Author Topic: Ho to remove JS:Redirector-H7 [Trj] (Read 6884 times)

davindersingh · « **on:** May 21, 2009, 01:33:17 AM »

I got JS:Redirector-H7 [trj] virus on my website. I figured it out that its a messed up script on my index files and javascript files

My site is in Joomla, and this virus is spread all over site. How can i remove this. Is there any automated software for that? Or is their any programme through which i can know which all files are infected?

Thanks in advance

!Donovan · « **Reply #1 on:** May 21, 2009, 01:56:37 AM »

Whats your FULL website name?

Example: hXXp://www.your-website-name-here.com

DavidR · « **Reply #2 on:** May 21, 2009, 02:07:37 AM »

Well first you don't mention the site, change the http in the url to hxxp, to avoid accidental exposure.

Ensure that you are using the latest version of Joomla as old version are vulnerable and being exploited.

You will also have to change and passwords, ftp, control panel, etc. Any template files should also be checked as this is a common means of spreading it to new pages, etc. You will have to look for script tags containing obfuscated javascript and remove those tags or upload clean versions after you have taken care of any software updates, etc. You should also speak to your Host.

davindersingh · « **Reply #3 on:** May 21, 2009, 04:20:38 AM »

its
hxxp://www.uwcm.org/shareyourself/

davindersingh · « **Reply #4 on:** May 21, 2009, 08:18:21 AM »

I just checked it.. its on all websites on server

Is there any way to remove that?

zeroality · « **Reply #5 on:** May 21, 2009, 08:52:13 AM »

I had this on my site too. What I did was download the latest copy of my CMS (using CMSMS) and uploaded all the files, overwriting the old ones. I had to do that for my vBulletin forum as well.

That got rid of the virus.

DavidR · « **Reply #6 on:** May 21, 2009, 05:13:53 PM »

Quote from: davindersingh on May 21, 2009, 08:18:21 AM

I just check it.. its on all of my websites on server

Is there any way to remove that?

I don't believe there is an easy to resolve this as the script tags, although the same sort of format, I believe are different so you can't easily use something like a find and replace. You can't use wildcards to remove the opening and closing script tags and the contents as you have legit scripts on the pages.

That is why I said you would effectively have to use your off-line clean back-up files to replace the infected ones.

If you haven't got back-ups, a good time to do some future planning:
Presumably the injected scripts are in the same location after the closing Head tag and before the opening Body tag (see image).

So you might be able to do a find and replace find <Head/>*<Body> (where the * is a wildcard, depends on the software used.) replace with <Head/><BR><BR><Body>. So you are putting the original tags back in place with a couple of line breaks between them.

Author Topic: Ho to remove JS:Redirector-H7 [Trj] (Read 6884 times)

davindersingh

Ho to remove JS:Redirector-H7 [Trj]

!Donovan

Re: Ho to remove JS:Redirector-H7 [Trj]

DavidR

Re: Ho to remove JS:Redirector-H7 [Trj]

davindersingh

Re: Ho to remove JS:Redirector-H7 [Trj]

davindersingh

Re: Ho to remove JS:Redirector-H7 [Trj]

zeroality

Re: Ho to remove JS:Redirector-H7 [Trj]

DavidR

Re: Ho to remove JS:Redirector-H7 [Trj]