Author Topic: JS:Redirector-MR [Trj]. Please help me.  (Read 22019 times)


pieter_dj

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #15 on: December 10, 2011, 10:20:36 PM »
Should I delete the whole of the PHP code or only the JavaScript code? Just now I only deleted the JavaScript code. I see it has solved the problem. Oh, should I delete the PHP code also? What do you think, spg SCOTT and DavidR?

Pondus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #16 on: December 10, 2011, 10:22:02 PM »
Do not post code in the forum, as avast may alarm on it.

DavidR
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #17 on: December 10, 2011, 10:22:13 PM »
Again, please post any script examples as images, not live code, which could cause an alert.

Thank you very much, spg SCOTT. I have removed the code, but I only removed the JavaScript code, not the whole of the PHP code, so the script now looks like this.

<snip>

Can you check by browsing my site again? I think the problem has been solved, right? I only need to make sure that the "Dean Edwards" malware does not appear again each time I browse my site.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

spg SCOTT

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #18 on: December 10, 2011, 10:28:47 PM »
It seems that the added code in the functions.php was what added the malicious code to the pages as they were created. I can't see the code within the page now.

You also need to ensure that your wordpress version is updated:
From Sucuri...

1. Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php  Wordpress version outdated: Upgrade required.
...


pieter_dj

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #19 on: December 10, 2011, 10:34:36 PM »
I am sorry, I didn't know that the code could make avast alert on this forum. I apologize. I am curious how to see the code in the source code, because when I view the source code of my site, I couldn't find that code before I deleted that JavaScript code. I use the Opera browser. I click the View menu and click Source, but I couldn't find the code before I deleted the JavaScript in functions.php. I am curious how you could find the code, spg SCOTT?

polonus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #20 on: December 10, 2011, 10:42:57 PM »
Hi folks,

When I do a search query on that malcode on http://sucuri.net/new-malware-evalfunctionpacked.html
and go and try to visit -http://jsunpack.jeek.org/dec/go?report=961a36cb8a1f4c17e1974106b061279928f04583, avast Web Shield immediately blocks the connection to it and alerts on it as JS:Agent-HA[Trj].

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Pondus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #21 on: December 10, 2011, 10:44:55 PM »
I am sorry, I didn't know that the code could make avast alert on this forum. I apologize. I am curious how to see the code in the source code, because when I view the source code of my site, I couldn't find that code before I deleted that JavaScript code. I use the Opera browser. I click the View menu and click Source, but I couldn't find the code before I deleted the JavaScript in functions.php. I am curious how you could find the code, spg SCOTT?
Scott is using a program called Malzilla

polonus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #22 on: December 10, 2011, 11:05:36 PM »
Avast is right here; see what was reported at http://blog.armorize.com/2011/10/mass-wordpress-infection-ongoing-most.html (link authors: Wayne Huang, Chris Hsiao, NightCola Lin).

Quote from there:
Quote
1. Location of injected script: in the index page of the compromised website.
2. Means of compromise: we believe via a combination of a) stolen WordPress passwords b) backdoors into previously compromised WordPress websites and c) Automated script-injection tools that work in combination of either (a) or (b).
3. Injected script: In the [Details] section we've included an example of an injected script. There are more than 20 variations.
4. Script packer used: Dean Edwards' packer.
5. Malware: Multiple malware will be installed (dropped) onto the visitors machines without the users' knowledge. Antivirus detection rate is around 5 out of 43 vendors on VirusTotal at the time of this writing.
6. Infected websites: A lot of WordPress websites have been hit, a sample list is as follows:


Now the way the infection goes
Quote
The injection has a simple chain:

1. Index page of a WordPress site is injected with script packed by Dean Edwards' packer
2. Javascript generates iframe to a malicious domain registered with changeip.com
3. Browser loads the exploit pack from the malicious domain, hosting on a few fixed IPs including 95.163.66.209 (Russia), 64.131.75.19 (USA), and 182.18.185.82 (India).
 
Link authors: Wayne Huang, Chris Hsiao, NightCola Lin at Armorize malware Blog

polonus

Asyn
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #23 on: December 10, 2011, 11:15:37 PM »
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast things worth knowing (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0

polonus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #24 on: December 10, 2011, 11:26:08 PM »
Hi Asyn,

Again this shows how important it is for webmasters to continuously update their website software, here WordPress, and initially for them to secure their WordPress passwords, for instance with the Chap Secure Login plug-in, or one could use an online secret key generator: https://api.wordpress.org/secret-key/1.1/salt/

polonus

Asyn
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #25 on: December 10, 2011, 11:42:04 PM »
Again this shows how important it is for webmasters to continuously update their website software, here Wordpress...

+1

polonus
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #26 on: December 11, 2011, 01:54:53 AM »
Hi folks, if there is a Dean Edwards packer, there is also an unpacker:
http://dean.edwards.name/unpacker/

Enjoy,

pol
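A defender-side companion to the Armorize chain quoted in Reply #22 and the unpacker link in Reply #26, added here as an example and not code from the thread or from Dean Edwards' site: it recognises p.a.c.k.e.r output by its `eval(function(p,a,c,k,e,...` stub, reverses the packer's word substitution statically (no eval), and flags iframe injection in the result. The packed `SAMPLE` is hand-constructed for this example and points at the reserved host `example.invalid`; `decodeIndex`, `unpack` and `findIndicators` are names chosen here.

```javascript
// Added example, not code from the thread: static detector/unpacker for
// Dean Edwards' p.a.c.k.e.r output, so an injected script can be inspected
// without evaluating it. SAMPLE is constructed; host example.invalid is reserved.
const PACKER_SIG = /eval\(function\(p,a,c,k,e,[rd]\)/;
// The trailing call: ('payload', base, count, 'w0|w1|...'.split('|'), ...)
const ARGS_RE = /\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/;

// Inverse of the packer's e(): 0-9 and a-z are digits 0..35, A-Z are 36..61.
function decodeIndex(token, base) {
  let n = 0;
  for (const ch of token) {
    const digit = ch >= 'A' && ch <= 'Z' ? ch.charCodeAt(0) - 29 : parseInt(ch, 36);
    n = n * base + digit;
  }
  return n;
}

// Returns the unpacked script, or null when the input is not packer output.
function unpack(source) {
  if (!PACKER_SIG.test(source)) return null;
  const m = ARGS_RE.exec(source);
  if (!m) return null;                               // stub present, call malformed
  const unesc = s => s.replace(/\\(.)/g, '$1');      // undo \' and \\ in the literals
  const payload = unesc(m[1]);
  const base = Number(m[2]);
  const dict = unesc(m[4]).split('|');
  // One pass over word tokens, like the packer's own fast path: a token is
  // replaced only if its slot holds a word; empty slots are literals left as is.
  return payload.replace(/\b\w+\b/g, tok => dict[decodeIndex(tok, base)] || tok);
}

// Defender-side triage: the chain quoted in the thread ends in an injected
// iframe, so flag that (and document.write, which is how it is usually emitted).
function findIndicators(script) {
  const hits = [];
  if (/<iframe\b/i.test(script) || /createElement\(['"]iframe['"]\)/i.test(script)) hits.push('iframe');
  if (/document\.write/.test(script)) hits.push('document.write');
  return hits;
}

// Constructed sample: the real packer's decoder stub plus a hand-packed payload.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};` +
  String.raw`if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};` +
  String.raw`while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}` +
  String.raw`('0.2(\'<3 4="5://6.7/8" 9="1" a="1"></3>\');',62,11,'document||write|iframe|src|http|example|invalid|x|width|height'.split('|'),0,{}))`;

const unpacked = unpack(SAMPLE);
console.log(unpacked);                          // the iframe injection, in clear
console.log('indicators:', findIndicators(unpacked));
```

Run the same `unpack` over a theme's functions.php or a fetched index page before trusting the "View Source" view: the packed stub is what the browser shows, the unpacked text is what it executes.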