Author Topic: Virus warning when members try to log onto my site  (Read 17044 times)

Mariner1

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #15 on: February 07, 2010, 02:53:05 PM »
Can you try browsing round the site, visit various pages, etc.

Mariner1

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #16 on: February 07, 2010, 02:57:17 PM »
If you read this thread  hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408  it will show you some of the probs some members are having

cakedoer2

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #17 on: February 07, 2010, 03:10:30 PM »
7.2.2010 г. 15:50:30 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 15:59:29 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 15:59:47 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:00:06 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:00:26 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?p=30072|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:06:27 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:07:31 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:07:51 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)
7.2.2010 г. 16:08:06 ч.   hxxp://www.planetrocklosslessbootlegs.com/showthread.php?t=11408|>{gzip} [L] JS:Illredir-B [Trj] (0)

This is the avast! Log. I don't get avast warnings but that's what the real-time shield says.

Sorry, your site has a bad boy and it's called Illredir JavaScript Trojan, strain B.

Which means almost, if not every page is infected with some form of malicious JavaScript code.

For comparison, it's 16:14 here, right now.
« Last Edit: February 07, 2010, 03:14:24 PM by cakedoer2 »

Mariner1

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #18 on: February 07, 2010, 03:20:22 PM »
Hi

Thanks for looking into this. What's the best way to remove this place

cakedoer2

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #19 on: February 07, 2010, 03:26:29 PM »
I have no idea man, I've never dealt with website infections. You're better off asking the evangelists.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Virus warning when members try to log onto my site
« Reply #20 on: February 07, 2010, 03:29:28 PM »
Thanks for registering and checking this out. I'm really frustrated at this as my host can't help and I don't know where to turn

If my host (when I did have a few web sites) was this uninformed/unhelpful I would be looking for one that was more technically proficient as hacked sites are invariably down to old and vulnerable versions of content management software, many of which are part of the hosting package, e.g. SQL, PHP, etc.

Whilst that doesn't help you with your problem, since the forum uses PHP, when PHP cobbles together the page content it is possible that that is when the malware is inserted. So you have to ensure that the forum software is up to date and any PHP template files are clean.

Now I don't know who provides the forum software, your host or yourself as to who is responsible for updating it. If the Host then they should also bear some responsibility (IMHO) to help clean any template files, etc. otherwise it really is down to you. Sorry I can't help with cleaning as I have never used PHP or forum content management software.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cakedoer2

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #21 on: February 07, 2010, 03:35:42 PM »
http://www.romania-virtuala.ro/remove-js-illredir-b.php

Read this. It might help.

EDIT: In addition to your website's script, there appears to be some sort of "chrome:" script that I've marked as untrusted. Care to enlighten us, if possible?
« Last Edit: February 07, 2010, 03:41:53 PM by cakedoer2 »

Mariner1

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #22 on: February 07, 2010, 03:43:28 PM »
Chrome script. Haven't a clue what that is. I've never heard of it. Is it possible hackers could have done this?

cakedoer2

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #23 on: February 07, 2010, 03:54:52 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Virus warning when members try to log onto my site
« Reply #24 on: February 07, 2010, 03:56:19 PM »
- This is commonly down to old content management software being vulnerable, PHP, Joomla, WordPress, SQL, etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Also see, Cleansing Gumblar from websites.... (commonly the JS:Redirector- avast detection), http://forum.avast.com/index.php?topic=45517.0.

Also see, Automatic removal of Gumblar/Martuz trojan http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/, if you are also using wordpress.
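Steps 1 to 3 of the host's clean-up procedure quoted above can be scripted as a first-pass triage of a web root. This is an added example, not part of the original posts or the host's tooling; the regex heuristics, the `own_hosts` allowlist, the `known_files` manifest and the sample site are all assumptions constructed for illustration, and every finding still needs manual review.

```python
import os, re, tempfile

# Heuristics chosen for this example (assumptions, not signatures from the thread).
EXT_SRC = re.compile(r'<(?:script|iframe)[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
OBFUSC = re.compile(r'\b(?:eval|unescape)\s*\(|String\.fromCharCode', re.I)
HT_RULE = re.compile(r'^\s*(?:RewriteRule|RewriteCond|Redirect(?:Match)?)\b', re.I)
PAGE_EXT = ('.php', '.html', '.htm', '.aspx', '.cfm', '.js')

def scan_webroot(root, own_hosts, known_files):
    """Return sorted (relative_path, line_no, reason) tuples for manual review."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            is_ht = name == '.htaccess'
            if not is_ht and not name.lower().endswith(PAGE_EXT):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, '/')
            if rel not in known_files:  # step 2: file missing from the known-good list
                findings.append((rel, 0, 'not in known-good manifest'))
            with open(path, encoding='utf-8', errors='replace') as fh:
                for no, line in enumerate(fh, 1):
                    if is_ht:  # step 3: list every redirect/rewrite directive
                        if HT_RULE.match(line):
                            findings.append((rel, no, 'htaccess redirect/rewrite'))
                        continue
                    for host in EXT_SRC.findall(line):  # step 1: foreign script/iframe
                        if host.lower() not in own_hosts:
                            findings.append((rel, no, 'external src: ' + host.lower()))
                    if OBFUSC.search(line):
                        findings.append((rel, no, 'obfuscation-style JavaScript'))
    return sorted(findings)

def demo():
    """Scan a constructed sample site (all file contents below are made up)."""
    sample = {
        'index.php': '<html>forum</html>\n<script src="http://cdn.example.invalid/x.js"></script>\n',
        'showthread.php': '<script src="//www.example.org/clientscript/a.js"></script>\n',
        '.htaccess': 'RewriteEngine On\nRewriteCond %{HTTP_REFERER} search [NC]\n'
                     'RewriteRule .* http://example.invalid/ [R,L]\n',
        'images/up.php': '<?php /* constructed stand-in for an unexpected upload */ ?>\n',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in sample.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, 'w', encoding='utf-8') as fh:
                fh.write(text)
        return scan_webroot(root, {'www.example.org'}, {'index.php', 'showthread.php', '.htaccess'})

if __name__ == '__main__':
    for finding in demo():
        print(*finding)
```

Building `known_files` from a fresh copy of the forum software's release archive makes the manifest check meaningful; a line number of 0 marks a file-level finding.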

cakedoer2

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #25 on: February 07, 2010, 03:58:26 PM »
Okay, but it's Illredir-B, not Gumblar. At least that's what avast! says.

Have you tried the remove JS:Illredir-B thing?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Virus warning when members try to log onto my site
« Reply #26 on: February 07, 2010, 04:17:39 PM »
I just wonder if the cleansing routine/information will point in the same areas to examine. Whilst it may not be Gumblar it is another redirect which may be using the same methods.

Personally I haven't tried to remove it.

spg SCOTT

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #27 on: February 07, 2010, 05:47:16 PM »
Right, I have had a little look at the page in ubuntu, and it seems that the script that has been posted by mariner (so you ;)) seems to be causing avast! to alert...


I would try removing that script, as it would exist in plaincode in the source and avast! will see it.



Here's hoping that it does it...

Mariner1

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #28 on: February 08, 2010, 04:22:14 PM »
Thanks for looking, but if you read my next post in the thread you will see I removed that script on 16th January. Unless I've missed something or done something wrong, that is

spg SCOTT

  • Guest
Re: Virus warning when members try to log onto my site
« Reply #29 on: February 08, 2010, 04:33:11 PM »
Hi mariner,

I actually meant modifying your post there and removing that script that you posted. The fact that you posted it means that avast! will alert on it.

-Scott-