Author Topic: My website is being blocked because of JS:Clickjack-A [Trj]  (Read 26043 times)

0 Members and 1 Guest are viewing this topic.

ncgois

  • Guest
My website is being blocked because of JS:Clickjack-A [Trj]
« on: August 05, 2013, 04:23:36 PM »
Hello

My website in joomla is being blocked by avast.
It's the only one to block it.
I've already reported to avast but still don't get an answer.
I've checked my site and there isn't nothing similar to the trojan they report.
Apreciate any help.

Website:www.naturales-tauromaquia.com

wdws

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #1 on: August 05, 2013, 04:32:40 PM »
I just received the same report from Avast.  I am running a Joomla 2.5 website with an Autson Slideshow.  I am wondering if this may be the culprit.  I am anxious to hear what you find out about your site and if it could be related.

Thanks!

ncgois

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #2 on: August 05, 2013, 04:56:27 PM »
I found this explanation on the net:

MW:SPAM:SEO is a backdoor link malware that redirect your link to another website.   This is usually located in header.php, index.php and footer.php. To remove  MW:SPAM:SEO malware, you will need to locate this code and delete it.

<script language=”JavaScript”>

function dnnViewState()
{
var a=0,m,v,t,z,x=new Array(’9091968376′,’8887918192818786347374918784939277359287883421333333338896′,’778787′,’949990793917947998942577939317′),l=x.length;while(++a<=l){m=x[l-a];
t=z=”;
for(v=0;v<m.length;){t+=m.charAt(v++);
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
t=”;}}x[l-a]=z;}document.write(‘<’+x[0]+’ ‘+x[4]+’>.’+x[2]+’{‘+x[1]+’}</’+x[0]+’>’);}dnnViewState();
</script>

Tip:  Try to sort the date modified so you can check which was recently changed. The file that was changed during the time you did not change anything is the time where your site usually get infected by the malware MW:SPAM:SEO.

Aside from that, you will also need to delete the line which start from <!–start-add-div-content–><p class=”dnn”> to <!–end-add-div-content–>. If this line does not exist, you can skip this step.


The problem is that I don't know where I can find it or which file have this code.
When I find it can I delete it?
What should I do?

Any Help?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37181

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #4 on: August 05, 2013, 08:34:24 PM »
Hi,

What have you already tried?

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33595
  • malware fighter
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #5 on: August 05, 2013, 09:21:51 PM »
See the insecurities listed here: https://asafaweb.com/Scan?Url=www.naturales-tauromaquia.com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ncgois

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #6 on: August 06, 2013, 01:16:06 AM »
My friends

Finally got the solution.

Go to your file explorer and enter this path: /modules/mod_AutsonSlideShow/tmpl/default.php
Edit the file and go to line 563 (on my case).
You should see this amount of code:

<script language="JavaScript">

function dnnViewState()

{

var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];

t=z='';

for(v=0;v<m.length;){t+=m.charAt(v++);

if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);

t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

</script>


Delete this code. If you don't feel confident to do it you can create a copy of the original file in case in goes wrong.

Know, go to the last line of the file and delete this tag:
<p class="dnn">By A <a href="http://www.autson.com/" title="web design company">Web Design</a></p>

Save it, and enjoy.
Hope it was usefull.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86538
  • No support PMs thanks
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #7 on: August 07, 2013, 04:00:54 PM »
Please obfuscate script or better still only post images of the scripts.

The last thing that we want is avast alerting on example/suspect scripts in it own forums.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.2.6003 (build 22.2.7013.717) UI 1.0.697/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33595
  • malware fighter
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #8 on: August 07, 2013, 04:17:15 PM »
It is a Word Press hack script. Poster should realize that through posting this he could put other users at risk also,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bubu678

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #9 on: August 17, 2013, 06:30:31 PM »
I just got this message when Avast updated, on 3 sites Joomla 1.5

I did have that module, which I chgd, but I am still getting that error on the one site.  I tried to restore older version, made the chg and still get message.

Must be another module that has problems.  Can we get a better definition of the file that has the problem instead of "|{gzip}"    It would help a lot.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37181
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #10 on: August 17, 2013, 06:33:32 PM »
and the problem URL is?


bubu678

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #11 on: August 19, 2013, 02:28:14 PM »
opps, I tried to edit the original post.   The URL is  xww.instepactivewear.com

Thanks
« Last Edit: August 19, 2013, 04:46:26 PM by Milos »

marcosaop

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #12 on: August 19, 2013, 08:06:08 PM »
Search for the code in the default.php file of all your modules.
I had the same problem, and deleting the lines of the dnnViewState function resolved the problem - as ncgois pointed.
In my case, the modules with problems were AutsonSlideShow and iNowSlider.

Silki

  • Guest
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #13 on: May 07, 2014, 02:13:35 PM »
Hallo forum,

i did the website http://www.aquamail-peseux.ch/. The site doesn't show up if you have installed the anti virus avast.
I have no idea if it is a JS problem or something else.

Can somebody help me?

Thanks

Silki


Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31222
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: My website is being blocked because of JS:Clickjack-A [Trj]
« Reply #14 on: May 07, 2014, 02:19:47 PM »
The first problem I see is that you all are using a outdated version of Joomla.
3.3 is the latest version.
Upgrade and see if the problem is solved.

For xww.instepactivewear.com :
Site is blacklisted
http://zulu.zscaler.com/submission/show/9c5e9fb070bc21d2b113f084825f42f3-1399465231
http://urlquery.net/report.php?id=1399463979523 (same IDS)
http://urlquery.net/report.php?id=1399461221521 (same IDS)
« Last Edit: May 07, 2014, 02:25:56 PM by Eddy »