Website Hell

Rory2009

I employed a uk based web design company last year to develop and manager a new website for my company. Everything was going fine until last week when I tried logging onto my site through internet explorer only to find that my antivirus software declined me access due to a Trojan horse virus. I contact a few family members and friends to get them to visit the site but they all encountered the same problem and were unable to view the site.

I thought it might have been a problem on my pc as I upload files regularly to site using the admin login – only text, pdf’s and images files. Saying this, I did a full system scan using my antivirus software. The software detected 2 viruses and deleted them from my system. Thinking this might have been the problem, I then tried to access my site again only to find the problem still remaining. I’m guessing the problem exists on our website company’s server.

“Now for the major problem”, the company in England that looks after my site seem to have gone out of business. All their landline phones have been disconnected and even two mobile numbers I have for them don’t work anymore. I have sent around five emails to them over the last couple of day without any reply.

Could someone please advise what to do next, can I employ another website company to look after the site and fix the existing problem and if so how would I go about this. I have near zero experience in this field as my company I non technology related. If I can’t get my website back up and running I’m not sure how long I can keep operating as a business probably only a matter of weeks.

Please, please could someone advise me how to resolve this problem.

Thanking you in advance, rory2009.

randombar

I'd recommend get as many usernames and passwords for the hosting, ftp access db and so on, once you have them you can basically hand over the site to another web admin and they should be able to sort it out for you, depending on the complexity of the site.

Hoku

Quite likely this is the same thing as another user here had a number of weeks ago. Checking your files for odd-looking JavaScript would be a good start. Then look out for extra files in the image directories, as well as the .htaccess file .

Webmonkey

As Koku mentioned, it sounds like the same thing a lot of people including myself got. If you view the source, you probably see strange javascript embedded in the body tag or somewhere similar.

chakotha

It sounds like Gumblar or one like it.

Here is the removal guide

http://www.webpayments.ie/blog/Gumblar-What-is-it-How-to-I-remove-it-.html

There may be a dodgy looking JavaScript function just before the opening <body> tag on some of the pages.

You would ideally need to change the FTP login and password, delete any of those Javascript functions, then upload clean files.

And find a new host for the longer term.

tricky D

If it's Gumblar you'll have some wierd script stuff just at the end of the head of your pages like this:

<script type="text/javascript">var GdpldPBsdvjorQSwfbuS = "kw60kw105kw10 --snipped this bit with lots of letters out-- w62";var cyFDWFBHQiyWMnIpDJig = GdpldPBsdvjorQSwfbuS.split("kw");var ERVwiosNQnfsmlwIqxQG = "";for (var gOdsCliGvQnAiIwQxpeN=1; gOdsCliGvQnAiIwQxpeN<cyFDWFBHQiyWMnIpDJig.length; gOdsCliGvQnAiIwQxpeN++){ERVwiosNQnfsmlwIqxQG+=String.fromCharCode(cyFDWFBHQg[gOdsCliGvQnAiIwQxpeN]);}document.write(ERVwiosNQnfsmlwIqxQG)</script>

Your AV hopefully should have picked up something like TROJ/JSRedir.B

Check if you are still infected by downloading FileAlyzer, install, follow the instructions on:
http://blog.scansafe.com/journal/2009/5/27/gumblar-modified-sqlsodbcchm-clue-to-infection.html

You could also have some hidden iframe calling a .cn domain, injected into your pages from something not quite Gumblar.

Change your browser to Google Chrome until this is over. Backup all of your site, edit files to remove the line with the script. Remove all your pages and directories by ftp, contact your hoster if problems. Clean your pc for viruses, malware ( http://www.malwarebytes.org/mbam.php ) and you might as well do adware too. Hopefully your AV should be up to standard and up to date and find it. Similarly, clean all other pc's on your network. Change your ftp passwords from a clean pc which has been no where near your network/pc's, a cybercafe is good for this. It's important this must be done from a clean pc otherwise you could be wasting your time. Upload your clean files and watch the files on the server like a hawk for a few days. Do AV and malware scans on your pc daily. Repeat for any people you got to check the site for you and who got through. Once you think it's all clean, get Google to review your site using their Webmaster Tools to request a review. This could take quite a while - weeks.

more info:
http://www.webologist.co.uk/2009/05/gumblar-virus-threat-to-the-internet-how-to-remove.html

podgeen

Rory2009 wrote: »

Could someone please advise what to do next, can I employ another website company to look after the site and fix the existing problem and if so how would I go about this. I have near zero experience in this field as my company I non technology related.

Sorry to hear of your situation. I'll second GaryCocs recommendation - get as much information as you can so you can get another web development company to take over the site. I know this is difficult to do if you are unable to contact them. How did you start working with this company originally? Do you know of any other sites that they have developed? If so you could contact the owners for these sites and see if they have contact details.

Rory2009 wrote: »

I have near zero experience in this field as my company I non technology related.

The various posts about Gumblar including the link to my blog post (thanks chakotha) are probably not going to help you for you are not very technical. Once you have login details for your sites host then you can get a web developer to fix it for you. I would recommend entering the URL of your site on the Unmarked Parasites security tool. It will give a report on any hidden links or security exploits on your site. I know you are not going to be able to fix them yourself but it will at least give you an idea of how serious it is and how badly effected your site is.

Dave

Rory2009

Hi folks, firstly thank you all for taking the time to reply to my post.

Still no joy with my web designer / manager, tried a couple of times today but still no answer, I have given up all hope of trying to get in touch with them.

I have run antivirus on all my office computers along with malwarebytes but the problem still exists.

In relation to Dave's post I visited the companies web portfolio and nearly all the website's that they manage are unavailable and seem to have the same problem as me. This has led me to the conclusion that the problem definitely exists with them.

Dave, I entered my web address into unmask parasites and google generated this message.

"Site is listed as suspicious - visiting this web site may harm your computer."
"Part of this site was listed for suspicious activity 1 time(s) over the past 90 days."
Of the 1 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2009-08-25, and the last time suspicious content was found on this site was on 2009-08-25.
Malicious software includes 4 scripting exploit(s). Successful infection resulted in an average of 4 new process(es) on the target machine.
Malicious software is hosted on 1 domain(s),
This site was hosted on 1 network(s) including AS26347 (DREAMHOST).
Hopefully this might make sence to you?
Unfortunately, I don't have access to my source files, this is the main problem. The only details I have is from whois.com. The report clarifies that I'm the registered owner. Would this information be adequate for getting the website transferred over to either a web company or one of you guys.
Again thanks for all your help.
Rory

randombar

Hi,

If you can't get access to the site, you definitely don't have usernames/passwords to access the backend then it depends on the complexity of the site. If it is a static enough website i.e. there was no major CMS on the backend then it should be too much work for a web dev to download what they can see on firefox etc and upload it somewhere else? If you like you could PM me the contents of the site and I could have a look.

Also you should find out who is the domain name provider so you can transfer ownership of the domain over to you, this will allow you to change where the domain is pointing if/when you get the files from the server.

HandWS LTD

We do not like any hosting company who will do this. They should have notified their customers before they went out of business. This is something we would tell our customers about so they can organise a new web hosting company to host their website.

I'm annoyed that this could happen. The virus problem does not lie with your computer but with the hosting company as you family and friends have had the same problem.

Do you have your website files backed up? If so then all you will need to do is do a whois domain search of your website and find out the registrar, who you will need to contact regarding this.....to change the domain dns settings to the new hosting company you went with....or transfer your domain name to the new hosting company. Once this is done then you can upload your website files to your website.