I am getting a message from Avast when I try to visit my company website that a “JS:Illredir-W [Trj]” has been found.
Web site: hxxp:\www.triadassoc.net
What does this mean and how do I fix it? I can’t get to the admin page because I get the same message. I can log in through FTP and see what may be a suspicious script at the end of every page, but I delete it and when I view the file it is there again. This is a very simple Joomla site using the goldmambo template. The site was fine a couple of weeks ago.
The company is very small and I have never had a web site hacked before. Please help.
Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
I think we need to contact its webmaster.
Check here how to clean and make a website secure.
That’s the problem. There is no one to contact. There are only two of us with any computer knowledge in a reduced company of 15. I have never had any experience in this area and neither has the other person. I just took the site offline until I can figure out what the heck to do. Looks like it will be a long weekend.
I think you have a bigger problem than just avast alerting, as using Firefox it blocks the site completely as an attack site (safe browsing), see image.
I would normally be happy to have a look at the site using Firefox, but there is no way I would try that with IE.
You may have to contact your Host and see if they can offer any suggestions. Sites are often hacked because some of the content management software is out of date and vulnerable, like Joomla.
The company wanted to make the page inaccessible until we had time to get back to it. I manually renamed the index pages to make the site unavailable. They are named normally now so I can work with them. I have contacted our host company. I will go through and try to make headway on the suggestions here. Thanks to all.
Please do not post the code on the page that is causing the problem (even a part of it), as even that could result in the forum topic causing avast to alert, and no one could access the topic to help.
It is much better to use an image, see example image, please modify your post removing the code.
Also, showing the code in isolation doesn’t help. If it is outside the closing HTML tag it is more suspect, but what should be more suspicious is if you didn’t place it there or don’t know about it.
/*Exception*/ document.write(.....)
try{window.onload=function(){(.....)
The SCRIPT tag above is not present in JavaScript (.js) files.
Well, it is just another type of IFRAMER worm. Once deobfuscated, it loads JavaScript from
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/[POPULAR-DOMAIN-NAMES]/google.com/
This loaded JavaScript then loads an iframe whose src contains the actual payload:
[http][POPULAR-DOMAIN-NAMES].easylifedirect.ru:8080/index.php?ys
Some URLs may also have "thechocolateweb.ru", "tartband.ru", "bestbondsite.ru", "trueworldmedia.ru" or "avattop.ru" in place of "easylifedirect.ru".
The major files infected are:
* JavaScript files (.js)
* index files such as index*.html, index*.htm, index*.php, default*.php, mainframe*.php, application*.php, default*.html, default*.htm, index*.asp (index*.* and default*.*)
The JavaScript code has been changing since the day it was launched, and on another day it was noticed that they had removed tags in the JavaScript files.
The payload hasn't changed much from previous attacks. When one visits a compromised site, the malicious JavaScript loads more JavaScript that contains an iframe tag, which opens another page containing two links. One link goes to a PDF file, which is detected as Trojan-Downloader.JS.a or Trojan-Downloader.JS.b or Trojan-Downloader.JS.c or Trojan-Downloader.JS.d. The other is to a JAR (Java ARchive) file, which is detected as Downloader.
Those two files use the following vulnerabilities to infect the computer with malware:
* Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID 27641)
* Adobe Reader and Acrobat 'newplayer()' JavaScript Method Remote Code Execution Vulnerability (BID 37331)
* Sun Java Runtime Environment and Java Development Kit Multiple Security Vulnerabilities (BID 32608)
The final payload includes malware like Trojan-Downloader.JAVA.Agent.al or Trojan-Downloader.JAVA.Agent.exe or Trojan.Bredolab, Downloader.Fostrem, and Trojan.Zbot, along with security risks such as PrivacyCenter and a number of other misleading applications that may be detected as Trojan.FakeAV. It's important to keep your definition files up-to-date as these files are frequently being updated.
REMOVAL STEPS
1. Block these websites on your firewall or router: "thechocolateweb.ru", "tartband.ru", "bestbondsite.ru", "trueworldmedia.ru", "avattop.ru", "easylifedirect.ru"
2. Update your anti-virus and clean up the infection from your machines, or from whoever is accessing the site via FTP.
3. Change the FTP password from a secure machine which is not infected.
4. Upload the Manual Trojan Code Remover script to your public_html directory.
5. Run the script by calling the PHP file from your browser. It will clean up the files and will also create a backup of the files which are infected (backup files will have the extension .infected.bak).
PRECAUTIONS
1. Block these websites on your firewall and/or router: "thechocolateweb.ru", "tartband.ru", "bestbondsite.ru", "trueworldmedia.ru", "avattop.ru", "easylifedirect.ru"
2. Keep your anti-virus updated.
3. Do not open any suspicious links received on messengers or in emails.
sourcelink: hxtp://possible.in/products-security-updates.php
Do not visit this link, because part of the code can give an alert:
Malicious software includes 4 scripting exploit(s), now 8.
Malicious software was hosted on 1 domain, e.g. newgolfonline.ru/.
This site was hosted on 1 network(s) including AS11798 (BLUEHOST).
General information
Location of this website is France
Report of found threats
Total number: 8
Drive-by downloads
Threats found: 8
Full list below:
Name of threat: 23616
Location: hxtp://mixi-jp.milliyet.com.tr.xnxx-com.newgolfonline.ru:8080/fedex.com/fedex.com/google.com.ly/google.com/ca.gov/
Name of threat: 23616
Location: htxp://google-nl.go.com.news3insider-com.newgolfonline.ru:8080/rakuten.ne.jp/rakuten.ne.jp/sonico.com/google.com/chinaren.com/
Name of threat: 23616
Location: htxp://cams-com.news.com.au.pandora-com.newgolfonline.ru:8080/voila.fr/voila.fr/google.com/careerbuilder.com/acer.com/
Name of threat: 23616
Location: hxtp://booking-com.newgrounds.com.zanox-affiliate-de.newgolfonline.ru:8080/google.com/google.com/marketwatch.com/mercadolivre.com.br/sciencedirect.com/
Name of threat: 23616
Location: hxtp://netflix-com.wunderground.com.classmates-com.newgolfonline.ru:8080/nifty.com/nifty.com/google.com/kaskus.us/narod.ru/
Name of threat: 23616
Location: hxtp://pornbb-org.torrentdownloads.net.cnzz-com.newgolfonline.ru:8080/google.com.tr/google.com.tr/tmz.com/google.com/bbc.co.uk/
Name of threat: 23616
Location: htxp://teacup-com.blogbus.com.articlesbase-com.newgolfonline.ru:8080/google.com/google.com/buy.com/forumcommunity.net/smashingmagazine.com/
Name of threat: 23616
Location: htxp://harrenmedianetwork-com.nicovideo.jp.clicksor-com.newgolfonline.ru:8080/kioskea.net/kioskea.net/google.com/feedburner.com/yoka.com/
Enough to shun this malcode drive-by-download obfuscated script, I guess,
polonus
Ensure that you have the latest version of PHP in use for the site; it may be provided by the host or by yourself. Whoever is responsible for its provision, it needs to be the latest version, as old versions may be vulnerable to exploit.
As I went through, I found it had invaded every single folder. I have gotten it cleaned up. I re-submitted to google and they cleared the suspicious rating. I am now trying to backup and update everything. I will look into the PHP as well. Thanks for the links and information.
Again, a recap of the information from a previous link by Sze Yen (Malaysia) on removal of the trojan:
For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:
* Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
* Files named home or have the word home in them. E.g. home.html, homepage.htm
* Files named main or have the word main in them. E.g. main.html, main_page.htm
* Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
* Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
* All javascript files with the .js extension. E.g. javascript.js, functions.js
All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.
While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.
I think that there are some scripts available for you to download and use on your server so that it will automatically scan and remove the code from all affected files, but I didn’t look for them because some of the other users warned that the files themselves have the virus in them. It’s tedious to remove the codes one by one, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily detected which files were modified, and I either removed the code manually or I reuploaded my local copy onto the server. It’s tedious, but I know it works.
If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.
One more thing I’d like to add: Don’t expect your webhosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the webhosting providers that my different websites reside on to ask them to check how this could have happened, and to also ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this by a company whom I bought several packages from, ALL of which had been attacked,
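The cleanup described in the REMOVAL STEPS earlier in the thread and in Sze Yen's recap above (find the commonly affected files by name and last-modified date, strip the appended block, keep a copy of the infected original) can be scripted so you do not have to open every file by hand. What follows is an added example written for this thread, not the linked "Manual Trojan Code Remover" and not code posted by anyone here. It assumes the injection is a script element appended after a page's closing </html> tag (the thread notes code outside the closing HTML tag is the suspect part) or, in .js files, a trailing block beginning with one of the fragments quoted earlier; the file-name patterns come from the lists in the thread, the cut-off date is the one from Sze Yen's recap, and the web root it scans is a constructed throwaway directory.

```python
"""Find and strip an appended script injection across a web root (added example).
Assumptions, constructed for the demo: the injection is a <script> element after a
page's closing </html> tag, or in a .js file a trailing block starting with one of
the fragments quoted in the thread; originals are kept as <name>.infected.bak."""
import fnmatch
import os
import re
import shutil
import tempfile
from datetime import datetime, timezone

# Name patterns of the files the thread lists as most often modified.
NAME_PATTERNS = ("index*.*", "default*.*", "main*.*", "home*.*", "header*.*", "footer*.*", "*.js")
TEXT_EXTS = (".html", ".htm", ".php", ".asp", ".inc", ".js")   # skip images, archives
# A <script> element that follows </html> and runs to end of file.
HTML_TRAILER = re.compile(r"</html>(\s*<script\b.*?</script>\s*)\Z", re.IGNORECASE | re.DOTALL)
# Opening fragments of the appended JS as quoted in the thread (a tunable assumption).
JS_SIGNATURES = ("/*Exception*/", "try{window.onload=function(){")

def matches_name(path):
    """True when the file name matches one of the commonly affected patterns."""
    name = os.path.basename(path).lower()
    return any(fnmatch.fnmatch(name, p) for p in NAME_PATTERNS)

def split_injection(text, is_js):
    """Return (clean_text, injected_text), or None when nothing suspicious is found."""
    if is_js:
        for sig in JS_SIGNATURES:
            pos = text.rfind(sig)  # the block is appended, so search from the end
            if pos != -1:
                return text[:pos].rstrip() + "\n", text[pos:]
        return None
    m = HTML_TRAILER.search(text)
    return (text[:m.start(1)].rstrip() + "\n", m.group(1)) if m else None

def scan(root, since):
    """List (path, injected_text, name_matched) for text files modified after `since`."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if not fn.lower().endswith(TEXT_EXTS) or os.path.getmtime(path) < since.timestamp():
                continue
            with open(path, encoding="utf-8", errors="replace") as f:
                hit = split_injection(f.read(), fn.lower().endswith(".js"))
            if hit:
                findings.append((path, hit[1], matches_name(path)))
    return findings

def clean(root, since):
    """Strip the injected block from every finding, keeping the original as .infected.bak."""
    cleaned = []
    for path, _, _ in scan(root, since):
        with open(path, encoding="utf-8", errors="replace") as f:
            clean_text, _ = split_injection(f.read(), path.lower().endswith(".js"))
        shutil.copy2(path, path + ".infected.bak")  # back up before touching the file
        with open(path, "w", encoding="utf-8") as f:
            f.write(clean_text)
        cleaned.append(path)
    return cleaned

def build_demo_site():
    """Create a throwaway web root with constructed clean and tampered files."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "sub"))
    files = {
        "index.html": "<html><body>clean page</body></html>\n",
        "index.php": "<html><body>home</body></html>\n<script>/* constructed stand-in */</script>\n",
        "sub/functions.js": "function a(){return 1;}\n/*Exception*/ var demo_injection = 1;\n",
        "sub/contact.html": "<html><body>contact</body></html>\n<script>/* constructed */</script>\n",
        "logo.png": "not a text file, never opened\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(body)
    return root

def run_demo():
    """Scan, clean and re-scan the demo site; return a summary of what happened."""
    root = build_demo_site()
    since = datetime(2009, 12, 24, tzinfo=timezone.utc)  # the date in Sze Yen's recap
    found = scan(root, since)
    cleaned = clean(root, since)
    with open(os.path.join(root, "index.php"), encoding="utf-8") as f:
        index_after = f.read()
    return {
        "found": sorted(os.path.basename(p) for p, _, _ in found),
        "flagged_by_name": sorted(os.path.basename(p) for p, _, nm in found if nm),
        "cleaned": len(cleaned),
        "remaining": len(scan(root, since)),
        "index_php_after": index_after,
        "backup_exists": os.path.exists(os.path.join(root, "index.php.infected.bak")),
    }

if __name__ == "__main__":
    print(run_demo())
```

Run scan() first and review the list before calling clean(): the name patterns only rank findings, every text file changed after the cut-off is examined, because the original poster saw the block on every page. The .infected.bak copies let you diff against a clean local copy, which is what Sze Yen did by hand. Cleaning files alone will not hold if the files keep coming back, as the original poster reported; that is why the thread's steps put disinfecting the workstation that uses FTP and changing the FTP password before the file cleanup.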