Author Topic: My wordpress site infected by JS:Redirector-NT [Trj], please help  (Read 19414 times)

moonheart

  • Guest
When I was searching for this issue, I saw that lots of WordPress users have posted about the trojan infection in this forum. The same thing happened with my WordPress gaming site.

When I try to open my site ifreecrazytaxigames.com, my avast antivirus shows this infection, JS:Redirector-NT [Trj], and the connection is aborted. I informed my hosting service provider about the issue, but they were not able to find this infection.

Can anyone please look into my site and tell me how I can remove this infection?

true indian

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #1 on: February 06, 2012, 02:24:54 PM »
check your site here:

http://sitecheck.sucuri.net/


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #3 on: February 06, 2012, 03:56:43 PM »
This is suspicious inside the code:
-xs.mochiads.com/static/pub/swf/leaderboard.js suspicious
[suspicious:2] (ipaddr:23.15.7.81) (script) -xs.mochiads.com/static/pub/swf/leaderboard.js
     status: (referer=-ifreecrazytaxigames.com/category/truck-games/)saved 14370 bytes feb68d3c9cb1014d17f3fca533b50b34aaac0373
     info: [javascript variable] URL=-xs.mochiads.com/static/pub/swf/
     info: [javascript variable] URL=-x.mochiads.com/mochiBridge/
     info: [script] :
     info: [decodingLevel=0] found JavaScript
     suspicious
and -www.facebook.com/plugins/like.php?href=http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light suspicious
[suspicious:2] (ipaddr:69.171.224.11) (iframe) -www.facebook.com/plugins/like.php?href=-http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light
     status: (referer=-ifreecrazytaxigames.com/crazy-taxi-be/)saved 1466 bytes 5692e78b88c5679844f2950c44d45d315d0e4db7
     info: [meta refresh] URL=www.facebook.com/common/browser.php
     info: [decodingLevel=0] found JavaScript
     error: undefined function window.location.replace
     suspicious:

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

3ukman

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #4 on: February 06, 2012, 10:48:41 PM »
Avast is reporting JS:Redirector-NT [Trj] on my site, can you please take a look and point me to what code may be wrong? The site is WEBKINSON.COM

roamingk

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #5 on: February 06, 2012, 10:54:19 PM »
I am now getting it on my site. - hxxp://gaysitgesguide.com/serendipity/2012/02/03/carnival-at-el-candil-sitges-2012/

I have run a webscanning software on the site, but no luck... :-\
« Last Edit: February 07, 2012, 12:09:43 AM by igor »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #6 on: February 06, 2012, 11:06:49 PM »
Avast is reporting JS:Redirector-NT [Trj] on my site, can you please take a look and point me to what code may be wrong? The site is WEBKINSON.COM
Not only avast detects it
https://www.virustotal.com/file/4aad3097e299d62415858cba7fc64d41268217528d6a5926b2f86a436ddb8052/analysis/1328565886/


wepawet
http://wepawet.iseclab.org/view.php?hash=6ae7c6290ea4f6ee7c2f403a32f49ab3&t=1328566335&type=js
« Last Edit: February 06, 2012, 11:29:10 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
« Last Edit: February 06, 2012, 11:29:33 PM by Pondus »

spg SCOTT

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #8 on: February 06, 2012, 11:28:40 PM »
I am now getting it on my site. - hXXp://gaysitgesguide.com/serendipity/2012/02/03/carnival-at-el-candil-sitges-2012/

I have run a webscanning software on the site, but no luck... :-\
Sucuri report: wordpress outdated
http://sitecheck.sucuri.net/results/http://gaysitgesguide.com/serendipity/2012/02/03/carnival-at-el-candil-sitges-2012/

No detection here
https://www.virustotal.com/file/48dbaf9b3d5ab838cc744c8af15e2acec118814117a8468e843ccc221c44829e/analysis/1328566127/

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks. (You too Pondus ;))

It's there.


It will be easier to follow these topics if everyone creates their own topic...Please can that be done?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #9 on: February 06, 2012, 11:49:49 PM »
Hi spg SCOTT,

Fully agree that new victims should start their own new thread, and not add their related case into an existing thread. This will not help, but rather complicate, the analysis and explanation of the malcode at hand.
Also making the link non-click-through is a precaution for obvious reasons (infection related and/or web-content related issues could demand this). Furthermore, website owners and webmasters should refrain from getting and implementing free plug-ins that they can find anywhere on the Internet. A lot of those plug-ins are suspicious or malware ridden or are risky because they have vulnerabilities or are not fully updated and patched, and so are hackable and injectable. One such plugin-module in this case might be wp-content/plugins/jetpack/modules/wpgroho.js, verdict suspicious.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
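
The hXXp convention requested above, as an added example that is not part of the original thread: a small Python helper that defangs links in a post before it is shared and checks that nothing clickable is left. Bracketing the dots (`[.]`) and covering bare hostnames go beyond the thread's hXXp convention; the function names and the sample post (on the reserved `.test` domain) are constructed for illustration.

```python
import re

# One pattern, two alternatives: a full http(s) URL (tried first, so it
# consumes its own path and query), or a bare hostname like "shop.example.test".
TOKEN_RE = re.compile(
    r'\b(?P<scheme>https?)://(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)'
    r'(?P<rest>[^\s<>"\']*)'
    r'|(?<![\w@/.-])(?P<bare>(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(?![\w@-])',
    re.IGNORECASE,
)

def _defang_match(m):
    if m.group('bare'):
        # Bare hostnames can still be auto-linked, so bracket their dots.
        # File names such as "script.js" are bracketed too, which is harmless.
        return m.group('bare').replace('.', '[.]')
    scheme = 'hXXp' + m.group('scheme')[4:]          # http -> hXXp, https -> hXXps
    host = m.group('host').replace('.', '[.]')
    return f"{scheme}://{host}{m.group('rest')}"     # path and query stay readable

def defang(text):
    """Rewrite every live URL or hostname in text so it is not clickable."""
    return TOKEN_RE.sub(_defang_match, text)

def refang(text):
    """Reverse defang() for analysis tooling that needs the real URL."""
    text = re.sub(r'\bhxxp(s?)(?=://)', r'http\1', text, flags=re.IGNORECASE)
    return text.replace('[.]', '.')

def live_links(text):
    """Return the URLs and hostnames in text that are still clickable."""
    return [m.group(0) for m in TOKEN_RE.finditer(text)]

# Constructed sample post; the hosts are placeholders, not sites from the thread.
POST = ("Avast alerts on http://infected.example.test/blog/post-1/?p=2 "
        "and also on shop.example.test, please look.")

if __name__ == "__main__":
    print(defang(POST))
    print(live_links(defang(POST)))   # empty list: safe to post
```

Running `live_links()` on the defanged text before posting is the check: an empty list means no clickable link to the suspect site remains.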

moonheart

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #10 on: February 07, 2012, 06:26:44 AM »
This is suspicious inside the code:
-xs.mochiads.com/static/pub/swf/leaderboard.js suspicious
[suspicious:2] (ipaddr:23.15.7.81) (script) -xs.mochiads.com/static/pub/swf/leaderboard.js
     status: (referer=-ifreecrazytaxigames.com/category/truck-games/)saved 14370 bytes feb68d3c9cb1014d17f3fca533b50b34aaac0373
     info: [javascript variable] URL=-xs.mochiads.com/static/pub/swf/
     info: [javascript variable] URL=-x.mochiads.com/mochiBridge/
     info: [script] :
     info: [decodingLevel=0] found JavaScript
     suspicious
and -www.facebook.com/plugins/like.php?href=http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light suspicious
[suspicious:2] (ipaddr:69.171.224.11) (iframe) -www.facebook.com/plugins/like.php?href=-http:/ifreecrazytaxigames.com/crazy-taxi-be/&locale=&layout=count&action=like&width=92&height=20&colorscheme=light
     status: (referer=-ifreecrazytaxigames.com/crazy-taxi-be/)saved 1466 bytes 5692e78b88c5679844f2950c44d45d315d0e4db7
     info: [meta refresh] URL=www.facebook.com/common/browser.php
     info: [decodingLevel=0] found JavaScript
     error: undefined function window.location.replace
     suspicious:

polonus

Hi, as per what you mentioned here, I figured out both of the infected locations on my site and rectified them. Now the virus infection notification is not showing when I open my site. Please have a look at my site and please let me know whether my site is still infected.

I also have another website, coolmathgamesonline.net, which is also infected. Please inform me of the exact location of the infection on this site.

moonheart

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #11 on: February 07, 2012, 01:05:30 PM »
check your site here:

http://sitecheck.sucuri.net/

Hi, I have checked my site, hxxp://coolmathgamesonline.net, through that online scanner site, and no virus alert is showing there. But when I open my site in the browser, Avast alerts me about a virus. Please, guys, help me with how I can recover from this issue. I even downloaded the files to my local hard disk and scanned them, but no virus threat was shown for the files.

true indian

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #12 on: February 07, 2012, 01:06:34 PM »
Can you give us a screenshot of the alert?

moonheart

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #13 on: February 07, 2012, 01:53:23 PM »
Can you give us a screenshot of the alert?

Sure here is the screenshot.


true indian

  • Guest
Re: My wordpress site infected by JS:Redirector-NT [Trj], please help
« Reply #14 on: February 07, 2012, 01:55:05 PM »
Hey! You are using an old version of avast! Download the latest free version from here:

http://www.avast.com/free-antivirus-download