Today I updated Avast and its definitions. When I did, and I visited my own web site, I got a Trojan warning. I have 2 computers. 1 is running XP with Panda Cloud and the other is Vista running Avast. Avast came up with this Trojan warning and would not allow my site to pull up. The warning is http://storehouseministries.org/ [L] JS:Illredir-AC [Trj] (0)
I pulled up the site on my XP computer with no problem. After I pulled it up, I ran a virus scanner just in case. No virus. I even had some other people try the site. They did not get a virus either. Is this a false positive?
I don't want others to have problems pulling up my web site. Anyone have any ideas on how to fix this? Or if there is a virus on my site, how to get it off?
It looks like your site has been hacked with a large block of obfuscated JavaScript in a script tag after the closing HTML tag, a standards no-no and highly suspect.
This is commonly down to old content management software being vulnerable, PHP, Joomla, WordPress, SQL, etc. etc. See this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load re-directs into them.
Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
That is indicative of what I said about out of date content management software (read all my post again), if your pages are created/dynamic then that process could be injecting the script tag. So you would need to check any and all template files, etc.
Avast isn't alerting for me using Firefox with NoScript enabled; allow the site in NoScript and Avast alerts on the script.js file, so check that out.
Avast is effectively blocking the script.js file, as the code isn't on the home page now, but in the script.js file.
The last line of obfuscated code on the script.js file is the culprit. This is the same as was in the original detection and image I posted.
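The checks the host's cleanup procedure describes (script blocks placed after the closing HTML tag, obfuscated JavaScript in index pages or a script.js file, redirects planted in .htaccess) written up as a small scanner. This is an added example, not code from the thread, the host or Avast; the file-name rules, the obfuscation markers and the sample inputs are assumptions.

```python
"""Heuristic scan for the injection pattern described in the thread: a <script>
block after </html>, obfuscated JavaScript, and redirects added to .htaccess.
Hits are leads for manual review, not proof of compromise."""
import re
from typing import List, Tuple

# Markers typical of packed/obfuscated injected scripts (assumed heuristics).
OBFUSCATION = re.compile(
    r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(|"
    r"(?:\\x[0-9a-f]{2}){8,}|(?:%[0-9a-f]{2}){8,}", re.IGNORECASE)
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)
# Redirect / RedirectMatch lines and RewriteRule lines carrying the R flag.
HTACCESS_REDIRECT = re.compile(
    r"^\s*(?:Redirect(?:Match)?\b.*|RewriteRule\b.*\[.*\bR\b.*)$", re.IGNORECASE | re.MULTILINE)

def trailing_scripts(html: str) -> List[str]:
    """Return the bodies of <script> blocks that sit after the closing </html> tag."""
    end = re.search(r"</html\s*>", html, re.IGNORECASE)
    return SCRIPT_BLOCK.findall(html[end.end():]) if end else []

def looks_obfuscated(code: str) -> bool:
    """True when the code carries obfuscation markers or is one very long, space-free line."""
    if OBFUSCATION.search(code):
        return True
    longest = max((len(line) for line in code.splitlines()), default=0)
    return longest > 500 and code.count(" ") < len(code) / 20

def scan(name: str, text: str) -> List[Tuple[str, str]]:
    """Run the checks that fit a file name; returns (check, detail) pairs."""
    findings: List[Tuple[str, str]] = []
    lower = name.lower()
    if lower.endswith(".htaccess"):
        return [("htaccess-redirect", m.group(0).strip()) for m in HTACCESS_REDIRECT.finditer(text)]
    if lower.endswith((".html", ".htm", ".php", ".aspx", ".cfm")):
        findings += [("script-after-html", body.strip()[:60]) for body in trailing_scripts(text)]
        code = " ".join(SCRIPT_BLOCK.findall(text))  # all inline script bodies
    elif lower.endswith(".js"):
        code = text
    else:
        return findings  # other file types are not scanned
    if looks_obfuscated(code):
        findings.append(("obfuscated-js", name))
    return findings

if __name__ == "__main__":
    # Constructed samples resembling the thread's report; not taken from the real site.
    sample_html = ('<html><body>Hello</body></html>\n'
                   '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"))</script>\n')
    sample_htaccess = "RewriteEngine On\nRewriteRule ^(.*)$ http://redirect-target.invalid/ [R=302,L]\n"
    for fname, body in (("index.html", sample_html), (".htaccess", sample_htaccess)):
        for check, detail in scan(fname, body):
            print(f"{fname}: {check}: {detail}")
```

Run it over a copy of the site's document root (index pages, templates, script.js and every .htaccess) and review each hit by hand; a legitimate script after </html> is rare enough that any such hit deserves a look.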