Author Topic: JS:Redirector-MR [Trj]. Please help me.  (Read 9873 times)

Offline pieter_dj

JS:Redirector-MR [Trj]. Please help me.
« on: December 10, 2011, 07:13:31 PM »
My site is -http//www.gadget-talk.com. I have seen the source of my site, but I cannot find the malware script like the people said in this forum about this thread before. What should I do to remove the malware? Help me please. When I browse my site, Avast blocks me and shows that the site is infected with the "JS:Redirector-MR [Trj]" Trojan. Can you give me a step-by-step solution for what to do?

Offline spg SCOTT

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #1 on: December 10, 2011, 07:14:39 PM »
Hi, pieter_dj, welcome to the forum :)

The code is embedded in the last line (very long) of the source code of the page.
Look in the middle of the code for the script.

A search for eval( will reveal the embedded code.

Scott

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Offline Asyn

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #2 on: December 10, 2011, 07:22:47 PM »
From Sucuri...

1. Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php  Wordpress version outdated: Upgrade required.

2. Malware found on javascript file:
hxxp://www.gadget-talk.com/404javascript.js (Just an example, there are many more..!!)

Known Spam detected.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
XP SP3 - avast! 9.0.2017 - CIS 3.14 [FW/D+] - MBAM 1.75 [On Demand] - Firefox ESR 24.4 [NS/ABP/EHH/BP] - Thunderbird 24.4 [EM/CH]
Deutschsprachiger Bereich -> avast! Wissenswertes (Downloads, Anleitungen und Infos): http://forum.avast.com/index.php?topic=60523.0

Offline Pondus

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #3 on: December 10, 2011, 07:24:04 PM »
Sucuri report malware found here

-http://www.gadget-talk.com/
-http://www.gadget-talk.com/404javascript.js
-http://www.gadget-talk.com/404testpage4525d2fdc
-http://www.gadget-talk.com/about-us/
-http://www.gadget-talk.com/sitemap/
-http://www.gadget-talk.com/contact-us/
-http://www.gadget-talk.com/useful-links/
-http://www.gadget-talk.com/category/apple/
-http://www.gadget-talk.com/category/camera-camcorder/
-http://www.gadget-talk.com/category/cellularphone/

Details: We have many articles about this issue on our blog:
http://blog.sucuri.net/category/spam

wepawet
http://wepawet.iseclab.org/view.php?hash=818126a161566b21f078488d90919a66&t=1323548465&type=js



« Last Edit: December 10, 2011, 07:30:00 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #4 on: December 10, 2011, 07:29:53 PM »
Hi Asyn and Pondus,

Verdict = malicious: http://urlquery.net/report.php?id=11280
See for the second link Pondus gave:
-rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr suspicious
[suspicious:2] (ipaddr:72.21.207.5) (iframe) -rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr
     status: (referer=-www.gadget-talk.com/404javascript.js)saved 2247 bytes 5cdcd519ab333c7e372f364dfa8bb5f38df93348
     info: [img] -ecx.images-amazon.com/images/G/01/img10/associates/med-rec/aw-gen-300x250.gif
     info: [iframe] -s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing ) after argument list:
          error: line:3: ; function encodeStr(b) { return b && encodeURIComponent(b).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace( />/g, "&gt;"); } document.write("<iframe src="-http:/s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=" + encodeStr( (           error: line:3:
could be the response of this now dead?

polonus
« Last Edit: December 10, 2011, 07:34:29 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #5 on: December 10, 2011, 07:35:04 PM »
Yes pol, the OP has to clean up his site..! ;)

Offline pieter_dj

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #6 on: December 10, 2011, 07:36:08 PM »
Why can't I find the script in the source code of the site? I really don't know what to do to delete the code. Could you give me a detailed step-by-step explanation of how to delete the code? If I go to my hosting, which file name do I go to, and where will I find that script so I can delete the code? So what should I do to get rid of this "Dean" issue?

Offline !Donovan

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #7 on: December 10, 2011, 07:39:42 PM »
A search for eval( will reveal the embedded code.

Highlight the embedded code in spg SCOTT's picture and press delete.
« Last Edit: December 10, 2011, 07:47:08 PM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
Useful Links: Sucuri SiteCheck | WAR | urlQuery | URLVoid | Wepawet

Offline Pondus

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #8 on: December 10, 2011, 07:43:50 PM »
Sucuri will do it for you   ;)

.....but not for free   :-\    http://sucuri.net/signup


Offline Asyn

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #9 on: December 10, 2011, 07:44:32 PM »
Isn't it removed?

No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.

Offline !Donovan

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #10 on: December 10, 2011, 07:46:34 PM »
Isn't it removed?

No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.
Didn't see the 'has to' part. :-[

More information about the malware dump: http://sucuri.net/new-malware-evalfunctionpacked.html

Offline pieter_dj

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #11 on: December 10, 2011, 07:47:35 PM »
Can't you give me the steps for how to delete those scripts that contain p,a,c,k,e,r from my site? Please give me the detailed steps, like when I go to my hosting, which folder or file should I go to? Because I am using WordPress. How do I delete that script from the HTML code? I am confused.
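
The two things this thread keeps coming back to, searching the page source for eval( (Scott's first reply) and the eval(function(p,a,c,k,e,r...)) blob that holds the redirect (the "p,a,c,k,e,r" scripts asked about just above), can be handled offline once the HTML is saved. The following Python is an added example written for this thread; it is not code from the forum, from Sucuri or from the infected site. It locates packed wrappers and decodes the Dean Edwards "packer" format (the p,a,c,k,e,d / p,a,c,k,e,r signature) so you can read what the script does before you delete it. SAMPLE_PAGE inside it is a constructed stand-in with a placeholder host (bad.example); it is not the script that was on gadget-talk.com. The decoded string is still attacker JavaScript: read it, never run it.

```python
import re

# Signature of the Dean Edwards packer wrapper. The original packer names the
# parameters p,a,c,k,e,d; injected copies often rename the last one (p,a,c,k,e,r),
# so both spellings are accepted.
PACKER_RE = re.compile(
    r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)",
    re.IGNORECASE,
)

# The call at the end of the wrapper: ('payload', base, count, 'w|o|r|d|s'.split('|'), 0, {})
ARGS_RE = re.compile(
    r"\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)

DIGITS = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def encode(n, base):
    """Mirror of the packer's e(c): word index -> token. Same as JS
    c.toString(base) for base <= 36; 0-9a-zA-Z for base 62."""
    if base > len(DIGITS):
        raise ValueError("base %d not supported" % base)
    if n == 0:
        return DIGITS[0]
    out = ""
    while n:
        out = DIGITS[n % base] + out
        n //= base
    return out


def _unescape(s):
    # The payload is a JS single-quoted string literal; undo the escapes the
    # packer emits (\' and \\, plus \n \r \t for whitespace).
    simple = {"n": "\n", "r": "\r", "t": "\t"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), s)


def find_packed(text):
    """Offsets of every packed eval(...) wrapper in text, in document order."""
    return [m.start() for m in PACKER_RE.finditer(text)]


def unpack(text):
    """Decode one packer blob starting in text. Every \\w+ token in the payload
    that spells a word index (in the packer's base) becomes that word."""
    m = ARGS_RE.search(text)
    if not m:
        raise ValueError("no packer argument list found")
    payload = _unescape(m.group(1))
    base, count = int(m.group(2)), int(m.group(3))
    words = _unescape(m.group(4)).split("|")
    table = {}
    for i in range(count):
        if i < len(words) and words[i]:
            table[encode(i, base)] = words[i]
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)), payload)


def decode_all(html):
    """For each packed block in a page, return (offset, decoded JS)."""
    return [(off, unpack(html[off:])) for off in find_packed(html)]


# Constructed sample, not the real injected script: a packed one-liner that
# sends the visitor to bad.example (placeholder host).
SAMPLE_PAGE = (
    "<html><body><p>hello</p>"
    "<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};"
    "if(!''.replace(/^/,String)){while(c--)r[c.toString(a)]=k[c]||c.toString(a);"
    "k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);"
    "return p}('0.1=\"2://3.4/\";',10,5,'window|location|http|bad|example'.split('|'),0,{}))"
    "</script></body></html>"
)

if __name__ == "__main__":
    for offset, js in decode_all(SAMPLE_PAGE):
        print("packed block at byte %d decodes to: %s" % (offset, js))
```

On a real page, feed the saved HTML to decode_all() and read the decoded text; a location= assignment or a document.write('<iframe ...') in it is the redirect that makes Avast raise JS:Redirector. If the decoded text itself begins with eval(function(p,a,c,k,e, it was packed twice; run unpack() on the result again. Bases above 62 are not handled.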

Offline polonus

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #12 on: December 10, 2011, 07:49:38 PM »
Again PHP has initially been compromised. Very interesting read link here: http://25yearsofprogramming.com/php/findmaliciouscode.htm (source author: Steven Whitney)

polonus

Offline spg SCOTT

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #13 on: December 10, 2011, 08:13:06 PM »
Could you remove that script (modify your post) in case it prompts an alert.
Done, thanks David.

That looks like it *may* be what is adding the code to the pages in the site.

Remove that code (from functions.php), and check all of your pages (html/php/js) files etc. for this eval script.

« Last Edit: December 10, 2011, 08:17:03 PM by spg SCOTT »
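
Scott's reply above (remove the injector from functions.php, then check every html/php/js file for the eval script) and the "find malicious code" article polonus linked both describe a sweep of the hosting account. The Python below is an added example, mine rather than the thread's or Sucuri's: it walks a WordPress tree and reports lines matching the indicators this kind of infection leaves behind. The demo tree it writes under a temp directory is constructed for the example; the file names borrow the paths quoted from the Sucuri report earlier in the thread, but the contents (a base64 of "echo 1;" and a one-line packed redirect to the placeholder host "bad") are stand-ins, not the real injected code.

```python
import os
import re
import tempfile

# Indicators this kind of infection leaves in a WordPress tree. Each entry is
# (name, compiled regex, confidence). "high" hits are almost never legitimate;
# "review" hits (a bare eval() call) also occur in normal minified JS and have
# to be read by hand, which is what the thread advises anyway.
INDICATORS = [
    ("js-packer",
     re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[dr]\s*\)"),
     "high"),
    ("php-eval-decoder",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\("),
     "high"),
    # preg_replace with the /e modifier executes the replacement as PHP
    ("php-preg-replace-e",
     re.compile(r"preg_replace\s*\(\s*['\"](.)(?:(?!\1).)*\1\w*e\w*['\"]"),
     "high"),
    # one-line web shell: request parameter straight into eval/system
    ("php-request-to-exec",
     re.compile(r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*(?:stripslashes\s*\(\s*)?\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     "high"),
    ("long-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]"),
     "high"),
    ("bare-eval", re.compile(r"\beval\s*\("), "review"),
]

SCAN_EXT = {".php", ".js", ".html", ".htm"}


def scan_file(path):
    """Return (line_no, indicator, confidence, excerpt) for each hit in one file."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            matched = [(n, c) for n, rx, c in INDICATORS if rx.search(line)]
            if not matched:
                continue
            # Report the strongest indicator per line, so a packer line is not
            # listed a second time as a mere bare-eval.
            name, conf = sorted(matched, key=lambda m: m[1] != "high")[0]
            hits.append((no, name, conf, line.strip()[:80]))
    return hits


def scan_tree(root):
    """Walk root and return {relative_path: hits} for every file with a hit."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if os.path.splitext(fn)[1].lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, fn)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return report


# Constructed demo tree (not the real site): a theme functions.php carrying a
# PHP injector, a dropped 404javascript.js with a packed redirect, and a clean
# plugin file that must not be reported. 'ZWNobyAxOw==' is base64 of "echo 1;".
DEMO_FILES = {
    "wp-content/themes/welding/functions.php":
        "<?php\n"
        "function welding_setup() { add_theme_support('post-thumbnails'); }\n"
        "eval(base64_decode('ZWNobyAxOw=='));\n",
    "404javascript.js":
        "eval(function(p,a,c,k,e,r){return p}('0.1=\"2://3/\";',10,4,'window|location|http|bad'.split('|'),0,{}))\n",
    "wp-content/plugins/clean/clean.php":
        "<?php\nfunction clean_hello() { return 'hello'; }\n",
}


def build_demo_tree():
    """Write DEMO_FILES under a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    for rel, body in DEMO_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree and return the report."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        for no, name, conf, excerpt in hits:
            print("%s:%d [%s/%s] %s" % (path, no, conf, name, excerpt))
```

On the real host, point scan_tree() at the site's document root (the wp-content path in the Sucuri report shows where that is). Treat "high" hits as the lines to remove and "review" hits as lines to read, since jQuery and other minified libraries call eval legitimately. The sweep finds the payload, not the way it got in, so afterwards still do what the Sucuri report already asked for: update WordPress and the theme, and change the hosting and WordPress admin passwords.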

Offline DavidR

Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #14 on: December 10, 2011, 08:15:03 PM »
I have removed the original post, to remove suspect code to avoid avast alerting on its own pages.

I have found this in my functions.php file

See image of code example

Can you help me with that code? I should delete the scripts that contain p,a,c,k,e,r from where to where?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

 
