Avast Reporting Trojan Horse On Our Forum

Hi,

I run a forum on my site which utilises vBulletin for its backend. I have had a couple of users recently report that Avast is stating we have a JS redirect trojan when they are trying to browse. As far as I am aware, no other antivirus is reporting it (I have tried 3 or 4) and we have also scanned the entire server for anything suspicious and found nothing.

We have also looked through the source code and there is nothing being injected as far as I can tell.

You can see the thread on my forum dedicated to it here: fashionbeans.com/forums/questions-support-feedback/6001-forum-trojan-horse-should-now-resolved.html

It seems as though the link being mentioned by AVAST is: forums.fashionbeans.com/clientscript/yui/yuiloader-dom-event/yuiloader-dom-event.js?v

If anyone could shed some light on this and let me know how to solve the problem it would be much appreciated.

Thanks

Is it still happening…??
I don’t get any block or error on your site with avast!..

http://sitecheck.sucuri.net/results/http://www.fashionbeans.com
http://zulu.zscaler.com/submission/show/e73b86f0d7c75c02d2b90307383eab76-1333096074

Edit your links so they are unclickable… change http = hxxp… www = wxw

Virustotal
https://www.virustotal.com/file/ecc585cc569368ab46896385e33c52a98071b651f6c2ed69136a10066c4f4dd6/analysis/1333096237/

Interesting, thanks for your input Pondus.
It seems NoScript blocked a possible alert then. :wink:

Hi Pondus,

Sorry, I will edit my original links now.

Users have been saying that it only comes up blocked every so often, whilst one has said it happens on every page.

That is definitely the file that must be causing the problems then, based on the link you show above. How would we get around this? Should we reference it from the Yahoo API direct or something?

Any help in fixing it would be appreciated.

Just an update. I have set my vBulletin to serve the file from the Google API now instead, in the backend options.

I have just downloaded the latest version of the file from their API direct and ran it through the same scanner:
https://www.virustotal.com/file/fb0768b04af92d670757d4b1289d6745e27b474e4fb15eff5306d9e57226d9b2/analysis/1333098368/

This time it came back clean? I have no idea why but I am pretty sure it was just because the version I was using was out of date?

Hoping this will have fixed the problems with my forum now.

As you updated/cleaned your site now…
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
The guys at the viruslab will check it.

Also note that Sucuri reports outdated WordPress: http://sitecheck.sucuri.net/scanner/

Thank you both.

We are aware of the WordPress update that is required. I was actually checking it locally before all this came up this morning to make sure everything is working before upgrading tonight! I have got some great virus scanning bookmarks for future reference though.

Will also report the false positive to see what they say. I actually contacted support this morning regarding this query, so maybe they will get back to me in due course.

You’re welcome.

Norman lab confirms detection

Yes, it has a redirecting code at the end.

yuiloader-dom-event.js : Processed - JS/Redirector.EV
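
Added example (not part of the original thread, and not vBulletin or Avast code): one way to check the copy of a script your server hands out, such as yuiloader-dom-event.js, against a clean copy from the vendor and see exactly what was added and where. The function names and the sample bytes are constructed for illustration.

```python
import difflib
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_to_reference(reference: bytes, served: bytes) -> dict:
    """Compare a served script with a clean reference copy; list added content."""
    report = {
        "reference_sha256": sha256_hex(reference),
        "served_sha256": sha256_hex(served),
        "match": reference == served,
        "added": [],  # list of (position, text) found only in the served copy
    }
    if report["match"]:
        return report
    # Case from the thread: the clean file is intact and extra code follows it.
    if served.startswith(reference):
        tail = served[len(reference):].decode("utf-8", "replace")
        report["added"].append(("end of file", tail))
        return report
    # Otherwise fall back to a line diff to locate inserted or changed lines.
    ref_lines = reference.decode("utf-8", "replace").splitlines()
    srv_lines = served.decode("utf-8", "replace").splitlines()
    matcher = difflib.SequenceMatcher(None, ref_lines, srv_lines, autojunk=False)
    for tag, i1, _i2, j1, j2 in matcher.get_opcodes():
        if tag in ("insert", "replace"):
            where = f"after reference line {i1}"
            report["added"].append((where, "\n".join(srv_lines[j1:j2])))
    return report


# Constructed sample data: a tiny stand-in for the clean library file and two
# modified copies. The added lines are harmless placeholders.
REFERENCE = b"var Loader = {};\nLoader.version = 'constructed';\n"
TAMPERED_TAIL = REFERENCE + b"/* constructed appended line */ extra();\n"
TAMPERED_MID = b"var Loader = {};\nextra();\nLoader.version = 'constructed';\n"

if __name__ == "__main__":
    for name, data in [("clean", REFERENCE), ("tail", TAMPERED_TAIL),
                       ("mid", TAMPERED_MID)]:
        result = compare_to_reference(REFERENCE, data)
        print(name, result["match"], result["added"])
```

In practice the reference bytes would come from the vendor's release package and the served bytes from fetching the URL your visitors load, since a file can look clean on disk but be altered on the way out.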