Avast WEBforum

Other => Viruses and worms => Topic started by: mauther on October 22, 2019, 10:08:46 PM

Title: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on October 22, 2019, 10:08:46 PM
Avast is reporting this virus: JS: Downloader-FHO [Trj] (screenshot below) on my Blogger blog. I have tested with several anti-viruses, including online ones, and everything came back negative. Can someone help me, please?

(https://3.bp.blogspot.com/-blZOGPk8BKc/Xa9hTDJtYSI/AAAAAAAAoP0/JoDTO_k_eek92nG3EVrRyiAk58uDroMnACLcBGAsYHQ/s1600/avg%2Balert%2Bpapermau%2B01.JPG)

My blog: http://papermau.blogspot.com
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: Pondus on October 22, 2019, 10:28:26 PM
Entering your blog (-hxxp://papermau.blogspot.com) gives these messages:


Chrome reports: This site tries to load an unsafe script

Sophos AV blocks it: hostingcloud.racing - C2∕Generic-A

Norton AV blocks it, saying: intrusion attempt from hostingcloud.racing - JS-coinminer


hostingcloud.racing
https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection


https://sitecheck.sucuri.net/results/hostingcloud.racing

"This specific URL was identified in malicious campaigns to disseminate malware. Reason: crypto miner"


Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: Pondus on October 22, 2019, 10:47:34 PM
Quote
Avast is reporting virus JS: Downloader-FHO [Trj]
The screenshot you posted is from AVG and not Avast (yeah, I know, on the inside they are one and the same).


Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: polonus on October 22, 2019, 11:08:46 PM
Hi Pondus & mauther,

I see nothing but the default index page: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=aF1zdFtuZ15sXXUjLn18XltuZw%3D%3D~enc
Nada - http://isithacked.com/check/http%3A%2F%2Fhostingcloud.racing%20

It is a general IP detection: https://www.virustotal.com/gui/url/44385784099f6c463f7a02e639ca884ed0c31d6f94e4f24abf63fc368545148e/detection

Dutch Leaseweb has kind of an abuse rep: https://www.virustotal.com/gui/ip-address/212.32.255.93/relations

Scan of 31 minutes ago: https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection

Reanalyzed results, but that is not a final verdict:
https://www.virustotal.com/gui/url/d94830cfbd38691a9f25f05382d0e4f059ba4cfa8832ebfb95167ce5f8b13ac9/detection

The final verdict should come from an Avast team member, as they are the only ones who can come and unblock under the present situation of that website; we here are volunteers with relative knowledge, but cannot come and unblock, just advise.

By the way, uBlock Origin blocks access to your site according to the EasyPrivacy list.

Webbug renders:
Quote
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 22 Oct 2019 21:06:54 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Wed, 24 Oct 2018 10:52:39 GMT
Connection: close
ETag: "5bd04ef7-264"
Accept-Ranges: bytes

<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="-http://nginx.org/">-nginx.org</a>.<br/>
Commercial support is available at
<a href="-http://nginx.com/">-nginx.com</a>.</p>

<p><em>Thank you for using -nginx.</em></p>
</body>
</html>

That's all we know  ;)

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on October 23, 2019, 01:38:50 AM
Many thanks for all. I will wait for more results.
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: jefferson sant on October 23, 2019, 04:33:47 AM
Hello mauther.

What Pondus said is right. The detection is the cryptocurrency file xEhO.js in an HTML line of code.
Attached:

https://www.virustotal.com/gui/file/7241e823b417d4caf938f9263856c00e9b41632b18f6cd513106011230c39a5b/detection

https://zulu.zscaler.com/report/c96086a8-f582-4e51-a54d-0fdb7a193442
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on October 23, 2019, 08:22:55 AM
Hello, jefferson sant,

I will take a look at this line. Many thanks for the support.

I really appreciate all the effort of all you, guys! You are great!

Greetings from Brazil!

Mauther
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on October 23, 2019, 02:57:02 PM
To jefferson sant and all friends of the forum,

I took a look at the file below and I don't find the lines in my blog's HTML. Can you be more specific about where these lines are located, please?

(https://3.bp.blogspot.com/-gwTxCwyxxtg/XbBN3RDRHPI/AAAAAAAAoRA/CxYahI2AD_039HzvEao2Qb1VIE9cvtwWgCLcBGAsYHQ/s1600/papermau.blogspot.JPG)

Thanks in advance and greetings from Brazil.

Mauther
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: jefferson sant on October 23, 2019, 11:21:48 PM
In any browser, press F12 (developer tools) and inspect the DOM.

https://developers.google.com/web/tools/chrome-devtools

https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on October 24, 2019, 01:51:36 AM
Thanks again, Mr. jefferson sant, you're very kind.

Greetings from Brazil!

Mauther

Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: jefferson sant on October 25, 2019, 05:41:42 AM
Quote
Thanks again, Mr. jefferson sant, you're very kind.

Greetings from Brazil!

Mauther

You're welcome.
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on November 12, 2019, 03:37:31 AM
Hello again,

Sorry for bothering you again; I spent several days racking my brains over this. Mr. jefferson sant instructed me to look at the DOM using developer tools on the template, but what I found was that (image below). I could not find the malicious script in these lines. Can anyone help me?

(https://1.bp.blogspot.com/-D8jet_9chb8/Xcoau8oZxcI/AAAAAAAAosU/xFnJCZhCXk0rqFzMy5ELoR7b1vV3D5ynACLcBGAsYHQ/s1600/DOM.JPG)

Thanks in advance.

Mauther
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: jefferson sant on November 12, 2019, 03:53:42 AM
Avast can identify why the code is still back in the same place. The new Mozilla Firefox 70.0.1 was also able to block cryptominers with its Enhanced Tracking Protection.
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: polonus on November 12, 2019, 12:03:22 PM
This was prevented from loading for me: -https://feedjit.com/serve/?vv=955&tft=3&dd=0&wid=3592ed36b3fbc106&pid=0&proid=0&bc=FFFFFF&tc=000000&brd1=012B6B&lnk=135D9E&hc=FFFFFF&hfc=2853A8&btn=C99700&ww=200&wne=10&wh=Live%20Traffic%20Feed&hl=0&hlnks=0&hfce=0&srefs=0&hbars=0
without parameters = -https://feedjit.com/serve/
vv = 955
tft = 3
dd = 0
wid = 3592ed36b3fbc106
pid = 0
proid = 0
bc = FFFFFF
tc = 000000
brd1 = 012B6B
lnk = 135D9E
hc = FFFFFF
hfc = 2853A8
btn = C99700
ww = 200
wne = 10
wh = Live Traffic Feed
hl = 0
hlnks = 0
hfce = 0
srefs = 0
hbars = 0

See pocket_miner detections here: https://www.virustotal.com/gui/ip-address/74.207.249.166/relations

Also consider this scan report: https://webcookies.org/cookies/papermau.blogspot.com/28630090?998999

This seems OK: https://dnsviz.net/d/papermau.blogspot.com/dnssec/

polonus
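The two pieces of advice above, jefferson sant's "inspect the DOM" and polonus's finding that the feedjit "Live Traffic Feed" widget is what pulls in the miner, fit together in one procedure: the miner is not in the Blogger template, it is inserted into the page at runtime by a third-party script, so it only shows up in the live DOM and in the Network panel. The following is an added example, not code from the thread or from any tool named in it. It assumes the suspect domain hostingcloud.racing from the AV reports and a /xEhO.js path (the thread names only the file); the two HTML samples are constructed and are not the real blog's markup.

```javascript
// Added example, not code from the thread or from any of the tools named in it.
// Goal: find which script on a page reaches a suspect domain (hostingcloud.racing
// from the AV reports above). Two modes:
//   1. pure functions over an HTML string (runnable under Node on the constructed
//      samples below);
//   2. pasted into a browser devtools console, where liveScripts() reads the DOM
//      as it is *after* widgets ran and watchScriptInjection() logs scripts added
//      later, which is where a widget-loaded miner shows up and why a text search
//      of the Blogger template finds nothing.

const SUSPECT_DOMAINS = ["hostingcloud.racing"]; // from the Sophos/Norton/Sucuri reports

// Collect every <script> in raw HTML: its src (if any) and its inline body.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const src = /(?:^|\s)src\s*=\s*["']?([^"'\s>]+)/i.exec(m[1]);
    scripts.push({ src: src ? src[1] : null, inline: m[2].trim() });
  }
  return scripts;
}

// Hostnames a script reaches: its src plus any URL literal inside an inline body.
function hostsReferencedBy(script) {
  const hosts = new Set();
  const urlRe = /(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  for (const text of [script.src || "", script.inline || ""]) {
    let m;
    while ((m = urlRe.exec(text)) !== null) hosts.add(m[1].toLowerCase());
  }
  return [...hosts];
}

// Every distinct host the page's scripts reach, so the widget chain is visible.
function thirdPartyHosts(html) {
  const hosts = new Set();
  for (const s of extractScripts(html)) for (const h of hostsReferencedBy(s)) hosts.add(h);
  return [...hosts];
}

// Scripts that touch a suspect domain (exact host or a subdomain of it).
function findSuspectScripts(html, suspects = SUSPECT_DOMAINS) {
  const bad = h => suspects.some(d => h === d || h.endsWith("." + d));
  return extractScripts(html)
    .map(s => ({ ...s, hosts: hostsReferencedBy(s) }))
    .filter(s => s.hosts.some(bad));
}

// Browser only: scripts present in the live DOM, including ones that other
// scripts inserted after load. Serialising the DOM lets the same functions run on it.
function liveScripts() {
  if (typeof document === "undefined") return [];
  return extractScripts(document.documentElement.outerHTML);
}

// Browser only: log each <script> element added from now on, with the hosts it
// reaches, so the injection can be traced back to the widget that performed it.
function watchScriptInjection(suspects = SUSPECT_DOMAINS) {
  if (typeof MutationObserver === "undefined") return null;
  const observer = new MutationObserver(mutations => {
    for (const mut of mutations) {
      for (const node of mut.addedNodes) {
        if (node.tagName !== "SCRIPT") continue;
        const hosts = hostsReferencedBy({ src: node.src, inline: node.textContent });
        const flagged = hosts.some(h => suspects.some(d => h === d || h.endsWith("." + d)));
        console.log(flagged ? "SUSPECT script injected:" : "script injected:",
                    node.src || "(inline)", hosts);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Constructed samples (not the real blog's markup). The template carries the
// Blogger widget loader and the feedjit "Live Traffic Feed" widget and nothing
// else; the live-DOM snapshot is what the Elements panel would show once the
// widget has appended a loader for the miner. The /xEhO.js path is assumed;
// the thread only names the file.
const SAMPLE_TEMPLATE = `<html><head><title>Papermau</title>
<script src="https://www.blogger.com/static/v1/widgets/123.js"></script>
<script src="//feedjit.com/serve/?vv=955&tft=3&wid=3592ed36b3fbc106"></script>
</head><body><h1>Papermau</h1></body></html>`;

const SAMPLE_LIVE_DOM = SAMPLE_TEMPLATE.replace(
  "</head>",
  '<script src="https://hostingcloud.racing/xEhO.js"></script></head>'
);

if (typeof document === "undefined") {
  console.log("template hosts:", thirdPartyHosts(SAMPLE_TEMPLATE));
  console.log("template hits:", findSuspectScripts(SAMPLE_TEMPLATE));
  console.log("live DOM hits:", findSuspectScripts(SAMPLE_LIVE_DOM));
}
```

Run under Node the template search comes back empty while the live-DOM snapshot yields the hostingcloud.racing script, which is exactly the gap mauther ran into: searching the saved template cannot find a script that a widget adds after the page loads. In a browser, paste the block into the devtools console on the blog, call watchScriptInjection() before the widgets finish, and cross-check in the Network panel, whose Initiator column names the script that requested the suspect URL; removing that widget from the layout is then the fix that does not require a paid cleanup.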
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on November 12, 2019, 03:37:56 PM
Quote
Avast can identify why the code is still back in the same place. The new Mozilla Firefox 70.0.1 was also able to block cryptominers with its Enhanced Tracking Protection.

Hello for all,

I have been blogging for almost ten years and it has always been a place of fraternization for paper model hobbyists, always free of charge. I have received several messages from friends warning about this infection, and I myself notice the blog loading slowly.

Thanks everyone for your support, but despite blogging all this time, I don't understand anything about scripts and things like this, and I don't understand how to proceed: I can't find this line "hostingcloud.racing", either in the HTML or in the console of the blog.

I don't know if it's allowed on this forum, but I'd like to know if anyone can be more specific about this line "hostingcloud.racing" and how I can effectively visualize it.

Sorry for the bad English, thanks in advance and greetings from Brazil!

Mauther

Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: Pondus on November 12, 2019, 10:02:10 PM
Quote
Thanks everyone for your support, but despite blogging all this time, I don't understand anything about scripts and things like this, and I don't understand how to proceed: I can't find this line "hostingcloud.racing", either in the HTML or in the console of the blog.
You could ask Sucuri to help you, but it is not free >> https://sucuri.net/


Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on November 12, 2019, 11:39:02 PM
Hello, Pondus,

I will contact Sucuri and see if I can afford this service. Thanks for the tip and greetings from Brazil!

Mauther
Title: Re: Avast is reporting virus JS: Downloader-FHO [Trj] on my blog
Post by: mauther on November 13, 2019, 04:09:15 PM
Hello for all,

Just to close this thread, I would like to say that I contacted Sucuri, but the annual fee is prohibitive for me, since the blog is not for profit, just a hobby. So I decided to disable the blog so that the Trojan no longer affects any computer.

Many thanks to everyone here on the forum for all the tips and help. I learned some things that will help me in the future.

Greetings from Brazil!

Mauther