Author Topic: JS:Redirector-H7 [Trj]  (Read 18169 times)


Peter T

  • Guest
JS:Redirector-H7 [Trj]
« on: May 12, 2009, 07:52:30 PM »
At one of my favourite sites Avast is giving me this warning. I emailed the blogger and he says 'Fsecure' shows him nothing - though he's doing further checking. The site is:

hXXttp://dcscience.net/

Is this a real problem?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: JS:Redirector-H7 [Trj]
« Reply #1 on: May 12, 2009, 08:04:38 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Maybe you could contact its webmaster.
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: JS:Redirector-H7 [Trj]
« Reply #2 on: May 12, 2009, 08:11:03 PM »
There's an encrypted piece of javascript near the beginning of the page... I'd say the detection is correct.

Marky-aCe

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #3 on: May 12, 2009, 10:40:13 PM »
“Re: JS:Redirector-H7 [trj]” I am also getting this from visiting certain websites.

hxxp://www.ultracapacitors.org/templates/rt_chromatophore_j15/js/rokslidestrip.js :

hxxp://www.htid.co.uk/ :

This is very strange as the last site is run by a mate of mine and he would have told me if they had any problems. My gut feeling is that this Trojan has been picked up by my system whilst trawling the web and it has remembered some of the sites that I go to, as this thing is very selective and has only appeared so far when I type these URLs into a search engine, but everything else I type in appears cool.

P.S. After reading items on Pirate Bay’s blog, I discovered something called chans; they seem to be some type of Japanese-orientated image board. Now the last one I looked at was called something like roki? And note that the first report I got ended with js/rokislidestrip.js. I wonder if this is something that has been injected into my system from there, and makes a selective note of the sites you go to, then kicks in when you type in those addresses, making you think it is the actual website that you visit that has the problem.
« Last Edit: May 12, 2009, 11:59:43 PM by Marky-aCe »

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11851
    • AVAST Software
Re: JS:Redirector-H7 [Trj]
« Reply #4 on: May 12, 2009, 10:47:29 PM »
Well, how would he know they have any problems?
If the site is hacked and silently starts to spread malware, without modifying the original page design... how do they find out?

Marky-aCe

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #5 on: May 12, 2009, 11:28:48 PM »
Like many here I am not an expert, just a normal computer user. I specialize in 3D stuff but the rest is still a mystery to me most times, so everything I say has to be premised with this simple fact in mind. My mate’s site has many thousands of hits every day and is linked into all the social networking hangouts, so that if his users had a problem, someone would have contacted them pretty quickly or posted as such on MySpace or Bebo etc. I have had a look round some of them and see nothing mentioned about this issue.

The reason I stated what I did was that, in my humble opinion, two out of the dozen or so URLs that I typed in today were affected. Now this would mean that the percentage of infected sites must be massive, or the creator of this malware just happened to have exactly the same on-line tastes as me; obviously this cannot be true or most of the net would be shouting out, and loudly too, which I have not seen so far, so I come to the conclusion that it must be my machine with the problem. Sort of makes more sense from here, if you get my drift.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:Redirector-H7 [Trj]
« Reply #6 on: May 12, 2009, 11:40:08 PM »
So your friend says htid.co.uk is OK as he would have told you; well, that URL redirects to hXXp://site.htid.co.uk/ and that alerts because it has a dirty great chunk of obfuscated javascript (on a single line after the closing head tag, see image).

I doubt that this is placed there intentionally by your mate.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Marky-aCe

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #7 on: May 12, 2009, 11:49:24 PM »
Thanks DavidR for the updated info. If it's there it's there, but my point about the percentage of my on-line habits being affected is still relevant. Could it be some type of over-sensitivity to web optimization used by sites, or is this a truly new and massive threat come about since today, as yesterday I had no problem with either of the sites mentioned above in my previous posts? I will email the web site concerned later and let you all know the score; every little bit helps I guess.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:Redirector-H7 [Trj]
« Reply #8 on: May 13, 2009, 12:11:18 AM »
Relevant yes, because this is by far the fastest spreading means of infection; hacked sites are on the increase rapidly, as a browse of the avast forums will attest.

Of all of the reported problems like this (hacked site, etc.) that I have checked in the forums 'all' have proved to be good detections.

Check out this page, http://www.avast.com/eng/latest-virus-report.html, looking for HTML:iFrame-inf or any of the JS:Redirector, JS:Script or VBS:Obfuscated and you will find just what I mean.

There are very few AVs that even check for this but avast is all over it like a rash, whilst the rest could be totally oblivious to the problem's existence.

Marky-aCe

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #9 on: May 13, 2009, 12:39:51 AM »
Mucho Gracious and thanks once again David for the info. I have contacted the owner of the said site and shown them the image you posted and they are getting the web developers to have a gander. All I have to do now is work out how to put my mug shot on this here message board :)

Thank you very much, farewell.
« Last Edit: May 13, 2009, 12:47:29 AM by Marky-aCe »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:Redirector-H7 [Trj]
« Reply #10 on: May 13, 2009, 01:28:46 AM »
You're welcome.

Unfortunately you have to have 20 posts to be able to edit your profile details, which includes the avatar.

The problem comes from drive by spammers, who having registered put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can't use the PM function either.

Unfortunately, because of the actions of others, legitimate members suffer from the measures taken to prevent this spamming.

xe-cute

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #11 on: May 13, 2009, 11:47:59 AM »
I've just signed up here as 8hrs ago I went to the website I own, only to get avast! giving me the message about 'JS:Redirector-H7 [trj]' and blocking me from my own site.

I couldn't work out what was wrong, but to cut a long story short most of the pages on my website have code there that I never put there and which was not there 9hrs ago.

Basically, somehow the site's been hacked and I have no idea how. Most php, html, txt and js files are affected and I am having to revert back to a previous backup.

But how did this happen in the 1st place? I have a very secure cpanel code only I know, and cpanel and logs show no other person going in there. My IPB forums are up to date and even if someone had injected malicious code via them, it does not explain how the code ended up on unrelated html pages.

It's like the code magically appeared; all files affected were in the space of 3 mins.

HTML pages have encoded javascript below the header and php pages have encoded php before the main php.

It's driving me up the wall trying to work out how it's been done and how to stop it in future.


If it was not for avast! I would be none the wiser. Also, I have no idea what the code does as it does not seem to redirect anyone or anything... I have no idea how dangerous it is or anything.

I'm just hoping I have caught it quick enough before any search engines blacklist my site.


Does anyone have any more information on this "JS:Redirector-H7 [trj]" and how these hackers put it in place and so fast?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:Redirector-H7 [Trj]
« Reply #12 on: May 13, 2009, 03:15:28 PM »
It doesn't matter if it is JS:Redirector or one of the other code injection alerts, iframe, etc.; the exploit could effectively place any code in there, and avast would detect what it is according to what it tries to do.

You most certainly need to speak to your Host.
-- HACKED SITES - This is commonly down to old content management software being vulnerable; see this example of a HOST's response to a hacked site. This may help you to resolve the problem, and gives some information on what questions to ask your host.

Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to php or a database, which will prevent coding characters from being submitted and run through your software.
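Taken together, xe-cute's description (obfuscated script right after the closing head tag, encoded PHP prepended to scripts, every affected file modified inside a three-minute window) and the host checklist quoted above describe a pattern a site owner can triage with a script run over the web root or a restored backup. The following is an added example, not code from this thread, avast, or the host quoted; the heuristics, tag names, the `own_hosts` parameter and all sample files, hosts and timestamps are constructed for the demonstration.

```python
"""Triage scan of a web root for the injection pattern described in this thread:
an obfuscated <script> right after </head>, encoded PHP prepended to scripts,
redirects planted in .htaccess, and a burst of files all modified within minutes.
Added example; all file names, hosts and contents below are constructed."""
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Heuristic markers of obfuscated JavaScript (a review list, not a signature).
JS_OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|String\.fromCharCode|(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")
# A <script> block that immediately follows the closing head tag.
SCRIPT_AFTER_HEAD = re.compile(r"</head>\s*<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Encoded PHP placed before the page's own code.
PHP_PREPEND = re.compile(
    r"^\s*<\?php\s+(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE)
# Redirect/RewriteRule targets that are absolute http(s) URLs; group 1 is the target host.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:RewriteRule\s+\S+\s+|Redirect(?:Match|Permanent)?\s+.*?)https?://([^/\s]+)",
    re.IGNORECASE | re.MULTILINE)

BURST_WINDOW_SECONDS = 180   # "all files affected were in the space of 3 mins"
BURST_MIN_FILES = 3


def scan_file(path, own_hosts=()):
    """Return heuristic tags for one file; own_hosts are redirect targets that are expected."""
    tags = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return tags
    suffix = path.suffix.lower()
    if suffix in {".html", ".htm", ".php"}:
        m = SCRIPT_AFTER_HEAD.search(text)
        if m and JS_OBFUSCATION.search(m.group(1)):
            tags.append("obfuscated-script-after-head")
    if suffix == ".php" and PHP_PREPEND.match(text):
        tags.append("encoded-php-prepended")
    if suffix == ".js" and JS_OBFUSCATION.search(text):
        tags.append("obfuscated-js")
    if path.name == ".htaccess":
        hosts = {m.group(1).lower() for m in HTACCESS_REDIRECT.finditer(text)}
        if hosts - {h.lower() for h in own_hosts}:
            tags.append("htaccess-external-redirect")
    return tags


def modification_bursts(files):
    """Paths whose mtime sits in a cluster of >= BURST_MIN_FILES within BURST_WINDOW_SECONDS."""
    stamped = sorted(((p.stat().st_mtime, p) for p in files), key=lambda t: t[0])
    flagged, j = set(), 0
    for i in range(len(stamped)):
        while j < len(stamped) and stamped[j][0] - stamped[i][0] <= BURST_WINDOW_SECONDS:
            j += 1
        if j - i >= BURST_MIN_FILES:
            flagged.update(p for _, p in stamped[i:j])
    return flagged


def scan_webroot(root, own_hosts=()):
    """Map each suspicious file (path relative to root) to its list of tags."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    report = defaultdict(list)
    for p in files:
        for tag in scan_file(p, own_hosts):
            report[str(p.relative_to(root))].append(tag)
    for p in modification_bursts(files):
        report[str(p.relative_to(root))].append("modified-in-burst")
    return dict(report)


def build_sample_site(root, t0=1242172800.0):
    """Constructed sample web root: three files touched within 90 s, one untouched for a day.
    t0 is a constructed timestamp (13 May 2009, the date of this thread)."""
    samples = {
        "index.html": ("<html><head><title>home</title></head>"
                       "<script>eval(unescape('%68%65%6c%6c%6f'))</script>"    # decodes to 'hello'
                       "<body>welcome</body></html>", t0),
        "page.php": ("<?php eval(base64_decode('Ly8gcGxhY2Vob2xkZXI=')); ?>\n"  # '// placeholder'
                     "<?php echo 'page'; ?>\n", t0 + 40),
        ".htaccess": ("RewriteEngine On\n"
                      "Redirect 301 /old https://www.example.org/new\n"        # the site's own host
                      "RewriteRule ^(.*)$ http://redirect.example/$1 [R=302,L]\n", t0 + 90),
        "about.html": ("<html><head></head><body>clean page</body></html>", t0 - 86400),
    }
    for name, (content, mtime) in samples.items():
        p = Path(root) / name
        p.write_text(content)
        os.utime(p, (mtime, mtime))


def demo(own_hosts=("www.example.org",)):
    """Build the sample site in a temporary directory, scan it and return the report."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_site(d)
        return scan_webroot(d, own_hosts)


if __name__ == "__main__":
    for path, tags in sorted(demo().items()):
        print(f"{path}: {', '.join(tags)}")
```

Every tag is a reason to look at the file by hand, not a verdict: legitimate minified scripts use `eval` and `unescape`, and a deployment can also touch many files in a short window. The burst check is what makes the other hits credible, since the quoted host advice (check index pages, rogue scripts and .htaccess) leaves the timing observation unused, while the `own_hosts` allow-list keeps a site's normal redirects to its own domain out of the report.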

Marky-aCe

  • Guest
Re: JS:Redirector-H7 [Trj]
« Reply #13 on: May 13, 2009, 07:44:22 PM »
Hi DavidR. Many thanks mate for your assistance in identifying the problem on the HTID website. They have now removed the offending item and would like to thank you for your invaluable help in this matter. So you were right all along. I guess the internets can be a scary place.

Important information regarding my previous posts on this page: I went back to the Chan pages last night to see if I got infected from there. Warning! If you want to look on these boards, be very careful. At first I thought it was just a cool anarchist sort of place in keeping with the pirate ethos, but on closer inspection I have found parts of it to be very dark and disturbing, so if you are curious about this place then I would recommend using a proxy service, turning off Java and the option to download graphics. Then go to one of its many Wiki sites and learn what the codes mean or you will find some very nasty things.

I know this is off subject on a virus site, but as I mentioned it in a previous post I thought it important to fully inform potential users of the dangers.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:Redirector-H7 [Trj]
« Reply #14 on: May 13, 2009, 07:51:04 PM »
You're welcome.