Author Topic: [SOLVED] JS:Cruzer-C on my forum!!  (Read 9901 times)


SekhemAkassha

  • Guest
[SOLVED] JS:Cruzer-C on my forum!!
« on: May 30, 2009, 06:22:02 PM »
I have a big problem on my forum. It is a JS:Cruzer-C Trojan Horse.
My computer is scanned with Avast and Spybot Search & Destroy, and it is clean.
This weekend the host will move the site (with the others) to another server.

I am following the instructions over here, but I can't find the trojan horse.

This is the link to my site: www. oude egypte .nl
  
I don't know if the site is hacked.

Last weekend (May 23) there was a power failure in the datacenter, and on Sunday (May 24) the server (where my site is hosted) crashed and totally died. The hoster has put all the sites on another server, but the files for the FTP, the emails and DirectAdmin were corrupt, and the hoster is making new ones for all of us.
This weekend the hoster will move all the sites to a new server.

I have mailed the hoster about this.

What can I do?
« Last Edit: June 02, 2009, 09:34:43 AM by SekhemAkassha »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87624
  • No support PMs thanks
Re: JS:Cruzer-C on my forum!!
« Reply #1 on: May 30, 2009, 06:40:20 PM »
Well, like Igor and Tech, I have visited the above URL and no detections.

So what is the full path to the detection?
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Nor

  • Guest
Re: JS:Cruzer-C on my forum!!
« Reply #2 on: May 30, 2009, 07:05:55 PM »
Hi

I have a problem with AVAST giving a false positive on THIS: hxxp://itmedia.sk/images/itmediask.gif
You can see a picture from one of my customers who told me about this: http://members.chello.hu/jermij/vir.JPG
There's no way this GIF could be infected, as it's the original one which we've been using for years now, and it displays correctly.

Please check what gives the false positive, and let me know / fix the search pattern on your database.

Thank you.

SekhemAkassha

  • Guest
Re: JS:Cruzer-C on my forum!!
« Reply #3 on: May 30, 2009, 07:23:12 PM »
Thanks a lot!!

This is the logfile from Avast:

Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://klanten.bwhs.nl/news/nieuws.php" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewonline.php" file.  
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewtopic.php?f=5&t=130&p=521" file

I will be back tomorrow.
« Last Edit: May 30, 2009, 07:35:44 PM by SekhemAkassha »
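
The Warning.log lines quoted above, grouped by host so it is clear how many distinct sites the signature fired on. This is an added example, not part of the original post or of avast; `summarize` and `defang` are hypothetical helper names, and the only log format assumed is the `Sign of "..." has been found in "..." file` line shown in the post.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Log lines copied from the post above (URLs already defanged as hXXp).
SAMPLE_LOG = """\
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://klanten.bwhs.nl/news/nieuws.php" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewonline.php" file.
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewtopic.php?f=5&t=130&p=521" file
"""

LINE_RE = re.compile(
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<target>[^"]+)" file')

def defang(url):
    """Rewrite an active http/https scheme to hXXp so the URL is not clickable."""
    return re.sub(r"^http", "hXXp", url, flags=re.IGNORECASE)

def summarize(log_text):
    """Group web detections by host: hit count, signatures, unique defanged URLs."""
    hosts = defaultdict(lambda: {"hits": 0, "signatures": set(), "urls": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = urlsplit(m["target"]).hostname
        if not host:  # detection in a local file rather than a web page
            continue
        entry = hosts[host]
        entry["hits"] += 1
        entry["signatures"].add(m["sig"])
        entry["urls"].add(defang(m["target"]))
    return dict(hosts)

if __name__ == "__main__":
    for host, info in sorted(summarize(SAMPLE_LOG).items()):
        print(host, info["hits"], sorted(info["signatures"]))
        for url in sorted(info["urls"]):
            print("   ", url)
```
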

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87624
  • No support PMs thanks
Re: JS:Cruzer-C on my forum!!
« Reply #4 on: May 30, 2009, 08:01:19 PM »
Hi

I have a problem with AVAST giving a false positive on THIS: hxxp://itmedia.sk/images/itmediask.gif
You can see a picture from one of my customers who told me about this: http://members.chello.hu/jermij/vir.JPG
There's no way this GIF could be infected, as it's the original one which we've been using for years now, and it displays correctly.

Please start a New Topic of your own, as this is hijacking the original poster's topic and will just confuse the topic, and we will try to help. - Go to this link, http://forum.avast.com/index.php, scroll down to the Viruses and Worms forum and click it, click the New Topic button at the top of the list and post there.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87624
  • No support PMs thanks
Re: JS:Cruzer-C on my forum!!
« Reply #5 on: May 30, 2009, 08:09:18 PM »
This is the logfile from Avast:

Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://klanten.bwhs.nl/news/nieuws.php" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/index.php" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewonline.php" file. 
Sign of "JS:Cruzer-C [Trj]" has been found in "hXXp://www.oudeegypte.nl/viewtopic.php?f=5&t=130&p=521" file

I have visited all of those and I don't get any alerts. Are you still getting alerts on these pages?

You mentioned your host will be putting all sites on another server, perhaps he has done that and things are clean. Though that wouldn't account for the first URL klanten.bwhs.nl/news/nieuws.php unless that site too was hosted on the same original server.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33638
  • malware fighter
Re: JS:Cruzer-C on my forum!!
« Reply #6 on: May 30, 2009, 08:21:00 PM »
Hello SekhemAkassha,

I also went to this log site and got no alerts from avast in Firefox with NoScript active.
Checked via Exploit Prevention Labs Link Scanner and DrWeb's av link scanner, ran blacklistdoctor and unmasked.parasites scans, everything green and no sign of JS:Cruzer-C.

Here is the listing from the malcode detector site: No zeroiframes detected!
Check took 2.19 seconds

(Level: 0) Url checked:
hxtp://www.oudegypte.nl
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://as.casalemedia.com/sd?s=65131&f=1
Blank page / could not connect
No ad codes identified
This could have been it, a link to a WEB OPTIMIZATOR and a 302 re-direct!
(searching for sd?s=65131&f=1 gives malware results)

Just outside the html code:
^EDITED with ^....^!--0.167895078659::1::0.00925946235657-->....
^!--0.192685127258--><!--a09--
At some point there must have been a redirect to a malware site;
this need not be the case now,

polonus
« Last Edit: May 30, 2009, 08:23:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
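
The checks described in the post above (zero-size iframes, script sources on other hosts, and anything sitting just outside the closing html tag), run over a saved copy of a page's source. This is an added example, not part of the original post and not the scanner polonus used; `audit_page`, the sample page and the `example.test` hosts are constructed for illustration, and a finding is something to review, not a verdict.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page, not taken from the site discussed in the thread.
SAMPLE_PAGE = """<html><body>
<script src="http://ads.example.test/sd?s=1"></script>
<iframe src="http://redirect.example.test/" width="0" height="0"></iframe>
</body></html>
<!--0.1::1::0.0--><script>/* constructed trailing block */</script>"""

def _is_hidden(attrs):
    """True for iframes sized 0/1 pixel or hidden through inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style

class _TagAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and _is_hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            host = urlsplit(a.get("src", "")).hostname
            if host and host != self.site_host:
                self.findings.append(("external-script", host))

def audit_page(html, site_host):
    """Return (kind, detail) findings for one page's saved source."""
    audit = _TagAudit(site_host)
    audit.feed(html)
    audit.close()
    end = html.lower().rfind("</html>")
    tail = html[end + len("</html>"):].strip() if end != -1 else ""
    if tail:  # markup appended after the document's closing tag
        audit.findings.append(("after-html", tail[:60]))
    return audit.findings

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_PAGE, "forum.example.test"):
        print(f"{kind}: {detail}")
```
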

SekhemAkassha

  • Guest
Re: JS:Cruzer-C on my forum!!
« Reply #7 on: May 31, 2009, 08:15:54 AM »
@DavidR: I don't get any alerts now. Maybe the site really has moved to another server.

Thank you for looking!

@Polonus:
Thank you for looking so thoroughly.
I no longer get any alerts at all, so I assume that we have now moved to another server.
And yesterday I checked my pages such as index.php, viewtopic.php and a few others, and I could not find any code after the HTML tags.
I hope the problem is solved now.
Once again, thank you very much!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87624
  • No support PMs thanks
Re: JS:Cruzer-C on my forum!!
« Reply #8 on: May 31, 2009, 03:09:32 PM »
@DavidR: I don't get any alerts now. Maybe the site really has moved to another server.

Thank you for looking!
<snip>

You're welcome, hopefully the Host has resolved it with the move.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33638
  • malware fighter
Re: JS:Cruzer-C on my forum!!
« Reply #9 on: May 31, 2009, 04:03:20 PM »
Hi SekhemAkassha,

Very glad for you, and now full steam ahead with the content of your forum; good luck with that and stay safe online,

polonus

John2009

  • Guest
Re: JS:Cruzer-C on my forum!!
« Reply #10 on: May 31, 2009, 05:22:20 PM »
Casalmedia is not very popular with the WOT users.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33638
  • malware fighter
Re: JS:Cruzer-C on my forum!!
« Reply #11 on: May 31, 2009, 05:38:12 PM »
Hi John 2009,

Yes a site that is adware and spyware or even virus related, programs that find pop-ups launched by it in Firefox, and also questions with tracking cookies, users reported this also to McAfee SuiteAdvisor, see their report, WOT gives it an all red. as.casalmedia.com redirects to:
hxtp://promotionalproductes.net/?tmp=domain_inquiry_form&keepThis=true&TB_iframe=true&height=450&width=760

polonus

SekhemAkassha

  • Guest
Re: JS:Cruzer-C on my forum!!
« Reply #12 on: May 31, 2009, 06:03:44 PM »
@DavidR: I hope that too.

@Polonus: The content is going to turn out just fine; now that the scary trojan thing is gone, I can happily get back to work.

I have never heard of Casalmedia, as far as I know, and I don't know how they can put trojans on my site. Maybe it came from the shared server where we were placed after the first server crashed.
I hope that all the problems are really over now.