
What to do when AVG claims your own web page is infected

If AVG suddenly detects a threat on your website even though you have not changed the content recently, it is possible that your web pages have been infected. Viruses all over the Internet actively try to locate weakly secured FTP access to web servers, and they also try to steal FTP credentials from infected computers. Once the correct account credentials are acquired, the virus makers connect to the FTP site and modify some of the web pages. The infected web pages then redirect users to various infected websites containing, for example, virus executables or fake antivirus products.

How to cure infected web pages?

The easiest way is to reload the whole web content from a backup (that is, overwrite everything on the web server with your original web pages). However, as a backup is not always available, it may be necessary to check the contents of each web page reported as infected.

Injected code is usually encoded to avoid detection by antivirus products, and this allows you to locate it easily: it does not look like the rest of your code. Here is an example which uses the eval function to encode the real URL:

Injected Code Example

Characters like %64%6F%63%75 are very easy to notice when you check the web page content using, for example, Notepad. Another favourite encoding method uses the document.write function, so you may also look for that. If you cannot find either of the functions mentioned above, you should generally look for any suspicious JavaScript parts which are not supposed to be in the code, or, for example, for iframe elements.

When you find such a suspicious part, simply remove it from the source code and re-upload the cured web page to the web server.
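
The manual check described above can be run over a local copy of the whole site. The following script is an added example, not AVG code: it flags the indicators named in this article (runs of percent-encoded characters, eval, document.write, iframe elements) and decodes the percent-encoded runs for display. The regular expressions, the file extensions and the sample page are assumptions of the example.

```python
import re
import sys
from pathlib import Path
from urllib.parse import unquote

# Indicators named in the article; the regexes are this example's own choices.
PATTERNS = {
    "percent-encoded run": re.compile(r"(?:%[0-9A-Fa-f]{2}){4,}"),
    "eval call": re.compile(r"\beval\s*\("),
    "document.write call": re.compile(r"\bdocument\.write(?:ln)?\s*\("),
    "iframe element": re.compile(r"<iframe\b", re.IGNORECASE),
}

# Constructed sample page: line 3 only decodes to the word "document".
SAMPLE = """<html><body>
<h1>Welcome</h1>
<script>eval(unescape('%64%6F%63%75%6D%65%6E%74'))</script>
<iframe src="http://example.invalid/" width="0" height="0"></iframe>
</body></html>"""

def scan_text(text):
    """Return (line_no, indicator, detail) findings for one page's source."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(line):
                detail = m.group(0)
                if name == "percent-encoded run":
                    detail = unquote(detail)  # decode for display only, never execute
                findings.append((line_no, name, detail[:60]))
    return findings

def scan_tree(root, exts=(".html", ".htm", ".php", ".js")):
    """Scan every web file under root; return {path: findings} for files with hits."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[str(path)] = hits
    return results

if __name__ == "__main__":
    # With a directory argument, scan a local copy of the site; otherwise the sample.
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"SAMPLE": scan_text(SAMPLE)}
    for page, hits in found.items():
        for line_no, name, detail in hits:
            print(f"{page}:{line_no}: {name}: {detail}")
```

Every hit is a candidate for manual review rather than proof of infection, because legitimate pages also use document.write and iframe elements.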

How to prevent reinfection?

As a first step, we strongly recommend changing your password for FTP access. The password should be at least 8 characters long and combine letters and numbers, to avoid dictionary-based attacks. Also, do not save your password in any software you use for FTP transfers. The most popular applications are easily exploited to obtain saved passwords when the PC itself gets infected.

How to contact AVG?

In case there is a false alarm, please contact us using the following form:
http://samplesubmit.avg.com/false-detection

We will inform you with more details after the analysis.

