Author Topic: Website with suspicious inline script reported..  (Read 20569 times)

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31086
  • malware fighter
Website with suspicious inline script reported..
« on: December 22, 2009, 12:13:45 AM »
Hi malware fighters,

It was reported to me that htXp://www.niburu.nl has had a sign of "JS:Illredir-A [Trj]" found in it.
Suspicious inline script reported
Script outside of <HTML>...</HTML> block
 *
Quote
/*GNU GPL*/ try{window.onload = function(){var G85ga3prhrahe = document.createElement('script');G85...

Can someone verify this?
More info on a similar infection:
hxtp://www.vbulletin.com/forum/showthread.php?332174-virus-alert-on-my-forum

There is a new virus attacking websites hosted on Linux servers. When you go to an infected website it just displays a white screen, but if you view the source you see something like the above: *
It attacks any webpage that it finds on your server that meets the following criteria:
webpage name - index* / default* or *.js

HERE IS HOW TO FIX IT IN 4 EASY STEPS

1) Download this file: Cure GNU GPL Virus File hxtp://seoforums.org/remove-virus.zip

2) Extract the file contained in it; it's called: remove-virus.php

3) Upload that file to the ROOT DIRECTORY of your website

4) Go to: hxtp://YOURWEBSITENAME.COM/remove-virus.php

That's it. It will take a few seconds to a few minutes depending on how large your website is; it scans every file that could be infected, backs it up first, then removes the virus if it finds it.

Once it's done its thing, and you are happy that the virus is gone, then you can delete your backups.



polonus
« Last Edit: December 22, 2009, 01:32:33 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
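
A read-only check for the two signs named in the post above (the `/*GNU GPL*/` marker and script content after the closing `</html>` tag) in the file names it lists. This is an added example, not part of the original thread; the function names and the sample strings are constructed for illustration, and nothing on disk is modified.

```python
import fnmatch
import os
import re

MARKER = "/*GNU GPL*/"                            # comment prefix quoted in the thread
TARGET_PATTERNS = ("index*", "default*", "*.js")  # file names the thread says are hit
CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Constructed samples; the injected script body is deliberately left out.
SAMPLE_INFECTED = "<html><body>ok</body></html>\n<script>/*GNU GPL*/ try{}catch(e){}</script>"
SAMPLE_CLEAN = "<html><head><script src='menu.js'></script></head><body>ok</body></html>\n"


def is_target(name):
    """True when the file name matches one of the targeted patterns."""
    lowered = name.lower()
    return any(fnmatch.fnmatchcase(lowered, p) for p in TARGET_PATTERNS)


def inspect_text(text):
    """Return findings for one file's contents (empty list means nothing flagged)."""
    findings = []
    if MARKER in text:
        findings.append("gnu-gpl-marker")
    closes = list(CLOSE_HTML.finditer(text))
    # The scanner message in the thread: "Script outside of <HTML>...</HTML> block".
    if closes and SCRIPT_TAG.search(text, closes[-1].end()):
        findings.append("script-after-html-close")
    return findings


def scan(root):
    """Walk root read-only and return {relative path: findings} for flagged files."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in filter(is_target, files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = inspect_text(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the walk
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report
```

Run `scan()` against a downloaded copy of the web root and compare each flagged file with a known-good original before replacing it.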

Offline Mpaula

  • Newbie
  • *
  • Posts: 3
Re: Website with suspicious inline script reported..
« Reply #1 on: December 22, 2009, 06:39:16 AM »
I tried the link above and got the same "JS:Illredir-A [Trj]" error through avast again and lost for sure now ... please help?? As in 1) Download this file: Cure GNU GPL Virus File hxtp://seoforums.org/remove-virus.zip


Offline nycxs

  • Newbie
  • *
  • Posts: 6
Re: Website with suspicious inline script reported..
« Reply #2 on: December 22, 2009, 07:34:46 AM »
I had the same virus, it was a javascript hack. I just replaced the compromised file with the original .js file and the redirect hack was gone.  :)

The problem might be pinpointing what file is being compromised. 

Offline nycxs

  • Newbie
  • *
  • Posts: 6
Re: Website with suspicious inline script reported..
« Reply #3 on: December 22, 2009, 07:44:54 AM »
BTW, the link you were directed to DID give the same warning!  :o Psh, that was no cure! Once again, reload any .js scripts and see if that helps.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31086
  • malware fighter
Re: Website with suspicious inline script reported..
« Reply #4 on: December 22, 2009, 01:34:25 PM »
Hi nycxs,

Deleted all the live links, webmasters to cleanse and repair know what to do anyway.
For browser users, you are well protected with a browser that has JS script blocking via the NoScript extension. Thanks to the avast webshield we know about this issue,

pol
« Last Edit: December 22, 2009, 09:22:47 PM by polonus »

Offline HyperFocus2012

  • Newbie
  • *
  • Posts: 1
Re: Website with suspicious inline script reported..
« Reply #5 on: December 22, 2009, 02:18:58 PM »
I had the same problem at my website.
The virus indeed changes not only the .js files but also the index* and default* files.

The script uses FTP for a brute attack and it seems to be a distributed attack, as in the FTP logs it showed multiple IP addresses for this attack from all over the world.
As soon as the first IP had a successful logon, the brute force stopped from all the other IPs as well.
This probably means the attack was set up to compromise this particular website.

I noticed the site mentioned was cleaned.

Greetz

HyperFocus2012
« Last Edit: December 22, 2009, 02:25:31 PM by HyperFocus2012 »
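
The pattern described in the post above, many failed FTP logins from different addresses that end at the first success, can be looked for in the server log. This is an added example, not from the thread; the vsftpd-style log layout, the thresholds and the sample lines (documentation IP ranges) are assumptions.

```python
import re
from collections import defaultdict

# vsftpd-style login lines (assumed layout): ... [user] OK|FAIL LOGIN: Client "ip"
LOGIN = re.compile(r'\[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')

# Constructed sample; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Mon Dec 21 03:10:01 2009 [pid 4101] [webmaster] FAIL LOGIN: Client "192.0.2.10"
Mon Dec 21 03:10:02 2009 [pid 4102] [webmaster] FAIL LOGIN: Client "198.51.100.7"
Mon Dec 21 03:10:02 2009 [pid 4103] [webmaster] FAIL LOGIN: Client "203.0.113.44"
Mon Dec 21 03:10:03 2009 [pid 4104] [backup] FAIL LOGIN: Client "192.0.2.200"
Mon Dec 21 03:10:04 2009 [pid 4105] [webmaster] FAIL LOGIN: Client "192.0.2.10"
Mon Dec 21 03:10:05 2009 [pid 4106] [backup] OK LOGIN: Client "192.0.2.200"
Mon Dec 21 03:10:06 2009 [pid 4107] [webmaster] FAIL LOGIN: Client "203.0.113.91"
Mon Dec 21 03:10:07 2009 [pid 4108] [webmaster] FAIL LOGIN: Client "198.51.100.7"
Mon Dec 21 03:10:09 2009 [pid 4109] [webmaster] OK LOGIN: Client "198.51.100.7"
"""


def find_bruteforce_successes(lines, min_failures=5, min_sources=3):
    """Return {user: details} for the first success after a multi-source failure run."""
    failed = defaultdict(list)   # user -> source IPs of failed attempts so far
    alerts = {}
    for line in lines:
        m = LOGIN.search(line)
        if m is None:
            continue
        user, ip = m.group("user"), m.group("ip")
        if m.group("result") == "FAIL":
            if user in alerts:
                alerts[user]["failures_after"] += 1   # did the guessing stop?
            else:
                failed[user].append(ip)
        elif user not in alerts:
            sources = set(failed[user])
            if len(failed[user]) >= min_failures and len(sources) >= min_sources:
                alerts[user] = {
                    "login_ip": ip,
                    "failures_before": len(failed[user]),
                    "sources": len(sources),
                    "failures_after": 0,
                }
    return alerts
```

A flagged account with `failures_after` at zero matches the observation that the guessing stopped once one address got in; compare `login_ip` with the addresses you normally upload from and change that account's password.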

Offline Mpaula

  • Newbie
  • *
  • Posts: 3
Re: Website with suspicious inline script reported..
« Reply #6 on: December 23, 2009, 11:18:43 PM »
I have several websites, and the index page on all of them along with all my blogs had been hacked, so the blogs were all deleted and I have deleted and re-uploaded all the index pages a few days ago. Ran the scans and all seemed cleared. Now today I went into the index pages and yes, they popped again with the same JS:Illframe-A. Looking at FTP it shows that the hack was updated today.
So now how do I get rid of this thing. Certainly I am not the techie person and I can get around pretty well but this is making me crazy...
Please assist

Thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80908
  • No support PMs thanks
Re: Website with suspicious inline script reported..
« Reply #7 on: December 23, 2009, 11:43:56 PM »
Cleaning simply isn't enough unless you close the vulnerability that is being exploited. Typically this is out of date software.

-- Every 3.6 seconds a website is infected http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.

-- HACKED SITES - This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc. see this example of a HOSTs response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load redirects into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.2.2364/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/
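
Step 3 of the host's procedure quoted in the post above, as an added example that is not part of the post: list the redirect directives in an `.htaccess` file that point at hosts other than your own. The host names and the sample file are constructed, and the directive list covers the common Apache redirect directives only.

```python
import re
from urllib.parse import urlsplit

REDIRECTING = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp",
               "rewriterule", "errordocument"}
URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
VISITOR_COND = re.compile(r"HTTP_(REFERER|USER_AGENT)", re.IGNORECASE)

# Constructed sample for a site served as www.example.org.
SAMPLE_HTACCESS = """\
# site configuration
RewriteEngine On
RewriteCond %{HTTP_HOST} ^example\\.org$ [NC]
RewriteRule ^(.*)$ http://www.example.org/$1 [R=301,L]
ErrorDocument 404 /notfound.html
RewriteCond %{HTTP_REFERER} searchengine\\. [NC]
RewriteRule .* http://redirect-target.invalid/in.php [R=302,L]
Redirect 301 /old http://cdn.example.net/new
"""


def audit_htaccess(text, own_hosts):
    """Return (line number, directive, host, conditional) for each redirect
    directive whose target host is not in own_hosts."""
    findings = []
    conditional = False  # a pending RewriteCond keyed on referer or user agent
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            conditional = conditional or bool(VISITOR_COND.search(line))
            continue
        if directive in REDIRECTING:
            for url in URL.findall(line):
                host = (urlsplit(url).hostname or "").lower()
                if host not in own_hosts:
                    is_cond = conditional and directive == "rewriterule"
                    findings.append((lineno, directive, host, is_cond))
        if directive == "rewriterule":
            conditional = False  # conditions apply to the next RewriteRule only
    return findings
```

A finding with `conditional` set deserves the closest look, because such a redirect fires only for some visitors and the site owner browsing directly may never see it.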

Offline Mpaula

  • Newbie
  • *
  • Posts: 3
Re: Website with suspicious inline script reported..
« Reply #8 on: December 25, 2009, 06:12:24 PM »
Grrrrrrrr. Now I am getting another one, same as the last but now with a B. An Avast warning pops up: a virus has been detected, JS:Illframe-B ... I have searched and searched and I really don't know what to do... How do I get rid of this?
As I stated before I have 7 sites (had); all are down due to that hacking I had and I really need to get them back up and running, but I don't know how to get rid of this crap. I am so frustrated. I keep reading and reading: where do I find this crap on my PC and how do I get rid of it?? Anyone??

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 80908
  • No support PMs thanks
Re: Website with suspicious inline script reported..
« Reply #9 on: December 25, 2009, 07:07:14 PM »
It most probably isn't on your PC but on your site/s.

I suggest that you read the quoted text in my last post of what cleanup was done, if you don't clear the vulnerabilities then it will be back. If you have any content management software it is that, if vulnerable can be exploited, where code can be injected into the compiled page source.

Also speak to your Host, more so if they are all hosted with the same host.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • EC-Council
Re: Website with suspicious inline script reported..
« Reply #10 on: January 01, 2010, 05:46:46 PM »
Hi,

Maybe you need to protect or disable some function on your web server to prevent a hacker or cracker from uploading something that can harm your company website.
Yanto Chiang | IT Security Consultants | John 3:30 He must increase, but I must decrease.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31086
  • malware fighter
Re: Website with suspicious inline script reported..
« Reply #11 on: January 02, 2010, 07:00:16 PM »
Hi malware fighters,

The site I reported initially in this thread was again attacked by hackers to-day - has been cleansed now:
http://www.niburu.nl/index.php?articleID=22457
translation of the Dutch announcement:

Quote
As you may have heard, our website this afternoon around 15:00 hours has been attacked by hackers.
 
On the morning of Sunday, December 20th and the evening of Monday, December 21 hackers have already spent at  damaging our site. These scripts are destroyed and they upload a virus into the system, which also can cause damage to your computer when you visit the forum or will  open Niburu  in your browser.
 
Many of you who have a good virus scanner installed, immediately get a warning that a "Trojan" virus tries to enter. Visitors without a virus scanner unfortunately will get it on their computer and it can be damaging to your PC.
 
Our webmaster has strengthened the site after the attacks of 20 and December 21 so hackers are less likely to succeed again.
 
Yet again this afternoon they managed to penetrate the system via a botnet, a website from which hundreds of thousands of IP addresses were being attacked simultaneously.
 
During this attack the hackers were again involved in uploading malicious files, with the aim of damaging the site and to provide us with a virus. This could be prevented/halted in time, so the damage was limited.
 
All problems have now been solved by our webmaster.
 
You will understand that we are surprised by such attacks and not always able to intervene in time too. Nevertheless, we apologize for these inconveniences.
 
(If your virus scanner currently still says that a virus attempts to penetrate when you visit our site, then that comes from within the cache of your browser. So you can empty your "Temporary Internet Files" to clean up.)

pol

Offline trzykas

  • Newbie
  • *
  • Posts: 3
Re: Website with suspicious inline script reported..
« Reply #12 on: January 18, 2010, 02:46:03 PM »

Offline EagleRecon

  • Newbie
  • *
  • Posts: 1
Re: Website with suspicious inline script reported..
« Reply #13 on: April 10, 2010, 06:23:23 PM »

I followed the steps below. A readme document came up giving out a new link with "better code". I tried to load your remove_virus.php but a pop-up showed "Trojan blocked". Files with .js extensions were trying to load on my PC. I'm not that familiar with this stuff. I'm not sure if avast read it as a threat when it's not or your link was hacked and a redirect link was added. In either case, I won't use this one. All my sites were wiped out yet again. I have no viruses on my PC but it looks like they got into my sites via the webhost and not me. A friend of mine who has a different web host had the same thing happen to her.

I wish there was a way to locate these people who are doing this and go to their houses and smash their PCs and wreck their stuff and see how they like it. I used to enjoy web design.... Almost thinking of giving up.

I am using Justhost.com. Does anyone use a webhost that has really good security? I may consider using another webhost or just giving up all the same.




Hi malware fighters,

It was reported to me that htXp://www.niburu.nl has had a sign of "JS:Illredir-A [Trj]" found in it.
Suspicious inline script reported
Script outside of <HTML>...</HTML> block
 *
Quote
/*GNU GPL*/ try{window.onload = function(){var G85ga3prhrahe = document.createElement('script');G85...

Can someone verify this?
More info on a similar infection:
hxtp://www.vbulletin.com/forum/showthread.php?332174-virus-alert-on-my-forum

There is a new virus attacking websites hosted on Linux servers. When you go to an infected website it just displays a white screen, but if you view the source you see something like the above: *
It attacks any webpage that it finds on your server that meets the following criteria:
webpage name - index* / default* or *.js

HERE IS HOW TO FIX IT IN 4 EASY STEPS

1) Download this file: Cure GNU GPL Virus File hxtp://seoforums.org/remove-virus.zip

2) Extract the file contained in it; it's called: remove-virus.php

3) Upload that file to the ROOT DIRECTORY of your website

4) Go to: hxtp://YOURWEBSITENAME.COM/remove-virus.php

That's it. It will take a few seconds to a few minutes depending on how large your website is; it scans every file that could be infected, backs it up first, then removes the virus if it finds it.

Once it's done its thing, and you are happy that the virus is gone, then you can delete your backups.



polonus