Author Topic: JS:Redirector-MR [Trj]. Please help me.  (Read 21905 times)


pieter_dj

  • Guest
JS:Redirector-MR [Trj]. Please help me.
« on: December 10, 2011, 09:13:31 PM »
My site is -http//www.gadget-talk.com  I have seen the source of my site, but I cannot find the malware script like the people said in this forum about this thread before. What should I do to remove the malware? Help me please. When I browse my site, Avast blocks me, showing that the site is infected with the "JS:Redirector-MR [Trj]" Trojan. Can you give me a step by step solution for what to do?

spg SCOTT

  • Guest
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #1 on: December 10, 2011, 09:14:39 PM »
Hi, pieter_dj, welcome to the forum :)

The code is embedded in the last line (very long) of the source code of the page.
Look in the middle of the code for the script.

A search for eval( will reveal the embedded code.

Scott


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #2 on: December 10, 2011, 09:22:47 PM »
From Sucuri...

1. Wordpress internal path: /home/bermain/public_html/gadget-talk.com/wp-content/themes/welding/index.php  Wordpress version outdated: Upgrade required.

2. Malware found on javascript file:
hxxp://www.gadget-talk.com/404javascript.js (Just an example, there are many more..!!)

Known Spam detected.
Details: http://sucuri.net/malware/entry/MW:SPAM:SEO
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #3 on: December 10, 2011, 09:24:04 PM »
Sucuri reports malware found here:

-http://www.gadget-talk.com/
-http://www.gadget-talk.com/404javascript.js
-http://www.gadget-talk.com/404testpage4525d2fdc
-http://www.gadget-talk.com/about-us/
-http://www.gadget-talk.com/sitemap/
-http://www.gadget-talk.com/contact-us/
-http://www.gadget-talk.com/useful-links/
-http://www.gadget-talk.com/category/apple/
-http://www.gadget-talk.com/category/camera-camcorder/
-http://www.gadget-talk.com/category/cellularphone/

Details: We have many articles about this issue on our blog:
http://blog.sucuri.net/category/spam

wepawet
http://wepawet.iseclab.org/view.php?hash=818126a161566b21f078488d90919a66&t=1323548465&type=js



« Last Edit: December 10, 2011, 09:30:00 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #4 on: December 10, 2011, 09:29:53 PM »
Hi Asyn and Pondus,

Verdict = malicious: http://urlquery.net/report.php?id=11280
See for the second link Pondus gave:
-rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr suspicious
[suspicious:2] (ipaddr:72.21.207.5) (iframe) -rcm.amazon.com/e/cm?t=onlineforex06-20&o=1&p=12&l=ur1&category=-amazonwireless&banner=13A670EB10W0N2FZPE02&f=ifr
     status: (referer=-www.gadget-talk.com/404javascript.js)saved 2247 bytes 5cdcd519ab333c7e372f364dfa8bb5f38df93348
     info: [img] -ecx.images-amazon.com/images/G/01/img10/associates/med-rec/aw-gen-300x250.gif
     info: [iframe] -s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing ) after argument list:
          error: line:3: ; function encodeStr(b) { return b && encodeURIComponent(b).replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace( />/g, "&gt;"); } document.write("<iframe src="-http:/s.amazon-adsystem.com/iu3?d=assoc-amazon.com&rP=" + encodeStr( (           error: line:3:
could be the response of this now dead?

polonus
« Last Edit: December 10, 2011, 09:34:29 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #5 on: December 10, 2011, 09:35:04 PM »
Yes pol, the OP has to clean up his site..! ;)

pieter_dj

  • Guest
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #6 on: December 10, 2011, 09:36:08 PM »
Why can't I find the script in the source code of the site? I really don't know what to do to delete the code. Could you give me a detailed step by step explanation of how to delete the code? If I go to my hosting, then which file name do I go to and where will I find that script so I can delete the code? So what should I do to get rid of this "Dean" issue?

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #7 on: December 10, 2011, 09:39:42 PM »
A search for eval( will reveal the embedded code.

Highlight the embedded code in spg SCOTT's picture and press delete.
« Last Edit: December 10, 2011, 09:47:08 PM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #8 on: December 10, 2011, 09:43:50 PM »
Sucuri will do it for you   ;)

.....but not for free   :-\    http://sucuri.net/signup

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #9 on: December 10, 2011, 09:44:32 PM »
Isn't it removed?

No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #10 on: December 10, 2011, 09:46:34 PM »
Isn't it removed?

No, it isn't and I also never said so.
I said that he has to clean it, thought I was clear.
Didn't see the 'has to' part. :-[

More information about the malware dump: http://sucuri.net/new-malware-evalfunctionpacked.html

pieter_dj

  • Guest
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #11 on: December 10, 2011, 09:47:35 PM »
Can't you give me the steps for how to delete those scripts that contain p,a,c,k,e,r from my site? Please give me the detailed steps, like when I go to my hosting, which folder or file should I go to? Because I am using WordPress. How do I delete that script from the HTML code? I am confused.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #12 on: December 10, 2011, 09:49:38 PM »
Again PHP has initially been compromised. Very interesting read link here: http://25yearsofprogramming.com/php/findmaliciouscode.htm (source author: Steven Whitney)

polonus

spg SCOTT

  • Guest
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #13 on: December 10, 2011, 10:13:06 PM »
Could you remove that script (modify your post) in case it prompts an alert.
Done, thanks David.

That looks like it *may* be what is adding the code to the pages in the site.

Remove that code (from functions.php), and check all of your pages (html/php/js) files etc. for this eval script.

« Last Edit: December 10, 2011, 10:17:03 PM by spg SCOTT »
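
The check described in this reply (look through every html/php/js file for the packed `eval(` script), written out as an added example that is not part of any post in the thread. The sample files, the theme directory name `example` and the placeholder packed body are constructed; only the file names `functions.php` and `404javascript.js` come from the thread. It reports line and column because the injected code can sit in the middle of one very long line.

```python
import os
import re
import tempfile

# Wrapper emitted by the p,a,c,k,e,r packer: eval(function(p,a,c,k,e,r){...}) (last arg r or d)
PACKER_RE = re.compile(rb"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e\s*,\s*[rd]\s*\)")
SCAN_EXTS = {".php", ".js", ".html", ".htm"}

def scan_file(path):
    """Return (line_no, column) for each packer wrapper found in one file."""
    with open(path, "rb") as fh:
        return [(n, m.start() + 1) for n, line in enumerate(fh, start=1)
                for m in PACKER_RE.finditer(line)]

def scan_tree(root):
    """Walk root; map relative path -> hits for every html/php/js file with a hit."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXTS:
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_site(root):
    """Write constructed sample files; the packed body is an inert placeholder."""
    theme = os.path.join(root, "wp-content", "themes", "example")
    os.makedirs(theme)
    packed = b"eval(function(p,a,c,k,e,r){/* placeholder */}(0,0,0,[],0,{}))"
    samples = {
        os.path.join(theme, "functions.php"): b"<?php\n// theme setup\necho '<script>" + packed + b"</script>';\n",
        os.path.join(theme, "index.php"): b"<?php get_header(); ?>\n",
        os.path.join(root, "404javascript.js"): b"var a = 1;\n" + b"x" * 500 + packed + b"\n",
        os.path.join(root, "notes.txt"): packed,  # skipped: extension not scanned
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

To check a real site, call `scan_tree()` on a downloaded copy of the web root; a hit in a PHP file such as `functions.php` points at code that writes the script into every rendered page.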

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: JS:Redirector-MR [Trj]. Please help me.
« Reply #14 on: December 10, 2011, 10:15:03 PM »
I have removed the original post, to remove suspect code to avoid avast alerting on its own pages.

I have found this in my functions.php file

See image of code example

Can you help me with that code? I should delete the scripts that contain p,a,c,k,e,r from where to where?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security