Web Site hacked: Exploit:HTML/IframeRef.EX

Discussion in 'Malware Help (A Specialist Will Reply)' started by kpduty, Aug 30, 2013.

  1. kpduty

    kpduty Private E-2

    Hi,

    I built a website from a free template about a year ago. I put it up on a paid server for my friends at the organization to review, but it languished as they are a busy non-profit with few staff.

    Got a notice from the hosting company saying the site had been hacked, and Google flagged it as unsafe (see attached Google site report --anonymized for the clinic).

    Went to site and MSE immediately picked up and deleted (4) instances in template site html files of:

    Exploit:HTML/IframeRef.EX

    Took the site down and downloaded the Dead Files into a directory on my computer. MSE immediately deleted those 4 html files -- so I couldn't view the code if I knew what I was looking for.

    This thing runs on spry and java, and is a static html site with encrypted paypal buttons. An oddity I found in the new site that was not there before was there is a string above the paypal button:

    <input type="hidden" name="cmd" value="_s-xclick" />

    From what I found on the PayPal dev site, this is a standard PayPal button -- but I copied and pasted the form from the old into the new and do not recall generating a new button -- but maybe I made a new button, but I don't think so.

    I have changed user account, FTP, & Paypal UN & PW.

    My computer is now infected, but that is secondary, as MSE says they found it and removed it and MBAM comes back clean on the files in the original directory.

    My question is this: can anyone with some knowledge look at the template files I used and tell me if the exploit was coded into the original "free template"? I did have the good sense to scan it before using it, but may have missed something.

    Don't want to dump a lot of files here without permission. Hesitant to finish running all scans as I may delete something needed to identify the culprit.

    Any help is appreciated.
    kpduty
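The infection described above is an injected hidden iframe in static HTML files. The following added example (not from this thread or from any of the tools mentioned in it) is a small defender-side check: it lists iframes that appear in the deployed copy of a page but not in the clean template copy kept locally, and flags iframes that are off-site, 1x1 pixel, or hidden with CSS. The sample HTML, the clinic hostname and the `attacker.invalid` domain are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def iframe_attrs(html):
    parser = IframeCollector()
    parser.feed(html)
    return parser.iframes


HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def suspicious_iframes(html, site_host):
    """Return (src, [reasons]) for iframes that look injected rather than part of the site."""
    findings = []
    for attrs in iframe_attrs(html):
        reasons = []
        src = attrs.get("src") or ""
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            reasons.append(f"off-site src {host}")
        for dim in ("width", "height"):
            value = (attrs.get(dim) or "").strip().lower().rstrip("px")
            if value.isdigit() and int(value) <= 1:          # 0x0 or 1x1 frames
                reasons.append(f"{dim}={value}")
        if HIDDEN_STYLE.search(attrs.get("style") or ""):
            reasons.append("hidden via CSS")
        if reasons:
            findings.append((src, reasons))
    return findings


def new_iframes(clean_html, deployed_html):
    """Iframe src values present on the server copy but absent from the local template copy."""
    clean = {a.get("src") or "" for a in iframe_attrs(clean_html)}
    deployed = {a.get("src") or "" for a in iframe_attrs(deployed_html)}
    return sorted(deployed - clean)


# Constructed sample: a clean page with a PayPal button, and the same page after injection.
CLEAN = """<html><body><h1>Clinic</h1>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick" /></form></body></html>"""
DEPLOYED = CLEAN.replace("</body>", '<iframe src="http://attacker.invalid/x.php" '
                         'width="1" height="1" style="display:none"></iframe></body>')
```

Run `new_iframes(CLEAN, DEPLOYED)` against each HTML file pair to answer the poster's own question (template vs. server copy) before deleting anything, and `suspicious_iframes` when no clean copy exists.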

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but this is something you really need to inquire about in the Software Forum. Issues like this are more of a result of using old/non-updated programming tools and/or poor programming practice that allowed the exploit to occur. Also not keeping all of your software on your development PC and server updated with all security patches can also be an issue.


    If however you suspect that your development PC has this infection or other infections, you should run the below:


    READ & RUN ME FIRST. Malware Removal Guide
  3. kpduty

    kpduty Private E-2

    Thanks for the reply. I'm not sure how to delete the original post, so I'll thank you now if you can do it for me. Believe it or not, I keep my system pretty clean and up to date (guilty of hanging on to XP till support ends next summer).

    I was just unsure if I should delete viruses whilst asking for help on them. That being said, if you would be so kind as to examine the logs from Read & run me, I could sure use the help.

    I went ahead and ran MBAM the first day, picked up nothing, but the Sophos anti-virus tool did, and removed it. Attached are the Read & Run Me logs from today. I also ran MBAR anti-rootkit as I am trying to reset passwords before it gets worse, and AdwCleaner. I have attached these logs as well, and the MSE list of what it found where.

    I'm hopeful that the files in question may be OK, as scanning the original files I uploaded comes back clean. Only the ones on the web came back with viruses, not the original code saved on my computer, and I have since brought them up to W3C validation. But I'll wait to see if the system is clean, then post my question in Software as you suggested -- sorry to hit the wrong forum.

    Can you look at my logs and let me know what you think as far as cleaning the "dev server" (my little PC). Thanks!

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are fine. Only some minor junk adware was cleaned up, and also the exploit in your Java cache was removed by Sophos.


    Since you do not appear to be having malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    7. After doing the above, you should work thru the below link:
  5. kpduty

    kpduty Private E-2

    Thanks so much for your help. I'll head over to software forum now.:)
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!