Author Topic: Website shows infected with JS:HideMe-B [Trj]  (Read 63875 times)

0 Members and 1 Guest are viewing this topic.

clsiburt

  • Guest
Website shows infected with JS:HideMe-B [Trj]
« on: August 04, 2013, 05:36:12 PM »
I have tried to go to the website for a local concert venue and Avast has alerted me that it is infected with JS:HideMe-B [Trj].  I did some searching here and found that I should check a few sites to confirm infection.  None of those other sites show it as infected, just Avast.  Is this a false positive or are the other sites wrong?


hxxp://centennialterrace.org is the site in question.

http://sitecheck.sucuri.net/results/centennialterrace.org shows clean and not blacklisted.

http://www.UnmaskParasites.com/security-report/?page=centennialterrace.org also listed as safe.

Anyone have any thoughts here?

Thanks,
Chris

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #1 on: August 04, 2013, 05:50:01 PM »
Hello Chris,

i looked up some sites either and it looks safe to me.

Here you can the results for many website check sites: http://ScanURL.net/?u=centennialterrace.org#results

For some you have to copy the URL into a box or a field and then click scan.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #2 on: August 04, 2013, 05:51:44 PM »
You can report a false positive over this site here: http://www.avast.com/contact-form.php

Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

clsiburt

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #3 on: August 04, 2013, 06:21:24 PM »
Thanks!  I will try reporting it and see what happens.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #4 on: August 04, 2013, 06:59:33 PM »
Various malware reported for same IP: http://support.clean-mx.de/clean-mx/viruses.php?as=AS31815&sort=email%20asc&response=alive
indicator obfuscation possible for  JCEMediaBox....update to JCE 2.3.2. please or report to twitvid.com/player/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

mike c

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #5 on: August 05, 2013, 08:39:32 PM »
Hi,

I have experienced the same issue, same error/infection from Avast, relating to this site hxxp://www.graceniagara.ca

These two scans look clean,
http://sitecheck.sucuri.net/results/graceniagara.ca
http://www.unmaskparasites.com/security-report/?page=graceniagara.ca

I have already reported it to Avast (yesterday), I haven't heard back yet.

Thanks for any help.

Lain SE

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #6 on: August 05, 2013, 10:04:51 PM »
PLEASE, help me...My site is CLEAN, but Avast has alerted me that it is infected with JS:HideMe-B [Trj]...

How can i fix it??

I have already reported it to Avast, but nothing yet...  :(




Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #7 on: August 06, 2013, 10:03:52 AM »
Hi all,

JS:HideMe-B is triggered when seeing this piece of code:

Code: [Select]
<div id='hideMe'>components inside recipe ingredients referred to as lifestyle Daily cia lis pill <a href="hxxp://sotrueradio .org/">Cia lis without prescription, canada</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>
Of course the exact ad may vary, but this is the template.

From my experience, this is most often appended right after <body> tag.

Honza Zíka
avast viruslab

mike c

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #8 on: August 06, 2013, 02:32:15 PM »
Hi all,

JS:HideMe-B is triggered when seeing this piece of code:

Code: [Select]
<div id='hideMe'>components inside recipe ingredients referred to as lifestyle Daily cia lis pill <a href="hxxp://sotrueradio .org/">Cia lis without prescription, canada</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>
Of course the exact ad may vary, but this is the template.

From my experience, this is most often appended right after <body> tag.

Honza Zíka
avast viruslab



Thank you for that... I did find that in my site. I removed it.

How do I get access back to the site now since Avast is still blocking it? Is there some "unblock" feature, I can't find one.

Thanks

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #9 on: August 06, 2013, 03:34:55 PM »
When we are talking about ScriptShield, there is no database of URLs. If avast cannot see the signature, it does not raise popup message. Maybe you still have the infected version in browser cache?

jbates

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #10 on: August 06, 2013, 07:46:36 PM »
When I visit my work's main page http://yumalibrary.org/public I get the same thing. I searched for the <div id='hideMe'> in the code, but can't find it. What gives?

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #11 on: August 07, 2013, 09:17:19 AM »
When I wget your page (yumalibrary.org/public), I can see it:

Code: [Select]
<div id='hideMe'><p>The drugs also treat..........................Buy branded vi a gr a</a> .</p></div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>

Keep in mind that this code does not have to be on the server in plain text, but if you use any server-side scripting, such as PHP, it can be inserted via some obfuscation (base64, gzinflate, rot13, ...).

Daffy

  • Guest
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #12 on: August 17, 2013, 05:33:17 PM »
Same with my works website.
Kfum-mus.dk

And now we cant enter it. Pls fix this
« Last Edit: August 17, 2013, 05:35:06 PM by Daffy »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #13 on: August 17, 2013, 06:09:29 PM »
Hello Daffy,

you can report this as a false positive ofer this form here: http://www.avast.com/contact-form.php
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Website shows infected with JS:HideMe-B [Trj]
« Reply #14 on: August 17, 2013, 06:25:01 PM »
Please follow the instructions given in previous posts.

Thanks,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."