Topic: JS:Redirector-AM [Trj] warning pops up on websites

prkw

  • Guest
JS:Redirector-AM [Trj] warning pops up on websites
« on: December 10, 2009, 07:07:12 PM »
Going to my websites I got these Avast Warnings
"JS:Redirector-AM [Trj]" has been found in "ht  tp://1718neworleans2018.com/" and others.
Other computers without Avast don't see anything.
The sites (using IE) re-direct to:
ht  tp://apart-leo.com.uvirt3.active24.cz/adv/security.php?b=1003\{gzip} which gets flagged too as JS:FakeAV-CH [Trj] Trojan
and also
ht  tp://dammekro.com/webcfg/security.php?b=1003 - same Trojan
and also
ht  tp://toomi.sk/admin/security.php?b=1003 - same Trojan

Both the dammekro and toomi sites are red-flagged by Google but apart-leo isn't.

I am having the server team get on this and hope they rid the sites of this malware.

Without Avast, I would have no clue.    
« Last Edit: December 12, 2009, 10:19:12 AM by prkw »

YoKenny

  • Guest
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #1 on: December 10, 2009, 07:15:34 PM »
Read:
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414


I am having the server team get on this and hope they rid the sites of this malware.

Without Avast, I would have no clue.   

That's a good plan and avast! is good at detecting infected sites.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #2 on: December 10, 2009, 08:37:38 PM »
@ prkw
Please 'modify' your post and change the first active URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #3 on: December 10, 2009, 08:50:16 PM »
Hi prkw,

This is at the root of your predicament, vulnerable web software: Generator:   WordPress 2.7.1 - Warning: Old version of WordPress. It may be vulnerable. Please upgrade. Say, we did not warn you, you do not want to be re-infested, won't ye?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

prkw

  • Guest
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #4 on: December 12, 2009, 01:28:16 AM »
I have 44 domains on that IP (64.62.148.103).   

About half have WordPress, so it's not a WP issue (versions 2,8 to 2,5). Some have Joomla, phpBB, or straight HTML.
There are a total of 480 domains on the IP and just about all are affected. The strange thing is that the files flagged may be small ICOs or GIFs or text files with a line or two; basically anything.

This leads me to believe there is something else going on. There is DEFINITELY something wrong.

I used a sacrificial laptop to let the malware run its course and it came up with a phony anti-spyware warning (it was using Symantec, not Avast).   I have that laptop just for that purpose and it gets re-imaged weekly!

The server team could not find anything amiss on my domains.

I am having them check the nameservers next.   

Whatever this is, it's well cloaked!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter

spg SCOTT

  • Guest
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #6 on: December 12, 2009, 02:00:39 AM »
Polonus is saying that the chances of sites being hacked are higher if it uses older software. Updates are very often released for security, and close up many vulnerabilities. Running old software makes it easier for the hackers...

You will have to go through all of the sites, and look for suspicious things...such as iframes etc.

For example...hxxp/1718neworleans2018.com, is full of links, all on line...

and there is an obfuscated script before that (image 1) and the next bit is a way of assigning hidden attributes to all of the links...


Then, take the first link: hxxp/keygenguru.com, without even considering anything, look at the name.

Then look here:
http://www.mywot.com/en/scorecard/keygenguru.com#page-2
http://hosts-file.net/?s=keygenguru.com

If as you say, this is on practically all of the sites you own, then you have some work to do to find it all...

Good luck

-Scott-

Also, a post worth reading by DavidR: http://forum.avast.com/index.php?topic=45869.msg384581#msg384581
« Last Edit: December 12, 2009, 02:02:55 AM by spg SCOTT »
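
The file-by-file review suggested above (hidden iframes, obfuscated script), extended to cover prkw's observation that even ICO, GIF and text files were being flagged, sketched as an added example that is not part of any post in this thread. The patterns, the 200-character threshold, the extension list and the sample contents are assumptions constructed for illustration.

```python
import os
import re

# Heuristics only: a hit means "review this file", not "confirmed malicious".
HIDDEN_IFRAME = re.compile(
    rb"<iframe\b[^>]*(?:(?:width|height)\s*=\s*[\"']?[01]\b"
    rb"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)
DECODER_CALL = re.compile(rb"\b(?:eval|unescape)\s*\(|String\.fromCharCode|document\.write\s*\(", re.I)
SCRIPT_BODY = re.compile(rb"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ACTIVE_MARKUP = re.compile(rb"<\s*(?:script|iframe)\b", re.I)
NO_MARKUP_EXPECTED = {".ico", ".gif", ".png", ".jpg", ".jpeg", ".txt", ".css"}

def scan_bytes(name, data):
    """Return a sorted list of finding labels for one file's content."""
    findings = set()
    if HIDDEN_IFRAME.search(data):
        findings.add("hidden-iframe")
    if os.path.splitext(name)[1].lower() in NO_MARKUP_EXPECTED and ACTIVE_MARKUP.search(data):
        findings.add("markup-in-non-html")
    for body in SCRIPT_BODY.findall(data):
        # A decoder call plus a 200+ character unbroken token suggests packing.
        if DECODER_CALL.search(body) and re.search(rb"\S{200,}", body):
            findings.add("obfuscated-script")
    return sorted(findings)

def scan_tree(root):
    """Walk a web root; map relative path -> findings for files with hits."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    hits = scan_bytes(fn, fh.read(2_000_000))  # cap per file
            except OSError:
                continue  # unreadable file: skip, keep scanning
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

# Constructed samples, not taken from the sites in this thread.
SAMPLES = {
    "index.html": b"<p>hi</p><iframe src='//example.invalid/x' width=1 height=1></iframe>",
    "favicon.ico": b"\x00\x00\x01\x00<script>document.write('x')</script>",
    "about.html": b"<iframe src='/map.html' width=600 height=400></iframe>",
}

if __name__ == "__main__":
    print({n: scan_bytes(n, d) for n, d in SAMPLES.items()})
```

This inspects files on disk only; checking what the server actually returns for the same paths is a separate comparison.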

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: JS:Redirector-AM [Trj] warning pops up on websites
« Reply #7 on: December 12, 2009, 02:15:37 AM »
Hi spg SCOTT,

Thanks for explaining here in some detail where our friend prkw has to look. One day he also will be writing his own cleansing scripts in perl for instance. Just analyzing the code with the Bad Stuff detektor will give many a clue, as a detailed analysis on Google's unmasked parasites will also give indications.
Not every webmaster is fully aware of the fact that there are massive iFrame injections that may infest some hundred thousand websites due to vulnerable software (be it PHP, Joomla, WP etc.), all external input should be distrusted, for the massive infestations go on on a daily basis now,

pol