Author Topic: HTML:RedirBA-inf [Trj] on my web site!  (Read 8714 times)

Seko3

  • Guest
HTML:RedirBA-inf [Trj] on my web site!
« on: June 01, 2009, 02:38:06 PM »
Hello all,

I get an HTML:RedirBA-inf [Trj] alert for my forum pages and threads. And I think my web site is blacklisted. I cannot open a single page. I uploaded a new asd.html page with "asd" written in it and avast did not allow me to view it. Can anyone please help me get rid of this trojan?

hxxp://webhatti.com/

hxxp://webhatti.com/genel-sohbet/

Thanks.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #1 on: June 01, 2009, 05:50:16 PM »
Your domain is being blocked because it appears on a malicious sites list, so the Network Shield is blocking it. Have you had any recent problems with malware being on the site?

You can report it to virus (at) avast (dot) com, with possible false positive - network shield in the email subject.

WOT (Web of Trust) also has it flagged, see http://www.mywot.com/en/scorecard/webhatti.com.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Seko3

  • Guest
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #2 on: June 01, 2009, 05:56:40 PM »
When I deactivate the Network Shield, I get an HTML:RedirBA-inf [Trj] alert. I am trying to clean my forum pages but so far I couldn't do anything. It could have been hacked.

DavidR, can you please help me?

Thanks.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89065
  • No support PMs thanks
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #3 on: June 01, 2009, 06:20:46 PM »
Well the redirect is an indication that your site has been hacked (which could be the reason for the original block).

I didn't get an alert on the home page link but I did get the one in the second link.

The page source code is packed and possibly encrypted, as I can't read anything in it to even try to point you in the right direction.

This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
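
Added example (not part of the original thread or of the quoted host's procedure): a small Python triage script for steps 1 to 3 of the clean-up list quoted in the reply above, run over a local copy of the web root. The patterns, the `own_hosts` parameter, the function names and the sample files are assumptions constructed for illustration; hits are candidates for manual review, not verdicts.

```python
import re
import tempfile
from pathlib import Path

# Heuristics chosen for this example (assumptions, not a complete signature set).
PAGE_EXT = {".html", ".htm", ".php", ".aspx", ".cfm"}
SCRIPT_RX = re.compile(r"(eval|document\.write)\s*\(\s*unescape\s*\("  # packed script
                       r"|<iframe[^>]+(width|height)\s*=\s*[\"']?[01]\b", re.I)  # 0/1-px iframe
PHP_RX = re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
REDIR_RX = re.compile(
    r"^\s*(?:RewriteRule|Redirect(?:Match)?)\b.*https?://(?P<host>[^/\s:]+)", re.I | re.M)
REFERER_RX = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}", re.I | re.M)

def scan_webroot(root, own_hosts):
    """Return sorted (relative path, reason) pairs for files that need manual review."""
    findings = []
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        rel = p.relative_to(root).as_posix()
        text = p.read_text(errors="replace")
        ext = p.suffix.lower()
        if ext in PAGE_EXT and SCRIPT_RX.search(text):       # step 1: injected script
            findings.append((rel, "packed script or hidden iframe"))
        if ext == ".php" and PHP_RX.search(text):            # step 2: rogue PHP script
            findings.append((rel, "PHP eval of decoded data"))
        if p.name == ".htaccess":                            # step 3: loaded redirects
            for m in REDIR_RX.finditer(text):
                host = m.group("host").lower()
                if host not in own_hosts:
                    findings.append((rel, "redirect to external host " + host))
            if REFERER_RX.search(text):
                findings.append((rel, "referer-conditional rewrite"))
    return sorted(findings)

def demo():
    # Constructed sample web root: one clean page, three files that should be flagged.
    files = {
        "index.html": "<html><body>hello</body></html>",
        "forum/index.html": '<html><script>eval(unescape("%61%62"))</script></html>',
        "uploads/cache.php": '<?php eval(base64_decode("ZWNobyAxOw==")); ?>',
        ".htaccess": "RewriteEngine On\n"
                     "RewriteCond %{HTTP_REFERER} (google|yahoo) [NC]\n"
                     "RewriteRule ^.*$ http://redirect.example.invalid/in.php [R=302,L]\n"
                     "Redirect 301 /old http://www.example.org/new\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(root, rel).write_text(body)
        return scan_webroot(root, own_hosts={"www.example.org"})
```

Compare any flagged file against a known-good backup before deleting it, since legitimate code can also match these patterns.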

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #4 on: June 01, 2009, 08:52:24 PM »
Hi Seko3,

You can also run your pages through a stripper like this one: http://www.zubrag.com/tools/html-tags-stripper.php
HTML Tags Stripper is designed to strip HTML tags from the text. It will also strip embedded JavaScript code, style information (style sheets), as well as code inside php/asp tags (<?php ?> <%php ?> <% %>). It will also replace sequence of new line characters (multiple) with only one. Allow tags feature is session sticky, i.e. it will remember allowed tags list, so you will have to type them only once.

You can either provide text in text area below, or enter URL of the web page. If URL provided then HTML Tags Stripper will visit web-page for its contents,

Enjoy,

polonus
« Last Edit: June 01, 2009, 08:54:01 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

kubecj

  • Guest
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #5 on: June 02, 2009, 09:02:28 AM »
It was infected in the past and thus blocked. I've removed the block, so it should stop being detected.

Seko3

  • Guest
Re: HTML:RedirBA-inf [Trj] on my web site!
« Reply #6 on: June 02, 2009, 11:48:10 AM »
Thank you kubecj. :)

« Last Edit: June 02, 2009, 11:53:06 AM by Seko3 »