system
September 10, 2013, 7:24am
1
Hi to all,
I’m trying to access this website:
(www).informatikserver.at
and avast is always warning me of a JS:HideMe-I (tr) infection on this site. Did anyone come across this? The site normally is clean, an Austrian website with information about computing and school.
Thank you, fl
CraigB
September 10, 2013, 7:33am
2
Please modify the link so it is unclickable; we don’t want unsuspecting users clicking on malicious links. Thank you.
polonus
September 10, 2013, 8:00am
3
Our forum member craigb is right, and here you see why: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.informatikserver.at%2F
and http://urlquery.net/report.php?id=5060516
/media/jui/js/jquery.min.js
Quttera scan result:
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string
[['=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26async=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%260=%26=%26']]
of length 551 which may point to obfuscation or shellcode. (ad malvertiser malcode- vulnerable through bad Joomla configuration)
File size[byte]: 93637
File type: ASCII
MD5: 24BD97B1DE158C4F1A162336EECA4AA6
Scan duration[sec]: 78.746000
polonus
P.S. Also see my posting for similar issue here: http://forum.avast.com/index.php?topic=116107.0
D
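Added example (not part of the original posts and not Quttera's code): the scan result above flags a long string for "too low entropy". This sketch shows how such a heuristic can be computed over the string literals of a JavaScript file. The function names, thresholds and sample source are assumptions constructed for illustration, and a hit only marks a string for manual review.

```python
import math
import re
from collections import Counter

# Matches single- or double-quoted JS string literals. Simplified on purpose:
# template literals, comments and regex literals are not handled.
STRING_LITERAL = re.compile(r"'((?:[^'\\\n]|\\.)*)'|\"((?:[^\"\\\n]|\\.)*)\"")


def shannon_entropy(text):
    """Shannon entropy of text in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())


def low_entropy_strings(js_source, min_len=64, max_entropy=2.5):
    """Return (length, entropy, preview) for long, highly repetitive literals.

    min_len and max_entropy are assumed thresholds for this example,
    not values taken from any real scanner.
    """
    findings = []
    for match in STRING_LITERAL.finditer(js_source):
        literal = match.group(1) if match.group(1) is not None else match.group(2)
        if len(literal) < min_len:
            continue  # short literals are too noisy to judge
        entropy = shannon_entropy(literal)
        if entropy <= max_entropy:
            findings.append((len(literal), round(entropy, 3), literal[:24]))
    return findings


# Constructed sample: one ordinary message string and one long literal that
# repeats the "=%26" pattern seen in the scan report above.
SAMPLE_JS = (
    "var msg = 'Unable to load the requested module, please check "
    "the network connection and retry';\n"
    "var q = '" + "=%26" * 130 + "';\n"
)

if __name__ == "__main__":
    for length, entropy, preview in low_entropy_strings(SAMPLE_JS):
        print(f"len={length} entropy={entropy} preview={preview!r}")
```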
system
September 10, 2013, 8:08am
4
Hi and thank you for your hints. I have changed the URL in my first post.
I have tried to inform the site owner about the problem, but there has not been any reaction yet.
fl
Pondus
September 10, 2013, 11:13am
5
and avast is always warning me of a JS:HideMe-I (tr) infection on this site.
Website Malware – SPAM Injections – HideMe – KickeMe
blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html
HideMeBetter – SPAM injection Variant
blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html
system
September 10, 2013, 12:09pm
6
ahh, mhhm, and now? what does that mean?
fl
Pondus
September 10, 2013, 12:25pm
7
info about what avast detects … JS:HideMe-I (tr)
By the way, this JavaScript malware is in there two times. (Screenshots)
polonus
September 10, 2013, 5:00pm
9
Hi Pondus,
Make this link non-click-through as avast! Web Shield blocks PHP:Backdoor-BG[Trj] there
http://blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html
Damian
Milos
September 11, 2013, 7:16am
10
Hello,
Avast complains about using certain extensions (such as “sharethis”), which use bad practice (hidden links). Either disable them, or delete the code that hides the links (function dnnViewState() { var a=0,m,v,t,z,x=new Array('9091968376'…)
More info can be found here: http://forum.joomla.org/viewtopic.php?t=795946
Milos