JS:Redirector-H [Trj] Malware

[annumed]

Hi everybody;
I have installed Avast into my laptop, and just finished developing my new website : hxxp://www.annumed.fr
When i try to access to my pages, i receive a waring from avast telling that this website is infected by JS:Redirector-H [trj].
In the beginning, i've monitored the htm pages, i've found a stong js script, deleted it, but now, this code is added just into the temporary page when trying to display the page  :'( :'(.

So do you have a solution for me??? it's very emergency, what i should do??
Thanks for you quick reply.

Miss Annumed.

[polonus]

Hi annumed,

Malicious software includes 11 scripting exploit(s).

Malcode is been hosted on 1 domain, namely 94.247.2.0/
Malicious software includes 32870 scripting exploit(s), 20 trojan(s), 8 exploit(s).

This site was hosted on 1 network(s) including AS41186 (ISPFR),

polonus

[annumed]

Thanks for you reply;
But please do you any solution to resolve this problem, cuz i can't work properly.
It's very important for me .

[DavidR]

The only solution is for the owner/webmaster to remove the malware as their site has been hacked. So you could report it to them if you have an email address for them.

There is a block of obfuscated javascript before the opening Body tag on the page

[Omid Farhang]

now one question from me,

I visited this site and got no warning from my AV, also I allowed JavaScript to run via NoScript in firefox, now what happened to my windows, I think this is a script that load other Virus into browser, but why it did not works for me?!! it seems it's a buggy threat!! 

[DavidR]

The flash opening page isn't infected but when you click on one of the options, I choose Morocco, because of the OP's country then avast alerted.

[Omid Farhang]

The flash opening page isn't infected but when you click on one of the options, I choose Morocco, because of the OP's country then avast alerted.

I did, also I went in other pages too... I used that site, but it seems my computer is still working normal, I did everything with that site without avast!... I'm waiting to see suspicion behavior in my computer 

[annumed]

Thanks for your replies;
You are right, the first page (Flash) doesn't send any alerts, but the other pages yes , I'm the developer of this website using shared hosting (not a dadicated server), all my pages are clean, but the weired script is added temporary when the page is displayed (This is the prb  ) Plllllllz Help.

Thanks again;

Miss Annumed;

[Omid Farhang]

Thanks for your replies;
You are right, the first page (Flash) doesn't send any alerts, but the other pages yes , I'm the developer of this website using shared hosting (not a dedicated server), all my pages are clean, but the weird script is added temporary when the page is displayed (This is the prb  ) Plllllllz Help.

Thanks again;

Miss Annumed;

change your password, don't save your password in upload tools, ask server admin to update and patch software with latest updates, clean your files. hope these steps help a bit, but anyway I'm not expert in this problem.

[DavidR]

You need to ensure that any content management software, PHP, WordPress, SQL, etc. is up to date as many of these hacks use vulnerabilities in older software versions. You should change your ftp passwords to something harder to crack.

So you should also speak to your Host to ask how they/you can prevent this hacking from happening in the future.

Essentially something is able to inject this sctipt tag into your page/s.

I did try to visit the French section and got the same alert.

[annumed]

Thanks lot for all your replies,
Sincerly, everytime, i upload the clean version without this weird script, and get same alerts, that means the problem is with the server, the hosting company is 1and1, i've already tried to explain ti them the problem, and of course they ignored it.
Do u suggest me any other security plus to changing the ftp password?

Thanks again,
Miss Annumed;

[DavidR]

Then give them the link to this topic.

If it is server side then it may be related to what was suggested earlier somehow the content management software is exploited.

If the file is clean on your system it would be clean on the ftp upload. Does your ftp program have the ability to view the page code in uploaded location, to try and find when and how it is injected. I don't know what permission levels you set on the uploaded pages, e.g. the ability for users to read write or execute the files as that needs to be very tight.

[annumed]

I use smarty in this website and Filezilla as FTP software to upload files, but however i develop my own script without using any open source or other external script, i get same problem.

For permission, i give 644 to all files, means just the owner has the right of writing.
This is the first time when meeting this issue. i've develped many websites and scripts.
 Anyway, if you have any other suggests plz don't hesitate.

Thanks;
Naima;

[DavidR]

Sorry no other suggestions it has been a long time since I did any web design and setting security settings, etc. But, 644 should be enough to block write access to your files and that is something that you should ask your Host about, why when set to 644 can 'others' write to your files if they aren't exploiting the hosting software.

Other than that if they aren't happy to help and basically ignoring you I would be looking for another Host and I would be starting to look by asking the same sort of security questions, your existing site has been hacked how would your hosting package help protect me against this fast growing malware problem.

[annumed]

Thanks lot;
i'll then change my FTP password and ask the hosting company, i think also changing them cuz it isn't pratic at all.
If someone has other idea, welcome;

Thanks youuuu;
Naima;