Author Topic: Redirector-HS [Trj] detected on my website  (Read 6534 times)


eltopo

  • Guest
Redirector-HS [Trj] detected on my website
« on: December 26, 2011, 12:03:31 PM »
Hello,

Avast detects the Trojan js:Redirector-HS on my Wordpress website. Here's the page: hxxp://prog-inna-babylon.fr/audio/. As far as I can see, all the Javascripts called in the header correspond to legitimate plugins (NextGen Gallery and Shadowbox), and the Javascript in the footer is to scramble an email address in the code.

Am I missing something? Kaspersky doesn't see anything on that page, and the Sucuri SiteCheck WP plugin doesn't turn up anything either. Only Avast does on my friend's pc, and every page but the home one is inaccessible to him - on the same network with another antivirus the site works fine though. To add to my confusion, all the online web scanners I've tried, whose credibility I'm admittedly not sure about, say the page is safe.  ???

Thank you.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67195
Re: Redirector-HS [Trj] detected on my website
« Reply #1 on: December 26, 2011, 12:33:53 PM »
Check here how to clean and make a website secure.
I'll report this to the virus analyst and hope they correct the detection soon.
The best things in life are free.

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Redirector-HS [Trj] detected on my website
« Reply #2 on: December 26, 2011, 12:41:00 PM »
Could you attach a screenshot of the avast warning?


urlQuery report - suspicious  
http://urlquery.net/report.php?id=13446

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=0de8b7e2ee03f9f693dbe04925489572&t=1324900047&type=js



And it is not only avast that does not like it:

VirusTotal - audio.htm - 9/43
http://www.virustotal.com/file-scan/report.html?id=e810facc1fb040ec09bb0b35b909b4ceabe6214a74dc9b159cb263937198342d-1324899746


« Last Edit: December 26, 2011, 01:04:22 PM by Pondus »

spg SCOTT

  • Guest
Re: Redirector-HS [Trj] detected on my website
« Reply #3 on: December 26, 2011, 12:53:41 PM »
avast! seems to be alerting on the code shown in the image. Odd since it appears to be an obfuscated email address?

Not sure why...possibly a false positive.


Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Redirector-HS [Trj] detected on my website
« Reply #4 on: December 26, 2011, 12:58:56 PM »
Yep... and that mail shows in the wepawet report.

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Redirector-HS [Trj] detected on my website
« Reply #5 on: December 26, 2011, 01:43:45 PM »
Norman lab confirms infected
Quote
Detection is added for the malicious redirect pages
audio.htm : Processed - HTML/Agent.RA
prog-inna-babylon.fr.htm : Processed - HTML/Agent.QZ

Quote
The detection is added for the redirect prog-inna-babylon.fr that transacts medicmagic.net, which is related to ads. Hence these detections are added in the PUA category.
The written data fetched here is <a class="footer" href="mailto:joelliron@yahoo.co.uk"> Contact</a>
wherein the registrar details are - http://www.myiptest.com/staticpages/index.php/whois/joel-liron.net

It is to alert the user that he is aware of a redirect

PUA category = Possible Unwanted Application
some use the PUP name = Possible Unwanted Program - http://searchsecurity.techtarget.com/definition/PUP
« Last Edit: December 26, 2011, 06:12:13 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Redirector-HS [Trj] detected on my website
« Reply #6 on: December 26, 2011, 05:34:14 PM »
Here is the suspicious part of the code:

suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
-prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 suspicious
[suspicious:2] (ipaddr:82.165.108.214) (script) -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05
     status: (referer=-prog-inna-babylon.fr/audio/)saved 1750 bytes aecd83a288c7f7a8094e58df045e5703aeda4599
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     info: file: saved -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 to (aecd83a288c7f7a8094e58df045e5703aeda4599)
     file: aecd83a288c7f7a8094e58df045e5703aeda4599: 1750 bytes
     file: a4cad35d4ebf6dd99082e86577790468309c57ca: 2080 bytes
     file: 93a6e87828b6629a588539e8dce94fe6ef7523d4: 2086 bytes
     file: 000eb96c77da1a6c3e013c691bc26c7bdde1a630: 2295 bytes
     file: d7b9dabdca7e87c255f6b2d6e5d3318e97c90d30: 2487 bytes
     file: bdbe42bcb7e0c0608f6a708235fcf8a3e362b7f1: 2201 bytes
     file: d748b293f6fa509600be0050eeb12e03ff38577e: 2325 bytes
Check if the latest WP version is installed:
Wordpress internal path: /homepages/7/d341462386/htdocs/PIB/wp-content/themes/Starkers/index.php

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

eltopo

  • Guest
Re: Redirector-HS [Trj] detected on my website
« Reply #7 on: December 26, 2011, 05:58:42 PM »
Hello all

Thank you for your quick replies - what a great community this is.  :)

Here is the screenshot (in French): hxxp://prog-inna-babylon.fr/wp-content/uploads/2011/12/ProgJS.jpg

I can't see any suspicious code in my WP theme, which is custom-made, and I'm not proficient enough to go looking through the Wordpress files themselves. I upgraded to the latest version of WP last week I think, from a fresh install of 3.2. I've just changed the permissions on files and folders such as htaccess, wp-config.php, wp-content, in accordance with recommendations by BulletProof Security, a WP plugin, so maybe there was a security hole there.

I have deactivated and deleted the NextGen Gallery plugin, which was calling the ngg.slideshow.min.js file in the site's header - thanks Polonus. Avast still shows the error when I navigate to the site - does that mean there's some more evil code somewhere, or that this .js file wasn't to blame?

I can restore the site to about two weeks ago, not sure if that's the best thing to do right now...?

Thanks again for all your help, it's appreciated.

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
Re: Redirector-HS [Trj] detected on my website
« Reply #8 on: December 26, 2011, 06:04:43 PM »
I got some extra info from Norman... see my post above.

Hope that helps   ;)

eltopo

  • Guest
Re: Redirector-HS [Trj] detected on my website
« Reply #9 on: December 26, 2011, 06:26:35 PM »
Thanks a lot Pondus, you da man! I took out the js code obfuscating the email address in the Html source code, and both Avast and Wepawet report the site clean now - so I assume I'm good?

I'd gotten the Js code from some online site where you enter the email address and out pops some scrambled code... with some extra baggage apparently.

What a relief, it's like a second Christmas. Thanks again!

Offline Pondus

  • Probably Bot
  • Posts: 37505
  • Not a avast user
« Last Edit: December 26, 2011, 06:35:35 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33891
  • malware fighter
Re: Redirector-HS [Trj] detected on my website
« Reply #11 on: December 26, 2011, 08:23:22 PM »
Also the wepawet scan confirms:

The last time we found it to be benign was at 2011-12-26 09:34:48.
The last time we found it to be suspicious was at 2011-12-26 03:47:27.

Something has changed; the difference was "Evals Writes" - that is now gone...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!