Author Topic: Site generating JS:Agent-BA[Trj]  (Read 14106 times)


Mystii

  • Guest
Site generating JS:Agent-BA[Trj]
« on: January 20, 2009, 11:44:37 PM »
A website that has been fine for ages started generating a JS:Agent-BA[trj] error today. If one goes directly to a page within the site, no error is shown.  The main page seems to generate this error for those of us running Avast and at least one person running AVG.

Anyone know what causes this? The webmaster is saying it looks like Avast is not reading the javascript menu correctly, but this has never happened previously.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11865
    • AVAST Software
Re: Site generating JS:Agent-BA[Trj]
« Reply #1 on: January 20, 2009, 11:48:58 PM »
Are you saying that both avast! and AVG detect the page? I'd say it's quite likely that the site was hacked and indeed contains something malicious.
What's the address of the website?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33939
  • malware fighter
Re: Site generating JS:Agent-BA[Trj]
« Reply #2 on: January 20, 2009, 11:50:46 PM »
Hi Mystii,

For the moment you can try to go to the page using Firefox with the NoScript add-on installed = enabled.
In that case avast won't alert. What is the site's name? Make the link so it cannot be clicked, like:
hxxp://ad.nl for instance,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mystii

  • Guest
Re: Site generating JS:Agent-BA[Trj]
« Reply #3 on: January 20, 2009, 11:55:11 PM »
Someone just reported that McAfee got the same error.  The site is a commercial one: hxxp://www.cilm.com (obviously, change the xx)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89383
  • No support PMs thanks
Re: Site generating JS:Agent-BA[Trj]
« Reply #4 on: January 21, 2009, 12:21:50 AM »
Pretty much unanimous then, link scanner doesn't like it either.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33939
  • malware fighter
Re: Site generating JS:Agent-BA[Trj]
« Reply #5 on: January 21, 2009, 12:28:06 AM »
Hi Mystii,

Also scandoo.com link checking search engine alerts here:
Quote
Scanning Results: Security & Content Safety
   
  - Use Caution.
   
 This site may represent a potential web risk.
Some users may consider this unwanted.
What more do you want to know?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Site generating JS:Agent-BA[Trj]
« Reply #6 on: January 21, 2009, 12:55:21 AM »
Dr. Web failed to detect anything on that page... Dr. Web is becoming not reliable...
The best things in life are free.

Mystii

  • Guest
Re: Site generating JS:Agent-BA[Trj]
« Reply #7 on: January 21, 2009, 12:59:55 AM »
Apparently the hosting site is dealing with the problem - now that they have acknowledged it as a problem. That's really what I wanted - to know that yes, it was a problem and not just a false positive.

Thanks for the attention to the post!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Site generating JS:Agent-BA[Trj]
« Reply #8 on: January 21, 2009, 01:01:30 AM »
You're welcome. Thanks for posting and feel free to come back any time you need help or just to change experiences 8)
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89383
  • No support PMs thanks
Re: Site generating JS:Agent-BA[Trj]
« Reply #9 on: January 21, 2009, 01:10:51 AM »
Yes, the old obfuscated (defeats DrWeb yet again) script tag, 16 lines outside of the closing HTML tag, on one enormous single line. I have broken it up for ease and stripped out the blank lines.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

guateweb

  • Guest
Re: Site generating JS:Agent-BA[Trj]
« Reply #10 on: January 24, 2009, 09:07:36 PM »
Please help, when opening hxxp://www.guatemalaweb.com the browser tries to open this page and freezes the browser, hXXp://116.50.15.25/stats/getfile.php?f=vispdf AVAST reported the JS:Agent-BA[trj] and I have removed the long script code after the html closing, but still
Thanks
« Last Edit: January 25, 2009, 12:23:06 AM by guateweb »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89383
  • No support PMs thanks
Re: Site generating JS:Agent-BA[Trj]
« Reply #11 on: January 24, 2009, 09:49:52 PM »
Well the second IP address you also need to modify as you did for the first as that is likely to be where the malware payload is. However, the IP is for myrdns.com (HostFresh Internet) and is in Hong Kong.

DrWeb link checker also finds malware at the second link.

The guatemalaweb.com site opens now with no alert, so the chunk of script you removed appears to have done the trick.

However, I assume that you didn't place the script after the closing HTML tag, then the page appears to have been hacked, so you might want to do checks for a similar issue on other pages. You might also want to change any site passwords and talk to the Host about how to combat this script injection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
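The check suggested in the reply above (looking through the site's other pages for a script tag placed after the closing HTML tag), as an added example that is not part of the original thread. The 500-character threshold, the list of file extensions and the two sample pages are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
# A <script> element; an unterminated one is matched up to end of file.
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)(?:</script\s*>|\Z)", re.IGNORECASE | re.DOTALL)
LONG_LINE = 500                             # assumed threshold for "one enormous single line"
PAGE_SUFFIXES = {".html", ".htm", ".php"}   # assumed set of page file types

def trailing_scripts(html):
    """Describe every <script> that starts after the last closing </html> tag."""
    closes = list(CLOSE_HTML.finditer(html))
    if not closes:
        return []   # fragment or template without </html>: nothing to compare against
    findings = []
    for m in SCRIPT.finditer(html, closes[-1].end()):
        longest = max((len(line) for line in m.group(1).splitlines()), default=0)
        findings.append({
            "line": html.count("\n", 0, m.start()) + 1,   # 1-based line of the tag
            "longest_line": longest,
            "single_long_line": longest >= LONG_LINE,
        })
    return findings

def scan_tree(root):
    """Map each page file under root that has trailing scripts to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in PAGE_SUFFIXES:
            found = trailing_scripts(path.read_text(errors="replace"))
            if found:
                report[str(path)] = found
    return report

# Constructed sample pages; the "payload" is inert filler, not real malware.
CLEAN = "<html>\n<body><script>menu()</script></body>\n</html>\n"
INFECTED = CLEAN + "\n" * 16 + "<script>var p='" + "A" * 600 + "';</script>\n"

if __name__ == "__main__":
    for page, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for hit in hits:
            print(f"{page}:{hit['line']} script after </html>, longest line {hit['longest_line']} chars")
```

Run it against a local copy of the site's files and keep the output along with an untouched copy of each flagged page before cleaning, so the host has something to look at.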

guateweb

  • Guest
Re: Site generating JS:Agent-BA[Trj]
« Reply #12 on: January 24, 2009, 10:21:18 PM »
The problem is that hxxp://www.cybershouts.com techs do not believe me, they claim everything is OK, as the second IP, I'm not clear about what you mean, I am not very technical, I will really appreciate more details please.  And I have never added the script at all, I deleted it once and is also in other pages like hxxp://www.guatemalaweb.com/index.html which I will erase as soon I change passwords, how do you think this guy is hacking so many webs at almost the same time? Thanks a lot

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33939
  • malware fighter
Re: Site generating JS:Agent-BA[Trj]
« Reply #13 on: January 24, 2009, 11:04:15 PM »
Ola guateweb,

Well we had that lately with a Dutch site, then the man showed the threat to those that host the website  or the webmaster himself, and they cleansed it and also changed all the log passwords so new or similar  malware could not be installed anew. So if they do not seem to believe you, you can direct them to this site and confronted with what they see here, I think they can no longer ignore it, but some are in denial or just ignorant. Anyway you should be thanked for reporting this and also for protecting others that may go there. Surf safe and secure, and welcome to our forums,

Con Dios,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89383
  • No support PMs thanks
Re: Site generating JS:Agent-BA[Trj]
« Reply #14 on: January 25, 2009, 12:10:58 AM »
Quote
The problem is that hxxp://www.cybershouts.com techs do not believe me, they claim everything is OK, as the second IP, I'm not clear about what you mean, I am not very technical, I will really appreciate more details please.

Who are cybershouts.com, you didn't mention them in your first post ?
I can only assume that they are your web hosts.

The problem being that since you have stripped out the code after the closing html tag the evidence has gone, so when your web host checks, it might find nothing. Taking a screen shot before removing the script would have given you some evidence.

By modifying the second IP I mean doing this hXXp://116.50.15.25/stats/getfile.php?f=vispdf  changing the http to hXXp so the link isn't active exposing forum members to accidental exposure...

Quote
And I have never added the script at all, I deleted it once and is also in other pages like hxxp://www.guatemalaweb.com/index.html which I will erase as soon I change passwords, how do you think this guy is hacking so many webs at almost the same time? Thanks a lot

So I have visited the hxxp://www.guatemalaweb.com/index.html and gained some evidence in the form of images for you (right click on the image and select 'save image as' or words to that effect). I broke up the single line of the script tag to make it easier to see in the image.

Tell them that at the bottom of that page is a malicious script that you didn't place there.
« Last Edit: January 25, 2009, 12:14:17 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security