Author Topic: JS:Redirector-CV [Trj] on my website?  (Read 8609 times)

0 Members and 1 Guest are viewing this topic.

leosc

  • Guest
JS:Redirector-CV [Trj] on my website?
« on: May 15, 2011, 03:56:19 PM »
Hi there everyone, yesterday I got stuck with this one; AvastFree started warning me about my site with that Trojan popup.
I made a reverse DNS lookup and other sites of my webhosting provider also had that so I think it's something in the hosting. But, is it real or just a false positive? I scanned my url ( XXX.fuajedrez.com )  with the sites some guys mentioned before, so here are the results and I look forward to hearing from you about this issue I'm having:

UrlVoid
Quote
URL analysis tool   Result
Avira   Clean site
BitDefender   Clean site
Firefox   Clean site
G-Data   Clean site
Google Safebrowsing   Clean site
Malc0de Database   Clean site
MalwareDomainList   Clean site
Opera   Clean site
ParetoLogic   Clean site
Phishtank   Clean site
TrendMicro   Unrated site
Websense ThreatSeeker   Unrated site
Wepawet   Unrated site
Additional informationShow all
Normalized URL: http://www.fuajedrez.com/
URL MD5: 86b01c4eee9c223b7c2d27499eae704d
Content-Type: text/html

UrlVoid - VirusScan
Quote
Report   2011-05-15 14:59:27 (GMT 1)
File Name   fuajedrez-com
File Size   9123 bytes
File Type   Unknown file
MD5 Hash   26f168ad2cb636b67759f5d95d975afe
SHA1 Hash   472721bfd9db1730a828fbed4a9c6bbe35b2e375
Detections:   0 / 6 (0 %)
Status   CLEAN
Antivirus   Updated   Engine   Result
AVG   15/05/2011   10.0.0.1190   -
Avira AntiVir   15/05/2011   7.11.7.12   -
ClamAV   15/05/2011   0.97   -
Emsisoft   15/05/2011   5.1.0.2   -
TrendMicro   15/05/2011   9.200.0.1012   -
Zoner   15/05/2011   0.2


VirusTotal
Quote
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: index.html
Submission date: 2011-05-15 12:55:18 (UTC)
Current status: finished
Result: 3 /41 (7.3%)

Safety score: -
Print results
Antivirus   Version   Last Update   Result
AhnLab-V3   2011.05.15.00   2011.05.14   -
AntiVir   7.11.8.21   2011.05.13   -
Antiy-AVL   2.0.3.7   2011.05.14   -
Avast   4.8.1351.0   2011.05.15   JS:Redirector-CV
Avast5   5.0.677.0   2011.05.15   JS:Redirector-CV

AVG   10.0.0.1190   2011.05.15   -
BitDefender   7.2   2011.05.15   -
CAT-QuickHeal   11.00   2011.05.14   -
ClamAV   0.97.0.0   2011.05.15   -
Commtouch   5.3.2.6   2011.05.14   -
Comodo   8709   2011.05.15   -
DrWeb   5.0.2.03300   2011.05.15   -
eSafe   7.0.17.0   2011.05.15   -
eTrust-Vet   36.1.8326   2011.05.13   -
F-Prot   4.6.2.117   2011.05.14   -
Fortinet   4.2.257.0   2011.05.14   -
GData   22   2011.05.15   JS:Redirector-CV
Ikarus   T3.1.1.103.0   2011.05.15   -
Jiangmin   13.0.900   2011.05.14   -
K7AntiVirus   9.103.4648   2011.05.14   -
Kaspersky   9.0.0.837   2011.05.11   -
McAfee   5.400.0.1158   2011.05.15   -
McAfee-GW-Edition   2010.1D   2011.05.14   -
Microsoft   1.6802   2011.05.15   -
NOD32   6123   2011.05.15   -
Norman   6.07.07   2011.05.15   -
nProtect   2011-05-15.01   2011.05.15   -
Panda   10.0.3.5   2011.05.15   -
PCTools   7.0.3.5   2011.05.13   -
Prevx   3.0   2011.05.15   -
Rising   23.57.04.05   2011.05.14   -
Sophos   4.65.0   2011.05.15   -
SUPERAntiSpyware   4.40.0.1006   2011.05.15   -
Symantec   20101.3.2.89   2011.05.15   -
TheHacker   6.7.0.1.197   2011.05.15   -
TrendMicro   9.200.0.1012   2011.05.15   -
TrendMicro-HouseCall   9.200.0.1012   2011.05.15   -
VBA32   3.12.16.0   2011.05.12   -
VIPRE   9286   2011.05.15   -
ViRobot   2011.5.14.4459   2011.05.15   -
VirusBuster   13.6.354.2   2011.05.14   -
Additional informationShow all
MD5   : 26f168ad2cb636b67759f5d95d975afe
SHA1  : 472721bfd9db1730a828fbed4a9c6bbe35b2e375
SHA256: e75089b31e015567edc5cff16411ce45ceac305b78651b54dcb581eedc2f221e

Anubis
Quote

http://anubis.iseclab.org/?action=result&task_id=141109c5b30c2aef469356857454b9390

The screenshot:


EDIT: After a while with the window opened, VirusTotal showed up 3 infections. I'll update the quote.
« Last Edit: May 15, 2011, 04:03:30 PM by leosc »

spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #1 on: May 15, 2011, 04:02:06 PM »
Hi leosc, welcome to the forum :)

I get a 404 error on that js file.

