Hey guys, a client's site of mine has malicious code inserted and I can't work out how to remove it. I have tried searching for it but can't find it. I have confirmed with web-sniffer.net/ (used googlebot) via the drop-down menu and can see hundreds and hundreds of external links. Has anyone experienced this? I have searched all the main files such as index.php / footer.php / header.php etc. and can't find anything wrong. The site is no longer appearing in Google via the keywords, and now also has a caution next to it when the domain name is entered in Google directly. The domain name is www.strathfieldonline.com.au. Where else can the information be stored and how do I remove it? I appreciate everyone's time, thanks.
Malicious code Injection. How to remove?? PLEASE HELP!!!
It's best to contact the hosting provider. If they are a good hosting provider they will have 24/7 live customer support on their website. Explain to your client that you believe there is malicious code, and save all the proof (examples you have encountered) for the web hosting provider's tech support. They will ask for it, and God forbid they cannot reproduce the issue, they won't be of any help. So go in there with proof, and have them do their job. Btw, the link you posted cannot be found. Did you take the site down?
TheStopNetworks, I'm just curious how the hosting provider can help me??? Isn't the code "injected" into the site somewhere?? Sorry, I just want to know so I know which way to approach the problem. Thanks for your help.
They might be able to help you because they will probably have experienced admins working for them who should be able to track down the malicious code. However, it isn't their job to clean up your code so don't be surprised if they charge you for the time it takes. You also need to find how it was inserted in the first place. If you don't close that down it will happen again.
Go into the backend of the site via file manager and enable it to show hidden files - that's any that begin with . e.g. .htaccess. Have a rummage about. It may be that it's lurking as a hidden file. If you find one beginning with a dot, view it. If all you see is a pile of garbled text, bingo, you've found one. Keep looking. Of course it may be that it's injected from a database? Impossible to know. Hell, it might not even be on that site. It could be the host has been compromised.
Hey guys, thanks for the info. Really, really helpful, TheStopNetworks. I have spoken to my hosting company and they informed me that the version of osCommerce is old and should be updated. He also said that no other site is infected and that it's got to do with 'lack of security' for the site. So I guess I'll have to try and figure out where the code is and how it was 'injected' in the first place to try and stop it from happening again. mcfox, I will do it later on today and see how it goes. But I got a question: is there a way to look for it in the database? Also, in websniffer it's saying the code is directly under the <!-- footer_eof //--> - is there a way I can search for that code? Like, do you know any programs I can download and tell it to search ALL PHP files for that code? Thanks heaps all, for all your help.
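One way to run the search asked about above, and to check hidden files for garbled text as suggested earlier in the thread. This is an added example, not part of any poster's reply; it expects a local copy of the site's files, and the obfuscation and encoded-blob patterns and the extension list are assumptions chosen for illustration.

```python
import os
import re
import sys

MARKER = "<!-- footer_eof //-->"  # marker quoted in the thread
LINK_RE = re.compile(r'href=["\']?https?://', re.I)
# Assumed heuristics (not from the thread): PHP calls often used to hide
# injected code, and long unbroken base64-like runs ("garbled text").
OBFUSC_RE = re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13)\s*\(', re.I)
BLOB_RE = re.compile(r'[A-Za-z0-9+/=]{200,}')
TEXT_EXT = ('.php', '.inc', '.html', '.htm', '.js', '.tpl')


def scan_text(name, text):
    """Return a list of reasons this file deserves a manual look."""
    reasons = []
    hidden = os.path.basename(name).startswith('.')
    pos = text.find(MARKER)
    if pos != -1:
        # Only count links that sit after the footer marker.
        count = len(LINK_RE.findall(text[pos + len(MARKER):]))
        if count:
            reasons.append(f"{count} external link(s) after footer marker")
    if OBFUSC_RE.search(text):
        reasons.append("obfuscation-style PHP call")
    if BLOB_RE.search(text):
        reasons.append("long encoded blob" + (" in hidden file" if hidden else ""))
    return reasons


def scan_tree(root):
    """Walk a local copy of the site, dot-files included; map path -> reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not (fn.startswith('.') or fn.lower().endswith(TEXT_EXT)):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding='utf-8', errors='replace') as fh:
                    reasons = scan_text(path, fh.read())
            except OSError as exc:
                reasons = [f"unreadable: {exc}"]
            if reasons:
                findings[path] = reasons
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, reasons in sorted(scan_tree(root).items()):
        print(path, "->", "; ".join(reasons))
```

Hits are leads for manual review rather than proof, since legitimate code can also call these PHP functions. The script reads files only and does not look at the database.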
CircleofLinks, I had a quick sniff around the net and it seems you are not alone. Looks like the vulnerability is in file_manager.php. More here. I would suggest that you delete all of the site's code and rebuild it. A PITA but I think it's probably necessary.
Before you delete anything, try scanning the site with a code injection scanner to see if it helps you figure out where the malicious code is. There are quite a few injection scanners listed here: http://software.informer.com/getfree-online-code-injection-scanner/