Author Topic: False alert in www.unlock-all-gsm.com  (Read 9887 times)

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #15 on: January 26, 2010, 12:30:09 PM »
When I type www.unlock-all-gsm.com
there is no alert, only in the FAQ page and the blog http://blog.unlock-all-gsm.com
I think that a plugin I downloaded for WordPress (blog) is the cause  ???

Help please
« Last Edit: January 26, 2010, 01:03:25 PM by kadiross »

Offline sp@rky13

  • Jr. Member
  • **
  • Posts: 38
Re: False alert in www.unlock-all-gsm.com
« Reply #16 on: January 26, 2010, 01:28:44 PM »
Still detecting it

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #17 on: January 26, 2010, 01:44:23 PM »
Still detecting it

Thank you, it detects a virus at www.unlock-all-gsm.com  ????? or where, because mine doesn't detect anything on www.unlock-all-gsm.com  except www.unlock-all-gsm.com/faq.html

Thanks again

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #18 on: January 26, 2010, 07:12:10 PM »
When I type www.unlock-all-gsm.com
there is no alert, only in the FAQ page and the blog http://blog.unlock-all-gsm.com
I think that a plugin I downloaded for WordPress (blog) is the cause  ???

Help please

There is an obfuscated script tag after the closing HTML tag (in the blog index page), a standards no-no, aside from it being highly suspicious; see image.

There are a few other scanners that detect this; don't be fooled by the low number of detections, as many don't even look for this, much less detect it.
See http://www.virustotal.com/analisis/af1f3d9474347178316aa95dcb8c680b28e630f136c765b466e4086eb7c5ebf4-1264529114.

Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.494)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline chevymanusa

  • Newbie
  • *
  • Posts: 6
Re: False alert in www.unlock-all-gsm.com
« Reply #19 on: January 26, 2010, 07:51:00 PM »
Hi
I'm the owner of www.unlock-all-gsm.c0m, when I use AVST it says that there is a virus ( .js )
That's not TRUE, because it's a java script file,

So please try to correct this error, I'm losing too many customers because of that.

Best Regards

Can somebody tell me which files are infected so I can remove them please, because I'm working on Mac OS X PLEASE

Thanks


When I type www.unlock-all-gsm.c0m
there is no alert, only in the FAQ page and the blog http://blog.unlock-all-gsm.c0m
I think that a plugin I downloaded for WordPress (blog) is the cause  ???

Help please


Thank you, it detects a virus at www.unlock-all-gsm.c0m  ????? or where, because mine doesn't detect anything on www.unlock-all-gsm.c0m  except www.unlock-all-gsm.c0m/faq.html

Thanks again

I smell a troll.


Edit:
Changed URL's to be void as per DavidR's Suggestion
« Last Edit: January 27, 2010, 09:15:39 AM by chevymanusa »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #20 on: January 26, 2010, 08:17:40 PM »
Troll or not is neither here nor there. Your quotes however, only expand that exposure (if link popularity is the game), not to mention replicate the unbroken links to suspect sites.

Offline Gizbar

  • Jr. Member
  • **
  • Posts: 74
  • So long and thanks for all the fish!
Re: False alert in www.unlock-all-gsm.com
« Reply #21 on: January 26, 2010, 09:18:51 PM »
Picked it up as Trj-Redirector here as well with Avast! 5 free.

Don't really understand html at all, having never learnt any of it (it's in my list of things to do as I'd like a small website, just haven't got round to it yet...).

regards, Gizbar.
Phenom II 955 @ 3.6Ghz, 4GB Ram, Win 7 64-bit HP
2 x 500GB HD, Firefox 3.5, Avast! 5 Free. Ccleaner, Spybot S&D 1.6.2, MBAM free

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #22 on: January 26, 2010, 09:51:16 PM »
When I type www.unlock-all-gsm.com
there is no alert, only in the FAQ page and the blog http://blog.unlock-all-gsm.com
I think that a plugin I downloaded for WordPress (blog) is the cause  ???

Help please

There is an obfuscated script tag after the closing HTML tag (in the blog index page), a standards no-no, aside from it being highly suspicious; see image.

There are a few other scanners that detect this; don't be fooled by the low number of detections, as many don't even look for this, much less detect it.
See http://www.virustotal.com/analisis/af1f3d9474347178316aa95dcb8c680b28e630f136c765b466e4086eb7c5ebf4-1264529114.

Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Hi there,
Thanks for your help, I don't understand which code I must remove ??  ???
Please can you clear it up for me, sorry for my English

Thank you everybody for your help

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #23 on: January 26, 2010, 09:57:31 PM »
Click on the image I posted to expand the image size and you will see the suspect inserted script tag (after the closing HTML tag) that you need to remove.

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #24 on: January 26, 2010, 10:00:07 PM »
Click on the image I posted to expand the image size and you will see the suspect inserted script tag (after the closing HTML tag) that you need to remove.

You mean this line : </html><script>/* Eception*/ Document.write  .......... until the end ?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #25 on: January 26, 2010, 10:15:45 PM »
Yes, as in the image, remove everything after the </HTML> tag

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #26 on: January 26, 2010, 10:18:06 PM »
Yes, as in the image, remove everything after the </HTML> tag

When I open index.php from my blog I find only this:
Code:
<?php
/**
 * Front to the WordPress application. This file doesn't do anything, but loads
 * wp-blog-header.php which does and tells WordPress to load the theme.
 *
 * @package WordPress
 */

/**
 * Tells WordPress to load the WordPress theme and output it.
 *
 * @var bool
 */
define('WP_USE_THEMES', true);

/** Loads the WordPress Environment and Template */
require('./wp-blog-header.php');
?>

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #27 on: January 26, 2010, 10:23:37 PM »
Then it is code injection in the actual wordpress software but the end result of the displayed page source code shows the injection of the code.

You need to ensure that you are using the latest version of wordpress so any vulnerabilities are closed.

Offline kadiross

  • Newbie
  • *
  • Posts: 18
Re: False alert in www.unlock-all-gsm.com
« Reply #28 on: January 26, 2010, 10:26:24 PM »
Then it is code injection in the actual wordpress software but the end result of the displayed page source code shows the injection of the code.

You need to ensure that you are using the latest version of wordpress so any vulnerabilities are closed.

I've updated it this morning, I replaced all WP files ....
All .js are infected  ??? I'm in trouble  HELP Please

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81777
  • No support PMs thanks
Re: False alert in www.unlock-all-gsm.com
« Reply #29 on: January 26, 2010, 10:31:09 PM »
I'm sorry I can't physically help you clean your site, I don't use wordpress, etc.

If all .js files are infected then you will have to replace them with clean ones, check the link in Reply #5 and #6 of the first page to get an idea of the problem and what to do. You should also speak to your Host if they have any support or advice.

- This is commonly down to old content management software being vulnerable, PHP, Joomla, WordPress, SQL, etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

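Added example (not part of the thread, and not code from avast! or the quoted host): a Python sketch of steps 1 and 3 of the clean-up procedure above, flagging any page with a script tag after the closing HTML tag and any .htaccess line that redirects to an absolute URL. Function names and sample files are constructed for illustration. Since the injection in this thread appeared in the served page source rather than in index.php, point it at saved copies of the rendered pages as well as the web root.

```python
import re
import tempfile
from pathlib import Path

SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# Apache directives that send visitors elsewhere when given an absolute URL.
REDIRECT = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?|ErrorDocument)\b.*https?://",
    re.IGNORECASE)

def trailing_script(html):
    """Return whatever follows the last </html> if it contains a <script> tag."""
    parts = re.split(r"</html\s*>", html, flags=re.IGNORECASE)
    tail = parts[-1] if len(parts) > 1 else ""
    return tail.strip() if SCRIPT_TAG.search(tail) else None

def htaccess_redirects(text):
    """Return non-comment .htaccess lines that redirect to an absolute URL."""
    return [ln.strip() for ln in text.splitlines()
            if not ln.lstrip().startswith("#") and REDIRECT.match(ln)]

def scan_tree(root):
    """Walk a web root (or a folder of saved page sources) and list findings."""
    findings = []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == ".htaccess":
            findings += [(rel, "redirect", ln) for ln in htaccess_redirects(text)]
        elif path.suffix.lower() in (".html", ".htm", ".php"):
            tail = trailing_script(text)
            if tail:
                findings.append((rel, "script-after-html", tail[:60]))
    return sorted(findings)

def demo():
    """Scan a small constructed site: one clean page, one injected, one .htaccess."""
    samples = {
        "index.html": "<html><body>ok</body></html>\n",
        "faq.html": "<html>faq</HTML><script>/* constructed */document.write('x')</script>",
        ".htaccess": "RewriteEngine On\nRewriteRule ^ http://redirect.example.invalid/ [R,L]\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_text(body, encoding="utf-8")
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A legitimate .htaccess can also contain absolute-URL redirects (for example http to https), so each hit needs a manual look rather than automatic deletion.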