Hello everybody: I have a blog in WordPress. There is a Google message saying that my site may harm your computer. It gives me additional information: Malicious software is hosted on 1 domain(s), including ancom1.ru/. This site was hosted on 1 network(s) including AS11798 (BLUEHOST). I guess I have checked everything but found nothing. This is the report Webmaster Tools gives me. Please help.
download ur website files/folder and scan them but before doing anything check ur theme footer.php file becoz </body> tag u will see malicious code there, remove that.
Look for iframes that load external pages. That's one of the ways spyware, trojans and zombie botnet software is distributed. Google even points you to the domain "ancom1.ru" so look for links to it in the code.
You have been hacked. If one site has been hacked, possibly all of your sites have been hacked! They probably have given you an iframe virus. AND you probably won't see it! Here's how you fix it! Backup your site to your hard disk - ALL OF THE FILES. You will not find the virus searching for iframe, as they usually use base_64 encoding to hide the bug. ALSO, they place the script VERY F-A-R to the right side of the frame, so if you quickly scan your files you will not see it. Another way to find it, is to check your upload dates... if you did not upload anything recently, simply sort your folders by the upload date and then go in and clean up the files. Finally, change your client from FTP to SCP... Change your passwords. B@stards did this to 70 of my sites in one day.
UPDATE: I was looking for the exact code that was snuck into my sites... it went after Wordpress directories and especially index.php It's on my home drive, so no luck. I had saved the actual file and could have posted the code - of course, after changing the malicious link to a dead URL... Here is an article on these nast iframe bugs: iframe trojans Idiots who write these trojans should face a firing squad! Here is the exact link that I found embedded in dozens of pages on my sites - especially Wordpress sites. I have stretched it so that it will not auto-link, so if you intend to search the string, you must put the actual link back together. (MADE NOT CLICKABLE - DO NOT VISIT THE SITE OR YOU WILL GET INFECTED!) <iframe src="h t tp : / / x 5 o . r u : 8080/index.php" width="129" height="154"></iframe> style="visibility:hidden"> HTML: There are at least a couple of names for this trojan: Win32/Rustock Trojan.Script.Iframe Sadly, there are probably many more trojans like this out there... If you have a lot of sites, think about using Nagios.