Author Topic: Redirector-HS [Trj] detected on my website  (Read 2480 times)

Offline eltopo

  • Newbie
  • *
  • Posts: 3
Redirector-HS [Trj] detected on my website
« on: December 26, 2011, 10:03:31 AM »
Hello,

Avast detects the Trojan js:Redirector-HS on my Wordpress website. Here's the page: hxxp://prog-inna-babylon.fr/audio/. As far as I can see, all the Javascripts called in the header correspond to legitimate plugins (NextGen Gallery and Shadowbox), and the Javascript in the footer is to scramble an email address in the code.

Am I missing something? Kaspersky doesn't see anything on that page, and the Sucuri SiteCheck WP plugin doesn't turn up anything either. Only Avast does on my friend's pc, and every page but the home one is inaccessible to him - on the same network with another antivirus the site works fine though. To add to my confusion, all the online web scanners I've tried, whose credibility I'm admittedly not sure about, say the page is safe.  ???

Thank you.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64873
  • Gender: Male
Re: Redirector-HS [Trj] detected on my website
« Reply #1 on: December 26, 2011, 10:33:53 AM »
Check here how to clean and make a website secure.
I'll report this to the virus analyst and hope they correct the detection soon.
The best things in life are free.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Redirector-HS [Trj] detected on my website
« Reply #2 on: December 26, 2011, 10:41:00 AM »
Could you attach a screenshot of the avast warning?


urlQuery report - suspicious  
http://urlquery.net/report.php?id=13446

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=0de8b7e2ee03f9f693dbe04925489572&t=1324900047&type=js



and it is not only avast that does not like it

VirusTotal - audio.htm - 9/43
http://www.virustotal.com/file-scan/report.html?id=e810facc1fb040ec09bb0b35b909b4ceabe6214a74dc9b159cb263937198342d-1324899746


« Last Edit: December 26, 2011, 11:04:22 AM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4138
  • Gender: Male
  • There is no magic, only lost physics
Re: Redirector-HS [Trj] detected on my website
« Reply #3 on: December 26, 2011, 10:53:41 AM »
avast! seems to be alerting on the code shown in the image. Odd since it appears to be an obfuscated email address?

Not sure why...possibly a false positive.

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Redirector-HS [Trj] detected on my website
« Reply #4 on: December 26, 2011, 10:58:56 AM »
Yep... and that mail shows in the wepawet report
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Redirector-HS [Trj] detected on my website
« Reply #5 on: December 26, 2011, 11:43:45 AM »
Norman lab confirms infected
Quote
Detection is added for the malicious redirect pages
audio.htm : Processed - HTML/Agent.RA
prog-inna-babylon.fr.htm : Processed - HTML/Agent.QZ

Quote
The detection is added for the redirect prog-inna-babylon.fr that transacts medicmagic.net which is related to ads. Hence these detections are added in PUA category
The written data fetched here is  <a class="footer" href="mailto:joelliron@yahoo.co.uk"> Contact</a>
wherein the registrar details are -http://www.myiptest.com/staticpages/index.php/whois/joel-liron.net

It is to alert the user that he is aware of a redirect

PUA category = Possible Unwanted Application
some use the PUP name = Possible Unwanted Program - http://searchsecurity.techtarget.com/definition/PUP
« Last Edit: December 26, 2011, 04:12:13 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20123
  • Gender: Male
  • malware fighter
Re: Redirector-HS [Trj] detected on my website
« Reply #6 on: December 26, 2011, 03:34:14 PM »
Here is the suspicious part of the code:

suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
-prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 suspicious
[suspicious:2] (ipaddr:82.165.108.214) (script) -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05
     status: (referer=-prog-inna-babylon.fr/audio/)saved 1750 bytes aecd83a288c7f7a8094e58df045e5703aeda4599
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     info: file: saved -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 to (aecd83a288c7f7a8094e58df045e5703aeda4599)
     file: aecd83a288c7f7a8094e58df045e5703aeda4599: 1750 bytes
     file: a4cad35d4ebf6dd99082e86577790468309c57ca: 2080 bytes
     file: 93a6e87828b6629a588539e8dce94fe6ef7523d4: 2086 bytes
     file: 000eb96c77da1a6c3e013c691bc26c7bdde1a630: 2295 bytes
     file: d7b9dabdca7e87c255f6b2d6e5d3318e97c90d30: 2487 bytes
     file: bdbe42bcb7e0c0608f6a708235fcf8a3e362b7f1: 2201 bytes
     file: d748b293f6fa509600be0050eeb12e03ff38577e: 2325 bytes
Check if the latest WP version is installed:
Wordpress internal path: /homepages/7/d341462386/htdocs/PIB/wp-content/themes/Starkers/index.php

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline eltopo

  • Newbie
  • *
  • Posts: 3
Re: Redirector-HS [Trj] detected on my website
« Reply #7 on: December 26, 2011, 03:58:42 PM »
Hello all

Thank you for your quick replies - what a great community this is.  :)

Here is the screenshot (in French): hxxp://prog-inna-babylon.fr/wp-content/uploads/2011/12/ProgJS.jpg

I can't see any suspicious code in my WP theme, which is custom-made, and I'm not proficient enough to go looking through the Wordpress files themselves. I upgraded to the latest version of WP last week I think, from a fresh install of 3.2. I've just changed the permissions on files and folders such as htaccess, wp-config.php, wp-content, in accordance with recommendations by BulletProof Security, a WP plugin, so maybe there was a security hole there.

I have deactivated and deleted the NextGen Gallery plugin, which was calling the ngg.slideshow.min.js file in the site's header - thanks Polonus. Avast still shows the error when I navigate to the site - does that mean there's some more evil code somewhere, or that this .js file wasn't to blame?

I can restore the site to about two weeks ago, not sure if that's the best thing to do right now...?

Thanks again for all your help, it's appreciated.

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
Re: Redirector-HS [Trj] detected on my website
« Reply #8 on: December 26, 2011, 04:04:43 PM »
i got some extra info from Norman...see my post above

Hope that helps   ;)
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline eltopo

  • Newbie
  • *
  • Posts: 3
Re: Redirector-HS [Trj] detected on my website
« Reply #9 on: December 26, 2011, 04:26:35 PM »
Thanks a lot Pondus, you da man! I took out the js code obfuscating the email address in the Html source code, and both Avast and Wepawet report the site clean now - so I assume I'm good?

I'd gotten the Js code from some online site where you enter the email address and out pops some scrambled code... with some extra baggage apparently.

What a relief, it's like a second Christmas. Thanks again!

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 21661
  • Gender: Male
« Last Edit: December 26, 2011, 04:35:35 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20123
  • Gender: Male
  • malware fighter
Re: Redirector-HS [Trj] detected on my website
« Reply #11 on: December 26, 2011, 06:23:22 PM »
Also wepawet scan confirms,

The last time we found it to be benign was at 2011-12-26 09:34:48.
The last time we found it to be suspicious was at 2011-12-26 03:47:27.

Something has changed, the difference was Evals Writes - that is now gone...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
