Someone went to our church website and reported to me that their PC got infected by a Trojan.
I called the ISP and they told me to download all the files, scan them, then re-upload them.
Well, this is a 10-year-old website with 5600 files. I downloaded all the files from the root directory, then I scanned the folder using TP2011 and it says nothing found. However, when I used another computer to visit the site, I saw a message saying that it's waiting for a file from:
Yes, I'm the webmaster of this site, and I checked it with SiteAdvisor and the results say the site is OK.
Any suggestion on what I need to do, and what is this file from the co.cc site?
The .co.cc domain is notorious for hosting malware of various sorts, which is why Google has blocked 11 million of its sites from showing in search results.
The URL you mention does not show up in search results (what a surprise), but a closely associated site (sysforme1073.co.cc) was recently blacklisted:
Note that the last half of the line ("main.php?page=a911bd6268796cac") is identical to the string you posted. So this too is probably a result of the Blackhole Exploit Kit being used.
The Blackhole exploit kit ... creates a handy way to plant malicious scripts on compromised websites. Surfers visiting legitimate sites can be redirected using these scripts to scareware portals on sites designed to exploit browser vulnerabilities in order to distribute banking Trojans, such as those created from the ZeuS toolkit.
It could be a PHP injection into one of the pages on your site. If nothing is now detected, then either the malware has been modified to prevent detection (see http://community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx) or the site is now clean. If I have time later I'll try out one or two site testing tools to see if they find anything, but I'm short of time tonight.
Yes, you're right Hayton. My site got banned because of the links to those sites mentioned above. Fortunately my church website and my other site that got infected by the same malware didn't have as much visibility as the one that was blocked by Google.
These b*st*rds were so clever that they didn't put the malware inside the website, but only put a link to those co.cc sites that are causing the problem. I think SiteAdvisor and other AV software failed to see the threat because this malware only places a link into the infected files on the sites they penetrated.
BTW, the Sysformexxxx.co.cc has a different number xxxx in each of my infected sites where I found it.
I hope this will at least give some warning to people whose sites get infected.
Aris

Message was edited by: drt12 on 11/21/11 6:04:50 PM CST
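Because the injection described in this thread is only a reference to an external co.cc page (nothing malicious is stored in the site's own files), a file-by-file antivirus scan finds nothing; a plain text search for the reference pattern does. The script below is an added example for checking a downloaded copy of the site, not code from anyone in this thread; the file extensions it scans and the sample page are assumptions, and the hostname in the sample is taken from Hayton's post.

```python
"""Scan a local copy of a site for injected references to *.co.cc
main.php?page=<hex> pages (editor's example, not from the thread)."""
import os
import re
from typing import Dict, List

# The injected reference as described in the thread:
# http(s)://<host>.co.cc/.../main.php?page=<hex token>
INJECTED_REF = re.compile(
    r"""https?://[a-z0-9.-]*\.co\.cc[^\s"'<>]*main\.php\?page=[0-9a-f]{8,}""",
    re.IGNORECASE,
)
# Tags whose src/href can pull a remote page; an injected loader usually hides here.
TAG_REF = re.compile(
    r"""<(script|iframe|link|a)\b[^>]*\b(?:src|href)\s*=\s*["']?([^"'\s>]+)""",
    re.IGNORECASE,
)


def find_injected_references(html: str) -> List[str]:
    """Return every URL in html that points at a co.cc main.php?page= target,
    plus any other src/href that references a .co.cc host."""
    hits = [m.group(0) for m in INJECTED_REF.finditer(html)]
    for _tag, url in TAG_REF.findall(html):
        if ".co.cc" in url.lower() and url not in hits:
            hits.append(url)
    return hits


def scan_tree(root: str, exts=(".html", ".htm", ".php", ".js")) -> Dict[str, List[str]]:
    """Walk root (assumed extensions) and map each file to the references found in it."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_references(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample page reproducing the injection pattern from the thread (not a real capture).
SAMPLE_PAGE = """<html><head><title>Service times</title>
<script src="/js/menu.js"></script>
<iframe src="http://sysforme1073.co.cc/main.php?page=a911bd6268796cac" width="1" height="1"></iframe>
</head><body><a href="http://example.org/">Diocese</a></body></html>"""

if __name__ == "__main__":
    for url in find_injected_references(SAMPLE_PAGE):
        print("suspicious reference:", url)
```

Run `scan_tree("/path/to/downloaded/site")` against the local copy; each file it reports is one to clean and re-upload, and the hostname will vary per infected site as noted above.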