JS:Decode-AVX[Trj]

[orchidee]

this is what I see when I try to log in on the site of wxw.circleofthemoon.net

is this a worm/trojan/virus and what does it do? Please iniform me so I can warn other people who are trying to log in

[Pondus]

as the suffix say [trj] a java script trojan

sucuri.   http://sitecheck.sucuri.net/results/www.circleofthemoon.net/

Security report  http://www.UnmaskParasites.com/security-report/?page=www.circleofthemoon.net

quttera. http://quttera.com/detailed_report/www.circleofthemoon.net

urlquery.... see the snort report.   http://urlquery.net/report.php?id=3980634
 

[polonus]

Site is enganged in sending spam, untrusty webreputation status ->
http://www.mywot.com/en/scorecard/urlm.co?utm_source=addon&utm_content=popup-donuts
See: http://zulu.zscaler.com/submission/show/b4f2c15ecf896be946921d8abbbdfd94-1374674337
avast! Web Sshield also flags this trojan, JS;Iframe-CSU[Trj] here: http://urlquery.net/report.php?id=3979670
Site has insecure Joomla software: Joomla Version 1.6.x for: htxp://www.circleofthemoon.net//language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required, therefore site was also been hacked back in 2010: http://www.zone-h.org/mirror/id/10506661
So something wrong with this site's security management, alas,

polonus

[orchidee]

thank you!!  I will pass it.


edit: the quttera was blocked with the same warning.

[Pondus]

edit: the quttera was blocked with the same warning.

probably because the code avast detect on that site is also on display in the quttera report.   

[orchidee]

ah thanks.. 

[polonus]

The snort IDS alert 120 boils down to:

Alerts
======

HTTP Inspect used generator ID 119 and 120.  HTTP Inspect can generate the
following alerts under generator ID 119:

SID   Description
---   -----------
1     ASCII encoding
2     Double decoding attack
3     U encoding
4     Bare byte Unicode encoding
5     Base36 encoding   # Deprecated in Snort 2.9.1
6     UTF-8 encoding
7     IIS Unicode codepoint encoding
8     multi-slash encoding
9     IIS backslash evasion
10    self-directory traversal
11    directory traversal
12    Apache whitespace (tab)
13    Non-RFC HTTP delimiter
14    Non-RFC defined char
15    Oversize request-URI directory
16    Oversize chunk encoding
17    Unauthorized proxy use detected
18    Webroot directory traversal
19    Long header
20    Max headers
21    Multiple Content-Length headers
22    Chunk size mismatch
23    Invalid True-IP/XFF Orginal Client IP
24    Multiple Host headers
25    Hostname exceeds 255 characters
27    Chunked encoding - excessive consecutive small chunks
28    Unbounded POST (without Content-Length or Transfer-Encoding: chunked)
29    multiple true IPs in a session
30    both true_client_ip and XFF hdrs present
31    unknown method
32    simple request (HTTP/0.9)


The following alert is generated with generator ID 120:

SID   Description
---   -----------
1     Anomalous HTTP server on undefined HTTP port
2     Invalid HTTP response status code
3     No Content-Length or Transfer-Encoding in HTTP response
4     UTF Normalization failure
5     HTTP response has UTF-7 charset
6     HTTP response gzip decompression failed
7     Chunked encoding - excessive consecutive small chunks
8     Invalid Content-Length or chunk size in request or response
9     Javascript obfuscation levels exceeds 1
10    Javascript consecutive whitespaces exceeds max allowed    That is the one we can pinpoint here!
11    Multiple encodings within Javascript obfuscated data
   

info credits go to PioneerAxon on http_inspect rules by Daniel Roelker from Snort-ML.

polonus