Does anyone know anything about JS:Illredir-B[Trj]

When I attempt to go to my website, Avast gives me a warning that it is infected with a Trojan Horse, and it says it is JS:Illredir-B[Trj]

I do not know if this is a real Trojan or a false positive. Does anyone know anything about this problem? And how do I fix it???

Thanks,
Lezlie

Hi chromenum,

Can you give the address like hxtp or with wXw so that we can see what is there.
More about this attack onto websites here:
http://www.wjunction.com/showthread.php?t=21715
and the subject also treated here:
http://forum.avast.com/index.php?topic=52476.0

polonus

I am sorry, I should have posted the URL for the site…
It is wXw.obebooks.com

And thanks, I will take a look at the links you provided…

Is that the link to the alert? I have checked that out and got no alert.

Check the avast! Log Viewer (right click the avast ‘a’ icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe

  • Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.

When posting URLs to suspect sites, change the http to hXXp so the link isn’t active (clickable) avoiding accidental exposure.

However there is a rather strange looking script tag on the home page after the closing HTML tag, a bit of a standards no-no. So you could check that out and see if it should be there. Looks like it is trying to create an obfuscated script tag and that may be what the redirect is about, see image.

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.obebooks.com

and Norton is blocking it also (HTTP Fragus Toolkit Download Activity)

I am sorry, I didn’t realize about the “live” link thingy…Now I understand…

I think my friend must be working on killing the virus/trojan because I just went there myself and I got no warning this time…

As soon as I hear from him, I will let y'all know if he is taking care of it…

Thanks for trying to help!!!

And, Pondus, thank you so much for the link about the online security place, unmaskparasites.com. I was not aware of that site.

Thanks for all the help y'all are giving me…

Ok, here is the log from Avast:

1/6/2010 6:16:42 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js” file.
1/6/2010 6:17:21 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/6/2010 6:26:52 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js” file.
1/6/2010 6:26:52 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/6/2010 6:27:09 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/6/2010 6:50:07 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js” file.
1/6/2010 6:50:07 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/6/2010 6:50:30 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/6/2010 10:10:46 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/lang/fcklanguagemanager.js” file.
1/6/2010 10:10:53 PM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/FCKeditor/editor/js/fck_startup.js” file.
1/7/2010 11:06:31 AM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/” file.
1/7/2010 11:07:03 AM SYSTEM 476 Sign of “JS:Illredir-B [Trj]” has been found in “http://www.obebooks.com/” file.

Hi chromenun,

Suspicious inline script

 /*LGPL*/ try{ window.onload = function(){var Ilsyqujcs9bk8 = document.createElement('s^#^$c&#^!(r#^

And here about the vulnerability of using that particular script with inline handlers:
http://cross-browser.com/talk/event_interface_soup.php

On the Fragus toolkit: http://www.finjan.com/Content.aspx?xmlid=500449&id=607 &
http://www.efblog.net/2009/08/fragus-new-botnet-framework-in-wild.html

polonus

OK, looks like there is a lot of work to do in cleaning these files as I suspect that they too may have been hacked.

You will also have to edit your list to break the links to suspect locations, like I have done in the quote above.

This looks like content management software possibly being exploited:

  • This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc. See this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
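The first clean-up step above (checking pages for injected JavaScript) can be done across a whole web root with a small scanner. The script below is an added example, not code from the thread or from any poster; it keys on the marker quoted earlier in the thread (`/*LGPL*/ try{ window.onload = function`, with the `/GNU GPL/` variant also accepted), reports every page, PHP or JS file that carries it, and strips the wrapped `<script>…</script>` form from HTML/PHP text while leaving a copy of the file on disk untouched until you choose to write the cleaned text back. File names and contents in `demo()` are constructed samples.

```python
import os
import re
import tempfile

# Start of the injected block as quoted in the thread; only the obfuscated
# tail after this point varies between infected files (constructed regex).
MARKER = r"/\*\s*(?:LGPL|GNU GPL)\s*\*/\s*try\s*\{\s*window\.onload\s*=\s*function"
MARKER_RE = re.compile(MARKER, re.IGNORECASE)
# Whole <script>...</script> wrapper used when the block is appended to HTML/PHP pages.
BLOCK_RE = re.compile(r"<script[^>]*>\s*" + MARKER + r".*?</script>", re.IGNORECASE | re.DOTALL)
SCAN_EXT = {".php", ".html", ".htm", ".js", ".aspx", ".cfm"}

def scan_tree(root):
    """Return {relative_path: marker_count} for every file under root carrying the marker."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in SCAN_EXT:
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    n = len(MARKER_RE.findall(fh.read()))
                if n:
                    hits[os.path.relpath(path, root).replace(os.sep, "/")] = n
    return hits

def strip_injected(text):
    """Remove the wrapped <script> form; returns (cleaned, removed_blocks). Bare copies in .js need manual review."""
    return BLOCK_RE.sub("", text), BLOCK_RE.findall(text)

def demo():
    """Constructed sample tree: a clean page, an injected PHP page, an injected JS file (paths as in the avast log)."""
    root = tempfile.mkdtemp()
    samples = {
        "index.php": "<html><body>ok</body></html>\n<script>/*LGPL*/ try{ window.onload = "
                     "function(){var X=document.createElement('script');document.body"
                     ".appendChild(X);}}catch(e){}</script>\n",
        "FCKeditor/editor/js/fck_startup.js": "var FCK={};\n/*GNU GPL*/try{window.onload="
                                               "function(){}}catch(e){}\n",
        "about.html": "<html><body><!-- released under the LGPL --></body></html>\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    hits = scan_tree(root)
    with open(os.path.join(root, "index.php"), encoding="utf-8") as fh:
        cleaned, removed = strip_injected(fh.read())
    return hits, cleaned, len(removed)
```

Review each reported file before writing anything back: a legitimate library that happens to carry an LGPL header will not match the full marker, but the `.js` hits are reported only, since the bare (unwrapped) copy has no safe end delimiter to cut on.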

Ok, I just spent a good while going through a lot of my files on my website. In most of the php files there is a weird code that looks a lot like this:

/GNU GPL/try{window.onload=function} (and then a bunch of random type characters that go on for about 8 lines, and then ends with append.child, catch and then the end of script) I was afraid to post the actual code here...anyway, is that the virus??? Do I just delete that code from each file that contains it?? Thanks, Lezlie

Wise choice not to post the script…could cause more problems than good…

I have checked, and that seems to be the code that is causing the alert from avast!

What you will need to do is as you said, delete it from all of the files that contain it, and also follow the instructions set out by DavidR to prevent re-infection.

-Scott-

hi

I got this virus on my server.

I wrote a simple script to remove this scram from all files.

Here someone lost to remove this script from server, so you can check how it works

http://www.romania-virtuala.ro/remove-js-illredir-b.php

and here you get an opinion about this script

http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/

and here is the link for the script

http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz

enjoy


Welcome to the forums, trzykas. :slight_smile:

Thanks for posting information.


I actually upgraded the script to remove JS:Illredir-B and JS:Illredir-C at the same time.
If you got some other similar trojan on your website, please contact me; I will try to help and upgrade the script.

Yesterday I ran across a site that has this trojan – no problem, though: I had Avast installed, which warned me and aborted the download. Then I googled the name of the trojan and discovered this forum.

The site’s url:

http://www.almahatwary.org/

Regards all,

widgeteer

Looks like the site has been hacked there is an obfuscated script tag at the bottom of the source code (see image, click it to expand). The script is obfuscated to hide its purpose and is suspicious, the line extends way, way, beyond the end of the image example.

Hi widgeteer,

There are two viruses on the site. Make the link in your posting non-clickable by putting htxp or WxW:
Virus
Threat found: 2 virtumonde.sci trojan

Name of threat: 53833
Location: hXtp://www.almahatwary.org/

Name of threat: 53833
Location: hXtp://www.almahatwary.org/index.htm

pol

Hi, my website is affected by the same virus also. Can you send me the script to remove the virus? As detected, I suspect the virus content is JS:Illredir-C.
Can you send the script to my fifa76@gmail.com? Thank you.

First, we aren't clairvoyant, so we need to know what your site URL is; change the http to hxxp to break the link.

Even if we know your site address, we can't send you any script to remove it; you have to find the injected script, remove it and close the vulnerability that allowed the script to be injected.

I suggest you remove your email address as a) it can get harvested by spambots trawling the internet and b) we help people through the forums and not email.