Malware on my site

[slowloris]

Hi,

Google is reporting Malware on some of my sites and has removed them from its index.

It only seems to be affecting php pages. Google webmaster tools states in could not find any malicious code on the site so it's not javascript of an iframe. I've checked out .htaccess and httpd.conf as google suggested and found nothing out of the ordinary. The sites do not redirect me only people in the US and Europe from what I can gather so far.

Does anyone have any suggestions as to how this might be occurring or where else I could look? My server admin is running a virus scan on the server at the moment so hopefully that will sort it out.

If anyone wants to check it out for themselves one of the sites is http://www.gay-spa.com/ (Gay Content Warning!!!, and be careful of anything which tries to install) I would be interested to see if people are still getting redirected and how persistent the virus / worm / whatever is.

I'm trying to decide whether I should turn off apache until the virus scan is complete to protect my surfers, but as I don't really know what is happening I'm not sure if that is an over reaction or not. If anyone is brave enough to check out the url and click on a few links and let me know what happens I'd be grateful!

Thanks!

[Agent 488]

What happened when Google visited this site?
Of the 8 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-11-29, and the last time suspicious content was found on this site was on 2010-11-29.
Malicious software is hosted on 3 domain(s), including roadstersaverstore.com/, get4-domain.cz.cc/, get3-domain.cz.cc/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including pornomet.com/.

[slowloris]

Yeah I have other sites with more pages reported as redirecting to malicious software. Also a site which google claims is being used as an intermediary site to download malicious software. So there it must be hiding files somewhere on my domains which redirect users from other compromised servers to the final download site?

The google siteadvisor thing is also claiming one of my sites infected several others? How is that possible I'm not sure? Is there some kind of worm spreading from server to server? Have my ftp details been compromised?

[slowloris]

Does the following imply that my site has infected the other sites? This is what I don't understand?

For this site:-

http://www.google.com/safebrowsing/d...nggaysites.com

Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, shockinggaysites.com appeared to function as an intermediary for the infection of 5 site(s) including gayandguy.com/, moviesboy.net/, moregaytwinks.com/.

[baddog]

Running open-x?

[slowloris]

Yes I did have an old version of it on there I deleted it yesterday. Is OpenX just generally unsafe as I am still using the latest version on the server.

Which versions are unsafe? I deleted 2.0

[carzygirls]

maybe you have your answer now. If not, I suggest going to the google forum and posting your question there. Just beware, there are a lot of senseless and moronic people on that board, you need to filter out those and find your answer with the ones that know what they are talking about. gl

[botfurom]

Get me out of here!!

[slowloris]

Well I'm assuming the old openx installation is how what ever got in, got in, I just don't understand how some of the sites I'm trading with are starting to go down 1 by 1 as well.

I have had little luck with the google forum in the past when trying to figure out why all the Smart Thumbs sites got deleted from their index. It took almost a few days to get the attention of anyone with half a brain and that was with lots of affected webmasters posting regularly. In fact I think the only reason a google employee even noticed it was because it got up to several hundred replies.

This is the reason I am posting here first. I seriously cannot understand what is telling apache to redirect or even if the redirects are still occurring. Perhaps it is occuring at a lower level than apache since all config files look ok and I can find no bad code in any php file?

I'll see what happens with the virus check and then post to googles message board if nothing comes up.

[baddog]

Quote:

Originally Posted by slowloris

Yes I did have an old version of it on there I deleted it yesterday. Is OpenX just generally unsafe as I am still using the latest version on the server.

Which versions are unsafe? I deleted 2.0

If you are running any version, google the exploit. There are two different ways to deal with it, depending on the version you are/were using.

If not using or when fix, notify google of what the problem was and what you did to fix it. It will take a few hours (to a few days) after you notify them for the alert to go away.

[MasterM]

google openx exploit : 635.000 results
damn

http://www.mindraven.com/blog/php/openx-exploit/

[slowloris]

I know there is a shitload of exploits for previous versions of openx - I did delete the really old copy yesterday and found there was actually an upgrade to the other two copies I was running which I already thought were up to date, but which now, actually are up to date.

But what I would really like to know is if anyone is still being redirected to the malware pages?

Come on - there must be some brave soul out there who can handle gay content, and is familiar with what to do when it tries to penetrate your system. Tell me - does any of the links at http://www.gay-spa.com/ try to mislead you, and attach its agenda to your OS?