Can someone check out this site

A friend’s website seems, according to avast, to harbor the JS:ScriptIP-inf [Trj] trojan. I have alerted my friend to alert his host. His host sees no problems.

I don’t want to be an alarmist, but I do want my friend’s site to be safe. After all, I can’t even visit it if it harbors malware.

Could someone with the appropriate version of avast check out hXXp://www.miraclesmagazine.org/, click on one of the QUICK LINKS, and tell me if they, too, are getting a virus alert?

Please send your response to this e-mail address and thanks!

Felix222

Welcome Felix222

I was a devout follower of a Course in Miracles for a long time and have seen Marianne Williamson many times and have several of her books.

The site has been hacked and it is a common occurrence right now

9/15/2009 4:37:49 PM SYSTEM 1928 Sign of "JS:ScriptIP-inf [Trj]" has been found in "hxxp://www.miraclesmagazine.org/new%20Miracles%20Magazine%20Info.htm" file.

Jsure Javascript Checker found nothing.

Bad Stuff (Jutakys) Detector found nothing saying Empty source - Could not connect to site?.

Hi felix222,

Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected. (You too YoKenny ;D)

This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

The site has been hacked, and I think it is caused by this:

Just after the closing html tags there is a script tag (see image). This is against web standards to do this, and is out of place.
To be honest I am not exactly sure if this is what is being alerted to, but it is suspicious…

jsejtko, DavidR any ideas?


A post worth looking at by DavidR:

-Scott-

I saw the <‘javascript’>postamble(); reference at the foot of the pages as you demonstrated. It seems, however, according to other references to this across the web, that this line is endemic to using Zone Alarm software somewhere in the development environment.

I agree that the site’s been hacked. No doubt about it. But I require a powerful argument, though gentle, to convince the hosting or developers to take action. Currently they claim there is no issue when clearly there is. This is a disservice to the client (not to mention visitors without adequate security in place) and needs to be rectified.

I reset the http to hXXp. Thanks for heads up on that. I don’t frequent forums so I didn’t consider. Thanks again.

Yes, it is not the script I posted about. I just checked it…although it shouldn’t really be there…

I will keep looking for what it is, and see if I can find it. Someone else may find it in the meantime though…

It seems as though most, if not all, of the ‘quick links’ are infected…

spg SCOTT,

Avast is reporting the issue as an occurrence of JS:ScriptIP-inf [Trj]. I just need others with avast or a reliable malware detection product to corroborate this issue. I’m fairly certain that with a dozen or so corroborations that JS:ScriptIP-inf [Trj] is reported as being served via this site that the host or developer will give my complaints greater credence. Maybe not. But I owe it to the innocent friend who merely wants to disseminate info via his site.

Thanks.

I know that avast! is alerting on the site, but my problem is that I cannot seem to see what is causing it (most likely due to my lack of knowledge ;)). Usually it is something like a script tag or something like that which is clear to see…

Hence:

I saw the script tag after the closing html tag (a standards no, no, so a little suspect). This script tag is somewhat strange it would appear to be set to run another script postamble(); and we are not able to see what that script contains

I also note that whilst waiting for this site to load (takes absolutely ages on dial-up) my trusty firewall reported an attack detection from that IP address, 209.237.150.20, unfortunately that will block that IP for 5 minutes.

So there is most certainly something strange going on with the site. Exactly what is the question as there is no sign of this postamble () script.

I did a whois check on the IP address image1 and that brought up a different domain name, I then did another whois on the miricalesmagazine.org and that brought up the same IP image2; so again I don’t know what is going on.

So now I’m wondering if the actual malware name is pretty descriptive, a JS (JavaScript) IP injection, I don’t know but that seems close to what has been going on.

Have the Webmaster look at this topic.

Website by Fran Cosentino: fran@miraclesmagazine.org

YoKenny and gang . . .

Said party is running a scan on her machine now. I didn’t make the connection that she was the webmaster. You cats out sharp me by miles. We’ll see how it goes. Thanks for all of the assistance.

Felix222

She shouldn’t have to scan as avast is one of the few AVs that are even looking for this much less detect it. She needs to look at that script tag after the closing html tag and if there is no legit reason for it being there it should be removed.

More importantly if she didn’t place it there then there is an exploit inserting it, e.g. likely a hacked site.

Hello,

It is probably not hacked - but it uses webstat.net which is blocked. Please switch to some other statistic, because webstat.net was distributing malware in the past.

Best Regards

Thanks jsejtko, do you know what that weird script tag at the bottom of the page that we have been talking about does?

Also jsejtko, where resides the evidence that they are using webstat.net? I would need to point that out.

Thanks.

if you mean this it looks that it can be caused by ZoneAlarm:
http://www.tek-tips.com/viewthread.cfm?qid=994082&page=2
http://forums.zonealarm.com/archive/index.php/t-57581.html

Milos

Thanks for the update, you are correct, as usual. :smiley:

Just copied the webstat script into notepad and tried to save it and avast! alerted…Good call :smiley:
(also no alert without it.)

@felix222

This script can be found in the source code of the sites marked as infected. The easiest way to find it is to look through the source code and search (usually Ctrl F ) for webstat.

I have also attached a pic of the code.

You will have to remove the highlighted code from <script… to </script…
There is also a link after to webstat (highlighted in red) which could also be removed - along with the next bit of text which I think is part of it…

-Scott-

[EDIT] Interesting read Milos, thanks for the links.
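The manual search described in the post above (look through each page's source for webstat, plus the script tag after the closing html tag discussed earlier in the thread) can be run over a saved copy of every page. This is an added example, not part of the original thread: the `audit` function, the `ScriptAudit` class and the sample page are constructed for illustration, and the webstat.net path in the sample is a placeholder.

```python
from html.parser import HTMLParser

BLOCKED_DOMAINS = ("webstat.net",)  # domain named in the thread; extend as needed

def _blocked(text):
    return [d for d in BLOCKED_DOMAINS if d in text.lower()]

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.after_html_close = False
        self.script = None   # [line, text] while inside a <script> element
        self.findings = []   # (line, reason) pairs

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        urls = " ".join(v or "" for k, v in attrs if k in ("src", "href"))
        if tag == "script":
            self.script = [line, urls]
            if self.after_html_close:
                # May be benign (the thread attributes postamble() to ZoneAlarm),
                # but it is out of place and worth a manual look.
                self.findings.append((line, "script after </html>"))
        else:
            for d in _blocked(urls):
                self.findings.append((line, "<%s> links to %s" % (tag, d)))

    def handle_data(self, data):
        if self.script is not None:
            self.script[1] += " " + data  # inline script body

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True
        elif tag == "script" and self.script is not None:
            line, text = self.script
            for d in _blocked(text):
                self.findings.append((line, "script references " + d))
            self.script = None

def audit(html_text):
    """Return sorted (line, reason) findings for one page's source."""
    parser = ScriptAudit()
    parser.feed(html_text)
    parser.close()
    return sorted(parser.findings)

# Constructed sample page; the webstat.net path is a placeholder.
SAMPLE = """<html>
<body>
<script type="text/javascript" src="http://webstat.net/placeholder.js"></script>
<a href="http://webstat.net/">stats</a>
</body>
</html>
<script language='javascript'>postamble();</script>
"""
```

Calling `audit()` on the text of each saved page gives the line numbers to hand to the webmaster or host.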

Good work scott. :slight_smile:

Cool, Scott. Yet, when I view the source, I don’t get all of this. You must be viewing the source in a different manner than I am. I’m just doing the typical “right click/view source” malarky. What’s your secret?

I am just using an online source code viewer…but the method you use should also show it I think.

Which one are you looking at? It is not on the home page, but the quick links pages. This means you would have to visit them.