Filezilla FTP Virus / Malware / Adware / Website Parasite: How to Spot It and What to Do

by Johnny Brezenhauer

Has somebody told you that your legit and innocent website makes their anti-virus programs flash warnings and block your site? And on closer inspection, have you noticed that your website, upon loading, first connects to some other irrelevant site, sometimes making your page take longer to load? Have you been desperately scratching your head, wondering what causes this? Is your web host corrupt, or does it have servers infected with spyware?

Well, so have I, and fortunately I can now tell you what this is, how to spot it and how to get your site back on track.

When a visitor to my site first told me honestly that my site was full of viruses, I had to do a lot of head-scratching about what could be causing this. Could it be that the 3rd party advertisement displayer was showing image ads that contain viruses? Was it perhaps a free script I had used, or a free player I had integrated, or was the problem that my web host's server had been infected?

Well, with the help of my host, we have managed to find the problem.  At this time I do not know what this virus / malware / adware / worm / trojan / spyware / password stealer / parasite does or even what to call it, or where your site contracts it, or what the purpose of it is supposed to be after it infects one's website, but as we have come to know the internet and its criminals, it can of course be nothing good for the infected website and its owner.  I'm assuming for the time being it's some kind of spyware script stealing passwords and collecting identity information from computers browsing the innocent victimized sites.

One of the sites this virus loads something from is rec-creations.com, but sometimes it also connects to other uncalled-for sites. When I open rec-creations.com in my browser, it seems to be the website of a provider of children's playground equipment. However, the malicious script is definitely downloaded from their site.

Note that most likely, rec-creations.com got infected somehow with this malware, and they are therefore also an innocent victim. It's likely they have no idea that their website is being used by the malware infectors as a host to spread the malware from.

The illegal running of a script on rec-creations.com and the downloading of something from it when we open our own site are caused by a script, usually in our index.html file, though I suppose it can be in any HTML file or any other web page file of one's site.

Now before you open your index.html file in your html editor to look for it, don't bother, for it is NOT there.  You will not see it in your local file.  It is written into the file by the virus somewhere between the transfer from your computer (perhaps by infected FTP software or browser when uploading via control panel, though I can't say which for sure) and being on your host's server. 

Even though you uploaded a file that is clean on your computer, if you now open that page in your web browser, the first thing you'll notice is that your status bar at the bottom of your browser  may say "Waiting for rec-creations.com..." or "connecting to" or "transferring from" the parasite website.  It may slow down the downloading speed of the page, or it may be so quick that you don't even pick up that your browser had connected to another site before finishing the opening of your page. 

However, if you now right-click and choose "View Page Source", you will spot this malicious script HIDDEN ANYWHERE on your page among the lines of code:

In the photo below, it was hidden in the page body, however, in another infected page, it was hidden right after another script in the header details, making it extremely hard to spot.

How and at what stage did it get added to the page code?  That for now is the mystery;  if somebody who knows more about it reads this, please comment and share the details. 

UPDATE: It seems likely a downloaded version of Filezilla is the culprit that adds the code to files during FTP upload. ALWAYS only ever download Filezilla from the official site, and not from any third parties that may have tinkered with it. Personally I've just stopped using Filezilla altogether for safety.

UPDATE #2: I have now stumbled upon posts by internet users that say Filezilla officially contains viruses and malware, so could it be that it wasn't that somebody else tinkered with a Filezilla install file and offered it online to others in order to infect them, but that Filezilla's own people are using it to distribute malware? Sad and sick.

Anyway, how to fix the issue is simple:

It would appear that not only does Filezilla alter the HTML files you upload with it in order to add the malicious lines, but also that your password has been sent off somewhere to be used to add the offending lines of code to your pages and re-upload them so altered, even if you yourself are not using Filezilla anymore.

Fortunately it seems if you install and run Malwarebytes, an anti-malware program, Malwarebytes will pick up the malware and you can remove it from your computer.

Once you have run Malwarebytes and removed the malware on your computer that stole your website control panel's password, you MUST CHANGE YOUR WEBSITE CONTROL PANEL'S PASSWORD or your web pages will simply get infected again.

Now, if you're sure that there's no password-stealing malware on your computer, turn to the infected files on your website's server: delete the infected file (for example index.html) from your web host's server, and upload the clean original (make sure it is clean, of course) again. Completely refresh your website in your browser, usually by pressing Ctrl + F5, and check the status bar for connections to any strange sites. If you can't spot any, right-click and check the source code again. The parasite script should be completely gone from the entire source code.
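The source-code check above can also be done mechanically by comparing the clean local file with the copy the server returns. The script below is an added example, not part of the original article; it lists hosts that the served page loads content from but the local original does not. The sample pages and the host name `unexpected-host.example` are constructed placeholders.

```python
# Added example: diff the external loads of the clean local file vs. the served copy.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags that make a browser fetch something, and the attribute holding the URL.
WATCHED = {"script": "src", "iframe": "src", "frame": "src",
           "embed": "src", "object": "data"}


class LoadCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = set()        # hosts the page pulls content from
        self.inline_scripts = 0   # <script> blocks with no src attribute

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        url = (dict(attrs).get(WATCHED[tag]) or "").strip()
        host = urlparse(url).hostname  # None for relative (same-site) URLs
        if host:
            self.hosts.add(host.lower())
        elif tag == "script" and not url:
            self.inline_scripts += 1


def summarize(html):
    collector = LoadCollector()
    collector.feed(html)
    collector.close()
    return collector.hosts, collector.inline_scripts


def find_injected(local_html, served_html):
    """Report what the served copy loads that the local original does not."""
    local_hosts, local_inline = summarize(local_html)
    served_hosts, served_inline = summarize(served_html)
    return {"new_hosts": sorted(served_hosts - local_hosts),
            "extra_inline_scripts": max(0, served_inline - local_inline)}


# Constructed sample pages; the host name below is a placeholder, not from the article.
LOCAL = ('<html><head><script src="js/menu.js"></script></head>'
         '<body><h1>My site</h1></body></html>')
SERVED = LOCAL.replace(
    "<body>", '<body><script src="http://unexpected-host.example/x.js"></script>')

if __name__ == "__main__":
    print(find_injected(LOCAL, SERVED))
```

To use it on a real site, save the output of "View Page Source" to a file and pass its contents as `served_html` alongside the contents of your local original. An empty `new_hosts` list and zero extra inline scripts mean the served page loads nothing the original does not.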

Now your site should be safe again for browsing.
