Author Topic: Malware 404javascript.js  (Read 23720 times)


jeronima

  • Guest
Malware 404javascript.js
« on: August 04, 2012, 10:48:52 PM »
Hi everyone,

According to several reports, my website is infected — hxxp://wildgrounds.com
Avast says it's JS:Iframe-EX [Trj]
Kaspersky says it's HEUR:Trojan.Script.Iframer

So, to find more details, I've used several online tools;
https://www.virustotal.com/url/5270b4b018e55dd60546911956a2b2022419a756d9fff267caf6e9b484b39fd3/analysis/1344112173/
http://zulu.zscaler.com/submission/show/e225603d5648a9c16210c0b84c8ba820-1344111932
http://urlquery.net/report.php?id=114528

And nothing was detected.  :P

BUT, then, Sucuri found something;
http://sitecheck.sucuri.net/results/wildgrounds.com 

I've checked my .htaccess files - no problem, my wordpress folders - deleted/reuploaded some files, updated/deleted plugins or useless files.

But it seems it's not enough; the infection is still somewhere according to Sucuri & Avast.

So, where's the problem? I can't see where it comes from, quite frustrating... :-\

Thanks for your help!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Malware 404javascript.js
« Reply #1 on: August 04, 2012, 10:52:30 PM »
yes.... there is a detection by Suricata signatures in the urlquery link you posted

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware 404javascript.js
« Reply #2 on: August 04, 2012, 10:57:40 PM »
You scanned the site for blacklisting on VirusTotal, not the file itself, hence detection was not found.

Zulu couldn't get a return from your site, hence "No external elements were found".

urlQuery never received the iframe write, based on the javascript write results.

These scanners did not detect for a valid reason.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware 404javascript.js
« Reply #3 on: August 04, 2012, 11:14:37 PM »

jeronima

  • Guest
Re: Malware 404javascript.js
« Reply #4 on: August 04, 2012, 11:20:42 PM »
You scanned the site for blacklisting on VirusTotal, not the file itself, hence detection was not found.

Alright, that would be easy if 404javascript.js was actually on the server, but it's not. I guess it's externally added/pointed to by the malicious script. Which is... I don't know. I've run some ssh commands for the usual stuff - eval, preg, hidden - and I've deleted some files, but it didn't change anything in the end.

You've mentioned the Wordpress 404 page. So, it's not a malicious script after all?

yes.... there is a detection by Suricata signatures in the urlquery link you posted

What does it mean?

Thanks for your answers  :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malware 404javascript.js
« Reply #5 on: August 04, 2012, 11:27:05 PM »
Hi jeronima,

Site was vulnerable via xmlrpc.php through a WordPress flaw,
Earlier IDS alerts for: FILEMAGIC Macromedia Flash data (compressed),
see: http://urlquery.net/report.php?id=114780

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malware 404javascript.js
« Reply #6 on: August 04, 2012, 11:42:16 PM »
You've mentioned the Wordpress 404 page. So, it's not a malicious script after all?

No, quite the opposite.

Wordpress uses a 404.php server-side that gets generated as the return 404. Your site appears to have been hacked. To fix and stop avast's alerts, you can do one of the following:
  • Look for suspicious elements (e.g: long strings of code) in the file and delete them
  • Delete the 404.php page and let Wordpress generate a new clean one [recommended]

~!Donovan

jeronima

  • Guest
Re: Malware 404javascript.js
« Reply #7 on: August 05, 2012, 12:39:14 AM »
Site was vulnerable via xmlrpc.php through a WordPress flaw,
Earlier IDS alerts for: FILEMAGIC Macromedia Flash data (compressed),
see: http://urlquery.net/report.php?id=114780


Great, I've made some changes recommended in this article, seems okay now; http://urlquery.net/report.php?id=114808


Wordpress uses a 404.php server-side that gets generated as the return 404. Your site appears to have been hacked. To fix and stop avast's alerts, you can do one of the following:
  • Look for suspicious elements (e.g: long strings of code) in the file and delete them
  • Delete the 404.php page and let Wordpress generate a new clean one [recommended]

Catch-22 here I come!
I still haven't found any suspicious/malicious elements (!!), and using the Thesis framework, I can't delete nor generate a new clean 404 error page - I can only customize it, but that doesn't change anything.

Could it be a false report, or Sucuri's cache not cleared yet...?

anyway, thanks for your help.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malware 404javascript.js [SOLVED]
« Reply #8 on: August 05, 2012, 02:18:43 AM »
Jeronima

Site is no longer alerted/flagged by avast, so you have cleansed it.
Keep your website software up to date and fully patched,
stay safe and secure is the wish of,

polonus

jeronima

  • Guest
Re: Malware 404javascript.js
« Reply #9 on: August 05, 2012, 11:10:21 AM »
Site is no longer alerted/flagged by avast, so you have cleansed it.

polonus,

When you come via Google/from an external source, there's still an alert from avast.

I've run a scan of a copy of my site/database on my computer, avast didn't find anything malicious.  :o

That's quite strange.
« Last Edit: August 05, 2012, 11:18:29 AM by jeronima »

jeronima

  • Guest
Re: Malware 404javascript.js
« Reply #10 on: August 07, 2012, 12:34:55 PM »
Problem solved - clean sucuri report 8)

The infected file was somehow hidden: it was a fake/useless gif named "searchnav" (found in the WordPress theme folder).

Thanks for your help!

 ;D
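Two things in this thread point at the same check: !Donovan's advice in reply #6 to look for long strings of code in the theme files, and jeronima's final finding in reply #10 that the payload lived in a file named like a gif that was not a gif at all. The script below is an added example written for this page; it is not code from the thread, from WordPress, or from any of the scanners mentioned. It walks a theme directory and reports files whose extension does not match their magic bytes, static files that contain PHP tags, and files with the usual dropper markers (eval, decoder calls, zero-size iframes, preg_replace with the /e modifier, long base64-looking blobs). The sample theme it builds in a temp directory, the file names and the pattern list are constructed assumptions.

```python
import os
import re
import tempfile

# Extensions that should never carry server-side code in a theme folder.
STATIC_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png", ".ico", ".css", ".txt"}

# Leading magic bytes for the image types a WordPress theme normally ships.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

PHP_TAG = re.compile(rb"<\?php|<\?=")

# Markers common in injected PHP/JS; a hit is a reason to inspect, not proof of infection.
SUSPICIOUS_PATTERNS = {
    "eval_call": re.compile(rb"\beval\s*\("),
    "decoder_call": re.compile(rb"\b(base64_decode|gzinflate|gzuncompress|str_rot13|unescape)\s*\("),
    "hidden_iframe": re.compile(rb"""<iframe[^>]*(width|height)\s*=\s*["']?0""", re.I),
    "preg_replace_e": re.compile(rb"""preg_replace\s*\(\s*["']/[^"']*/[a-zA-Z]*e[a-zA-Z]*["']"""),
}
# A run of 200+ base64-alphabet characters: the "long string of code" from the thread.
LONG_TOKEN = re.compile(rb"[A-Za-z0-9+/=]{200,}")


def classify_file(path, max_bytes=2_000_000):
    """Return a list of finding names for one file (empty list means nothing notable)."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    findings = []
    # A .gif whose first bytes are not a GIF header is the "searchnav" case.
    if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("magic_mismatch")
    # PHP tags only matter in files that are supposed to be static assets.
    if ext in STATIC_EXTENSIONS and PHP_TAG.search(data):
        findings.append("php_in_static_file")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(data):
            findings.append(name)
    if LONG_TOKEN.search(data):
        findings.append("long_encoded_blob")
    return findings


def scan_tree(root):
    """Map each flagged file (path relative to root, '/' separators) to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            full = os.path.join(dirpath, filename)
            findings = classify_file(full)
            if findings:
                report[os.path.relpath(full, root).replace(os.sep, "/")] = findings
    return report


def build_sample_theme():
    """Constructed sample theme: two clean files, one disguised PHP 'gif', one /e-style template."""
    root = tempfile.mkdtemp(prefix="theme_")
    samples = {
        "404.php": b"<?php get_header(); ?>\n<h1>Not found</h1>\n<?php get_footer(); ?>\n",
        "images/logo.gif": b"GIF89a" + b"\x00" * 32,
        # Hypothetical injected file: PHP behind an image name, zero-size iframe, eval of a decoded blob.
        "images/searchnav.gif": (
            b"<?php echo '<iframe src=\"http://example.invalid/\" width=\"0\" height=\"0\"></iframe>'; "
            b"eval(base64_decode('aGVsbG8=')); ?>"
        ),
        "header.php": b"<?php $s = preg_replace('/(.*)/e', 'x', $s); ?>\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, findings in sorted(scan_tree(build_sample_theme()).items()):
        print(f"{rel}: {', '.join(findings)}")
```

Pointed at a real install (`scan_tree("/path/to/wp-content/themes/yourtheme")`), the report is a triage list, not a verdict: a legitimate minified script can trip `long_encoded_blob`, while a genuine image with a PHP tag in its bytes or a gif that is not a gif deserves a look every time. Diffing the flagged files against a fresh copy of the theme is the quickest way to tell injected content from the author's own code.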