Is the DB of MySQL or similar flavour? If so, it is probably on a different server. I've occasionally had problems due to the constant switching between servers and losing packets, especially if the DB is large (order of Mbs).

Suggestion: temporarily disconnect the DB and reconnect with a small dummy one: If the problem persists, you will know that a small combination of bits looks like part of a known malware. Tracing it is not necessarily easy, especially if scripted in PHP or similar.

Yes it is mysql. The website uses the modx cms.

Google claims various pages have hidden iframes with links to various malware sites. I have never seen them in Page View Source, nor in the JS, nor have I found any changes file dates apart from cached pages.

That's what Firefox told me:

Me too, but whenever I look I can't see it myself!

At the moment I'm praying it was a scan from before I did a restore and password change early yesterday pm, but since I've never actually found the source that's probably wishful thinking.

I'd go with Brian on this one... Could be something in th database.... Is it possible to scan the database for suspicious content?

I get the same google report as TransformX, claiming that the last suspcious data was found on the 17th (yesterday). What surprises me is the report also lists some domains on which the malware is hosted, shouldn't there be traces of this in the database or source then?

The AVG Web page scanner finds nothing: http://www.avg.com.au/resources/web-page-scanner/
The unmaskparasites lists the google result: http://www.UnmaskParasites.com/secur...www.cappeu.com
It can also search for hidden links on the website, but more interestingly they provide more suggestions on how to resolve it and on how to request a malware review on Google (it schedules your site to be scanned again within a couple of hours).


edit1: can't file times/dates be altered? I don't think the timestamp is sufficient to say the file has not been tampered with.

edit2: Symantec rates it as safe now: http://safeweb.norton.com/report/sho...com%2F&x=0&y=0

Jörg

Maybe you were spoofed?

Thanks guys.

The server is dedicated. The database is on the same machine.

I have just dicovered there is an update to the cms which fixes, amongst other things, a XSS vulnerability.

Is there such a thing as a self-deleting virus? Something that could keep attacking and remove itself each time?

Don't know on the virus question... but shouldn't it leave traces?
One possible scenario could be that other machines keep trying to infect a machine which was infected before. So if you replace the software with an (unpatched) image, it would get infected quickly again...

Could something have gone wrong in an update (so your machine got infected during an update of one of the components)?

Also, you can try if it is possible to browse to other parts of the site, or if google blocks those (or gives e.g. a different number of malwares); it may help you to narrow down on which pages it occurs. From there on you can check the content of those pages and databases...

Our sysadmin always says: if a machine has been infected, don't trust anything on it...

Update:

At the moment Google likes me again. Phew.
the concensus appears to be it is probably an infected php file and the db should be untouched. This would make sense and explain the random nature of the infected pages and why I could never see anything in the source for each page.

This pm I updated from 1.0.2 to 1.0.4 which closes some vulnerabilities, and in the process I probably wiped the infection away.

I've throoughly scanned all my client machines and locked down the firewall even tighter so reinfection from machines with firewall privileges should be very unlikely.

My developer has found mention of HEUR: TROJAN.Script.Iframer on the 22/7/2010 in his Kaspersky logs. I wonder if it had chance to start all this before Kaspersky found it.

might it be related to this?

I see crap like this all the time. You probably don't have a virus, you probably got hit by a cross-site scripting attack or SQL injection attack.




The cross-site script attack uses a mix of vulnerabilities in PHP, ASP.NET, javascript, CGI, etc. to attach links inside your actual physical files to sites that try to infect computers with trojans. The Google webmaster tools should help identify which pages, if any, got hit. An iFrame attack, or virus, is a type of cross-site script attack.



SQL Injection is the other possibility. Instead of attaching malicious code into your files it implants the links/information into SQL. This takes advantage of registration and URL vulnerabilities to get the data into the database, so when certain pages/link/content is served the malicious code is injected by bad SQL data into your dynamic pages. These are especially hard to clean, because you either have to roll back your database from backup, or spend a lot of time cleaning it, and then figure out where your security holes are and then fix the code.

If updating your code fixed the issue then it was probably a cross-site script attack. Replacing the files would clear out any malicious code that got injected.

On every thread which mentions SQL injection, there should be the Bobby Tables cartoon...