Author Topic: JS: Bulered and/or Obfuscated-P, Q  (Read 16642 times)


bearkie

  • Guest
JS: Bulered and/or Obfuscated-P, Q
« on: June 17, 2009, 02:19:41 PM »
I have been getting warning messages regarding JS:Bulered, JS:Obfuscated-P and JS:Obfuscated-Q when using a machine that is protected by avast. In most cases I am offered an option to take no action, but with the home version it will block the connection.

This is most evident with some sites that use Joomla and/or vTiger

see example at site http://rostech.net

Any ideas why and how to correct this?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #1 on: June 17, 2009, 03:11:27 PM »
Content management software, Joomla, etc. are vulnerable to exploit if the version being used is old as it may have security vulnerabilities, which have been closed in the latest software versions.

The site does appear to have been hacked; there is an obfuscated script tag inserted just before the closing body tag. This is on a single very long line, see image. I have broken that long line to make it easier to see (the arrow indicates it goes on for some way still).

Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

So unless you own the site the only thing you can do is inform the owner/webmaster, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #2 on: June 17, 2009, 07:53:22 PM »
Hi bearkie,

Break the link for clicking by the curious of heart that may get themselves infected in the way DavidR described above; these are good security practices in case of an infected site, and indeed the mentioned site has three malicious scripts. Joomla! 1.5 - Open Source Content Management is the generator,
3 suspicious inline scripts found:
Long suspicious script
Code:
var LIfp91eM="L%3u753u";var TR5x="33u673u";var qLsaa="ar aaF";var WpF0aXrA="e61ye6B";var MZMd="var...
Long suspicious script
Code:
var ndvT3="74Y%66Y%43Y%";var Jo9nW="scape(pY5qG";var Xb78AM="3v%eY%64Y";var jPJ3mmiv="U4ESiU44Si";v...
Long suspicious script
Code:
var xV9oh="aP9%7%SaP%";var O8jjlET="al(unesc";var RB65CgV="DO72DO6EDO";var tiFnpU="Ax6EOq4h7Ax";var...
Exploit Prevention Lab LinkScanner Online did not find any exploits, WOT does not like the site,
rostech.net/
checked at Dasient WAM   
Not Blacklisted on:
Google   Firefox   Google Chrome   Norton Safe Web
Blacklist Check Results

Sources checked: 4
Entries found: 0

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

colesent

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #3 on: July 03, 2009, 12:34:08 PM »
Message for Davidr

I am the owner of a holiday cottage website www.colesent.co.uk on which we advertise our 3 holiday cottages in Cornwall. When people using avast visit the site they are getting the same "Bulered trojan" warning as mentioned in this post. Obviously this will probably be putting people off from visiting the site and might be the reason for poor bookings and decreased site visits. I have an extremely rudimentary understanding of the code that goes to make up a website and sort of understand the replies you have given on this post and others but I would be very grateful if you could perhaps look at my site and give me a clue as to what is causing the problem. I am hosted by uk2.net and do not relish having to contact them for help as in the past that has not been very easy! Thank you! Gary.

YoKenny

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #4 on: July 03, 2009, 12:49:10 PM »
Quote
Message for Davidr

I am the owner of a holiday cottage website w w w.colesent.co.uk on which we advertise our 3 holiday cottages in Cornwall. When people using avast visit the site they are getting the same "Bulered trojan" warning as mentioned in this post. Obviously this will probably be putting people off from visiting the site and might be the reason for poor bookings and decreased site visits. I have an extremely rudimentary understanding of the code that goes to make up a website and sort of understand the replies you have given on this post and others but I would be very grateful if you could perhaps look at my site and give me a clue as to what is causing the problem. I am hosted by uk2.net and do not relish having to contact them for help as in the past that has not been very easy! Thank you! Gary.

Make the website not selectable as it is infected
Code:
7/3/2009 6:42:33 AM SYSTEM 1308 Sign of "JS:Bulered [Trj]" has been found in "http://www.colesent.co.uk/" file. 
7/3/2009 6:42:57 AM SYSTEM 1308 Sign of "JS:Bulered [Trj]" has been found in "C:\Users\Ken\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MLEG5PGK\colesent_co_uk[1].htm" file. 

Probably you need to read:
http://blog.avast.com/2009/06/03/gumblarcn-summary

You will have to contact uk2.net to get them to fix the infection.

colesent

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #5 on: July 03, 2009, 01:34:22 PM »
Thank you YoKenny for your reply and interest in my post. The damage to my business happens when people see the warning and do not visit. Other users, however, without avast, visit my site and do not get a warning and do not seem to suffer any ill effects. Do trojans like "bulered" actually do anything or do they just trigger the alert?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #6 on: July 03, 2009, 03:34:11 PM »
No, the damage to your business comes not from the alert but from the fact the site has been hacked.

There is a huge chunk of obfuscated javascript just before the closing Body tag in the frameset page. This script tag is all on a single line and doesn't follow conventional javascript format (a plain language scripting language) and is almost certainly the part avast is alerting on.

avast is one of only a few that is even looking for these hacked sites much less detecting them. Of all the ones that have been reported that I have personally checked they have been good detections.

See image of offending script, which I have broken down from a long single line to make it easier to see.

So you most certainly need to speak to your Host/Webmaster about this.

colesent

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #7 on: July 03, 2009, 04:21:22 PM »
Thank you for your reply and looking at my website for me. I have raised a ticket with UK2.net but I have Microsoft Frontpage. Can I just delete the offending script you have identified? Can I just delete the line?

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #8 on: July 03, 2009, 05:20:12 PM »
Getting rid of the offending script tag will only give you a temporary respite as that doesn't address what it was that exploited vulnerabilities in your site.

- This is commonly down to old content management software being vulnerable, see this example of a Host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to php or a database, which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.


waded01

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #9 on: July 05, 2009, 09:06:54 PM »
I am not at all HTML or coding savvy.  My website shows that it has a trojan Bulered and obfuscated to anyone who uses Avast or a Mac.  Norton and McAfee don't show anything.  Why is this and how can I fix it?  What happened to my site?  Need this fixed asap!!  Site is www.wadelaserclinic.com.  Only shows issue when linking to other page besides home. ???

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33921
  • malware fighter
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #10 on: July 05, 2009, 09:41:12 PM »
Hi waded01,

Change the link URL to htxp or wXw so the curious cannot click on it and get infected!
The malcoded script is placed at the bottom of the web page; it is a large junk of obfuscated code.
Take the code off, change the PHP log-in passwords, else this may reappear within the coming 6 hours. Then, after you have changed the PHP log-in password for a more secure one, put the back-ups back and you are secure again where your web-page visitors with browsers are concerned,

polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #11 on: July 05, 2009, 10:37:53 PM »
Quote
I am not at all HTML or coding savvy.  My website shows that it has a trojan Bulered and obfuscated to anyone who uses Avast or a Mac.  Norton and McAfee don't show anything.  Why is this and how can I fix it?  What happened to my site?  Need this fixed asap!!  Site is wXw.wadelaserclinic.com.  Only shows issue when linking to other page besides home. ???

I get no alerts on the home page, went to one page and got the alert; your site has been hacked. On the page I went to (see below) there is a huge block of obfuscated javascript after the closing html tag, a standards no-no. So I doubt you put it there; this is probably the same location for the other pages avast detected.

05/07/2009   21:27:12   1246825632   SYSTEM   1448   Sign of "JS:Bulered [Trj]" has been found in "hXXp://www.wadelaserclinic.com/velashape.html" file. 

So you need to speak to your Host about how they/you can secure your site, read the quoted text in my previous reply and if you can't do that you will need help from someone who can strip out this script tag, etc. etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
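
Added example, not part of any post in this thread and not avast's detection logic: a small Python scanner for a local copy of a web root that looks for the indicators described in the replies above, namely an inline script sitting directly before the closing body tag or after the closing html tag, written as one very long line of short string pieces like the samples in Reply #2. The thresholds, function names and the sample page are assumptions constructed for this example.

```python
import re
from pathlib import Path

# Thresholds are assumptions for this example; tune them against known-clean copies.
LONG_LINE = 300      # the injected tag is described as one very long line
MIN_FRAGMENTS = 4    # short `var x="...";` pieces, as in the Reply #2 samples
PAGE_SUFFIXES = {".html", ".htm", ".php", ".aspx", ".cfm"}
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
FRAGMENT_RE = re.compile(r"""\bvar\s+\w+\s*=\s*(["'])[^"'\n]{0,40}\1\s*;""")
# Constructed sample: inert string assignments shaped like the injected line.
SAMPLE_LINE = "".join('var v%d="%%7%dY%%6%d";' % (i, i % 10, i % 10) for i in range(40))
SAMPLE_PAGE = "<html><body><p>Cottages</p><script>%s</script></body></html>" % SAMPLE_LINE

def scan_page(html):
    """Return one finding dict per inline script that matches the thread's indicators."""
    lower = html.lower()
    html_end, body_end = lower.rfind("</html>"), lower.rfind("</body>")
    findings = []
    for m in SCRIPT_RE.finditer(html):
        code = m.group(1)
        if not code.strip():
            continue  # external <script src=...> with no inline body
        if html_end != -1 and m.start() > html_end:
            position = "after </html>"
        elif body_end != -1 and m.end() <= body_end and not html[m.end():body_end].strip():
            position = "last element before </body>"
        else:
            position = "elsewhere"
        longest = max(len(line) for line in code.splitlines())
        fragments = len(FRAGMENT_RE.findall(code))
        # Count split string literals instead of searching for decoder names:
        # the quoted samples show pieces such as "al(unesc" split across variables.
        obfuscated = longest >= LONG_LINE and fragments >= MIN_FRAGMENTS
        if obfuscated or position == "after </html>":
            findings.append({"position": position, "longest_line": longest,
                             "fragments": fragments, "obfuscated": obfuscated})
    return findings

def scan_tree(root):
    """Walk a local copy of the web root; return {path: findings} for flagged pages."""
    pages = (p for p in Path(root).rglob("*")
             if p.is_file() and p.suffix.lower() in PAGE_SUFFIXES)
    report = {str(p): scan_page(p.read_text(errors="replace")) for p in pages}
    return {path: hits for path, hits in report.items() if hits}

if __name__ == "__main__":
    print(scan_page(SAMPLE_PAGE))
```

A hit only shows where the injected tag sits; as the quoted host response says, the .htaccess files, uploaded scripts and passwords still have to be dealt with or the tag returns.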

scurrminator

  • Guest
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #12 on: August 04, 2009, 08:54:55 PM »
hello guys,

i am having the same issue, my site is getting hacked again and again, i always remove the same malicious code from my phpbb3, coppermine, wordpress and the static web pages one by one but it's there again after a day or two, contacted my webhosting company but they don't have any solution, my avast antivirus used to tell me that i have some JS:Bulered virus in my pages but i used to ignore till i started getting this on my website hXXp://www.intcube.com though my cpanel was never hacked and i am still able to use it, saw a few posts in the avast forums and some others as well but no one knows about the exact nature of this malware

Quote
http://www.hackthissite.org/forums/viewtopic.php?f=29&t=3849!
http://forum.avast.com/index.php?topic=46176.0
http://forum.avast.com/index.php?topic=46919.0



after going through google advisory pages, i changed my password after cleaning pages from various computers but whenever i would logon my pages would again be infected with the code mentioned above, google says



i checked lemonia.ws google advisory pages and it clearly shows that its the source of virus,



in june there was nothing regarding js:bulered malware in google search, but now we're having a lot of forums where people are discussing this, think it's spreading more and more and maybe someone would help us too, can anyone suggest what should i do?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #13 on: August 04, 2009, 09:08:44 PM »
You shouldn't have ignored the virus alert.
Generally, avast detection is accurate in these cases.

Isn't it an encrypted/obfuscated script or iframe?

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Check here how to clean and make a website secure.

Quote
The vast majority of malware today is distributed over the web, mostly by means of hacked (otherwise legitimate) sites. The attacker usually injects some malicious scripts into some (or all) pages on the site, waiting for an unsuspecting user to visit the site and possibly infect his/her machine.

And this is where avast’s detection capabilities really excel. Its abilities to detect these web-based malicious scripts are second to none, and thanks to the Web Shield and Script Blocking providers, they are used exactly when needed, doing an excellent job stopping the web-based malware right on the entry point.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89141
  • No support PMs thanks
Re: JS: Bulered and/or Obfuscated-P, Q
« Reply #14 on: August 04, 2009, 09:21:12 PM »
Quote
hello guys,

i am having the same issue, my site is getting hacked again and again, i always remove the same malicious code from my phpbb3, coppermine, wordpress and the static web pages one by one but it's there again after a day or two, contacted my webhosting company but they don't have any solution, my avast antivirus used to tell me that i have some JS:Bulered virus in my pages but i used to ignore till i started getting this on my website hXXp://www.intcube.com though my cpanel was never hacked and i am still able to use it, saw a few posts in the avast forums and some others as well but no one knows about the exact nature of this malware
<snip>

Basically you need to close the vulnerability or it will continue to come back, which is commonly out of date content management software being exploited. So you need to check out the Quoted text in my post Reply #8 above and try to comply as best that you can. This will obviously require some help; if the Host provides the content management software, they have to have the latest version/s.