Author Topic: Infection: JS: Iframe-XJ [Trj]  (Read 14665 times)


mamozio

  • Guest
Infection: JS: Iframe-XJ [Trj]
« on: January 04, 2013, 11:22:31 AM »
Hi all.
Suddenly, three of my sites based on Joomla are blocked by Avast because it tells me that: "avast! Prevented you from visiting an infected page"
The infection that I detect is:
URL: http://www.miosito.com/index.php | {gzip}
Process: C:\Program Files (x86)\Mozilla Firefox\f ...
Infection: JS: Iframe-XJ [Trj]

Has this ever happened to anyone else? What is it? How can we ensure that the site is no longer blocked? Is it a false positive? :-(
Please help!
I also tried to crawl the URL with VirusTotal, but I do not get any virus or infection :-(

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33979
  • malware fighter
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #1 on: January 04, 2013, 08:45:29 PM »
Content after the </html> tag should be considered suspicious.

440: <!-- 20130104172010 -->

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #2 on: January 04, 2013, 11:24:46 PM »
I have the same problem with my Joomla Sites ... Current Version on Joomla 1.5.

I guess it's an iframe hack on Joomla :-(.


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37642
  • F-Secure user
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #3 on: January 04, 2013, 11:29:53 PM »
and what is the URL ?
post it non-clickable.....http as hxxp and www as wxw


selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #4 on: January 04, 2013, 11:57:28 PM »
htxp://wxw.radialcrush.com

selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #5 on: January 04, 2013, 11:59:32 PM »
i have two more with the same problem ...

sucuri SiteCheck tells me...

Known javascript malware.
Details: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v49

and the infected files :-(

Offline Pondus

Re: Infection: JS: Iframe-XJ [Trj]
« Reply #6 on: January 05, 2013, 12:21:48 AM »
urlQuery.  http://urlquery.net/report.php?id=604786

yepp infected......so not an avast problem

selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #7 on: January 05, 2013, 12:24:10 AM »
any idea how i can remove the malware?

Offline Pondus

Re: Infection: JS: Iframe-XJ [Trj]
« Reply #8 on: January 05, 2013, 12:29:58 AM »
any idea how i can remove the malware?
you can ask Sucuri to help you.  http://sucuri.net/signup.    it is not free

i will PM a guy that is good at this, he may have some idea

 

selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #9 on: January 05, 2013, 12:32:05 AM »
any idea how i can remove the malware?
you can ask Sucuri to help you.  http://sucuri.net/signup.    it is not free

i will PM a guy that is good at this, he may have some idea

would be nice... if you can find somebody who can help me, it will not be for free.

but sucuri.net is too expensive.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89428
  • No support PMs thanks
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #10 on: January 05, 2013, 12:50:39 AM »
In all honesty $89.99 for a year is very cheap in regard to cleaning a site and having: Website Integrity Monitoring; Manual Website Scanning; Blacklist Removal, etc. But that is for one site, with multiple sites it does become more expensive $189.99 for 2-5 sites.

I have seen services like this charging considerably more.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

selon

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #11 on: January 05, 2013, 12:52:40 AM »
In all honesty $89.99 for a year is very cheap in regard to cleaning a site and having: Website Integrity Monitoring; Manual Website Scanning; Blacklist Removal, etc. But that is for one site, with multiple sites it does become more expensive $189.99 for 2-5 sites.

I have seen services like this charging considerably more.

Well, the price for one site is ok, but I got 3 sites infected with Joomla 1.5.
Luckily all my sites with Joomla 2.5 are not infected.

Online polonus

Re: Infection: JS: Iframe-XJ [Trj]
« Reply #12 on: January 05, 2013, 12:58:16 AM »
Howdy selon,

I give you an indication of what might be wrong there, and that is all for free, as we here on avast are all volunteers helping each other out with malcode. Welcome to the avast webforum community!
Run all through redleg's fileviewer. And then we get to the following issues. Also considered the IDS snort http inspect alert urlquery.net provided for us.
Well, it is obfuscated script in the header buffer that will give this IDS alert. It is with the HTTP server response, so it is a server misconfiguration attack with Blackhole landing redirection as a result. What can be seen from the code Redleg gives as suspicious: document create element document body and what follows: all on line 47 is malcode. Mind the malicious spacing here:
Code: [Select]
try{window.docum ent.body++
That was intentional, and repeated. Content after the </html> tag should be considered suspicious. Reinstall php: probably the majority of infected files are index.htm and index.php, then ucp_main.php and mcp_main.php etc. can be infected by the virus landing attack. The template folder might be infected also. Upgrade and harden website server software... The hack was performed through your hosting server, so you should take that up with them!

polonus

P.S. About the attack read: htxp://malwaremustdie.blogspot.com/2012/11/plugindetect-079-payloads-of-blackhole.html
link article author = unixfreaxjp
« Last Edit: January 05, 2013, 01:38:32 AM by polonus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #13 on: January 05, 2013, 02:20:08 AM »
any idea how i can remove the malware?

Hi selon,

I do not use Joomla but I will try to provide useful feedback.

I suggest looking for abnormal code on the FTP index.php and scanning the /templates and /media folders with avast for other potential suspects to examine.

As Polonus states, it would be helpful for you to update your software,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
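
An added example (not part of the thread or any poster's code): one way to run the check polonus and !Donovan describe, walking a downloaded copy of the site and reporting .php/.htm/.html files that carry content after the closing </html> tag. The function names, grading labels and the sample tree are constructed for illustration.

```python
import pathlib
import re
import tempfile

CLOSE_HTML = re.compile(r"</\s*html\s*>", re.IGNORECASE)
COMMENT = re.compile(r"<!--.*?-->", re.DOTALL)
ACTIVE = re.compile(r"<\s*(script|iframe)\b", re.IGNORECASE)
EXTENSIONS = {".php", ".htm", ".html"}

def trailing_after_html(text):
    """Return whatever follows the last </html> tag, stripped ('' if none)."""
    parts = CLOSE_HTML.split(text)
    return parts[-1].strip() if len(parts) > 1 else ""

def classify(trailing):
    """Grade the trailing content: 'active', 'comment-only' or 'other'."""
    if ACTIVE.search(trailing):
        return "active"          # script/iframe appended after the document
    if not COMMENT.sub("", trailing).strip():
        return "comment-only"    # e.g. a bare timestamp-like marker comment
    return "other"               # anything else: review by hand

def scan_tree(root):
    """Walk root and return {relative_path: grade} for files with a tail."""
    findings = {}
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            tail = trailing_after_html(path.read_text(encoding="utf-8", errors="replace"))
            if tail:
                findings[path.relative_to(root).as_posix()] = classify(tail)
    return findings

def demo():
    """Build a constructed sample tree (benign placeholders) and scan it."""
    page = "<html><body>ok</body></html>\n"
    samples = {
        "index.php": page + "<!-- 20130104172010 -->\n",
        "templates/index.php": page + "<script>/* constructed placeholder */</script>",
        "media/clean.html": page,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = pathlib.Path(root, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Run `scan_tree()` against an offline copy pulled over FTP rather than the live server, and compare any flagged file with a clean copy from the original Joomla package or a backup.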

Ddraig

  • Guest
Re: Infection: JS: Iframe-XJ [Trj]
« Reply #14 on: January 16, 2013, 02:15:05 PM »
My website just got hit with this also.

Is this an issue of the host server being infected, or someone figured out ftp account passwords and is uploading the infected code?

Thanks,
Ddraig