Avast WEBforum

Other => Viruses and worms => Topic started by: stevecobb on April 29, 2009, 06:08:56 PM

Title: JS:Redirector-H [Trj] at website
Post by: stevecobb on April 29, 2009, 06:08:56 PM
Avast gives me this Trojan warning @ hxxtp://www.gmdny.com which is a viable New York State contract website.
It appears only Avast picks this up...legitimacy please???
Title: Re: JS:Redirector-H [Trj] at website
Post by: Omid Farhang on April 29, 2009, 06:12:07 PM
Hello and Welcome to the forum.

When you want to post a link to an infected website, please use this format: hXXp://www.infected-site.com/

Good Luck.
Title: Re: JS:Redirector-H [Trj] at website
Post by: stevecobb on April 29, 2009, 06:17:58 PM
OK... is hxxp://www.gmdny.com legitimately infected??
Title: Re: JS:Redirector-H [Trj] at website
Post by: onlysomeone on April 29, 2009, 06:19:45 PM
I think what Omid meant was that you should modify your first post - make the link there unclickable...  ;)
Title: Re: JS:Redirector-H [Trj] at website
Post by: Omid Farhang on April 29, 2009, 06:20:59 PM
Well, I did not find anything wrong with this site; it looks clean.
Title: Re: JS:Redirector-H [Trj] at website
Post by: stevecobb on April 29, 2009, 06:23:16 PM
Why am I getting the warning of JS:Redirector-H [trj] from Avast for the site then?
Title: Re: JS:Redirector-H [Trj] at website
Post by: DavidR on April 29, 2009, 06:30:27 PM
The site has been hacked, there is a large chunk of obfuscated javascript just before the opening Body tag of that page, see image. I modified the code to make it easier to see in the image as it is on a single line.

avast is all over these injection infections like a rash.
Title: Re: JS:Redirector-H [Trj] at website
Post by: Omid Farhang on April 29, 2009, 06:44:02 PM
David, do you know a tool to make this script a little easier to read than it is now?  ???
Title: Re: JS:Redirector-H [Trj] at website
Post by: polonus on April 29, 2009, 07:13:29 PM
Hi stevecobb,

Here is information about this malware: http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H
In general about these SQL-injecting threats read: http://blogs.technet.com/antimalware/
You can find a list of compromised sites here:
http://www.shadowserver.org/wiki/

Sites that were infected with JS-redirector-H:
Approximate number of pages injected: between 440,000 and 230.

What to do?
Empty the temporary java cache. [Located in the java console].
Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

From the Start button, click Settings > Control Panel
In the Control Panel, open the "Java Plug-in Control Panel"
Select the Cache Tab
Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
pictures: http://www.dslreports.com/forum/remark,13803204

To verify the current version of Java installed, use this tool: www.java.com/en/download/installed.jsp

polonus
Title: Re: JS:Redirector-H [Trj] at website
Post by: Omid Farhang on April 29, 2009, 07:24:33 PM
Thanks for the info :)
Title: Re: JS:Redirector-H [Trj] at website
Post by: DavidR on April 29, 2009, 08:14:37 PM
I don't have a definitive script to check it; there is a site I use on occasion, http://www.felgall.com/javamet6.htm, when trying to look at unescape script like that above. However, there are frequent times when even that doesn't reveal the true intent. Alwil software have their own script checking tool so they are able to decode what the intent is (redirection, probably to a malicious site/script).

So suffice to say that javascript is a plain language scripting language, so when people go to these lengths to hide the purpose, that makes me very suspicious.
Title: Re: JS:Redirector-H [Trj] at website
Post by: Omid Farhang on April 29, 2009, 08:20:04 PM
Thanks David for the link, I appreciate it :)
I know about Alwil and their program to read those kind of script.
Title: Re: JS:Redirector-H [Trj] at website
Post by: FKonline on April 29, 2009, 08:21:02 PM
Another website where my avast alerts on such a JS:Redirector-H [trj]:
- hXXp://www.4allclients.de/?action=4&id=1894777&utm_source=GB_DE [+ blocked bad network (hXXp://gumblar.cn/rss/?id=5818702)]
Title: Re: JS:Redirector-H [Trj] at website
Post by: DavidR on April 29, 2009, 08:55:46 PM
Yes this is a fast growing exploit hacking legit sites and injecting either iframe or script tags into the page/s to redirect to a malicious site where the payload resides. The script responsible for the redirect is at the bottom of the page, see image1

There is also another alert on that site as the favicon.ico file has been replaced with an html page purporting to be a 404 error page redirecting also to a malicious site, image2 & 3.

So you should report it to the site owner/webmaster, etc.
Title: Re: JS:Redirector-H [Trj] at website
Post by: Allex on April 29, 2009, 10:12:06 PM
Hello, this is my first post here.
I am the owner of a small website with a phpbb forum called hxxt://www.problemefiat.ro. Problem is I've been hit by this JS:Redirector-H [trj] 3 days ago. So far I tried cleaning the php code...no result. Today I have deleted my files from the hosting and copied a back-up I had made a while back. The site stayed clean for about 16 hours and now is infected again. Does anyone know how to protect your website from this type of attack? Or do I need to restore my back-up every day? :(
Thanks!
Title: Re: JS:Redirector-H [Trj] at website
Post by: kubecj on April 29, 2009, 10:47:06 PM
Try the simplest first.
1) Change the passwords
2) Don't store passwords in upload programs (definitely not in older versions of Total Commander)
3) Be sure your computer is not infected.
Title: Re: JS:Redirector-H [Trj] at website
Post by: DavidR on April 29, 2009, 10:57:08 PM
You need to change your passwords for stronger ones for uploading or modifying pages. Speak to your Host and ensure that the PHP software is fully up to date as older versions are vulnerable to exploit. Also tell them about the hack and what they and you can do to ensure it doesn't happen again.
Title: Re: JS:Redirector-H [Trj] at website
Post by: lackofvoice on April 30, 2009, 05:21:58 PM
Allex, how did you originally go about editing your PHP? I too am having troubles and unfortunately do not have a backup to throw back up.
Title: Re: JS:Redirector-H [Trj] at website
Post by: Allex on May 05, 2009, 07:48:55 AM
Hello lackofvoice. In my opinion the files modified are only the index.php ones (all that you have). You can edit them with WordPad or, if you have it, Dreamweaver, which is much better. I examined the file and saw a big chunk of garbage (encrypted stuff) at the beginning of the file and an iframe line at the end which was directing me to another website in China. I deleted those two parts and all seemed to be ok, for about 2 days  ::) I hope this helps.
At this time, after 4 days, I restored the back-up and all seems fine. I also talked to the host's folks and I hope it will be just fine.
Thanks!
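The injection pattern DavidR and Allex describe (an obfuscated script blob near the top of index.php, an iframe to an outside host at the bottom, and a favicon.ico swapped for an HTML "404" page) can be searched for across a site's files. The scanner below is an added example, not a tool from this thread or from avast; the sample web root, the host name www.example.org and the host bad.example are constructed stand-ins, since the thread shows the real files only in screenshots.

```python
import os
import re

SITE_HOST = "www.example.org"  # constructed: the host the site's own pages should reference

# Constructed sample web root mimicking the pattern described in the thread.
SAMPLE_SITE = {
    "index.php": (
        "<?php /* phpBB front page */ ?>\n<html><head><script>eval(unescape('"
        + "%3c" * 220 + "'));</script></head><body>Welcome</body></html>\n"
        '<iframe src="http://bad.example/rss/" width="0" height="0"></iframe>\n'
    ),
    "favicon.ico": '<html><head><title>404 Not Found</title><meta http-equiv="refresh" '
                   'content="0;url=http://bad.example/"></head></html>',
    "clean.html": '<html><body><iframe src="http://www.example.org/embed" width="400" '
                  'height="300"></iframe></body></html>',
}

# Indicators: an iframe whose src is on another host; a long quoted blob fed to
# eval/unescape/document.write; an .ico file that is really an HTML page.
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc=["\']?https?://([^/"\'\s>]+)', re.I)
BLOB_RE = re.compile(r'(?:eval|unescape|document\.write)\s*\(\s*["\'][^"\']{200,}', re.I)
HTML_RE = re.compile(r'<html|<meta|<script|<iframe', re.I)

def scan_text(name, text, site_host=SITE_HOST):
    """Return a list of human-readable findings for one file's contents."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        host = m.group(1).lower()
        if host != site_host.lower():
            findings.append(f"iframe to external host {host}")
    if BLOB_RE.search(text):
        findings.append("long escaped string passed to eval/unescape/document.write")
    if name.lower().endswith(".ico") and HTML_RE.search(text):
        findings.append("favicon.ico contains HTML instead of an icon")
    return findings

def scan_site(files, site_host=SITE_HOST):
    """files: {relative path: contents}. Returns only the files that have findings."""
    return {n: f for n, f in ((n, scan_text(n, t, site_host)) for n, t in files.items()) if f}

def scan_webroot(root, site_host=SITE_HOST):
    """Walk a real web root on disk and scan its text-like files the same way."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for n in names:
            if n.lower().endswith((".php", ".html", ".htm", ".js", ".ico")):
                path = os.path.join(dirpath, n)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(path, root)] = fh.read()
    return scan_site(files, site_host)

if __name__ == "__main__":
    for name, findings in scan_site(SAMPLE_SITE).items():
        print(name, "->", "; ".join(findings))
```

Flagged files should be compared against a known-clean backup rather than edited blind, and a hit is a reason to change the upload credentials as kubecj advised, since a re-infection after restore points at stolen passwords rather than a bad file.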
Title: Re: JS:Redirector-H [Trj] at website
Post by: lackofvoice on May 07, 2009, 04:15:09 PM
Allex, I'm attempting to edit in Dreamweaver... but I do not want to screw anything up! The actual site html shows me the injected script, but the php file's a bit more cryptic. Based on the pictures, what is the code I should target to delete? Thanks.
SOURCE VIEWED:
(http://i479.photobucket.com/albums/rr154/gillettesinterstaterv/JAY/INJECTED.jpg)
PHP:
(http://i479.photobucket.com/albums/rr154/gillettesinterstaterv/JAY/CODETOKILL.jpg)
Title: Re: JS:Redirector-H [Trj] at website
Post by: jsejtko on May 07, 2009, 09:01:52 PM
Hello,

Could you please send those infected php files to virus@avast.com. It's very hard to get the original php source. We will analyze these samples, which will allow detection of this threat on the php layer. Please send those files in a compressed archive using the password "virus" without quotes.

We will be grateful, thank you
Title: Re: JS:Redirector-H [Trj] at website
Post by: polonus on May 07, 2009, 09:50:09 PM
Hi Allex,

Read about this malware here: http://blogs.technet.com/antimalware/
Never trust user input used in a query; always use add-slashes on variables. In a numeric SQL field do not use slashes in a WHERE statement, else you are vulnerable and you're open to SQL injection. Encrypted data from a cookie and from a URL-variable should always be add-slashed.
So the following string 'Mtp0cm91Ynk6M2U5YzliNzcxZGZkY2QyMjlhMTk0MDE1ZmViYTQ1MWM=' had been add-slashed(). The decoded base-64 string was not add-slashed as such within a script, and bingo vulnerable! Always do this for cookie, post, variable,

Was the problem here: hxtp://www.problemefiat.ro/scripts/ac_runactivecontent.js

Websites can detect if you've got Flash installed. How does that work and could it be used for both of my goals? " - it's quite simple: your browser tries to render some additional files with some specific formats, such as Flash .swf, and if the browser doesn't find an installation, then it will start downloading, or you will get the option to download that program. Flash also uses AC_RunActiveContent.js; please take a look at this js, people usually put this on their webpages

Code:
if (AC_FL_RunContent == 0) {
    alert("This page requires AC_RunActiveContent.js.");
} else {
    AC_FL_RunContent( 'codebase','xttp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','981','height','635','id','build5','align','middle','src','build5','quality','high','bgcolor','#ffffff','name','build5','allowscriptaccess','sameDomain','allowfullscreen','false','pluginspage','xttp://www.macromedia.com/go/getflashplayer','movie','build5' ); //end AC code
}
vulnerable to SQL exploit

Protecting against SQL injection is easy:

* Filter your data.
  This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.

* Quote your data.
  If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.

* Escape your data.
  Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_escape_string() or an escaping function native to your particular database. If there isn't a specific one, addslashes() is a good last resort. But actually the most effective way to defend yourself against SQLI is using prepared statements: http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

Addslashes() is rather dangerous because it gives a false sense of security. In fact, it can be fooled by exploiting character set mismatches between input and database, and it works (badly) with MySQL only (none of the other SQL-compliant databases use slashes to escape special characters).

If you can't use prepared statements, e.g. because you're stuck with PHP 4 and its old mysql client API, you must escape all the data you put in your SQL statement with mysql_real_escape(), rather than addslashes().

polonus
Title: Re: JS:Redirector-H [Trj] at website
Post by: lackofvoice on May 09, 2009, 06:30:28 PM
HOLY! I would not mess with Polonus! Man's got it going on! Don't know what he's speaking about but, IMPRESSIVE!