Author Topic: Can someone check out this site  (Read 11350 times)

felix222

  • Guest
Can someone check out this site
« on: September 15, 2009, 10:15:14 PM »
A friend's website seems, according to avast, to harbor the JS:ScriptIP-inf [Trj] trojan. I have alerted my friend to alert his host. His host sees no problems.

I don't want to be an alarmist, but I do want my friend's site to be safe. After all, I can't even visit it if it harbors malware.

Could someone with the appropriate version of avast check out hXXp://www.miraclesmagazine.org/, click on one of the QUICK LINKS, and tell me if they, too, are getting a virus alert?

Please send your response to this e-mail address and thanks!

Felix222
« Last Edit: September 15, 2009, 11:30:10 PM by felix222 »

YoKenny

  • Guest
Re: Can someone check out this site
« Reply #1 on: September 15, 2009, 10:45:32 PM »
Welcome Felix222

I was a devout follower of a Course in Miracles for a long time and have seen Marianne Williamson many times and have several of her books.

The site has been hacked and it is a common occurrence right now.

Quote
9/15/2009 4:37:49 PM SYSTEM   1928   Sign of "JS:ScriptIP-inf [Trj]" has been found in "hxxp://www.miraclesmagazine.org/new%20Miracles%20Magazine%20Info.htm" file.  
« Last Edit: September 16, 2009, 02:31:36 AM by YoKenny »

Jtaylor83

  • Guest
Re: Can someone check out this site
« Reply #2 on: September 15, 2009, 11:24:56 PM »
Jsure Javascript Checker found nothing.

Bad Stuff (Jutakys) Detector found nothing saying Empty source - Could not connect to site?.


spg SCOTT

  • Guest
Re: Can someone check out this site
« Reply #3 on: September 15, 2009, 11:28:28 PM »
Hi felix222,

Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected. (You too YoKenny ;D)

This kind of detection is very common these days, with many 'legitimate sites' becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

The site has been hacked, and I think it is caused by this:

Just after the closing html tags there is a script tag (see image). This is against web standards to do this, and is out of place.
To be honest I am not exactly sure if this is what is being alerted to, but it is suspicious...

jsejtko, DavidR any ideas?



A post worth looking at by DavidR:

Actually cleaning the file is not going to resolve why you got hacked it will only clean the file (well avast doesn't clean the file just alerts to it, you have to find and strip out the injected code) and not the cause, you need to contact your host, see below.

-- HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or
"default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
"strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.



Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.



-Scott-

felix222

  • Guest
Re: Can someone check out this site
« Reply #4 on: September 15, 2009, 11:52:22 PM »
I saw the <'javascript'>postamble(); reference at the foot of the pages as you demonstrated. It seems, however, according to other references to this across the web, that this line is endemic to using Zone Alarm software somewhere in the development environment.

I agree that the site's been hacked. No doubt about it. But I require a powerful argument, though gentle, to convince the hosting or developers to take action. Currently they claim there is no issue when clearly there is. This is a disservice to the client (not to mention visitors without adequate security in place) and needs to be rectified.

I reset the http to hXXp. Thanks for heads up on that. I don't frequent forums so I didn't consider. Thanks again.

spg SCOTT

  • Guest
Re: Can someone check out this site
« Reply #5 on: September 15, 2009, 11:58:07 PM »
Yes, it is not the script I posted about. I just checked it...although it shouldn't really be there...

I will keep looking for what it is, and see if I can find it. Someone else may find it in the meantime though...

It seems as though most, if not all, of the 'quick links' are infected...
« Last Edit: September 16, 2009, 12:02:27 AM by spg SCOTT »

felix222

  • Guest
Re: Can someone check out this site
« Reply #6 on: September 16, 2009, 12:06:55 AM »
spg SCOTT,

Avast is reporting the issue as an occurrence of JS:ScriptIP-inf [Trj]. I just need others with avast or a reliable malware detection product to corroborate this issue. I'm fairly certain that with a dozen or so corroborations that JS:ScriptIP-inf [Trj] is reported as being served via this site that the host or developer will give my complaints greater credence. Maybe not.  But I owe it to the innocent friend who merely wants to disseminate info via his site.

Thanks.

spg SCOTT

  • Guest
Re: Can someone check out this site
« Reply #7 on: September 16, 2009, 12:10:56 AM »
I know that avast! is alerting on the site, but my problem is that I cannot seem to see what is causing it (most likely due to my lack of knowledge ;)). Usually it is something like a script tag or something like that which is clear to see...

Hence:

jsejtko, DavidR any ideas?


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: Can someone check out this site
« Reply #8 on: September 16, 2009, 12:32:09 AM »
I saw the script tag after the closing html tag (a standards no-no, so a little suspect). This script tag is somewhat strange; it would appear to be set to run another script, postamble();, and we are not able to see what that script contains.

I also note that whilst waiting for this site to load (takes absolutely ages on dial-up) my trusty firewall reported an attack detection from that IP address, 209.237.150.20, unfortunately that will block that IP for 5 minutes.

So there is most certainly something strange going on with the site. Exactly what is the question as there is no sign of this postamble () script.

I did a whois check on the IP address image1 and that brought up a different domain name, I then did another whois on the miricalesmagazine.org and that brought up the same IP image2; so again I don't know what is going on.

So now I'm wondering if the actual malware name is pretty descriptive, a JS (JavaScript) IP injection, I don't know but that seems close to what has been going on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Can someone check out this site
« Reply #9 on: September 16, 2009, 02:37:40 AM »
Quote
spg SCOTT,

Avast is reporting the issue as an occurrence of JS:ScriptIP-inf [Trj]. I just need others with avast or a reliable malware detection product to corroborate this issue. I'm fairly certain that with a dozen or so corroborations that JS:ScriptIP-inf [Trj] is reported as being served via this site that the host or developer will give my complaints greater credence. Maybe not.  But I owe it to the innocent friend who merely wants to disseminate info via his site.

Thanks.

Have the Webmaster look at this topic. 
Quote
Website by Fran Cosentino: fran@miraclesmagazine.org

felix222

  • Guest
Re: Can someone check out this site
« Reply #10 on: September 16, 2009, 03:18:48 AM »
YoKenny and gang . . .

Said party is running a scan on her machine now. I didn't make the connection that she was the webmaster. You cats out sharp me by miles. We'll see how it goes. Thanks for all of the assistance.

Felix222

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: Can someone check out this site
« Reply #11 on: September 16, 2009, 03:26:02 AM »
She shouldn't have to scan as avast is one of the few AVs that are even looking for this much less detect it. She needs to look at that script tag after the closing html tag and if there is no legit reason for it being there it should be removed.

More importantly if she didn't place it there then there is an exploit inserting it, e.g. likely a hacked site.

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Re: Can someone check out this site
« Reply #12 on: September 16, 2009, 01:35:17 PM »
Hello,

It is probably not hacked - but it uses webstat.net which is blocked. Please switch to some other statistic, because webstat.net was distributing malware in the past.

Best Regards

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: Can someone check out this site
« Reply #13 on: September 16, 2009, 03:27:59 PM »
Thanks jsejtko, do you know what that weird script tag at the bottom of the page that we have been talking about does?

felix222

  • Guest
Re: Can someone check out this site
« Reply #14 on: September 16, 2009, 03:36:20 PM »
Also jsejtko, where resides the evidence that they are using webstat.net? I would need to point that out.

Thanks.
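
Added example, not part of any post in this thread and not Avast's detection logic: a small Python audit for the two things the thread keeps coming back to, a script tag placed after the closing html tag (step 1 of the host's clean-up list quoted in Reply #3) and the question of where a page references a third-party host such as webstat.net. The sample page, its file names and the default block list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PageAudit(HTMLParser):
    """Records <script> tags seen after </html> and every external host referenced."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.trailing_scripts = []  # line numbers of <script> tags after </html>
        self.hosts = {}             # host -> [(line, tag), ...]

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag == "script" and self.html_closed:
            self.trailing_scripts.append(line)
        for name, value in attrs:
            if name in ("src", "href") and value:
                host = urlparse(value.strip()).hostname  # None for relative URLs
                if host:
                    self.hosts.setdefault(host, []).append((line, tag))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True


def audit_page(html, blocked=("webstat.net",)):
    """Return trailing-script lines, all external hosts, and hosts on the block list."""
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    flagged = {h: refs for h, refs in parser.hosts.items()
               if any(h == b or h.endswith("." + b) for b in blocked)}
    return {"trailing_scripts": parser.trailing_scripts,
            "hosts": parser.hosts, "flagged": flagged}


# Constructed sample page (not the markup of the site discussed in the thread).
SAMPLE_PAGE = """<html><head><title>Constructed sample</title>
<script src="/js/menu.js"></script></head>
<body>
<script src="http://www.webstat.net/placeholder.js"></script>
<a href="http://www.example.org/">friend site</a>
</body>
</html>
<script type="text/javascript">postamble();</script>
"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE))
```

The line numbers in the result give the webmaster the exact places in the saved page source to show to the host or developer.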