Author Topic: dumb questions about JS:Redirector-H3 [Trj]  (Read 4517 times)


fflefever

  • Guest
dumb questions about JS:Redirector-H3 [Trj]
« on: May 14, 2009, 12:33:22 AM »
I am one of the directors of a very small nonprofit group, with website hxxp://nyng.org

Suddenly, a day or two ago, Avast! blocked my visit with a warning that JS:Redirector-H3 [trj] had been detected.

I reported this to our webmaster, who encountered no such warning (using a different virus protection package). However, she suspected it might be in some leftover Mambo code, which she deleted. On my next visit, I encountered no warning and reached the site. Good! That does it, eh?

No, the next day, going to the site again, Avast! blocked me with the same warning.

I have MANY questions and too little background to understand some of the answers, I suspect.

(1) what would be the consequences if I ignored the warning and went to the site?

(2) what are likely consequences for people currently going there to get information OR to register for our conference, i.e. pay registration fees (via PayPal store, with which we were having some problems)?

(3) How is the trojan being (re-)inserted?

(4) How can our webmaster find and delete the trojan?

(5) How can our webmaster block future insertions of the trojan?

(6) Oh-oh! this just occurred to me: is it possible that her own visits to the site provide a route to reinfect it with that trojan?


« Last Edit: May 14, 2009, 02:15:10 AM by fflefever »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: dumb questions about JS:Redirector-H3 [Trj]
« Reply #1 on: May 14, 2009, 01:16:16 AM »
I visited the site and got no warning... :-\
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33902
  • malware fighter
Re: dumb questions about JS:Redirector-H3 [Trj]
« Reply #2 on: May 14, 2009, 01:30:05 AM »
Hi fflefever,

Can you please break the link by putting hxtp or hxxp before :// etc. so the curious cannot get infected!
Or the site was cleansed or no longer had malcode on it, because all the scanners did not detect anything out of the ordinary with this inline script:
Code:
<!--
// Dreamweaver "Open Browser Window" helper; the HTML comment wrapper hides the
// script from very old browsers that do not understand <script>.
function MM_openBrWindow(theURL,winName,features) { //v2.0
  window.open(theURL,winName,features);
}
//-->

polonus

P.S. Donovansrb10, you live a rather dangerous life, trying all possible live malcode links. We strive for it that people on our forums make them non-clickable for obvious reasons; you do not want to collect malcode, do you?

D.
« Last Edit: May 14, 2009, 01:40:51 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: dumb questions about JS:Redirector-H3 [Trj]
« Reply #3 on: May 14, 2009, 01:58:01 AM »
P.S. Donovansrb10, you live a rather dangerous life, trying all possible live malcode links. We strive for it that people on our forums make them non-clickable for obvious reasons; you do not want to collect malcode, do you?

I thought that was my job. ;D
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89061
  • No support PMs thanks
Re: dumb questions about JS:Redirector-H3 [Trj]
« Reply #4 on: May 14, 2009, 01:59:22 AM »
Presumably your web master has done some cleaning as I didn't get an alert either.

The only way you could visit a site that gave this kind of alert would be to pause the web shield and that would be plain crazy. The JS:Redirect could have any payload at the other end of the redirect from the benign to the totally destructive, meaning you might be infected by a virulent virus resulting in no other option but a reformat and reinstall.

There is just no way to say one way or the other, I just know that there is no way I would disable the web shield to visit a suspect site and I believe I'm better protected than most and able to recover from a serious problem.

Had you reported it when you got the alert then perhaps we could have been able to check it out and give more info. Was it at the URL that you posted that you got the alert, or a different one within the site?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section; this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad: C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

fflefever

  • Guest
Re: dumb questions about JS:Redirector-H3 [Trj]
« Reply #5 on: May 14, 2009, 02:14:24 AM »
Thanks for prompt and helpful responses!

In future, I'll be mindful of inserting xxx in URLs.

Busy as she was with Store glitches, our webmaster DID manage to clean up, and I too was able to reach the site with no warning from Avast! a few minutes ago.

Here's what she said:
--------------------------------------------------------------------------
1- It is prudent to avoid visiting any site your browser warns you about. The hidden links that were on the nyng.org site were most likely there in order to make third party sites look more legitimate and popular to search engines when they indexed the site. They may also have simulated "clicks" on ads, a way for unscrupulous website owners to generate ad income.

All of the links have been cleaned and you should no longer get any warnings. Sometimes it is useful to hold shift while reloading the page in order to ensure that your browser does not use cached data.

2- One site "unmaskparasites.com" seems to have the most comprehensive account of the particular attack that has affected sites in the past few days. The likely goal was ad revenue generation. It is important to note that all of the payment information is handled on PayPal's site. Our store keeps track of who paid (and does not seem to have been affected in any way), but does not hold onto or use any of the financial information that would be valuable. In other words credit card numbers, PayPal account access, etc. are all handled by PayPal, which maintains their site as carefully as any bank.

3- There were additional legacy scripts and programs used for generating dynamic parts of the site such as registration forms, and these may have been the vector. Unlike static web pages, dynamic ones have execution privileges, meaning that they are like small applications, and something sufficiently out of date may have had a vulnerability that was widely known. This was likely an automated attack that found any website with these old scripts, then exploited them.

According to the timestamps on files it looked like they were doing this in the middle of the night. All of the legacy code we are no longer using has been completely removed, and there was no evidence of any attempts to make changes last night.

4&5- The site is not currently affected, and it seems that the vulnerability has been closed. There are other services such as Google webmaster tools which will alert you if your site shows evidence of any similar new attacks in the future, and that service has been enlisted.

6- It is possible that a sophisticated hacker captured the password to gain the ability to edit files. The nature of the edits looked like an automated program, and the nyng site is a relatively low value site for someone to exert significant effort. Regardless, the password has been changed. Additionally, this computer has anti-virus software that is up to date, and the timestamps on edited files were at different times than legitimate ones were made.
-------------------------------------------------------------------------
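The webmaster's two clues above, hidden links planted for search-engine manipulation and file edits in the middle of the night, can be turned into simple checks a site owner can run over a copy of the web root. This is an added example, not code from the thread or from the nyng.org site; the sample HTML, file names, modification times and the 08:00 to 22:00 "legitimate edits" window are constructed assumptions.

```python
"""Two defender-side checks after a hidden-link injection (added example).
find_hidden_links(): hrefs inside CSS-hidden containers, the pattern the
webmaster described.  off_hours_changes(): files modified outside the hours
when the site is normally edited.  All sample data is constructed."""
import re
from datetime import datetime

# An element whose inline style hides it (display:none, visibility:hidden or
# pushed far off-screen), capturing its content up to the matching close tag.
HIDDEN_BLOCK = re.compile(
    r'<(div|span|p)\b[^>]*style\s*=\s*["\'][^"\']*'
    r'(?:display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)'
    r'[^"\']*["\'][^>]*>(.*?)</\1>',
    re.IGNORECASE | re.DOTALL,
)
HREF = re.compile(r'<a\b[^>]*href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def find_hidden_links(html: str) -> list[str]:
    """Return href values of links sitting inside CSS-hidden containers."""
    found = []
    for match in HIDDEN_BLOCK.finditer(html):
        found.extend(HREF.findall(match.group(2)))
    return found

def off_hours_changes(mtimes: dict[str, datetime],
                      start_hour: int = 8, end_hour: int = 22) -> list[str]:
    """Return paths whose mtime falls outside the [start_hour, end_hour) window."""
    return sorted(p for p, t in mtimes.items() if not (start_hour <= t.hour < end_hour))

# Constructed sample page: one legitimate link, two injected hidden blocks.
SAMPLE_HTML = """<html><body>
<a href="/register.html">Register for the conference</a>
<div style="position:absolute; left:-9999px">
  <a href="http://example.invalid/cheap-pills">cheap pills</a>
  <a href="http://example.invalid/casino">casino</a>
</div>
<span style="display:none"><a href="http://example.invalid/seo">seo</a></span>
</body></html>"""

# Constructed mtimes: index.php touched at 03:12, the others during the day.
SAMPLE_MTIMES = {
    "index.php": datetime(2009, 5, 13, 3, 12),
    "register.php": datetime(2009, 5, 12, 14, 5),
    "style.css": datetime(2009, 5, 11, 10, 30),
}

if __name__ == "__main__":
    print("hidden links:", find_hidden_links(SAMPLE_HTML))
    print("off-hours edits:", off_hours_changes(SAMPLE_MTIMES))
```

On a real site, feed each HTML/PHP file's contents to find_hidden_links() and os.stat() mtimes to off_hours_changes(); hits are leads to inspect, not proof of compromise.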