Author Topic: HTML:IFrame-EJ [Trj] Found on my website( It's back!)  (Read 39761 times)

0 Members and 1 Guest are viewing this topic.

MonsterKat

  • Guest
HTML:IFrame-EJ [Trj] Found on my website( It's back!)
« on: May 10, 2009, 07:32:15 PM »
Hey Everyone!

I went on my website today that I am the owner and web designer of, hxxp://www.valskidsline.com and AVAST came on and said that it had the HTML:IFrame-EJ [trj] located on xxx.valskidsline.com then seconds later it comes up again saying its located in my firefox cache. If I do this on IE, it says its in the Temporary folder, obviously.

Now, I went on my FTP Control Panel, and it the pop-up shows up there aswell. I also went on Gensap.com my website hosting service, and of course the pop-up is there aswell. These are the only sites that it is showing up on, I can go on everything else.

I've tried to log into my Control panel, to check that out and find the virus, but once the Avast popup comes on, it prevents me from logging in.

I've sent an email to my tec support, and if being Sunday, doesn't help. They are also quite slow are replying.

I have Avast Virus running right now, as well as Spybot and Adware.

Don't click on the link, unless you know what you are doing.

Any help I can get would be fantastic.

Edit: Avast Home Scan, Through Disk Scan was completed and no viruses were found. Or so it said anyways.

Happy Mothers Day to your moms!
« Last Edit: May 28, 2009, 10:58:05 PM by MonsterKat »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #1 on: May 10, 2009, 08:56:39 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #2 on: May 10, 2009, 09:04:26 PM »
There is a large chunk of obfuscated script on the same single line, directly after the opening Body tag (two inserted script tags), so it looks like your site has been hacked.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

MonsterKat

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #3 on: May 10, 2009, 09:23:19 PM »
Thank's alot for your help guys. This is so disappointing, I'm good at making sites, but not so good at knowing how to fix or what do to in this situation as this has never happened before. What should I do next? The thing that would make sense to me is log into my cpanel, delete the files or clean them, then re-upload everything right? Change my password info and all of that if it hasn't been already changed by the hacker. I try and go onto the cpanel but when the Avast comes up, I can't log into it, obviously. What else should I do?

Thanks very much everyone

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #4 on: May 10, 2009, 09:29:05 PM »
I'm good at making sites, but not so good at knowing how to fix or what do to in this situation as this has never happened before.
Can you overwrite the files uploading the new ones (maybe by ftp transfer) and without having to log the site hosts?
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #5 on: May 10, 2009, 10:38:48 PM »
Thank's alot for your help guys. This is so disappointing, I'm good at making sites, but not so good at knowing how to fix or what do to in this situation as this has never happened before. What should I do next? The thing that would make sense to me is log into my cpanel, delete the files or clean them, then re-upload everything right? Change my password info and all of that if it hasn't been already changed by the hacker. I try and go onto the cpanel but when the Avast comes up, I can't log into it, obviously. What else should I do?

Thanks very much everyone

You're welcome.


Commonly this happens because of vulnerabilities in the site content management software (PHP,SQL, WordPress, etc.) being exploited, usually because of old versions of the software. So you will need to talk to your Host for advice in that regard if it is them that provide this and ask about how they/you can secure your site to prevent future occurrences.

If avast gets in on the act when you open control panel, I take it this is server hosted ?
If so then you would need Host help in resolving that. However, if you aren't actually running the file and the alert is the web shield then you could pause it. You would have to be extra careful and only be on-line as short a time as possible and enable the web shield again.

If as suggested you just upload and overwrite existing files by ftp, it is entirely possible they end up infected too as has happened in at least one topic that I remember.

This is by no means easy but the first thing is to change passwords for any area to do with uploading/modifying or controlling content, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #6 on: May 10, 2009, 10:42:44 PM »
Can you overwrite the files uploading the new ones (maybe by ftp transfer) and without having to log the site hosts?

If as suggested you just upload and overwrite existing files by ftp, it is entirely possible they end up infected too as has happened in at least one topic that I remember.

Sorry. Out of my knowledge limits  :-[
The best things in life are free.

MonsterKat

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #7 on: May 10, 2009, 11:11:05 PM »
David R hit the nail right on the end! Your very good at this haha, but I'm sure you already know that.  ;)

I emailed the host first thing when I found out that this had happened, telling them everything and this was the response. I was stunned to get a reply, I've had issues before and waited weeks for a response. Prompt isn't there forte.
I actually got a response!

Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and
changed some default settings to help prevent these coding
compromises. The weaknesses were not server wide but rather just made
it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into
their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rouge" files or php scripts uploaded by the hackers
into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess
files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password,
the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and
NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any
resurfacing of the hackers efforts. In some cases you may still have
coding which allows for injection. All user input fields hidden or not
should be hard coded, filtered, and sanitized before being handed off
to php or a database which will prevent coding characters from being
submitted and run through your software.

