It is advisable to check the website thoroughly, as it may have been attacked and the malicious code inserted without the knowledge of the webmaster.
The most common way to hide a virus on a website is known as an "iframe attack". The "iframe" hides in the code of the pages and invisibly loads another page, either to improve that hidden page's search positioning or to infect the site's visitors. Usually this "iframe" is added to the code of the index page (index.html, index.php ...).
Similarly, there are infections with viruses such as "Gumblar cn", in which a file is uploaded and placed in a folder where it is unlikely to be detected. "Gumblar cn" uploads a file called "image.php" inside the "images" folder.
Steps to follow to verify that the website is clean:
- Scan the webmaster's computer and network (including removable disks) with an updated antivirus and antispyware. If the computer from which the site is uploaded is infected, the site will become infected again every time you upload it from that computer, even after you clean it.
- Scan the folder containing the website with an updated antivirus and antispyware.
- Once the antivirus and antispyware have finished scanning and removing suspicious files, start the manual review inside the site folder:
3.1. Identify all files that include a "hidden iframe" that does not belong to the website and remove that portion of code.
Example:
<iframe src="http://pagina-web.cat"
style="visibility: hidden; display: none">
</iframe>
3.2. Check if there is any page where there is a "document.write" followed by an encoded line. If there is, delete it from the code.
Example:
<script language="javascript">
document.write( unescape( '%70%61%67%65%20%6F%6E%65' ) );
</script>
3.3. Confirm that every src= and http:// reference points to the website's own files or to trusted external sites.
3.4. Verify that all .php, .js, .htm, .html, .asp, .aspx, .inc, .cfm files, among others, belong to the website.
- Once you are sure that there is no type of infection, change the FTP password from the control panel and connect by FTP in a secure way.
- Completely delete ALL website files on the server.
- Upload ALL files (previously cleaned) to the website again from the disinfected computer.
- Clear the browser cache, then open the site's index page and every page that was infected. Check the source code of each page: if the "iframe" or "document.write" no longer appears, the site is free of malicious content.
- When you are 100% sure that the site has been disinfected, request a review of the website from Google, through the Google Webmaster Center or Stop Badware. Google re-indexes the site fairly quickly if it finds it free of malicious code, and within a short time the malicious software warnings associated with the site will disappear from the search engine results.
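The manual review in steps 3.1 to 3.4 can be partly automated. The following Python sketch is an added example, not part of the original guide: it flags hidden iframes, decodes the string passed to document.write(unescape(...)), reports src hosts outside an allow-list, and lists web files missing from your own file list. The function names, the allow-list host www.example.org and the sample markup are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import unquote, urlparse

WEB_EXTS = {".php", ".js", ".htm", ".html", ".asp", ".aspx", ".inc", ".cfm"}  # step 3.4
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DOCWRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(\s*[\"']([^\"']+)", re.I)
SRC = re.compile(r"\bsrc\s*=\s*[\"']?((?:https?:)?//[^\"'\s>]+)", re.I)

# Constructed sample built from the two snippets shown in steps 3.1 and 3.2.
SAMPLE = '''<iframe src="http://pagina-web.cat"
style="visibility: hidden; display: none">
</iframe>
<script language="javascript">
document.write( unescape( '%70%61%67%65%20%6F%6E%65' ) );
</script>
<img src="http://www.example.org/logo.png">'''

def scan_text(text, trusted_hosts):
    """Return sorted (line, rule, detail) findings for one file's contents."""
    findings = []
    line_of = lambda pos: text.count("\n", 0, pos) + 1
    for m in IFRAME.finditer(text):  # step 3.1: iframe styled to be invisible
        if HIDDEN.search(m.group(0)):
            findings.append((line_of(m.start()), "hidden-iframe", " ".join(m.group(0).split())))
    for m in DOCWRITE.finditer(text):  # step 3.2: decode %XX (unescape's %uXXXX is not handled)
        findings.append((line_of(m.start()), "encoded-document.write", unquote(m.group(1))))
    for m in SRC.finditer(text):  # step 3.3: external src outside the allow-list
        host = urlparse(m.group(1)).hostname or ""
        if host not in trusted_hosts:
            findings.append((line_of(m.start()), "untrusted-src", host))
    return sorted(findings)

def scan_site(root, trusted_hosts, known_files):
    """Scan a site folder; known_files holds the relative paths you published."""
    report, root = {}, Path(root)
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        found = scan_text(path.read_text(errors="replace"), trusted_hosts)
        if rel not in known_files:  # step 3.4: file that is not part of the site
            found.insert(0, (0, "unexpected-file", rel))
        if found:
            report[rel] = found
    return report

if __name__ == "__main__":
    print(*scan_text(SAMPLE, {"www.example.org"}), sep="\n")
```

Every finding still needs a human decision, since a legitimate page can also contain a hidden iframe or an external script.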