Avast WEBforum

Other => Viruses and worms => Topic started by: eltopo on December 26, 2011, 12:03:31 PM

Title: Redirector-HS [Trj] detected on my website
Post by: eltopo on December 26, 2011, 12:03:31 PM
Hello,

Avast detects the Trojan js:Redirector-HS on my WordPress website. Here's the page: hxxp://prog-inna-babylon.fr/audio/. As far as I can see, all the JavaScripts called in the header correspond to legitimate plugins (NextGen Gallery and Shadowbox), and the JavaScript in the footer is to scramble an email address in the code.

Am I missing something? Kaspersky doesn't see anything on that page, and the Sucuri SiteCheck WP plugin doesn't turn up anything either. Only Avast does on my friend's pc, and every page but the home one is inaccessible to him - on the same network with another antivirus the site works fine though. To add to my confusion, all the online web scanners I've tried, whose credibility I'm admittedly not sure about, say the page is safe.  ???

Thank you.
Title: Re: Redirector-HS [Trj] detected on my website
Post by: Lisandro on December 26, 2011, 12:33:53 PM
Check here (http://www.stopbadware.org/home/security) how to clean and make a website secure.
I'll report this to the virus analyst and hope they correct the detection soon.
Title: Re: Redirector-HS [Trj] detected on my website
Post by: Pondus on December 26, 2011, 12:41:00 PM
Could you attach a screenshot of the avast warning?


urlQuery report - suspicious
http://urlquery.net/report.php?id=13446

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=0de8b7e2ee03f9f693dbe04925489572&t=1324900047&type=js


And it is not only avast that does not like it.

VirusTotal - audio.htm - 9/43
http://www.virustotal.com/file-scan/report.html?id=e810facc1fb040ec09bb0b35b909b4ceabe6214a74dc9b159cb263937198342d-1324899746


Title: Re: Redirector-HS [Trj] detected on my website
Post by: spg SCOTT on December 26, 2011, 12:53:41 PM
avast! seems to be alerting on the code shown in the image. Odd since it appears to be an obfuscated email address?

Not sure why...possibly a false positive.

Title: Re: Redirector-HS [Trj] detected on my website
Post by: Pondus on December 26, 2011, 12:58:56 PM
Yepp... and that mail shows in the wepawet report.
Title: Re: Redirector-HS [Trj] detected on my website
Post by: Pondus on December 26, 2011, 01:43:45 PM
Norman lab confirms infected
Quote
Detection is added for the malicious redirect pages
audio.htm : Processed - HTML/Agent.RA
prog-inna-babylon.fr.htm : Processed - HTML/Agent.QZ

Quote
The detection is added for the redirect prog-inna-babylon.fr that transacts medicmagic.net which is related to ads. Hence these detections are added in PUA category
The written data fetched here is  <a class="footer" href="mailto:joelliron@yahoo.co.uk"> Contact</a>
wherein the registrar details are -http://www.myiptest.com/staticpages/index.php/whois/joel-liron.net

It is to alert the user that he is aware of a redirect

PUA category = Possible Unwanted Application
some use the PUP name = Possible Unwanted Program - http://searchsecurity.techtarget.com/definition/PUP
Title: Re: Redirector-HS [Trj] detected on my website
Post by: polonus on December 26, 2011, 05:34:14 PM
Here is the suspicious part of the code:

suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
-prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 suspicious
[suspicious:2] (ipaddr:82.165.108.214) (script) -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05
     status: (referer=-prog-inna-babylon.fr/audio/)saved 1750 bytes aecd83a288c7f7a8094e58df045e5703aeda4599
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     info: file: saved -prog-inna-babylon.fr/wp-content/plugins/nextgen-gallery/js/ngg.slideshow.min.js?ver=1.05 to (aecd83a288c7f7a8094e58df045e5703aeda4599)
     file: aecd83a288c7f7a8094e58df045e5703aeda4599: 1750 bytes
     file: a4cad35d4ebf6dd99082e86577790468309c57ca: 2080 bytes
     file: 93a6e87828b6629a588539e8dce94fe6ef7523d4: 2086 bytes
     file: 000eb96c77da1a6c3e013c691bc26c7bdde1a630: 2295 bytes
     file: d7b9dabdca7e87c255f6b2d6e5d3318e97c90d30: 2487 bytes
     file: bdbe42bcb7e0c0608f6a708235fcf8a3e362b7f1: 2201 bytes
     file: d748b293f6fa509600be0050eeb12e03ff38577e: 2325 bytes
Check if the latest WP version is installed:
Wordpress internal path: /homepages/7/d341462386/htdocs/PIB/wp-content/themes/Starkers/index.php

polonus
Title: Re: Redirector-HS [Trj] detected on my website
Post by: eltopo on December 26, 2011, 05:58:42 PM
Hello all

Thank you for your quick replies - what a great community this is.  :)

Here is the screenshot (in French): hxxp://prog-inna-babylon.fr/wp-content/uploads/2011/12/ProgJS.jpg

I can't see any suspicious code in my WP theme, which is custom-made, and I'm not proficient enough to go looking through the WordPress files themselves. I upgraded to the latest version of WP last week I think, from a fresh install of 3.2. I've just changed the permissions on files and folders such as htaccess, wp-config.php, wp-content, in accordance with recommendations by BulletProof Security, a WP plugin, so maybe there was a security hole there.

I have deactivated and deleted the NextGen Gallery plugin, which was calling the ngg.slideshow.min.js file in the site's header - thanks Polonus. Avast still shows the error when I navigate to the site - does that mean there's some more evil code somewhere, or that this .js file wasn't to blame?

I can restore the site to about two weeks ago, not sure if that's the best thing to do right now...?

Thanks again for all your help, it's appreciated.
Title: Re: Redirector-HS [Trj] detected on my website
Post by: Pondus on December 26, 2011, 06:04:43 PM
i got some extra info from Norman...see my post above

Hope that helps   ;)
Title: Re: Redirector-HS [Trj] detected on my website
Post by: eltopo on December 26, 2011, 06:26:35 PM
Thanks a lot Pondus, you da man! I took out the JS code obfuscating the email address in the HTML source code, and both Avast and Wepawet report the site clean now - so I assume I'm good?

I'd gotten the JS code from some online site where you enter the email address and out pops some scrambled code... with some extra baggage apparently.

What a relief, it's like a second Christmas. Thanks again!
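A defender-side check for the situation eltopo describes, added here as an example and not part of the thread: it statically peels the document.write(String.fromCharCode(...)) / unescape("...") layers a typical email scrambler produces and reports whether the markup that would be written contains anything beyond a mailto link. The two snippets and the example.invalid hosts are constructed for the example.

```python
import re
from urllib.parse import unquote

def _scramble(markup):
    """Build a document.write(String.fromCharCode(...)) snippet, as email scramblers do."""
    return "document.write(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in markup)

# Constructed samples: the first writes only a mailto link; the second carries
# "extra baggage", a script pulled from another (placeholder) domain.
BENIGN_JS = _scramble('<a class="footer" href="mailto:user@example.invalid">Contact</a>')
TAINTED_JS = _scramble('<a href="mailto:user@example.invalid">Contact</a>'
                       '<script src="http://ads.example.invalid/r.js"></script>')

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
UNESCAPE = re.compile(r'unescape\(\s*"((?:%[0-9A-Fa-f]{2}|[^"])*)"\s*\)')

def decode_layer(js):
    """Replace fromCharCode(...) and unescape("...") calls with their plaintext, without executing."""
    js = FROMCHARCODE.sub(lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
    return UNESCAPE.sub(lambda m: unquote(m.group(1)), js)

def audit(js, max_layers=3):
    """Peel up to max_layers encodings and classify what the snippet would write into the page."""
    decoded = js
    for _ in range(max_layers):
        nxt = decode_layer(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    mailto = re.findall(r"""mailto:([^"'\s>]+)""", decoded)
    # Anything fetched over http(s) or any script/iframe/meta tag is more than an email link needs.
    external = re.findall(r"""(?:src|href|url)\s*=\s*["']?(https?://[^"'\s>]+)""", decoded, re.I)
    tags = [t.lower() for t in re.findall(r"<(script|iframe|meta)\b", decoded, re.I)]
    # Encoding that survives max_layers is itself a warning sign (nested obfuscation).
    nested = bool(re.search(r"\beval\(|fromCharCode|unescape\(", decoded))
    return {"decoded": decoded, "mailto": mailto, "external": external,
            "tags": tags, "nested": nested, "suspicious": bool(external or tags or nested)}

if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("tainted", TAINTED_JS)):
        print(name, audit(js))
```

The same decoding shows what a scanner's "Evals Writes" finding refers to: the text the script writes, not the scrambled literal in the page source.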
Title: Re: Redirector-HS [Trj] detected on my website
Post by: Pondus on December 26, 2011, 06:29:43 PM
You're welcome...  ;)


Yepp... seems the detection is gone.

VirusTotal - audio.htm - old file - 11/43
http://www.virustotal.com/file-scan/report.html?id=e810facc1fb040ec09bb0b35b909b4ceabe6214a74dc9b159cb263937198342d-1324920278

VirusTotal - audio(1).htm - new file - 0/43
http://www.virustotal.com/file-scan/report.html?id=00fb716da262d7ba3c9639f2e3609c0e53bee9c8261a762924a6f83ee53f797a-1324920190
Title: Re: Redirector-HS [Trj] detected on my website
Post by: polonus on December 26, 2011, 08:23:22 PM
Also the wepawet scan confirms:

The last time we found it to be benign was at 2011-12-26 09:34:48.
The last time we found it to be suspicious was at 2011-12-26 03:47:27.

Something has changed; the difference was Evals Writes - that is now gone...

polonus