Need help with JS:Redirector-H [Trj]

[darknight]

Hi,

When I visited my friends blog hxxp://www.baba3od.com Avast blocked me and showing the site is infected with the "JS:Redirector-MR [Trj]" Trojan:
 



So is the site really infected or a false positive? Any help would be greatly appreciated

Thanks

[!Donovan]

Sucuri says clean. I didn't find anything significant in the source code, but then again, I skimmed over it.

Domain clean by Google Safe Browsing
Domain clean by Norton Safe Web
Domain clean on Phish tank
Domain clean on the Opera browser
Domain clean on Sucuri IP/URL malware blacklist

Possible false positive. Sirmer found the malicious coding. Tell your friend to get it removed.

[Sirmer]

Hello,
this detection is a correct

[Pondus]

Hello,
this detection is a correct

I am sure the OP would be interested in more details

[Sirmer]

Malicious part of code

[polonus]

Isn't this a detection for the Dean Edwards embedded counter code javascript?
What does it do unobfuscated? See:
http://dean.edwards.name/packer/

pol

[Sirmer]

Yes, this is detection for the Dean Edwards embedded counter code javascript.

[polonus]

@Sirmer,
Thank you for the feedback for all of us, and the heads-up for webmasters/developers out there.
Hack alert (Armorize) had the warning out for this since 09-2011.
Very good it is being detected. It is a mass WordPress infection going on,
read from Dean Edwards here: http://www.stopthehacker.com/tag/dean-edwards/

polonus

[!Donovan]

Sucuri says clean. I didn't find anything significant in the source code, but then again, I skimmed over it.

To think that was a counter (apps that count how many visits for a site).


At least I can now identify some more malicious JavaScript coding!

Ty Sirmer & Polonus.

 

[polonus]

Hi Donovansrb10,

Sometimes malware is made up from two parts of innocent obfuscated script code and together with another piece of innocent code elsewhere on the website. It then becomes malicious code, when  the two script code parts act together as malware.
As you may have read from the link I gave by Dean Edwards:

The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.

This was/is being used as a mass infection hack. Good avast detects it and the shield blocks it,

polonus

[!Donovan]

This thing always has p,a,c,k,e,r in the coding, so it's easier to detect?

[polonus]

Well this could help towards detecting, but there are good Dean Edwards packed and malicious Dean Edwards packed javascripts. With JS malware the main line of analysis is still being done manually - that is looking at the individual piece of malcode or recognizing a general attack sequence,
jsunpack and other tools can help towards de-obfuscation, but this deobfuscation is not needed if features are carefully extracted then obfuscated malicious code is found as easily (OCRF project - Eric Ching-Hao Ph.D),

polonus

[Pondus]

Norman lab confirms infected

baba3od.com.htm Processed - HTML/Agent.QS

[darknight]

Ah okay, I've notified my friend and linked him to this thread. Thank you so much guys for the help, really appreciate it!!!

[girmy]

hey
im the admin for this site

its only blog i dont know where the trojan come from i cheak all files also talk with support for the host company they also dont know

when i join my site from firefox i dont get any error only when i join it from exporler avast alret

also i cheak many online scan every thing is clean

can anyone help me how i remvoe this trojan and where can i find it