Author Topic: False Website Detection  (Read 6092 times)


Offline MuMonkey

  • Newbie
  • *
  • Posts: 4
False Website Detection
« on: February 18, 2010, 11:42:33 PM »
Hello, I am an admin at Mumonkey.com and some of our users were using avast, and then it pops up with an error about a "http://www.mumonkey.com/js/jquery.resize.text.js" as a JS:Illredir-R [Trj], also a jquery.anchor.js file it calls a JS:Illredir-R [Trj], and the javascript to resize text comes up as a JS:Illredir-R [Trj]. For some, the browser then closes. What can be done to get rid of these 3 false positives? They are clean files.

Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37109
Re: False Website Detection
« Reply #1 on: February 18, 2010, 11:53:59 PM »
This page seems to be <suspicious>
http://www.UnmaskParasites.com/security-report/?page=www.mumonkey.com


Scroll down to "Suspicious Inline Scripts"
« Last Edit: February 18, 2010, 11:57:56 PM by Pondus »

Offline MuMonkey

  • Newbie
  • *
  • Posts: 4
Re: False Website Detection
« Reply #2 on: February 19, 2010, 12:22:03 AM »
Thank you for that, I fixed the 2 javascript errors in the files it was detecting by getting rid of w/e the vars were, and they did not seem to be affecting anything. We still have the problem of the index page only getting a JS:Illredir-R [Trj] in the object "http://www.mumonkey.com/index.php|>{gzip}". Any clue on that one? Sometimes it makes Firefox come up with an error "connection reset", which avast! says it aborted the connection. Any suggestions? Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37109
Re: False Website Detection
« Reply #3 on: February 19, 2010, 12:48:31 AM »
Quote
Any suggestions? Thank you.
Sorry no expert on this, but Polonus or DavidR probably have an idea.....when they are back online

Offline MuMonkey

  • Newbie
  • *
  • Posts: 4
Re: False Website Detection
« Reply #4 on: February 19, 2010, 01:09:51 AM »
I'm just wondering if the vars at the end of all of our javascripts, that I have no idea what do, are causing this. Here are the 2 vars that show up as suspicious. Could they be the culprit?
« Last Edit: February 19, 2010, 02:12:40 AM by MuMonkey »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85797
  • No support PMs thanks
Re: False Website Detection
« Reply #5 on: February 19, 2010, 01:59:37 AM »
Virtually all of your .js scripts appear to have been hacked in the same way as the UnmaskParasites report.

I got alerts on over 6 of them before I killed the page.

Modify and Remove the attachment in your post as avast is alerting on that too.

What created your .js files?
Hacks like this are usually down to out of date/vulnerable content management software being exploited.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.697) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline MuMonkey

  • Newbie
  • *
  • Posts: 4
Re: False Website Detection
« Reply #6 on: February 19, 2010, 02:17:05 AM »
Ok, I removed the attachment. Ermmm..... what in the world is that? Encrypted javascript? I will try removing it from the site. As to who made the javascript, I don't think it was there at first. It just started recently, so I am guessing this was an attack on the site (it has happened before). >.> Thanks

Found the problem, an Iframe that shouldn't be there....
Thanks for the help! Problem is solved on avast! side of things
« Last Edit: February 19, 2010, 02:24:34 AM by MuMonkey »
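
Added example, not part of the original thread or any poster's code: Reply #4 describes unknown vars at the end of every JavaScript file and Reply #5 says nearly all the .js files were altered the same way, so one way to surface that pattern on a web root is to look for a long identical tail shared by otherwise unrelated scripts. The function names, thresholds and sample file contents are assumptions constructed for illustration.

```python
from itertools import combinations
from pathlib import Path


def common_suffix(a: str, b: str) -> str:
    """Longest string that both a and b end with."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def shared_tails(files: dict, min_len: int = 30, min_files: int = 3) -> dict:
    """Map each long tail shared by >= min_files files to the files ending with it."""
    # Unrelated scripts normally share only a few closing characters, so a long
    # identical tail across many of them suggests the same block was appended.
    texts = {name: body.rstrip() for name, body in files.items()}
    candidates = set()
    for a, b in combinations(texts.values(), 2):  # pairwise: fine for a site's JS folder
        tail = common_suffix(a, b)
        if len(tail) >= min_len:
            candidates.add(tail)
    hits = {}
    for tail in candidates:
        names = sorted(n for n, t in texts.items() if t.endswith(tail))
        if len(names) >= min_files:  # drops tails that only one pair happens to share
            hits[tail] = names
    return hits


def scan_webroot(root: str, **kw) -> dict:
    """Run shared_tails over every .js file under root (hypothetical helper)."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.js")}
    return shared_tails(files, **kw)


# Constructed sample: three unrelated scripts with one identical appended line and
# one untouched script. The appended line is an inert placeholder, not real malware.
APPENDED = "\nvar zz9 = 'PLACEHOLDER-OBFUSCATED-STRING-0123456789';"
SAMPLE = {
    "js/resize.js": "function resize(n){document.body.style.fontSize=n+'px';}" + APPENDED,
    "js/anchor.js": "function anchor(id){location.hash=id;}" + APPENDED,
    "js/menu.js": "var menu={open:false};" + APPENDED,
    "js/clean.js": "function noop(){}",
}

if __name__ == "__main__":
    for tail, names in shared_tails(SAMPLE).items():
        print(len(names), "files share this tail:", repr(tail), names)
```

Files flagged this way still need to be compared against a known-good copy (a backup or the upstream library release) before anything is deleted, since a shared license footer would match too.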

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85797
  • No support PMs thanks
Re: False Website Detection
« Reply #7 on: February 19, 2010, 04:39:09 AM »
JavaScript is a plain language scripting language, under normal circumstances there should be no need to encrypt it, but I don't believe this attachment is encrypted, or it couldn't easily be scanned as it would first require decryption.

This attachment was a zipped (packed) javascript file, the act of zipping it actually obfuscates the javascript code trying to hide its true purpose or intent.