Thanks,

So I grabbed my guts and tried to log into the host server, so I could see the files. I was quite nervous that the trogan would start to download as soon as I signed in, the pop-up warnings from Avast and AdAware were a site to see. I went on real quickly, searched for any of the files that he had reccomended, and did not see any. There was no files added, BUT my files were altered and the javascript was injected. I went in and editted the index.php & index.html and found the HUGE long injections. The one on index.php was loaded with links and all this crazy stuff, I deleted it and reloaded it. The index.html was all crazy with foreign letter and number combos of a java script. I deleted that and re uploaded it. I then went and looked on the site, and I nolonger recieved any notifications on Avast or Adaware and it looks perfectly normal. I am still looking through all of my pages and making sure nothing has been added. I will then change my passwords, and clear out my computer, run avast again, just to be safe.

I've always been kinda paranoid/ better safe then sorry with everything, so I was shocked to say the least that this has happened. But it was a releif to know that this wasn't at my end, and more so the hosts end.

Thank you everyone for your help, your really awesome! I appreciate David showing me exactly where the problem was when he uploaded the picture. That was a big help for me.

Now that the pop-ups are all clear, is it safe to say the website has been taken care of?

Also, I just noticed this as I was typing this message. I went on my log in-page for the host, and the exact same pop-up is there! hxxp://cpanel2.page14.com and on hxxp://www.gensap.com - my hosts site.

I emailed the host and told them this, but is this a problem caused by my computer or is it at there end? I'm not to sure.

Thanks everyone!
« Last Edit: May 11, 2009, 12:09:19 AM by MonsterKat »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #8 on: May 10, 2009, 11:38:20 PM »
You're welcome.

Thanks for posting the response from the Host, it could help others (I have saved it as there is no identifying detail) in how they go about cleaning house. I too am presently surprised by your Hosts prompt and very helpful response, if only they were all like that instead of ignoring or blaming the user for giving out their passwords.

I don't believe the log-in page alerting has anything to do with your computer as a) this is a server side page, b) and c) you can't modify it because it isn't in your control. I could be wrong (don't think so though ;D), it has been a very long time since I did any web design and securing my site and importantly I didn't use any content management software.

So it may be that all the control panel log-in pages are contaminated by remnants of infected pages on the server side, this is exactly as the infected pages on your site, huge chunk of obfuscated javascript (again two script tags all on one line), see image.

Can you modify the links in your last post, change http to hXXp to avoid accidental exposure to malware.
« Last Edit: May 10, 2009, 11:40:05 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #9 on: May 10, 2009, 11:41:36 PM »
Hi MonsterKat,

Can't you please break the links you gave, like hxtp://suspicious-link.com or www dot suspicious-link dot com, so the curious aren't able to click these links. Why we hold this policy all over these webforums, you can read here where I have explained the reasons for this security principle: http://forum.avast.com/index.php?topic=45139.0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

MonsterKat

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #10 on: May 11, 2009, 12:15:32 AM »
Links are edited and I apologize. I made a mental note to edit them, and then I just simply forgot. Stupid me, I wouldn't want to cause any issues for anyone else, especially after receiving wonderful help.

I emailed the host and told them I have cleaned up the mess at my end, and pointed out the log in page and the main site being infected and I won't be logging into the server until they get it cleaned up, just in case. I managed to get on long enough to clean my site up, and that was it. It's not allowing me to log in anymore, so maybe they have started.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #11 on: May 11, 2009, 12:21:10 AM »
No problem (one down, millions more to go, sorry in joke), we avast users feel a little immune to these types of attack, but it is just good practice not to have links active to suspect sites.

You are fortunate to have a Host that is somewhat more proactive than most, hopefully they are cleaning house also. Lets us know how you get on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #12 on: May 11, 2009, 11:50:08 PM »
MonsterKat,

The site now seems OK: http://www.blacklistdoctor.com/bld/diagnose.php?URL=www.valskidsline.com&scan_id=5830
Unmaks parasites says: This page seems to be <clean>
Exploit Prevention Labs: LinkScanner says:
Congratulations! LinkScanner Online did not find any exploits.
Scanned:    
Monday, May 11, 2009


pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

MonsterKat

  • Guest
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #13 on: May 12, 2009, 11:11:08 PM »
Thanks alot Pol, that's a great help. I didn't know about that site, and I'm glad that  I managed to find all the injected files. I can't thank everyone here for the help enough!

My host still has not replied to my email regarding the log in pages and there site being infected. The prompt reply they gave me, was really a one hit wonder afterall :P :P

So as of now, our site is clean but I can't log in and do anything further because they still haven't fixed it at there end. But our site is now good, and that's my major worry.

Thank-you everyone!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: HTML:IFrame-EJ [Trj] Found on my website PLEASE HELP
« Reply #14 on: May 12, 2009, 11:24:01 PM »
You're welcome.

After such a promising start by your Host :P
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security