Hi all.
Suddenly, three of my sites based on Joomla are blocked by Avast because it tells me that: “avast! Prevented you from visiting an infected page”
The infection that I detect is:
URL: http://www.miosito.com/index.php | {gzip}
Process: C:\Program Files (x86)\Mozilla Firefox\f …
Infection: JS:Iframe-XJ [Trj]
Has this ever happened to anyone else? What is it? How can we ensure that the site is no longer blocked? Is it a false positive?
Please help!
I also tried to crawl the URL with VirusTotal, but I do not get any virus or infection.
In all honesty, $89.99 for a year is very cheap in regard to cleaning a site and having: Website Integrity Monitoring; Manual Website Scanning; Blacklist Removal, etc. But that is for one site; with multiple sites it does become more expensive: $189.99 for 2-5 sites.
I have seen services like this charging considerably more.
I give you an indication of what might be wrong there, and that is all for free, as we are all volunteers here on avast helping each other out with malcode. Welcome to the avast webforum community!
Run all through Redleg’s fileviewer. And then we get to the following issues. Also considered: the IDS snort http inspect alert urlquery.net provided for us.
Well, it is an obfuscated script in the header buffer that will give this IDS alert. It is with the HTTP server response, so it is a server misconfiguration attack with Blackhole landing redirection as a result. What can be seen from the code Redleg gives as suspicious: document create element document body and what follows: all on line 47 is malcode. Mind the malicious spacing here:
try{window.docum ent.body++
That was intentional, and repeated content after the </html> tag should be considered suspicious. Reinstall php: probably the majority of infected files are index.htm and index.php, then ucp_main.php and mcp_main.php etc. can be infected by the virus landing attack. The template folder might be infected also. Upgrade and harden website server software… The hack was performed through your hosting server, so you should take that up with them!
polonus
P.S. About the attack read: htxp://malwaremustdie.blogspot.com/2012/11/plugindetect-079-payloads-of-blackhole.html
link article author = unixfreaxjp
I do not use Joomla but I will try to provide useful feedback.
I suggest looking for abnormal code on the FTP index.php and scanning the /templates and /media folders with avast for other potential suspects to examine.
As Polonus states, it would be helpful for you to update your software.
~!Donovan
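
The file checks suggested in this thread (content after the closing </html> tag, the deliberately spaced try{window.docum ent.body++ fragment, and looking through index.php and the template folders) can be scripted. The following Python is an added example, not code from any poster or from avast; the regexes, function names and the sample files it writes to a temporary directory are constructed assumptions.

```python
import os
import re
import tempfile

def spaced(token):
    """Regex for `token` that tolerates whitespace between any two characters."""
    return r"\s*".join(re.escape(c) for c in token)

# Indicators named in the thread; the regex forms are this example's assumption.
CLOSE_HTML = re.compile(r"<\s*/\s*html\s*>", re.I)
SPACED_BODY = re.compile(spaced("window.document.body++"), re.I)

def check_text(text):
    """Return the findings for one file's contents (empty list = nothing found)."""
    findings = []
    closes = list(CLOSE_HTML.finditer(text))
    # Anything other than whitespace after the LAST closing tag is suspicious.
    if closes and text[closes[-1].end():].strip():
        findings.append("content after </html>")
    if SPACED_BODY.search(text):
        findings.append("try{window.document.body++ pattern")
    return findings

def scan_tree(root, exts=(".php", ".htm", ".html", ".js")):
    """Walk a local copy of the site and map relative path -> findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = check_text(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report

def demo():
    """Scan two constructed sample files: one tampered, one clean."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "templates"))
        samples = {
            "index.php": "<html><body>ok</body></html>\n"
                         "<script>try{window.docum ent.body++}catch(e){}</script>\n",
            os.path.join("templates", "index.php"): "<html><body>clean</body></html>\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(path, hits)
```

Run it against a downloaded copy of the site rather than the live server, and compare anything it flags with a clean copy of the same file from the original installation package.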