wrong with this file?

Quote · 9 Apr 2014

I know if you have members that are seeing warnings that it is not a good thing.

Google has listed your site as OK.

You could upload the functions.js file from the zip archive and replace your current functions.js if you have not made any changes in it.

Geeks, making the world a better place
Quote · 9 Apr 2014
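
A server-side scan that "finds nothing" can be complemented by comparing every deployed file against the original release archive mentioned above. The following is an added example, not code from the thread or from the Dolphin project; the function name, the `prefix` argument and the archive layout are assumptions.

```python
import hashlib
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_against_archive(archive_path, site_root, prefix=""):
    """Compare deployed files with the pristine copies in a release zip.

    prefix: folder inside the zip that maps to site_root (assumption: the
    archive may wrap its files in a top-level folder).
    Returns {"modified": [...], "missing": [...], "extra": [...]} with
    paths relative to site_root.
    """
    site_root = Path(site_root)
    pristine = {}
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            pristine[info.filename[len(prefix):]] = sha256_bytes(zf.read(info))

    report = {"modified": [], "missing": [], "extra": []}
    for rel, digest in sorted(pristine.items()):
        deployed = site_root / rel
        if not deployed.is_file():
            report["missing"].append(rel)
        elif sha256_bytes(deployed.read_bytes()) != digest:
            report["modified"].append(rel)

    # Files the release never shipped: uploads, caches, local config such
    # as .htaccess, or scripts someone planted. Each one needs a manual look.
    for path in sorted(site_root.rglob("*")):
        rel = path.relative_to(site_root).as_posix()
        if path.is_file() and rel not in pristine:
            report["extra"].append(rel)
    return report


if __name__ == "__main__":
    import sys
    # usage: python diff_release.py <release.zip> <site_root> [prefix]
    result = diff_against_archive(*sys.argv[1:4])
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}\t{p}")
```

Files listed as "modified" are expected for templates that were edited on purpose; anything else in "modified" or "extra" is worth opening and reading.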

This is strange because the scan on the server also found nothing. Most web page scans also found nothing. Only quttera.com found something suspicious, in the file functions.js.

I switched the file to the original. However, I cannot check whether the problem is gone, because I scanned my website once and cannot do it a second time. Can anyone go to quttera.com and enter the address of my website www.areavis.com to check it out?


Quote · 9 Apr 2014

Scan results are the same. Do you have js compression turned on? I am wondering if it is tripping their scanner. I would just ignore it except for the warnings that you say some of your members are seeing.

Geeks, making the world a better place
Quote · 9 Apr 2014

Thanks for checking. I have turned on js compression now.

Maybe this is tripping their scanner. But it worries me that many visitors to my website have a problem with malware.


Quote · 9 Apr 2014

 

I am confused; did you have js compression on or off when running the scans? My thought was that js compression could be causing the scanner to return a false positive. Of course I don't know why it would trip on just the functions.js file.

Geeks, making the world a better place
Quote · 9 Apr 2014

When the scans were running, js file compression was OFF. Now I have changed it to ON.

Quote · 9 Apr 2014

I scanned my site with quttera.com and had no problems.

Perhaps your host has server side compression or mod_deflate is active and enabled in your .htaccess file.

Next time a member reports a problem with your site, find out what they are using for antivirus software. False positives are quite common with free antivirus scanners like Avast and AVG.

You also have a problem in your site's header templates. You have multiple head tags. You need to take more care when modifying these files to add your code for google fonts, google site verification and other plugins you add. You did something wrong in those files resulting in a damaged head section.

https://www.deanbassett.com
Quote · 9 Apr 2014

For me it only found something in the file functions.js, but I uploaded the original and now I don't know whether I have no threats on my website. I don't want to receive information about virus threats from visitors.

As I read before, I also found something here: http://www.google.com/safebrowsing/diagnostic?site=www.areavis.com and the information: This site was hosted on 1 network(s) including AS23352 (SERVERCENTRAL).

But my server support tells me to just ignore this.

My support checked this, and compression and mod_deflate are disabled. I'm using AVG and nothing wrong is detected on my website. But on another computer I have Avast and any threat detected ... but I thought it was a mistake on their part because this often happens and I ignored it. But then many visitors complained of infections ... so I suppose that Avast is a major problem ... I have already written to them about this matter.


Can something be wrong in _header.html? I have this code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US">   

    <title>__page_header__</title>
    <base href="<bx_url_root />" />   
    __page_description__
    __page_keywords__
    <meta http-equiv="Content-Style-Type" content="text/css" />
    <bx_include_css />
    <bx_include_js />
    __dol_images__
    __dol_lang__
    __dol_options__
    <script type="text/javascript" language="javascript">
        var site_url = '<bx_url_root />';
        var aUserInfoTimers = new Array();
        $(document).ready( function() {
            $( 'div.RSSAggrCont' ).dolRSSFeed();
        } );
    </script>
    __extra_js__
    <bx_injection:injection_head />
    <script type="text/javascript">
        var oBxUserStatus = new BxUserStatus();
        oBxUserStatus.userStatusInit('<bx_url_root />', __is_profile_page__);
    </script>
</head>
__flush_header__
<body <bx_injection:injection_body /> class="bx-def-font">
    <bx_injection:injection_header />
    <div id="notification_window" class="notifi_window"></div>
    <div id="FloatDesc" style="position:absolute;display:none;z-index:100;"></div>
   
    <link href='http://fonts.googleapis.com/css?family=Exo&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Open+Sans&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Oxygen&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href="http://fonts.googleapis.com/css?family=Oswald:700|Droid+Serif:400,700italic" rel="stylesheet" type="text/css" />
<link href='http://fonts.googleapis.com/css?family=Play&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Roboto+Slab&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Ropa+Sans&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Russo+One&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Sanchez&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Scada&subset=latin,latin-ext' rel='stylesheet' type='text/css'>
<link href='http://fonts.googleapis.com/css?family=Share&subset=latin,latin-ext' rel='stylesheet' type='text/css'>

<head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=__page_charset__" /> <meta name="google-site-verification" content="xxx" />

<meta name="msvalidate.01" content="xxx" />
</meta>

<script type="text/javascript" src="<bx_url_root />plugins/fancybox/jquery.fancybox.pack.js"></script>
<link rel="stylesheet" href="<bx_url_root />plugins/fancybox/jquery.fancybox.css" type="text/css" />
<script type="text/javascript" language="javascript">
$(document).on('click', '.single_image', function() {
  // remove the class to ensure this will only run once
  $(this).removeClass('single_image');
  // now attach fancybox and click to open it
  $(this).fancybox().click();
  // prevent default action
  return false;
});
</script>

Quote · 10 Apr 2014

oooh wee - you have a closing </head> before an open <head>. Like Deano said - you gotta pay attention to changes you make to your files. I would start by uploading fresh copies of _header.html and _sub_header.html (make backups of what you have though). Then, once you have everything like it should be, you can add your extra code (but ask for help in adding it so you know you add it to the correct places).

caredesign.net
Quote · 10 Apr 2014

Thank you. I'll fix it. But this code is already about three months old... and the virus threats are only from about 5 days ago... could it be the reason for this?


Today I caught this screenshot on another computer with Avast:


Quote · 10 Apr 2014

When I go to your site - I do not get any messages about malware. So, maybe you have something on your computer that is malware, or could it possibly be something with your country of origin? Just curious - do you get the same error messages when you go to demo.boonex.com?

caredesign.net
Quote · 10 Apr 2014

Thanks for checking. I'm using AVG and nothing is detected. On Avast also... but here something is detected: http://www.unmaskparasites.com/security-report/

I found a scam link in php_admin and deleted it in site_stats_PagesStatistics. Now nothing is detected here: http://quttera.com/detailed_report/www.areavis.com


Quote · 11 Apr 2014

Hello again, I was able to remove one suspicious file. But there is something else... please check: http://www.UnmaskParasites.com/security-report/?page=www.areavis.com


My hosting support has already done two very long and accurate scans. Nothing was detected on the server. They told me that it is hidden in my script and that they cannot help me. Can anyone please help me with this information about the infection?

Long suspicious script
_atrk_opts={atrk_acct:"",domain:"areavis.com",dynamic:true};(function(){var as=document.createEleme...
Quote · 18 Apr 2014

There is a danger with freeware to report errors & some will even claim if you upgrade to the paid subscription version they will fix your problems for you automatically. I would be very wary of using freeware on security features, malware, anti virus, etc. That's not to say you don't have problems, others have identified errors in your header for starters. I would do as advised & restore default files & get advice here in new threads for any changes you want to make if you are unsure. Members here have checked your site & cannot duplicate the malware warnings, they can't be forced so start by fixing the errors you've been notified about.

Quote · 18 Apr 2014

I had many customers saying that they were getting virus warnings from our site... We had been blacklisted by some virus companies.... and the reason - One of the modules I purchased from the market - removed the module and everything went back to normal and got whitelisted in about a week or so.....

Quote · 18 Apr 2014

Hello again. Unfortunately, over a month has passed, and the problem still exists. I do not know what to do. This reduces the credibility of my website. I get information from visitors to my website that it is connected with a Trojan threat. In the "Opera" web browser my website will not open at all because of the danger message. What can I do? Scanning the server has no effect because it is 100% clean.

Many tests also show that my website is clean, except Yandex. Results here >>

I wrote to them about this matter and received this response:

An infinite loop is detected at your web server. Its scheme goes as follows:

www.areavis.com (302) →
ehfhtjk5ekmdoh5ipfhzvxi.modagiyimtv.com/index.php?b=a3ZjeXRiej16am1wb21hZWkmdGltZT0xNjA1MTUwNjUwMTI4OTQ2OTIzNSZzcmM9MTQxJnN1cmw9d3d3LmFyZWF2aXMuY29tJnNwb3J0PTgwJmtleT0xRDk0ODZDNiZzdXJpPS8=
(302) → www.areavis.com (302) → ...
Quote · 16 May 2014
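
The 302 loop in the quoted Yandex response can be checked from the site owner's side by requesting the page without following redirects and recording every hop. The following is an added example, not code from the thread; the function names are assumptions, `REPORTED_HOP` is the URL quoted above with an assumed `http://` scheme, and any hostname other than the starting one is treated as off-site.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit

# Second hop as quoted in the Yandex reply (scheme added as an assumption).
REPORTED_HOP = ("http://ehfhtjk5ekmdoh5ipfhzvxi.modagiyimtv.com/index.php?b="
                "a3ZjeXRiej16am1wb21hZWkmdGltZT0xNjA1MTUwNjUwMTI4OTQ2OTIzNSZzcmM9MTQxJnN1cmw9d3d3LmFyZWF2aXMuY29tJnNwb3J0PTgwJmtleT0xRDk0ODZDNiZzdXJpPS8=")


class _NoFollow(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # surface the 3xx response instead of following it


def http_fetch(url, headers):
    """Return (status, Location header) for one request, no auto-redirect."""
    opener = urllib.request.build_opener(_NoFollow)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def trace(url, fetch=http_fetch, headers=None, max_hops=10):
    """Follow redirects hop by hop; report off-site hosts and loops."""
    home = urlsplit(url).hostname
    hops, seen, offsite, loop = [], set(), [], False
    while url and len(hops) < max_hops:
        host = urlsplit(url).hostname
        if host != home and host not in offsite:
            offsite.append(host)
        if url in seen:  # back at a URL already requested: redirect loop
            loop = True
            break
        seen.add(url)
        status, location = fetch(url, headers or {})
        hops.append((status, url))
        url = urljoin(url, location) if status in (301, 302, 303, 307, 308) and location else None
    return {"hops": hops, "offsite": offsite, "loop": loop}


def decode_param(url, name="b"):
    """Base64-decode one query parameter and parse it as a query string."""
    raw = parse_qs(urlsplit(url).query)[name][0]
    return parse_qs(base64.b64decode(raw).decode("ascii", "replace"))
```

Running `trace()` several times with different `User-Agent` and `Referer` headers shows whether the redirect is served only to some visitors, and `decode_param(REPORTED_HOP)` shows which site, port and path the redirect carries in its `surl`, `sport` and `suri` fields.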
 
 