Author Topic: JS:Obfuscated-BN [Trj] , what does it do ?  (Read 12190 times)


Koreus

  • Guest
JS:Obfuscated-BN [Trj] , what does it do ?
« on: July 19, 2009, 02:55:36 PM »
Hi,

I have surfed on a website with this virus JS:Obfuscated-BN [Trj]. What does it do? Is my system compromised?
If you have any info about what this virus does, thanks in advance.

It seems to be a JavaScript trojan but that's all I can find on Google.

Thanks



spg SCOTT

  • Guest
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #1 on: July 19, 2009, 03:21:26 PM »
Hi Koreus,

What website was it that avast alerted to? (Make sure the link is inactive, i.e. change http to hXXP to prevent others potentially becoming infected.)

Was it a webshield alert? (see image)

-Scott-

Koreus

  • Guest
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #2 on: July 19, 2009, 03:34:53 PM »
An iframe has been added in a page of my website (koreus.com).

The iframe address was: -http://bn2z.cn/ww/
You can find the source code here: -http://temp.koreus.com/hack.txt

I'm using avast but with the shield protection disabled.

The capture below is not mine. It's one from a member of my website.

« Last Edit: July 19, 2009, 03:40:09 PM by Koreus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #3 on: July 19, 2009, 05:49:07 PM »
WOT (Web Of Trust) doesn't like that domain either, http://www.mywot.com/en/scorecard/bn2z.cn. So avast is blocking access to a malicious site and you have to be crazy to disable the web shield and risk infection.

What is the page on your site where the iframe has been inserted and avast alerts, as I get no alerts on the home page and I'm not going to rummage around trying to find it?

- This is commonly down to old content management software being vulnerable, see this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
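
Steps 1 and 3 of the host's clean-up procedure quoted in the reply above can be automated. The following is an added example, not part of any post in this thread or of any tool mentioned in it: a Python sketch that walks a webroot and reports iframes in index/default pages and redirects in .htaccess files that point at hosts other than your own. The function names, the `own_hosts` parameter and the `.example` hostnames are assumptions made for illustration, and the sample files are constructed.

```python
import os
import re
import tempfile
from urllib.parse import urlparse

# Step 1 targets index/default pages; step 3 targets .htaccess redirects.
PAGE_RE = re.compile(r"^(index|default)\.(html?|php|aspx|cfm)$", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)
REDIRECT_RE = re.compile(r"^[ \t]*(?:Redirect(?:Match)?|RewriteRule)\b.*?(https?://\S+)", re.I | re.M)


def scan_webroot(root, own_hosts):
    """Return sorted (relative path, finding kind, external host) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk also yields dotfiles
        for name in files:
            if name == ".htaccess":
                pattern, kind = REDIRECT_RE, "htaccess-redirect"
            elif PAGE_RE.match(name):
                pattern, kind = IFRAME_RE, "external-iframe"
            else:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for match in pattern.finditer(text):
                host = (urlparse(match.group(1)).hostname or "").lower()
                if host not in own_hosts:  # only hosts you do not control are reported
                    findings.append((os.path.relpath(path, root).replace(os.sep, "/"), kind, host))
    return sorted(findings)


def demo():
    samples = {  # constructed webroot: one clean page, one injected page, one .htaccess
        "index.html": '<html><iframe src="http://www.example.org/banner"></iframe></html>',
        "blog/index.php": '<?php echo "hi"; ?><iframe src="http://injected.example/ww/" width=1 height=1></iframe>',
        "blog/.htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://redirect.example/$1 [R=301,L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_webroot(root, own_hosts={"www.example.org"})

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit only shows where injected content sits; it does not cover step 2 (uploaded scripts) or step 4 (passwords), and iframes written out by obfuscated JavaScript at run time will not match a static pattern like this.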

Koreus

  • Guest
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #4 on: July 19, 2009, 07:00:43 PM »
I have removed the iframe with the malicious website. Koreus.com is now safe :)
But it was not the case Friday.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #5 on: July 19, 2009, 07:05:28 PM »
Simply removing the iframe isn't going to address how the site was hacked to be able to place it there. Unless you address that, there is a strong possibility that it will happen again.

Koreus

  • Guest
Re: JS:Obfuscated-BN [Trj] , what does it do ?
« Reply #6 on: July 20, 2009, 12:59:44 AM »
I know :) The necessary has been done.