Take a look at the file, and check that there is not any extra script added (generally they are added to the end, not definite though)

Scott

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #2 on: May 15, 2011, 04:11:22 PM »
Thank you Scott.
I don't get the warning only for this file; take a look on the report of the Web Shield, seems like every file is infected, when I know those weren't (at least on my computer, before uploading them):






spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #3 on: May 15, 2011, 04:28:25 PM »
Just while looking at what is creating the alert, but can I ask what is supposed to be on the site? (i.e what is on the homepage?)

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #4 on: May 15, 2011, 04:36:49 PM »
Just an index.html with css & images & legit js running , may I upload a screenshot of the main page or you mean what kind of site is it?
Just while looking at what is creating the alert, but can I ask what is supposed to be on the site? (i.e what is on the homepage?)

spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #5 on: May 15, 2011, 04:52:45 PM »
So all those Keygen links are supposed to be there? Thought so... ::)

Seems the initial script is causing the alert...not exactly sure why...

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #6 on: May 15, 2011, 05:01:41 PM »
No, they are not! Where is that code at? How do I clean the site?  :)

edit: Is it possible that all the sites of my hosting provider, were "injected" with this ?

Quote
Reverse Whois: "FUA" owns about 3 other domains
Email Search: is associated with about 557 domains
Registrar History: 1 registrar NS History: 7 changes on 5 unique name servers over 5 years.
IP History: 8 changes on 6 unique name servers over 5 years.
Whois History: 33 records have been archived since 2007-11-03 .
Reverse IP: 129 other sites hosted on this server.
Registration Service Provided By: INETSUR Network Solutions

Quote
Reverse IP Lookup Results—130 domains hosted on IP address 74.53.249.242
Web Site:
acuarelistasuruguayos.com
alejandrokeller.com
talleressolidarios.org
AND 127 other domains…
You must Log In, Open an Account or Buy a Report to access all 130 results of your search

Try to open one of those, to check if you see the same suspicious code you mentioned above

« Last Edit: May 15, 2011, 05:06:33 PM by leosc »

spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #7 on: May 15, 2011, 05:05:33 PM »
That is the contents of the whole page...

Scripts and LOADS of links for torrents/keygens and the like...

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #8 on: May 15, 2011, 05:10:00 PM »
I made a search on the index.html but I can't find those codes and links you are showing me.
Where did you find them? Can I clean it somehow? Do you have a clue of how this could happen? Thank you.

Quote
That is the contents of the whole page...
Scripts and LOADS of links for torrents/keygens and the like...
« Last Edit: May 15, 2011, 05:11:56 PM by leosc »

spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #9 on: May 15, 2011, 05:12:43 PM »
It is the contents of wXw.fuajedrez.com/

I see now what you meant about the index page, I imagine that this page wasn't supposed to even exist?

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #10 on: May 15, 2011, 05:18:33 PM »
The index.html should exist, and existed, but not with the keygens and all that stuff

spg SCOTT

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #11 on: May 15, 2011, 05:19:44 PM »
wXw.fuajedrez.com/index.html exists and it appears clean, but wXw.fuajedrez.com/ shows the junk.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: JS:Redirector-CV [Trj] on my website?
« Reply #12 on: May 15, 2011, 05:42:45 PM »
It is the other items that are on the page that have been compromised, I got 10 alerts (image1) basically on the stuff in the image on Reply #2.

They all have identical content, two very long (rows) strings of obfuscated script (image2) and loading various dubious keygen and software sales sites, etc. etc.

I have broken down the two lines to make it easier to see what that content is, image3.

So it looks very like the site has been hacked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

leosc

  • Guest
Re: JS:Redirector-CV [Trj] on my website?
« Reply #13 on: May 15, 2011, 09:28:12 PM »
Where did you get all those *.tmp files? I don't understand how to proceed to clean the stuff.. I downloaded the infected images and css avast reported but when I open for eg. the css i dont find anything wrong inside, I also opened the *.js files and nothing's wrong with them (I just downloaded the original ones, to replace the bad ones, but I get the same story) .. Do I miss something? Thx
« Last Edit: May 15, 2011, 09:29:53 PM by leosc »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: JS:Redirector-CV [Trj] on my website?
« Reply #14 on: May 15, 2011, 10:25:04 PM »
Avast creates these temp files of the content coming down on the http stream so it can scan them in its localhost proxy (it doesn't use the original file names) if they are clean then they would be passed on to the browser cache and displayed on the browser page. I just harvest them to be able to look inside.

They are essentially what you showed in your image, just renamed in the avast localhost proxy.

I don't know if you use any form of content management software as that if out of date could be vulnerable to exploit, injecting the code into pages/files.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security