Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : Malware: PUA.HTML.Infected.WebPage-2

[firewiz]

Hello Everyone.

I have a small issue with one of our sites. I recently did a VirusTotal.com scan and discovered one infection/malware "PUA.HTML.Infected.WebPage-2". I tried searching the forums and Googled the term, but hardly could find any information to remove the infection. We installed "ClamAV" and "Malware detect" but there was no indication of any malware on the hosting.

Can someone please help?

[CH-Shaun]

I'm assuming you uploaded a PHP or HTML file to VirusTotal. Hackers will sometimes inject malicious code into PHP or HTML files.

[ssfred]

Hello
The chance for a malware or virus attack on a Linux server is very low. Normally files uploaded through an infected machine will be the culprit . In such cases , you need to change your Cpanel and mysql password first and then perform a detailed scan on your machine with updated anti-virus. Once the machine is confirmed to be secure, download the webcontents and then remove the malware entries and upload it back. Stop the habit of storing site login credentials on applications like ftp client or web browser. Some viruses are capable of capturing them and upload malicious contents to the server. Also ensure that the installed applications are safe and secure.

[CH-Shaun]

Quote:

Originally Posted by ssfred

Hello
The chance for a malware or virus attack on a Linux server is very low. Normally files uploaded through an infected machine will be the culprit . In such cases , you need to change your Cpanel and mysql password first and then perform a detailed scan on your machine with updated anti-virus. Once the machine is confirmed to be secure, download the webcontents and then remove the malware entries and upload it back. Stop the habit of storing site login credentials on applications like ftp client or web browser. Some viruses are capable of capturing them and upload malicious contents to the server. Also ensure that the installed applications are safe and secure.

Not only just re-upload the affected contents, but I'd advise to ensure that scripts are up to date. The common way that a hacker gains access are outdated scripts.

[firewiz]

Thank you for all responses. Some of your inputs were really good, that I think many of us take for granted.

After hours of scanning and reading online I couldn't find anything that suggested what "PUA.HTML.Infected.WebPage-2" actually is.. until just a while back I noticed the Google Analytics code on our website was appended after the body tag.. I relocated the code and ran the scan again.. that was it!
Even a genuine JS code added outside of the designated areas is flagged as "potential" malware by ClamAV.