village website (VIRUS?)

[Lou_smorals]

Hi
I maintain our village website, this was put together using Joolma 1 by myself (complete lamer) with some top help from big larry some years ago. (www.roughtonvillage.co.uk) today I have had a villager on the telephone upset that "your site is a virus." when I asked him to be more specific he said AVG says it came from the village site. when he goes to the website is says "webshield alert threat detected threat name: exploit search engine hijack."
Please can somebody advise me if I have done something wrong and what I should tell the geezer.
many thanks
LS

[Zippeyrude]

have you visited the site yourself with avg?

[Mule]

AVG really doesn't like this file - http://www.roughtonvillage.co.uk/tem...log_bullet.png

[Zippeyrude]

summit on ur site is infected

avg 8.5 screenshot attached

[psxcity]

just done a quick visit and scan on that url got no warnings
Checking: http://www.roughtonvillage.co.uk
Engine version: 5.0.0.12182
Total virus-finding records: 550079
File size: 20.94 KB
File MD5: 6c556bb29a3bc18b7e950525c21074aa

http://www.roughtonvillage.co.uk - archive HTML
>http://www.roughtonvillage.co.uk/JavaScript.0 - Ok
>http://www.roughtonvillage.co.uk/JavaScript.1 - Ok
>http://www.roughtonvillage.co.uk/JavaScript.2 - Ok
>http://www.roughtonvillage.co.uk/javascript.3 - Ok
http://www.roughtonvillage.co.uk - Ok

[Lou_smorals]

Hi
Wow, thank you all so much, so guy is correct! oh dear. what would u advise I do from here?
thanks
LS

[Zippeyrude]

replace the file for presumably a clean one.

is the folder native to the site or has it been added by a hack?

[psxcity]

strange that avg picks it up and both my scans dont,even tried a online scan url to find it clean,anyone else picked a warning up using someting other than avg?

[Lou_smorals]

hi
Should I take it offline until fixed?
thanks
LS

[iNSPECTA]

Clicking the link to the 'infected' blog bullet takes me to:

Code:

http://poshdates.com/photos/search.php?q=do%20it%20yourself%20bankruptcy

[BigLarry]

The file wasn't infected, pretty sure you can't do that with a png anyway.

Problem was that someone had basically pissed about with the htaccess in the templates directory redirecting any 404's to a php script which basically looks on the server you are referred to like someone has searched on the poshdates.com site for "do it yourself bankruptcy". As in the link below:

http://poshdates.com/photos/search.p...f%20bankruptcy

What perhaps happens next is that there's a fake javascript click on the site to boot on one of the links (they're all basically sponsered links).

So the people paying for the "sponsered links" see what look like bona fide visitors going to the search box entering a term and clicking a link. They have a valid new user IP address, a referrer etc etc

To sum it up, it's click fraud and not a virus

[Lou_smorals]

The file wasn't infected, pretty sure you can't do that with a png anyway.

<snip>
To sum it up, it's click fraud and not a virus

Thanks m8, you the man, Larry the 4rth emerency service, oh and u can shove thoic right up your farter.
LS
Xdigital was the place

[Latic]

Lou,

You'll need to completely update your Joomla install to stop this happening again. Looks like someone has used an exploit with the old code.

[c0axial]

Upgrade Joomla.... had the same issue when teamfury.co.uk got compromised with a sploit, ended up with a replaced php and a packaged virii ... sounds like the same issue ... the blighters scan hosts and find exploitable hosts.....they ended up putting political war images with blown up body parts.... Upgrade Upgrade Joomla ASAP...