Possible JS:Redirector-H5 infection

[askfig]

I am a long time Avast user, but new to the forum. I accessed the following website hxxp://www.apostolicfaithonline.org/ but when I tried to access several links; "Instructors";"Student Handbook"; and "Testimonials" the warning popped up informing me that the page was infected with a trojan JS:redirector-h5.  I aborted the link and did a search on this warning and the avast forum had a link to someone else who had experienced this problem.
I contacted the webmaster who assured me that the problem was on my end. Since I maintain regular updates to the Avast AV, is it possible that this is a false warning?
Thank you in advance for any light you could shed on this issue.

[Lisandro]

Do not post live links to malware or suspicious urls (use hxxt: instead of http: to do it).
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?

I contacted the webmaster who assured me that the problem was on my end.

A common answer of hacked file owners...

[igor]

I'm not an expert in this area, but I can see a strange encrypted piece of javascript in the beginning of the page, right before the BODY tag. (Instructors page, for example).
So I'd say that it's not a false alarm.

[askfig]

Do not post live links to malware or suspicious urls (use hxxt: instead of http: to do it).

Thank you for reminding me. I apologize for posting the full url. Being new to the forum, I did not think about that. Thank you

Isn't it an encrypted/obfuscated script or iframe?Wasn't the site hacked?

Since I am not associated directly with this site, I cannot testify as to the scripts or whether it has been hacked.

I'm not an expert in this area, but I can see a strange encrypted piece of javascript in the beginning of the page, right before the BODY tag. (Instructors page, for example).

Igor, Thank you for your info. I will contact them and tell them that this has been found in their pages.

I appreciate all the help and the promptness of your help.

[spg SCOTT]

Do not post live links to malware or suspicious urls (use hxxt: instead of http: to do it).

Thank you for reminding me. I apologize for posting the full url. Being new to the forum, I did not think about that. Thank you

Could you also modify you previous post to change the link please?
This will prevent other users from potentially becoming infected.

I'm not an expert in this area, but I can see a strange encrypted piece of javascript in the beginning of the page, right before the BODY tag. (Instructors page, for example).

Igor, Thank you for your info. I will contact them and tell them that this has been found in their pages.

Maybe you could also provide a link to this thread also when contacting them, it may help.

-Scott-

[askfig]

Could you also modify you previous post to change the link please?
This will prevent other users from potentially becoming infected.

Done. Thank you.

[polonus]

Hi askfig,

Definitely gumblar related: From the 352 pages on the site that have been tested during the previous 90 days 13 pages without the user's consent have been downloading and installing malicious software. Found to be there on 2009-07-05.
Malicious software includes 226 scripting exploit(s).

Malcode being hosted on 1 domain, e.g. gumblar.cn/.

This site was hosted on 1 network(s) including AS26496 (PAH).

polonus

[askfig]

Polonus and all:
Thank you for your detailed information and for everyone's help. I have sent the link to the person and hopefully, they can get this cleaned up. We all have to continue fighting together to try to keep the lid on this as much as possible. I appreciate all the assistance.

[askfig]

A final update.

I contacted the webmaster, and after showing the evidence of the infection,  it became evident that he did not know how to begin to fix the problem. Because I knew him personally, he gave the ftp info and I cleaned 15 files that were infected with the gumblar infection. The fix was simple but tedious. I had to download each htm file, delete the gumblar script (located below the HEAD and above the BODY, save and upload the cleaned file.

I am in the process of trying to work with him to determine if his computer has become is infected (highly likely) and if so, how to clean his machine so this is not repeated. In addition, I am trying to help him insure the website stays clean.

I want to thank everyone who contributed to this post. I could not have found the problem as quickly, and probably, not at all without the excellent assistance from everyone.  But special kudos to the Avast product that alerted me to the problem in the first place.

Cleaning up, one file at a time.
Thanks again.

[DavidR]

Generally it is the site which gets exploited because of vulnerabilities in the content management software, ftp software, weak passwords, etc. and not so much an infected original file that was uploaded.

If it were the source computer infected then it is highly likely that 'all' pages uploaded would be infected not just a number of them.

- This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rouge" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Also see, Cleansing Gumblar from websites.... (commonly the JS:Redirector- avast detection), http://forum.avast.com/index.php?topic=45517.0.

Also see, Automatic removal of Gumblar/Martuz trojan http://www.danielansari.com/wordpress/2009/05/automatic-removal-of-gumblarmartuz-trojan/.