Avast WEBforum
Other => Viruses and worms => Topic started by: luinwe on February 07, 2012, 01:52:11 AM
-
Hi everyone,
When I try to enter my website (hxxp://hotmobilepress.com), it's giving a js:Redirector-NT [Trj] alert from Avast.
I downloaded the whole site from the FTP server and scanned it with Avast and Ad-Aware, but nothing was found :(
I checked my database file for any redirect address, but nothing was found :(
Also the Sucuri report is clean too...
But Avast is still giving js:Redirector-NT [Trj] alerts..
What can I do to remove this trojan from my website?
PS: I think it's because of my easy SQL database password. If you have the same problem, check whether your database password is strong enough..
-
Kaspersky also detects it
https://www.virustotal.com/file/6f4f647cee08df0cbbd1567cbc2bc886d5e97ad9fdfd785e3bb5dc3cc25e28c4/analysis/1328594043/
-
Same problem here:
hxxp://linky.es
The Avast alert occurs randomly, maybe one time in every 10 times I go to the web... usually when I go to the web for the first time in a few hours. Then I try to refresh and nothing. I have downloaded the home page when the alert occurs, but there is no difference from the home page when nothing occurs.
-
Yes, alerts occur randomly...
Still there is no solution...
-
Hey! King Polonus :)
I'm waiting for your advice...
-
@luinwe there is no detection today
https://www.virustotal.com/file/3e41001417bb1a03984177cde4cb57c619632be344ddf9e24eb1f260e6507686/analysis/1328650188/
@weblanzarote no detection here
https://www.virustotal.com/file/4dcda4c11ba5d507022a56f8ba288d2afd39758e9418ae1ece03c326e5b6e31f/analysis/1328650253/
-
I just ran virustotal check...
https://www.virustotal.com/url/6f862765b29f8e568b7a71577372d7c8776974ba52b9a1d0ab37843ac35ffa1a/analysis/1328651337/
What should i do?
The redirecting addresses are:
hxxp://piz.de.tf/in.cgi?2
hxxp://gone.jp.mn/in.cgi?2
-
This script appears to point to a site that is blocked by the network shield. This is most likely the result of the alert.
If you look at the script, you can see a link that is pieced together.
There are a couple of threads about this particular detection at the moment...with different sites.
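The post above makes a point worth turning into a check: the redirect link in the injected script is pieced together from fragments, so a plain search of the downloaded site for the destination (or for `in.cgi`) finds nothing. Below is an added example, written for this thread and not code from Avast, Sucuri or any poster, that reassembles concatenated string literals before matching indicator patterns over a local copy of a site. The indicator list, the `scan_site` walker and the sample snippet are all constructed assumptions for the example.

```python
import re
from pathlib import Path

# Indicator patterns for injected redirector scripts. This list is an assumption
# for the example (built from the symptoms in the thread: in.cgi redirects,
# hidden iframes, document.write of concatenated strings); extend it for your site.
INDICATORS = {
    "eval_unescape": re.compile(r"eval\s*\(\s*unescape", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*[\"']?0)", re.I),
    "document_write_concat": re.compile(r"document\.write\s*\(\s*[\"'][^\"']*[\"']\s*\+", re.I),
    "php_eval_decode": re.compile(r"eval\s*\(\s*(gzinflate|base64_decode|str_rot13)", re.I),
    "in_cgi_redirect": re.compile(r"in\.cgi\?\d+", re.I),
}

# A run of quoted literals joined with '+', e.g. "ht" + "tp://" + "host.example"
STRING_CONCAT = re.compile(r"""(?:["'][^"']*["']\s*\+\s*)+["'][^"']*["']""")
QUOTED = re.compile(r"""["']([^"']*)["']""")


def join_string_concat(js: str) -> list:
    """Reassemble pieced-together string literals so the destination the
    script builds can be read (and matched) as one string."""
    return ["".join(QUOTED.findall(m.group(0))) for m in STRING_CONCAT.finditer(js)]


def scan_text(text: str) -> dict:
    """Return {indicator_name: [evidence, ...]} for one file's contents.
    Each pattern runs over the raw text and over the reassembled
    concatenations, because a pieced-together URL never appears literally."""
    hits = {}
    rebuilt = join_string_concat(text)
    for name, pat in INDICATORS.items():
        evidence = [m.group(0) for m in pat.finditer(text)]
        evidence += [s for s in rebuilt if pat.search(s)]
        if evidence:
            hits[name] = evidence
    return hits


def scan_site(root) -> dict:
    """Walk a downloaded (FTP) copy of the site and report files with indicators."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in {".js", ".php", ".html", ".htm"}:
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


# Constructed sample in the shape the thread describes: the redirect target is
# split across literals, so grepping the file for "in.cgi" would miss it.
SAMPLE_JS = (
    'var h = "ht" + "tp://" + "redirect.example" + "/in.c" + "gi?2";\n'
    'document.write("<iframe src=" + h + " width=0 height=0></iframe>");\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for rel, hits in scan_site(sys.argv[1]).items():
            print(rel, hits)
    else:
        print(scan_text(SAMPLE_JS))
```

Run it with the path of the downloaded site as the only argument; without an argument it scans the constructed sample, where `in_cgi_redirect` only fires on the reassembled string. Matches are leads for manual review, not a verdict: minified libraries such as jquery-ui.min.js concatenate strings for legitimate reasons, which is exactly why the tool output quoted in this thread marks them "suspicious" rather than malicious.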
-
Wow! Which file/files should i look at for this script?
-
Hi luinwe,
The general method of infection can be gathered from what spg SCOTT gave on the other site mentioned in this thread.
The only issue I spot through the generic JS unpacker is this part of the code for -hotmobilepress dot com:
Your WordPress should be updated and patched here: WordPress internal path: /home/hotmobil/public_html/wp-content/themes/LondonLive/index.php (Sucuri alert for that theme)
-hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/jquery-ui.min.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:46.28.239.195) (script) -hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/jquery-ui.min.js?ver=3.3.1
status: (referer=-hotmobilepress.com/)saved 183557 bytes fe810f47883364fbc4dc2c61e03a3aca0f74fed7
info: [iframe] -hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/javascript:false;
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: ....^
suspicious
Avast shield does not alert, but the site is still given as suspicious here: http://urlquery.net/report.php?id=19657
For the redirect (it could be non-responsive now). see: http://demon117sec.blogspot.com/2012_02_01_archive.html (link author = Paul from demon177)
That is a redirect to blackhole exploit kit malware....
polonus
-
Wow! Which file/files should i look at for this script?
That script is on the home page, on line 31 of the source.
-
Thank you, but I can't find this script code anywhere in my index.php, footer.php, header.php and others...
-
I have just had another look at the page, and it appears as though the script has been removed. Have you changed anything?
-
Nope, I didn't change anything.
And I can't understand why Sucuri is giving this red alert for my index.php file? There is no explanation... My WordPress version is 3.3.1.
-
I am not sure on that one. 3.3.1 is the most recent version according to wordpress.org...
-
Well, the Sucuri alert is not for an outdated WordPress version; the alert is for that specific theme: the WordPress London Live theme.
Use the WordPress Exploit Scanner: http://wordpress.org/extend/plugins/exploit-scanner/
This plugin is far from perfect, so you might have to plough through the code for changes yourself.
You fell victim to a PHP hack, so you have to secure the use of that first.
polonus
-
Thank you so much guys... spg SCOTT and polonus... you are great!
I found the problem. It was an old timthumb.php file!!!
Exploit Scanner showed me all the infected files and now everything is OK with my website...
-
You're welcome :)
That is interesting, the timthumb vulnerability again...saw that a while ago with slightly different script infections...
Scott
-
Well look here: http://urlquery.net/report.php?id=19989
The site is not beyond suspicion of being a phishing site, and redirects to cellphonetesters dot com
with undefined variable Bootloader found
http://forums.malwarebytes.org/index.php?showtopic=105879 defined there as a scam site,
See the bizimbal report: http://www.bizimbal.com/odb/details.html?id=935134
polonus
-
I am having the exact same problem; exactly which files were infected? Could you please paste their names.
Regards
Rick
-
What is the URL you have a problem with?
-
hxxp://www.rawfoodtips.se
-
Please use hxxp instead of http; you don't want any [non-avast user] curious sucker to fall into clicking on that link...
-
That URL is infected...see attached screenshot
Malware entry: MW:JS:6525 - http://sucuri.net/malware/malware-entry-mwjs6525
virustotal
https://www.virustotal.com/file/14c39310395b97daa655024fb369d588f41b5ce6825be846c361467da01f2b37/analysis/1328870962/
-
From that screenshot I can't tell which file is infected, do you see it?
Regards
Rickard
-
you may scan it here http://sucuri.net/
does this help...
wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=a02592b01fc3b95155ff474f5ac2b4ec&t=1328885455&type=js
-
When I run the sucuri.net check it says that the site is OK, but Avast still gives me Infection: js:Redirector-NV [Trj]
And I really can't find out which file contains the trojan script.
-
Finally got it: I installed the Exploit Scanner plugin for WordPress and looked through the files it had in the "severe" section, and in one of them the code was added.
Thanks a lot for the help, all you guys.
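Both resolved cases in this thread came down to the same thing: finding the file whose contents had changed (an old timthumb.php, code added to a theme file). Since the site had already been pulled down over FTP, the quickest independent check is a hash baseline: fingerprint a pristine WordPress install plus the original theme/plugin archives, fingerprint the live copy, and review only what differs. Below is an added example of that check, not code from Exploit Scanner, Sucuri or anyone in this thread; the risky file names, the "no PHP under uploads" rule and the sample manifests are constructed assumptions.

```python
import hashlib
import sys
from pathlib import Path

# timthumb.php is the culprit named in this thread; the rest of both lists is an
# assumption for the example. Adjust them to your installation.
RISKY_NAMES = {"timthumb.php", "thumb.php"}
NO_PHP_DIRS = ("wp-content/uploads/",)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """{relative posix path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(clean: dict, live: dict) -> dict:
    """Classify the live copy against the known-good baseline."""
    return {
        "modified": sorted(k for k in live if k in clean and live[k] != clean[k]),
        "added": sorted(k for k in live if k not in clean),
        "missing": sorted(k for k in clean if k not in live),
    }


def triage(diff: dict) -> list:
    """Order the review queue: known-risky names first, then PHP sitting in
    upload directories, then every other modified or added file."""
    candidates = diff["modified"] + diff["added"]

    def priority(rel: str) -> int:
        name = rel.rsplit("/", 1)[-1].lower()
        if name in RISKY_NAMES:
            return 0
        if rel.lower().endswith(".php") and rel.startswith(NO_PHP_DIRS):
            return 1
        return 2

    return sorted(candidates, key=lambda rel: (priority(rel), rel))


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wp_baseline_diff.py CLEAN_DIR LIVE_DIR")
    diff = compare_manifests(build_manifest(sys.argv[1]), build_manifest(sys.argv[2]))
    for key in ("modified", "added", "missing"):
        print(f"{key}: {len(diff[key])}")
    for rel in triage(diff):
        print("review:", rel)
```

Unpack the same WordPress version and the theme archives you originally installed into CLEAN_DIR, point LIVE_DIR at the FTP download, and work down the "review:" list; wp-config.php and anything under uploads will always show as added or modified, so the clean baseline only has to cover the code directories. A file the baseline knows that is *missing* from the live copy is also worth a look, since cleanup by an attacker's script sometimes removes the file it replaced.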
-
I have a similar problem with js:Redirector-NV [Trj].
The url given is hxxp://www.golfvakantieturkije.org/|%3E{gzip}
Exploit Scanner gives me 9 severe issues, but all of them are regular files with no strange strings.
-
Hi Render,
web site: wXw.golfvakantieturkije.org
status: Verified Clean according to Sucuri Scan
web trust: Not Blacklisted
warn: WordPress version outdated: Upgrade required.
*Cached results from a few minutes ago.
This is suspicious in the code:
wXw.golfvakantieturkije.org/wp-content/themes/woostore/includes/js/tabs.js?ver=3.3 suspicious
[suspicious:2] (ipaddr:91.198.106.30) (script) wXw.golfvakantieturkije.org/wp-content/themes/woostore/includes/js/tabs.js?ver=3.3
status: (referer=wXw.golfvakantieturkije.org/|>{gzip})saved 1073 bytes 813ba92faa731fdce49d619d5e365f66b3c25302
info: [decodingLevel=0] found JavaScript
suspicious:
polonus
-
Thanks a lot!! I will update WordPress and check the site again.
I hope it works. I use the same plugin for 2 other websites, but they do not have a warning.
-
urlQuery - golfvakantieturkije.org - suspicious
http://urlquery.net/report.php?id=22339
-
Suspicious, but why. It also says 'no alerts detected'. Do you have any idea what to look for?
-
Hi Render,
Maybe this was flagged before: htXps://html5shim.googlecode.com/svn/trunk/html5.js Empty N/A
See: http://www.threatexpert.com/report.aspx?md5=5281fd5adcfc75202622bc586043e282
Malicious trojan horse or bot analysis (go to the last line of the analysis, where it says: The data identified by the following URLs was then requested from the remote web server):
= htxp://html5shim.googlecode.com/svn/trunk/html5.js (not https)
polonus
-
Norman lab
website is clean.
golfvakantieturkije.org.htm : Clean!