Unofficial empeg BBS

#312167 - 14/07/2008 16:02 Test this site for JS trojan for me?
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
I'm currently helping a few semi-local business owners maintain their sites and server space. I inherited this duty last year, but it's a long story I won't go into.

Anyway, I just got a note from one of these folks mentioning that some visitor to their site claims his security software reports the site is infected with some trojan.

Here are the details:

site: http://unclerichards.com

Quote:
Today I tried to log in to your site and my security system says your
site has a trojan horse, which if I understand the alert properly, is
called "JS-Agent-AV" in any case I could not log on there either.


By "log in" I assume he means just accessing the site since it has no account/login functionality.

I haven't been able to locate any type of free scanner that works on a remote site. The closest I found was something called "Protect" from Trend Micro, but they didn't provide a download link - not even in the special (blank) email they sent me.

Can anyone help out here by visiting the site to see if your monitoring software sounds off any alarms? If something gets triggered only on a specific page I'd also love to know what it is. I've done some text searches of all the HTML and PHP files locally without finding anything.


_________________________
Bruno
Twisted Melon : Fine Mac OS Software

#312169 - 14/07/2008 16:08 Re: Test this site for JS trojan for me? [Re: hybrid8]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5914
Loc: Wivenhoe, Essex, UK
Nothing when just visiting the site. However when I try and "view source" in FF3 I get a warning from AVG about "HTML/Framer.z".
_________________________
Remind me to change my signature to something more interesting someday

#312170 - 14/07/2008 16:10 Re: Test this site for JS trojan for me? [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5914
Loc: Wivenhoe, Essex, UK
and in IE7 I get "JS/Psyme.MX"
_________________________
Remind me to change my signature to something more interesting someday

#312171 - 14/07/2008 16:16 Re: Test this site for JS trojan for me? [Re: andy]
andy
carpal tunnel

Registered: 10/06/1999
Posts: 5914
Loc: Wivenhoe, Essex, UK
The offending javascript is on the bottom of the main HTML page, there is a big <script>eval(unescape("blah"))</script> block at the bottom with the trojan code in it. Maybe the web server has been compromised?
_________________________
Remind me to change my signature to something more interesting someday

#312175 - 14/07/2008 16:37 Re: Test this site for JS trojan for me? [Re: andy]
hybrid8
carpal tunnel

Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
Thanks for locating this.

I had looked at the live index and a copy I had locally and at first glance they looked the same. Both had a lot of blank lines at the bottom and I didn't notice the one on the server had that script element at the very end.

I'll have to see about moving the site to my shared hosting site eventually. This is the only site that the owner has hosted elsewhere, but I think telling him that it's been compromised is going to get him to change his mind quickly.

_________________________
Bruno
Twisted Melon : Fine Mac OS Software

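The check this thread arrived at by hand, written out as an added example (not code from any poster in the thread): it flags eval(unescape(...))-style loaders and script elements placed after </html>, and lists active-content lines that are in the live page but not in a known-good local copy. The function names and both sample pages are constructed for illustration.

```python
import difflib
import re

# Loader idioms: eval/document.write fed directly by a decoding call.
LOADER = re.compile(
    r"(?:eval|document\.write(?:ln)?)\s*\(\s*(?:unescape|String\.fromCharCode|atob)\s*\(",
    re.IGNORECASE)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
ACTIVE = re.compile(r"<(?:script|iframe|object|embed)\b", re.IGNORECASE)

# Constructed samples: a clean local copy, and a "live" copy with a script
# appended after a run of blank lines. "blah" is the thread's own placeholder.
LOCAL = "<html>\n<body>\n<p>Welcome</p>\n</body>\n</html>\n\n\n"
LIVE = LOCAL + "\n\n\n" + '<script>eval(unescape("blah"))</script>\n'


def scan_page(html):
    """Return (line_number, reason) findings for one HTML document."""
    findings = []
    end = re.search(r"</html\s*>", html, re.IGNORECASE)
    for m in SCRIPT.finditer(html):
        line = html.count("\n", 0, m.start()) + 1
        if LOADER.search(m.group(1)):
            findings.append((line, "obfuscated loader in <script>"))
        if end and m.start() > end.end():
            findings.append((line, "<script> after </html>"))
    return findings


def _nonblank(text):
    # Blank lines hid the change in the thread, so drop them before diffing.
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def added_active_lines(known_good, live):
    """Lines only in the live copy that introduce script/iframe/object/embed."""
    diff = difflib.unified_diff(_nonblank(known_good), _nonblank(live),
                                lineterm="", n=0)
    return [d[1:] for d in diff
            if d.startswith("+") and not d.startswith("+++") and ACTIVE.search(d)]


if __name__ == "__main__":
    for line, reason in scan_page(LIVE):
        print(f"line {line}: {reason}")
    for added in added_active_lines(LOCAL, LIVE):
        print("added on server:", added)
```

In practice the live text would be the page as fetched from the server and the known-good text the copy kept locally or in version control.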