Greetings!  www.frankcohengroup.com is built with DNN 7.4.2.  A user sent me an image today that access to the site was blocked by Kaseya AV as infected with Trojan.Script.Iframer.  Another user last week mentioned a scary popup that announced they had a virus and should call right away for removal.

There is some odd code at the bottom of /default.aspx, a JavaScript function sbhq() that contains a large encoded string and a second function hbfz that loads a window and calls sbhq.  I removed the function from /default.aspx but it still appears on the site (but did not reappear in the file).  The rendered page also contains a div with an iframe leading to gofitnes.top/sd/?wtdmRB (the div was never in the ASPX file)- so pretty sure there is an issue.  

Virus scanner on the server doesn't see anything, nor did two web-based site scanners.

Is this malware?  Any ideas how to remove?  I searched all files in every folder of DNN and the function and div are not present.  Is it in the database?  IIS process?

Best,
Scott

Sebastian,

Sad, but true!  I removed the Install pages on 3 July 2016, but it was too late - the hack occurred on 30 June 2016

Using an Atlanta,GA IP address, hacker ran an install of "7.4.2.1" which replaced \default.aspx, added aspx pages to portals\_default\Smileys and created new host account and made the following host setting changes:

These setting seem ok / benign to me - should I change any of them?

I believe I have remedied the other hacks - for sure that mysterious JavaScript is now gone and the user that reported the issue no longer gets a warning from his AV.

I can't say enough good things about the support here and the Security Analyzer.  Awesome.  That should pinned be on the Host's favorites by default.

Thanks,
Scott