Date: Mon, 30 Nov 2009 15:24:44
To: WebDev Interest
Subject: [Webdev] Some web security advice from an unqualified web developer

Hello website owners!

I have received a few emails from site owners, saying when their users open their website, the user gets a warning from their computer that there may be malware ("virus") on the web page. In every case, there has been no problem on the site. (In one case I changed 6 Joomla passwords before I checked more carefully and realised the site was OK. Annoyance for everyone!)

So I thought I would share with you what I have learned so far about checking your site for malware.

How to find:
-----------

1. One way is: view your site on the web, "View source", and search for "iframe". If you find any iframe, and you didn't put it there, it's a hack.

2. Another way: go to http://domaintools.com/ and enter your website URL in the 'whois' search. Then click on the "Site Profile" tab and scroll down to the line "iFrames". If it says the page has an iframe, and you didn't put any there, it's a hack. (Bonus: these tabs tell you lots of useful things about your website!)

3. Great way to find more kinds of malware: go to http://wepawet.iseclab.org/, enter your domain in the search box, and see what it tells you.

How to fix:
----------

Usually the malware on a website is an iframe or a very small image. If you didn't put any iframes or hidden images in your web pages, a hacker did it -- or more likely, some virus that is on your Windoze computer.

* If it is a flat-file web page, just remove the iframe or image code from the page copy on your computer and upload -- and then run a good antivirus program on your computer ... or ... check out the latest Ubuntu ... :)

* If you are using a CMS and got an iframe in some page content, your site probably got hacked. Go to a secure computer (preferably not Windows) and log in to the site admin and Change All Passwords.
Then, (the way I removed iframes from one CMS site) log into the site's phpMyAdmin and do a search on "%iframe%" in the content table columns. Then delete it by editing the content source in phpMyAdmin.

* If the problem is with an infected image, PDF file, or Flash file, you need to remake the file on a secure uninfected computer and re-upload it.

Notes and musings:
-----------------

I think we are getting these false alarms with sites that have Google Analytics or YouTube or other JavaScript/external iframe code, and it is just some version of Windows that is being over-cautious -- I am guessing that all the people getting these warnings are using Vista. But why it seems only in India, I don't know. (Did I mention the latest version of Ubuntu Linux is pretty cool?)

Please note that I am *not* a security expert. (I've been using Linux for 12 years, and that's why I don't know anything about viruses.) In fact I am so far from being any kind of knowledgeable in security that I am almost embarrassed to write this email ... but hey, somebody has to take the hits :)

If you are tempted to email me with your web security problems ... this email contains *everything* I know. So I will only re-send it to you! If you have security problems, contact a *real* security person for advice.

Feedback and information from all the people who know more than I do about this is welcomed! I will add it to the TibetanGeeks.com page that I am about to build from this email.

And ... you didn't click on the links above, right? You do know to *never* *never* *never* *never* click on a URL in an email, right? Not even in wonderful trusted James' email! Copy and paste the URL into the browser ... or type it in.

Thank you to Greg Walton for the Wepawet link, and Tenzin Sonam for the good discussion that contributed to this email. I don't know anything, I only stand on the shoulders of giants ... digesting and typing :)

Happy paranoid days to all!

-- james

--0--
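The "View source and search for iframe" check from "How to find" (item 1) and the hidden-image heuristic from "How to fix", automated over a saved copy of a page so that legitimate embeds such as YouTube do not raise the false alarms the email describes. This is an added example, not code from James's email; the KNOWN_GOOD_HOSTS set and the sample page are constructed placeholders you would replace with your own site's known embeds and source.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose iframes you embedded on purpose (constructed list; edit for your site).
# Legitimate embeds such as YouTube are the usual source of false alarms.
KNOWN_GOOD_HOSTS = {"www.youtube.com", "youtube.com"}

def looks_hidden(attrs):
    """True if the tag is sized or styled so that a visitor would never see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or any(s in style for s in ("display:none", "visibility:hidden", "left:-"))

class InjectionScanner(HTMLParser):
    """Collects (tag, line number, src) for suspicious iframes and images."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "iframe":
            host = urlparse(src).hostname or ""
            # Any iframe you did not put there is a finding; hidden ones always are.
            if looks_hidden(a) or host not in KNOWN_GOOD_HOSTS:
                self.findings.append(("iframe", self.getpos()[0], src))
        elif tag == "img" and looks_hidden(a):
            self.findings.append(("img", self.getpos()[0], src))

def scan_html(html):
    """Return the suspicious tags found in one page's source, in document order."""
    scanner = InjectionScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: a legitimate YouTube embed and a logo, plus two
# injected elements of the kind described in the email.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe width="560" height="315" src="https://www.youtube.com/embed/xyz"></iframe>
<img src="/images/logo.png" width="200" height="80">
<iframe src="http://example.invalid/load.php" width="1" height="1" style="visibility:hidden"></iframe>
<img src="http://example.invalid/t.gif" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for tag, line, src in scan_html(SAMPLE_PAGE):
        print(f"line {line}: suspicious <{tag}> src={src!r}")
```

To check a real page, save its source from "View source" to a file and pass the file's contents to scan_html(); the reported line numbers point at where to look in the source.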