Help removing JS:Illredir-I [Trj]

Does anyone know how to remove this off a website/server? What is this? Friend needs help with this.

File Name: http://www.crumrinephotography.com/ordering/

File Name: http://crumrinephotography.com/index2.html

File Name: http://www.crumrinephotography.com/senior/

Malware Name: JS:Illredir-I [Trj]

Malware Type: Trojan Horse

VPS Version: 100210-0, 02/10/2010

This one hxxp://crumrinephotography.com/index2.html

Is Blocked by Malwarebytes IP block

IP 91.121.7.26 http://hosts-file.net/default.asp?s=91.121.7.26
IP 91.121.108.53 http://hosts-file.net/default.asp?s=91.121.108.53
IP 91.121.24.139 http://hosts-file.net/default.asp?s=91.121.24.139

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=crumrinephotography.com/index2.html

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.crumrinephotography.com/senior/

What does that mean? I’m not all that tech savvy. Any help on how to remove this would be greatly appreciated!

When Malwarebytes is blocking an IP, it means that there are bad things on those websites.

I can send Polonus a PM; he is the one who can give the technical details on this.
Check back tomorrow.

This one is from the /senior/ link and there is a big chunk of obfuscated script after the closing HTML tag, a standards no-no and highly suspect. It is all on one line; see the image where I have broken the single line to make it easier to see.

avast isn’t the only scanner to find that suspect, http://www.virustotal.com/analisis/92af7fe9112bc73763f4ca90d81bf11f96636991726ed7e0b2d33a09f8022709-1265848393

I would suggest that the other infections if they are for the same malware name are the same.

Obviously I get a MySQL error trying to go to the ordering link, as I'm sure this would require that you arrive there from another location with parameters.

hxxp://crumrinephotography.com/index2.html contains yet another window.onload infection, this one going to hxxp://torrentdownloads-net.fixya.com.accuweather-com.thelifetag.ru:8080/google.com.ng/google.com.ng/google.com/pcpop.com/rincondelvago.com/ .
Tell your friend to get rid of the entire embed.js file, the script tag referencing it, and line 49 of index2.html (it’s the last script tag on the page).

hxxp://crumrinephotography.com/senior has the same problem, the same infection, and the same Russian endsite.
Tell your friend to get rid of the entire embed.js file, the script tag referencing it, and line 34 of senior (it’s the last script tag on the page).

I can’t get access to hxxp://www.crumrinephotography.com/ordering/, but it probably has the same infection and the same resolution.

Hi weswoe,

There is a huge block of obfuscated JavaScript after the closing HTML tag, a standards no-no, so it is highly unlikely that it is there by design.

Info on this detection for certain JavaScript contained within Web pages:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan:JS/Redirector.BF
What was found on the website (please make the links you gave non-clickable, like with wXw or htxp):
Suspicious Inline Scripts

Is there any good reason for this script to be outside of … block?

var k;if(k!='' && k!='_'){k=null}-----;var p=document;-----var g='s2c2rSiBp2t2'.replace^^(/[2S\.bB]/g, '');var... 

(malcode 'broken" by me, pol)
Suspicious script outside tag: stack smasher code, just like that used with JS.Bulered. This is commonly down to old content management software being vulnerable; see this example of a HOSTs response to a hacked site… MS comes up with these sites the malcode Trojan may redirect to:
livejournal-com.qip.ru.6-cn.theaworld.ru:8080/rapid4me.com/rapid4me.com/orbitdownloader.com/clickbank.com/google.com/
xnxx-com.nu.nl.w3-org.goldgolfbag.ru:8080/weebly.com/weebly.com/laredoute.fr/google.com/rincondelvago.com/
sciencedirect-com.lequipe.fr.gamestop-com.superore.ru:8080/verycd.com/verycd.com/google.com/zaobao.com/rakuten.co.jp/

Tips for Cleaning & Securing Your Website: http://www.stopbadware.org/home/security
Remove the malicious code from your phpBB.

polonus
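The two symptoms the replies above point at (a script block appended after the closing HTML tag, and string literals that are "cleaned" with a `.replace(/[...]/g, '')` trick to hide keywords such as `script`) can be checked for mechanically before hand-editing index2.html or senior. The following is an added example, not code from this thread or from any of the tools named in it; it runs over a constructed sample page modelled on the fragment polonus quoted, not on the live site.

```python
import re

# Constructed sample page: a legitimate script inside <body>, then an injected
# block after </html> (constructed, modelled on the pattern quoted in the thread).
SAMPLE_HTML = """<html><head><title>Gallery</title></head>
<body><script src="gallery.js"></script></body></html>
<script>var k;if(k!='' && k!='_'){k=null};var p=document;var g='s2c2rSiBp2t2'.replace(/[2S\\.bB]/g, '');</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Matches 'literal'.replace(/[charset]/g, '') as used to rebuild hidden keywords
REPLACE_RE = re.compile(r"'([^']*)'\s*\.replace\(\s*/\[([^\]]*)\]/g\s*,\s*''\s*\)")


def scripts_after_html_close(html):
    """Return the bodies of <script> blocks that sit after the closing </html> tag."""
    m = re.search(r"</html\s*>", html, re.I)
    if not m:
        return []
    tail = html[m.end():]
    return [body.strip() for body in SCRIPT_RE.findall(tail)]


def decode_replace_literals(js):
    """Resolve each 'literal'.replace(/[set]/g, '') to the string it builds."""
    decoded = []
    for literal, charset in REPLACE_RE.findall(js):
        drop = set(re.sub(r"\\(.)", r"\1", charset))  # unescape \. and friends
        decoded.append("".join(ch for ch in literal if ch not in drop))
    return decoded


def scan_page(html):
    """List trailing scripts together with the keywords their obfuscation hides."""
    return [
        {"script": body[:60], "decoded": decode_replace_literals(body)}
        for body in scripts_after_html_close(html)
    ]


if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print("script after </html>:", finding["script"], "...")
        print("hidden keywords:", finding["decoded"])
```

Run it against a saved copy of each affected page; a script block after `</html>` that decodes to `script` or similar is the material to remove, together with the embed.js reference the earlier reply describes.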