Re-building after a site hack/malware attack

Hello Esteemed SitePoint Community!

Unfortunately, my site hosting service provider, WEBFUSION, was recently hijacked and as a result, I’ve had several accounts -where I syndicate some of my postings/articles- suspend my account, stating that “my article brings up a malware/virus warning.”

The site’s administrator -the site where I’m trying to publish these articles- continues, “Please contact your webhost to ensure that your links do not contain a virus. Let us know when the links in your article have been tested and verified and we will review the account for reinstatement.”

I have since contacted my hosting service and we corrected the problems with the page (I think…). WEBFUSION informed me they were going to re-load my old site template and that the problem would be taken care of a.s.a.p.

With that, my question to the community is: how would I go about checking to make sure my site is no longer vulnerable to attack? I am hesitant to merely go on the advice of the hosting service since our conversations and their actions have been two completely different entities.

Please advise and thank you in advance!

A quick search turned up some free virus checkers for websites. Me, I would run a few of them before contacting my accounts.

I see I’m a little late here, but, you can use a site like http://www.rexswain.com/httpview.html to view what your site is delivering to your visitors.

You can use different user agents and referrers to be certain it isn’t in your .htaccess files.

Some keywords to search for in your files are:

unescape
document.write
eval(
base64_decode

Also, for malscripts look:

Before the opening html tag
After the closing head tag
Between the closing head tag and opening body tag
Before the closing body tag
Between the closing body tag and closing html tag
After the closing html tag

In .js files, look for obfuscated code at the end of the file or a series of document.write statements

Just some helpful hints…
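
A local scan for the keywords and injection spots listed in the post above, as an added example that is not part of the original thread. The file extensions, the 500-character cut-off and the sample page are assumptions made for illustration; every hit is a lead to check by hand.

```python
import re
from pathlib import Path

# Keywords listed in the post above. A hit is a lead to review by hand, not proof.
KEYWORDS = ("unescape", "document.write", "eval(", "base64_decode")
SCAN_NAMES = (".php", ".html", ".htm", ".js", ".htaccess")  # assumed file types
LONG_LINE = 500  # assumed cut-off for an obfuscated blob at the end of a .js file

def gap(text, after_pat, before_pat):
    """Text between the first after_pat and the next before_pat ('' if absent)."""
    a = re.search(after_pat, text, re.I) if after_pat else None
    if after_pat and not a:
        return ""
    start = a.end() if a else 0
    b = re.compile(before_pat or r"\Z", re.I).search(text, start)
    return text[start:b.start()] if b else ""

def scan_text(name, text):
    """Return a list of findings for one file's contents."""
    lines = text.splitlines()
    hits = [f"line {n}: {kw}" for n, line in enumerate(lines, 1)
            for kw in KEYWORDS if kw in line]
    if name.endswith(".js"):
        if len(text.rstrip().rsplit("\n", 1)[-1]) > LONG_LINE:
            hits.append("very long final line")
        return hits
    # Places from the post where nothing but whitespace normally sits.
    gaps = {"before <html>": gap(text, None, r"<html\b"),
            "between </head> and <body>": gap(text, r"</head\s*>", r"<body\b"),
            "between </body> and </html>": gap(text, r"</body\s*>", r"</html\s*>"),
            "after </html>": gap(text, r"</html\s*>", None)}
    hits += [f"script {where}" for where, chunk in gaps.items()
             if re.search(r"<\s*script\b", chunk, re.I)]
    return hits

def scan_tree(root):
    """Scan matching files under root; return {path: findings} for files with hits."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name.lower().endswith(SCAN_NAMES):
            hits = scan_text(path.name.lower(), path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

SAMPLE = (  # constructed sample page: a harmless script placed after </html>
    "<html><head><title>t</title></head><body><p>hi</p></body></html>\n"
    "<script>document.write(unescape('%3Cp%3Ex%3C/p%3E'))</script>\n")
if __name__ == "__main__":
    print(scan_text("index.html", SAMPLE))
```

Scripts placed just before the closing body tag are often legitimate, so that position is left for manual review rather than flagged automatically.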

The topic has been discussed many times on this forum so there are plenty of threads that go into more depth but -
you need to make sure any software and plugins you use are up to date,
you need to change all passwords including ftp
you need to run a virus scan

And a scan for holes is needed; then fix them :)

Hi,

Make sure that your local machine is not hijacked, change the required passwords like FTP password, DB password, login password, etc. Delete the hijacked posts or articles, restore your old data. This might help you.

I would switch web hosts immediately.

Switching web hosts could just bring the infection over to a different host. You have to find the infection, remove it, then find out how it happened.