Author Topic: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]  (Read 14717 times)

FireDart

  • Guest
[Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« on: June 16, 2012, 12:32:15 AM »
Hello,
I need some advice on an Avast reported threat. One of the sites I manage for a client (wxw.orlandokayakfishingclub.com/, It's recommended to put wxw from what I have read.) was getting redirect issues. After some checking and scanning I found a disgusting .htaccess file with tons of redirects. Out of my stupidity and me frantically trying to fix the problem I forgot to save the file!

With the threat neutralized it was time to hunt down the source, first culprit was the slightly out of date Modx manager that was going to update eventually, however when I navigated to it I got Threat: JS:Iframe-FG [Trj], with a warning from Firefox "The connection was reset"

Screenshot: http://i.imgur.com/WavLg.png

Looking through the code I see no threats, and Sucuri SiteCheck is reporting clean.

Any advice?
« Last Edit: June 16, 2012, 04:31:01 AM by FireDart »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #1 on: June 16, 2012, 12:52:13 AM »
Probably WP plug-in issues that led to html malware, misused server issues in the past...
These scripts are said to be suspicious by zulu Zscaler: http://zulu.zscaler.com/submission/show/461599dc78f6f8d9a1ec21fcc2824d45-1339799729
htxp://orlandokayakfishingclub.com/assets/js/jquery-1.7.1.min.js   script   
htxp://orlandokayakfishingclub.com/assets/js/jquery.custom.js
See also:  [iframe] static.ak.fbcdn dot net/rsrc.php/v2/yD/r/  (could be abused by a race condition in Facebook Graph API)
     info: [iframe] static.ak.fbcdn dot net/rsrc.php/v2/yD/r/javascript:false
     info: [decodingLevel=0] found JavaScript
     error: undefined variable __d
     error: undefined function __d
The heuristical malware detection for the site IP seems to be dead now: HEUR/HTML.Malware, avast detected that as JS:Obfuscated-T,
General site security status is given as secure here: http://com.saferpage.de/orlandokayakfishingclub

polonus
« Last Edit: June 16, 2012, 01:00:40 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #2 on: June 16, 2012, 12:57:21 AM »
Hi FireDart,

Are we having the same restrictions? A username and password are required before I can view the content. See:
http://urlquery.net/report.php?id=69490


~~~~~~~~~~~~~~~~~~~~

Also, eval is evil. It's best to avoid it whenever possible. This is because any attacker can input malicious code into eval and it will be run on your server.

Do you know why the double extension is required here? It makes the file suspicious:
http://zulu.zscaler.com/submission/show/5f97426732acf9fa27f2a198716f2178-1339800290
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #3 on: June 16, 2012, 01:04:49 AM »
Hi !Donovan,

It is Header and Content returned by request,

polonus

FireDart

  • Guest
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #4 on: June 16, 2012, 01:05:35 AM »
Polonus,
Thanks for the data, those files seem to be clean.

!Donovan,
That is what the site should look like, after doing the research and reloading the page it's working now. Was Avast! just temporarily blocking the page for my protection? It's still reporting "Blocked" in the Web Shield Scan Logs.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #5 on: June 16, 2012, 01:15:30 AM »
Polonus, do you know why avast alerted iframe?


@FireDart

Can you update Modx now?

FireDart

  • Guest
Re: Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #6 on: June 16, 2012, 01:17:36 AM »
Am working on updating it now, thanks for your help guys. It's nice to know you can get quality help.

@polonus
Thanks for the http://zulu.zscaler.com/ site, definitely bookmarking it for the future.

drongo

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #7 on: June 17, 2012, 05:56:29 AM »
First off, I am not a code jockey. Most of this discussion means nothing to me.
However, I document inventions and have a background in electronics, so I can follow explicit directions.

Avast has started blocking my company website and reports the cause is they found the JS:Iframe-FG [Trj] virus.

Ok, so now what? If I had found this in a system scan, I would be given options of removing or moving, etc. There are no options. I did a system scan of the desktop which houses the files that make up my website, and nothing was found. Nor were any other viruses found. So I looked in the log, and apparently this virus had been found, and it was successfully moved to the "chest".

Obviously this wasn't good enough because I can't even view my own website right now.

Can anyone here please tell me what to do next?

Thanks ahead,

drongo

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #8 on: June 17, 2012, 03:17:11 PM »
You should start your own new thread here and mention that address, made non-click-through by giving in hxtp or wXw, then we can have a look what in the code is being alerted,

polonus

drongo

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #9 on: June 17, 2012, 05:23:42 PM »
SPEAK ENGLISH!

"made non-click-through by giving in hxtp or wXw, then we can have a look what in the code is being alerted,"

means nothing to me.

I just wasted an entire night doing a boot time scan and the virus messages are still showing up.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #10 on: June 17, 2012, 05:35:36 PM »
Hi drongo,

We are trying to help you. Flaming does not help us or you in any way. We do not have to help those who do not wish to be helped.

Polonus' first language isn't English and if you know so much as to tell that the sentence isn't proper grammar then you should be able to assume what is being said. I have produced a "SPEAK ENGLISH!" version of what Polonus said for you.

~~~~~~~~~~~~~~~~~~

Create a new topic by following this link: http://forum.avast.com/index.php?action=post;board=4.0

Be sure to mention your website address (using htXp or wXw to avoid accidental clicks).

drongo

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #11 on: June 17, 2012, 08:15:13 PM »
OK, I will spell it out in small words since nobody seems to care to actually read what I said.

I am not a programmer. It says newbie for a reason.

I do not know what "hxtp or wXw" or any other arcane acronyms mean.

I am not a mind reader.

I had no idea that the person who started throwing incomprehensible geekspeek at me did not speak English.

I was not referring to his language, country of origin, race, creed, programming language or religion.

I simply meant that I DO NOT UNDERSTAND! (I apologize for being too subtle)

If that offends you or anyone else, because you or they cannot communicate at a level that I can understand, then this is not a help group.

This is not my fault. I asked a simple question. I am willing to provide whatever anyone needs to make that question more precise, as long as their requests are understandable.

Is there anyone out there who can speak to me in simple English sentences which do not include secret codewords that only programmers understand?

Thanks ahead,

drongo


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #12 on: June 17, 2012, 08:19:38 PM »
Please stop bumping another user's topic!

Would you kindly make a new topic and post a screenshot of what avast! is alerting?

FireDart

  • Guest
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #13 on: June 21, 2012, 07:35:12 PM »
Hey guys, am sorry to bring up my 6 day old topic but I seem to be getting the warning again. Re-checked the .htaccess file and again it was edited with the same looking code.

So I have updated the modx, smf forum, locked down the wiki, checked some other scripts and still they are getting in. The wiki is also a tad out of date so am assuming it's that. Just removed it.

This time however I managed to save the .htaccess file, so I have two questions.
1) Should I post the code in the forums, you guys don't want links to infected sites so am guessing the same for code
2) Any idea where I can post this and get more info? If you guys can help that would be great but otherwise I would like to report it or learn more about it.

Since it's the same issue am guessing avast is picking up a false positive so just need to wait for it to stop blocking the site.

==Edit==

Almost forgot, the user that reported the issue said his browser crashed and a webcam recorder opened up afterwards (which he never uses). This leads me to believe the site it is redirected to is dropping off some kind of malware. I instructed him to do a full Avast scan and a Malwarebytes scan (Am doing the same). Yet to find anything but will definitely post any news about it.
« Last Edit: June 21, 2012, 07:42:15 PM by FireDart »
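
For the recurring .htaccess tampering described in the post above, an added example (not part of any post in this thread): a Python audit that lists the directives in an .htaccess file that send visitors to hosts other than the site's own, and records which referer or user-agent conditions gate each rewrite. The sample file, host names and function name are constructed for illustration; the gating check assumes the common pattern of redirects that fire only for some visitors.

```python
import re
from urllib.parse import urlparse

# Apache directives that can send a visitor to another URL.
REDIRECTING = {"rewriterule", "redirect", "redirectmatch",
               "redirectpermanent", "redirecttemp", "errordocument"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# Request properties that make a rule fire only for some visitors (assumed pattern).
GATING_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")

def audit_htaccess(text, own_hosts):
    """Return one finding per directive that targets a host outside own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, gating = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()  # also catches rules hidden behind leading whitespace
        if not line or line.startswith("#"):
            continue
        directive = line.split(None, 1)[0].lower()
        if directive == "rewritecond":
            if any(var in line.upper() for var in GATING_VARS):
                gating.append(lineno)
            continue
        if directive in REDIRECTING:
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if host and host not in own:
                    findings.append({
                        "line": lineno,
                        "directive": directive,
                        "host": host,
                        # RewriteCond lines apply only to the next RewriteRule
                        "gated_by": list(gating) if directive == "rewriterule" else [],
                    })
        if directive == "rewriterule":
            gating = []
    return findings

# Constructed sample, not the file from this thread.
SAMPLE = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]
RewriteRule ^(.*)$ http://redirect-target.example.invalid/in.php?q=$1 [R=302,L]
ErrorDocument 404 http://redirect-target.example.invalid/404
Redirect 301 /old https://www.site.example/new
"""
OWN_HOSTS = {"site.example", "www.site.example"}

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, OWN_HOSTS):
        print(finding)
```

A finding with a non-empty `gated_by` explains why a site owner browsing directly may see a clean page while visitors arriving another way are redirected.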

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: [Solved] Avast! Reports Threat: JS:Iframe-FG [Trj]
« Reply #14 on: June 21, 2012, 08:19:10 PM »
Do you want to take the direct approach? (I check your files directly)