Virus file automatically downloading
Hi Guys,
I recently found that whenever I go to my homepage <<REMOVED>> it seems to be automatically downloading a file called <<removed>>. Since I haven't made any changes to the site in quite a while I am a bit concerned as to where this has come from. Any ideas as to how I can get rid of it would be appreciated.
cheers
As this file was a virus (as identified by Norton) I removed your link and the name of the file. You should check any locally stored backup for a link to the file - the source was reported as being from a site with a kr extension. If your backup is clean, then restore it from the locally held copy.
Check all other files involved with your site. Make sure you've updated all forums, CMS software etc to the latest stable versions with the latest security patches.
Remove the <iframe> line of code from the bottom of your page(s). This is the same "tgp" exploit that plagued PW a while back. Possibly you had a backup copy saved to your computer and used it. Either that or someone has found an exploit to gain access to your files.
At least this is what I'm seeing on the site listed in your profile. Since Ian removed the original URL I'm not sure that they are the same.
At least this is what I'm seeing on the site listed in your profile. Since Ian removed the original URL I'm not sure that they are the same.
It is the same site - Mods can't edit profiles.
Check all other files involved with your site. Make sure you've updated all forums, CMS software etc to the latest stable versions with the latest security patches.
The added code may be no fault of a CMS on igates' account (although it is still good to check). I have seen this happen on accounts that had no scripting that may have allowed unauthorized access. This is just a symptom of shared hosting.
One way to prevent further attack is to tweak htaccess files to default to a page like 'myhomepage.html' instead of 'index.htm' or 'index.html'. This exploit is commonly caused by an uploaded script that seeks out and modifies any filename that starts with 'index'.
If you want to view igates' page, I recommend visiting http://www.rexswain.com/httpview.html and entering the URL to his homepage. The iframe exploit will render as plain text so you can see it's evil without harming your computer.
By all means, go in there and remove the iframe code at the end of the HTML file! I'm not sure it would help to tell Powweb support about this. I have done so before and they had no idea how to trace its origin nor promise that they could prevent it in the future.
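The cleanup advice in this thread (look for an iframe added at the bottom of files whose names start with 'index') can be turned into a quick check over a local copy of the site or a backup. The script below is an added example, not code from any poster in the thread: the 1024-byte "tail" threshold, the host `injected.example` and the sample file layout are constructed assumptions, and every hit is a candidate for manual review rather than proof of tampering.

```python
import os
import re
import tempfile

IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
CLOSE_RE = re.compile(rb"</(?:body|html)\s*>", re.IGNORECASE)
SRC_RE = re.compile(rb"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
TAIL_BYTES = 1024  # assumption: how much of the file end counts as "the bottom"

def suspicious_iframes(data):
    """Return src values of iframes after </body>/</html> or in the file tail."""
    first_close = CLOSE_RE.search(data)
    tail_start = max(0, len(data) - TAIL_BYTES)
    hits = []
    for m in IFRAME_RE.finditer(data):
        after_close = first_close is not None and m.start() > first_close.start()
        if after_close or m.start() >= tail_start:
            src = SRC_RE.search(m.group(0))
            hits.append(src.group(1).decode("latin-1") if src else "(no src)")
    return hits

def scan(docroot, prefix="index"):
    """Map relative path -> suspicious iframe sources; prefix="" checks every file."""
    findings = {}
    for folder, _dirs, files in os.walk(docroot):
        for name in files:
            if not name.lower().startswith(prefix):
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                hits = suspicious_iframes(fh.read())
            if hits:
                findings[os.path.relpath(path, docroot)] = hits
    return findings

def demo():
    """Build a constructed document root and scan it twice."""
    # Constructed page with a legitimate iframe near the top (should not be flagged).
    page = (b'<html><body><iframe src="/map.html"></iframe>'
            + b"<p>text</p>" * 200 + b"</body></html>\n")
    injected = b'<iframe src="http://injected.example/x" width="0" height="0"></iframe>'
    samples = {"index.html": page + injected,   # tampered
               "blog/index.php": page,          # clean
               "about.html": page + injected}   # tampered, name not index*
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "blog"))
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan(root), scan(root, prefix="")

if __name__ == "__main__":
    print(demo())
```

Running `scan()` with `prefix=""` is the safer default after an incident, since a file outside the 'index' naming pattern can carry the same appended tag.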