What to do when AVG indicates that your own web page is infected?
If AVG suddenly detects a threat on your website, but you have not changed the content recently, it is possible that your webpages have become infected. Viruses all over the Internet actively try to locate weakly secured FTP access to web servers and also try to steal FTP credentials from infected computers. Once the correct account credentials are acquired, the virus makers connect to the FTP site and modify some of the webpages. The infected webpages then redirect users to various infected websites containing items such as virus executables or fake antivirus products.
How to cure infected webpages?
The easiest way to cure infected webpages is to reload the whole web content from backup (that is, to overwrite everything on the web server with your original web content). However, as a backup is not always available, it may be necessary to check the content of each webpage reported as infected.
Injected code is usually encoded to avoid detection by antivirus products, which also makes it easy to locate: it does not look like the rest of your code. Here is an example which uses the eval function to encode the real URL:
When you find a suspicious part, simply remove it from the source code and re-upload the cured webpage to the web server.
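One way to run the check described above over a local copy of the site, as an added example (not AVG's code or detection logic): it flags lines where eval is fed a decoded string or where a long encoded run appears. The rule patterns, thresholds and function names are assumptions chosen for illustration, and SAMPLE_PAGE is constructed.

```python
import os
import re

# Heuristics for script that "does not look like the rest of your code".
# These patterns and thresholds are assumptions for this example, not AVG signatures.
DECODERS = r"(?:unescape|decodeURIComponent|atob|String\.fromCharCode)"
RULES = {
    "eval-of-decoded-string": re.compile(r"\beval\s*\(\s*" + DECODERS + r"\s*\(", re.I),
    "long-encoded-run": re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I),
    "long-charcode-list": re.compile(r"fromCharCode\s*\(\s*(?:\d{1,3}\s*,\s*){12,}", re.I),
}
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def scan_text(text):
    """Return [(line_number, [rule names])] for lines matching any rule."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rule in RULES.items() if rule.search(line)]
        if hits:
            findings.append((number, hits))
    return findings


def scan_tree(root):
    """Scan every web file under root; return {relative path: findings}."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(WEB_EXTENSIONS):
                continue
            path = os.path.join(folder, name)
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings = scan_text(handle.read())
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report


# Constructed sample page: line 3 is a harmless stand-in for injected code
# (the encoded string decodes to "alert(1)").
SAMPLE_PAGE = """<html>
<script>function showMenu() { document.getElementById("menu").hidden = false; }</script>
<script>eval(unescape("%61%6c%65%72%74%28%31%29"))</script>
</html>
"""

if __name__ == "__main__":
    print(scan_text(SAMPLE_PAGE))
```

Call scan_tree on a downloaded copy of the site and review each reported line by hand; a match is a candidate for inspection, and a clean result does not prove the page is uninfected.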
How to prevent reinfection?
As a first step, we strongly recommend changing your password for FTP access. It should be at least 8 characters long and combine both letters and numbers to avoid dictionary-based attacks. Also, do not save your password in any software you use for FTP transfers. Saved passwords are easy to extract from the most popular FTP applications once the PC itself gets infected.
How to contact AVG?
In case there is a false alarm, please contact us using the following form:
We will inform you in more detail after the analysis.