Author Topic: Website Injected  (Read 4542 times)

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Website Injected
« on: December 09, 2013, 12:01:52 PM »
Dear All,

I just accessed our customer's website and found that their website is injected with JavaScript. But the weird thing is that some web scanners didn't find any issues on this website: hxxp://www.pgascom.co.id/en/

Summary review :
https://www.virustotal.com/en/url/0fed74e1bf61a07db156ea37796945e6aba3dba6263900414714dc32cdc88a18/analysis/
http://anubis.iseclab.org/?action=result&task_id=1fba2f124a5364ce4f1619ba593e6b80f&format=html
http://www.urlvoid.com/scan/pgascom.co.id/
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Website Injected
« Reply #1 on: December 09, 2013, 01:53:19 PM »
javascript check alerts: Suspicious

e="javascript"> function dnnviewstate() { var a=0,m,v,t,z,x=new array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990
Spam SEO malware found: http://sitecheck.sucuri.net/results/www.pgascom.co.id/en/
Issue is with Joomla -> http://vel.joomla.org/articles/844-spotting-spam-code-in-malicious-extensions.html

Not flagged here: http://urlquery.net/report.php?id=8274560   nor here: http://maldb.com/www.pgascom.co.id/en/

Code hiccup found with jsunpack:
wXw.pgascom.co.id/modules/AutsonSlideShow/js/jquery.animate-colors-min.js benign
[nothing detected] (script) wXw.pgascom.co.id/modules/AutsonSlideShow/js/jquery.animate-colors-min.js
     status: (referer=wXw.pgascom.co.id/en/)saved 1745 bytes d638ada8452da2ecd026da4bf64460719b4b0c0f
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined function d
     suspicious:

pol
« Last Edit: December 09, 2013, 06:24:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Yanto.Chiang

Re: Website Injected
« Reply #2 on: December 12, 2013, 06:51:23 PM »
Hi Polonus,

Many thanks for your help in checking this suspicious site. May I know what happened with this website, which is detected as a suspicious site?
Is that because this website is infected by JavaScript on Joomla?

Cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline polonus

Re: Website Injected
« Reply #3 on: December 12, 2013, 07:09:39 PM »
Hi Yanto.Chiang,

This is known JavaScript blackhat spam SEO malware; this often means that it was hacked and the attackers inserted links to their own sites to increase their page rank on search engines. avast detects it as JSL:HideMe-I[Trj].
Read:
htxps://www.google.nl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CEIQFjAB&url=http%3A%2F%2Fvel.joomla.org%2Farticles%2F844-spotting-spam-code-in-malicious-extensions.html&ei=wvqpUtrTE4qI7AaL-oHQDw&usg=AFQjCNHkK310uKc4Wp4C_Hly4Qv4rVun7Q&bvm=bv.57967247,d.ZGU  (avast! Web Shield detects this URL, as there is enough of that code in the description revealed as JS:HideMe-I[Trj])

polonus

P.S. Sometimes this malware can come within the social-media-widget plugin

D
« Last Edit: December 12, 2013, 07:19:03 PM by polonus »
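
A heuristic check for the pattern in the scanner alert quoted in Reply #1 (an inline script that builds an array of long all-digit strings), as an added example that is not part of the original thread or of any scanner named in it. The function and class names, the thresholds and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Thresholds are assumptions for illustration; tune them against your own pages.
MIN_DIGITS, MIN_LITERALS = 6, 3
DIGIT_LITERAL = re.compile(r"""(['"])(\d{%d,})\1""" % MIN_DIGITS)
# Matches "new Array(...)" in any letter case, or a [...] literal.
ARRAY_BODY = re.compile(r"(?:new\s+array\s*\(|\[)([^\])]*)[\])]", re.IGNORECASE)

# Constructed sample page (not taken from the site discussed in the thread).
SAMPLE_PAGE = """<html><head>
<script src="/js/jquery.min.js"></script>
<script>var sizes = ['640', '1024', '2048'];</script>
</head><body>
<script language="javascript">function f(){var a=0,x=new Array('9081726354','1122334455667788','918273','64738291');}</script>
</body></html>"""

class InlineScripts(HTMLParser):
    """Collects the text of every inline (no src) <script> element."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inside = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._inside = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inside = False

    def handle_data(self, data):
        if self._inside:
            self.scripts[-1] += data

def find_digit_arrays(html):
    """Return a finding for each inline-script array of long all-digit strings."""
    parser = InlineScripts()
    parser.feed(html)
    parser.close()
    findings = []
    for index, script in enumerate(parser.scripts):
        for array in ARRAY_BODY.finditer(script):
            literals = [m.group(2) for m in DIGIT_LITERAL.finditer(array.group(1))]
            if len(literals) >= MIN_LITERALS:
                findings.append({"script": index, "literals": len(literals),
                                 "digits": sum(map(len, literals))})
    return findings
```

A hit is a reason to inspect the template or extension that emitted the script, not proof of compromise; legitimate pages occasionally carry numeric ID tables that will trip the same rule.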