Removing Viruses on a Website

Posted on October 30th 2009 3:13pm Friday, by Blaine

Before I throw my integrity out the window, let me start off by saying I have not been the one to give a website a virus. I am, however, the one who has to remove them. Every once in a while I will get a call from a client saying that their website has a virus. Sometimes it is their computers that have the virus. But sometimes I find the website does indeed have a virus.

What is a Website Virus?

A website virus is not like a regular computer virus. It usually lies in the code as an iframe to another website. Once a visitor has opened a page with the iframe virus, the iframe secretly tries to find a security hole on the visitor's computer and then exploits it.

I have seen iframe website viruses before, but today I ran into a new type of website virus that installs itself into only JavaScript files. While technically they still load an iframe into the browser, they do it using JavaScript, which makes them more difficult to find.

Here are some helpful tips on how to search for and prevent website viruses.

First, always make sure your virus scanner is up to date and is not complaining about something. The person who has the virus is usually the one who cannot see it. If you find that you are carrying the virus that has caused all the madness, make sure that you do your due diligence and check the other websites you are working on.

Make sure you change the password of the FTP immediately. I am unsure how the virus works, but I believe it steals your FTP when you are working on the website and then searches the FTP for files it thinks would be good carriers. I noticed index files are particularly high risk.

Before you start searching for the virus, if you or your host has a backup, this may be a solution. As long as the virus is not in the backup, you should be all good. As far as I know, the virus does not infect the files on your computer, only the remote files. So if you have the website, try uploading the website and see if the virus goes away. However, if you must, you can always remove the virus from individual files.

To remove the virus from files, search all (HTML, JS, and PHP) files for iframe and look for any unfamiliar src URLs, especially those that end in a different TLD than you are used to, such as .cn. Dreamweaver has a search-all-files-in-folder feature that is awesome for doing this. Also search all (HTML, JS, and PHP) files for “eval(”. The eval function is commonly used to disguise scripts that do bad things: the script text is stored in an encoded form, then decoded at run time and passed to eval.
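The search described above can also be scripted instead of run by hand in an editor. The following Python script is an added example, not code from the original post; the trusted-host list, the sample markup and the host names in it are constructed placeholders, and it also flags fromCharCode, which the post names alongside eval in the next section.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

EXTENSIONS = {".html", ".htm", ".js", ".php"}
# <iframe ... src=...> in markup or inside a JavaScript string (quotes may be escaped).
IFRAME_SRC = re.compile(r"""<iframe\b[^>]*?\bsrc\s*=\s*\\?["']?([^"'\s>\\]+)""", re.I)
# Calls the post names as the usual way injected scripts hide their payload.
CALLS = {"eval(": re.compile(r"\beval\s*\("), "fromCharCode": re.compile(r"\bfromCharCode\b")}

def scan_text(text, trusted_hosts):
    """Return (line_number, reason) findings for one file's contents."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for src in IFRAME_SRC.findall(line):
            try:
                host = urlparse(src).hostname  # None for relative (same-site) URLs
            except ValueError:  # malformed URL: report it rather than crash
                host = src
            if host and not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append((number, f"iframe to unfamiliar host {host}"))
        for name, pattern in CALLS.items():
            if pattern.search(line):
                findings.append((number, f"uses {name}"))
    return findings

def scan_tree(root, trusted_hosts):
    """Yield (path, line_number, reason) for every finding under root."""
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            text = path.read_text(encoding="utf-8", errors="replace")
            for number, reason in scan_text(text, trusted_hosts):
                yield path, number, reason

# Constructed sample (not taken from the post's screenshot); hosts are placeholders.
SAMPLE = """<iframe src="/store/banner.html"></iframe>
<iframe src="http://cdn.example.com/map.html"></iframe>
<iframe src="http://counter.example.net/in.php" width="1" height="1"></iframe>
<script>var s = String.fromCharCode(60, 105); eval(s);</script>"""

if __name__ == "__main__":
    # Usage: python scan_site.py <site folder> <trusted host> [...]; no arguments scans SAMPLE.
    if len(sys.argv) > 2:
        hits = [f"{p}:{n}: {r}" for p, n, r in scan_tree(sys.argv[1], set(sys.argv[2:]))]
    else:
        hits = [f"sample:{n}: {r}" for n, r in scan_text(SAMPLE, {"example.com"})]
    print("\n".join(hits) or "no findings")
```

Legitimate libraries also call eval and fromCharCode, so treat each hit as a line to review against the backup copy rather than as proof of infection.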

Example JavaScript Viruses

Below are two scripts that I found just today when one of my clients stumbled upon the virus warning. Another developer was working on the site and infected over a hundred JavaScript files on a Magento shopping cart. They are very cryptic, using functions such as “eval” and “fromCharCode”, which decode all text and then execute it. I have blurred out a few lines so these cannot be used against someone.

[Image: a screenshot of two website viruses]
