Infection: JS: Iframe-XJ [Trj]

Hi all.
Suddenly, three of my Joomla-based sites are blocked by Avast, which tells me: “avast! Prevented you from visiting an infected page”
The infection that I detect is:
URL: http://www.miosito.com/index.php | {gzip}
Process: C:\Program Files (x86)\Mozilla Firefox\f…
Infection: JS: Iframe-XJ [Trj]

Has this ever happened to anyone else? What is it? How can we make sure the site is no longer blocked? Is it a false positive? :frowning:
Please help!
I also tried to crawl the URL with VirusTotal, but I do not find any virus or infection :frowning:

Content after the </html> tag should be considered suspicious.

440: <!-- 20130104172010 -->

polonus

I have the same problem with my Joomla sites… currently on Joomla 1.5.

I guess it's an iframe hack on Joomla :-(.

And what is the URL?
Post it non-clickable… http as hxxp and www as wxw.

htxp://wxw.radialcrush.com

I have two more with the same problem…

Sucuri SiteCheck tells me…

Known javascript malware.
Details: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v49

And the infected files :frowning:

urlQuery: http://urlquery.net/report.php?id=604786

Yep, infected… so not an avast problem.

Any idea how I can remove the malware?

You can ask Sucuri to help you: http://sucuri.net/signup. It is not free.

I will PM a guy that is good at this; he may have some idea.

Would be nice… if you can find somebody who can help me, it will not be for free.

but sucuri.net is too expensive.

In all honesty $89.99 for a year is very cheap in regard to cleaning a site and having: Website Integrity Monitoring; Manual Website Scanning; Blacklist Removal, etc. But that is for one site; with multiple sites it does become more expensive: $189.99 for 2-5 sites.

I have seen services like this charging considerably more.

Well, the price for one site is ok, but I got 3 sites infected with Joomla 1.5.
Luckily all my sites with Joomla 2.5 are not infected.

Howdy selon,

I give you an indication of what might be wrong there, and that is all for free, as we are all here on avast as volunteers to help each other out with malcode. Welcome to the avast webforum community!
I ran all through redleg's fileviewer, and then we get to the following issues. I also considered the IDS snort http_inspect alert urlquery.net provided for us.
Well, it is obfuscated script in the header buffer that will give this IDS alert. It is within the HTTP server response, so it is a server misconfiguration attack with Blackhole landing redirection as a result. What can be seen from the code Redleg gives as suspicious: document create element, document body and what follows; all on line 47 is malcode. Mind the malicious spacing here:

try{window.docum ent.body++ 

That was intentional, and repeated: content after the </html> tag should be considered suspicious. Reinstall PHP: probably the majority of infected files are index.htm and index.php; then ucp_main.php and mcp_main.php etc. can be infected by the virus landing attack. The template folder might be infected also. Upgrade and harden the website server software… The hack was performed through your hosting server, so you should take that up with them!

polonus

P.S. About the attack read: htxp://malwaremustdie.blogspot.com/2012/11/plugindetect-079-payloads-of-blackhole.html
link article author = unixfreaxjp
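A defender-side check for the signs polonus describes above (content after `</html>`, an iframe created from script, deliberately split identifiers such as `docum ent`, a timestamp comment after the closing tag), as an added Python example that is not code from this thread. The sample file contents are constructed, and the file names scanned are assumed Joomla defaults.

```python
import re
from pathlib import Path

# Constructed sample: a Joomla index.php with an injected block after </html>,
# patterned on the thread's description (not taken from a real infected site).
SAMPLE_INFECTED = (
    "<html><body><h1>My Joomla site</h1></body></html>\n"
    "<!-- 20130104172010 -->\n"
    "<script>try{window.docum ent.body++}catch(e){"
    "var q=document.createElement('iframe');q.src='http://example.invalid/';"
    "document.body.appendChild(q);}</script>\n"
)
SAMPLE_CLEAN = "<html><body><h1>My Joomla site</h1></body></html>\n"

# Indicators taken from the analysis in the thread.
SUSPICIOUS = [
    ("createElement+iframe", re.compile(r"createElement\s*\(\s*['\"]iframe", re.I)),
    ("split-identifier", re.compile(r"\bdocum\s+ent\b|\bwin\s+dow\b", re.I)),
    ("timestamp-comment", re.compile(r"<!--\s*\d{14}\s*-->")),
]


def scan_html(text):
    """Return a list of finding names for one file's content (empty if clean)."""
    findings = []
    m = re.search(r"</html\s*>", text, re.I)
    if m:
        tail = text[m.end():].strip()
        if tail:
            # Anything after the closing tag is suspicious, per the thread.
            findings.append("content after </html>: %d bytes" % len(tail))
    for name, pattern in SUSPICIOUS:
        if pattern.search(text):
            findings.append(name)
    return findings


def scan_tree(root, names=("index.php", "index.htm", "index.html")):
    """Walk a webroot and return {path: findings} for every flagged file."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in names:
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            hits = scan_html(text)
            if hits:
                report[str(path)] = hits
    return report
```

Run `scan_tree("/path/to/webroot")` against a copy of the site; files in `templates/` and `media/` are covered by the walk, so pass the site root rather than a single directory.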

Hi selon,

I do not use Joomla but I will try to provide useful feedback.

I suggest looking for abnormal code on the FTP index.php and scanning the /templates and /media folders with avast for other potential suspects to examine.

As Polonus states, it would be helpful for you to update your software.
~!Donovan

My website just got hit with this also.

Is this an issue of the host server being infected, or someone figured out ftp account passwords and is uploading the infected code?

Thanks,
Ddraig

Got this infection warning when I visit televisionwithoutpity.com

Now when visiting the site on either my laptop (Win 7) or desktop (Win XP), instead of displaying the site it goes to Google. Am I infected?

Hi Iscobee,

When avast! alerted “JS: Iframe-XJ [Trj]”, avast! blocked the infection. In other words, you were not infected from the site.

If you would like to see what exactly avast! blocked: http://urlquery.net/report.php?id=964325

Regards,
~!Donovan

Also being detected here: http://www.avgthreatlabs.com/sitereports/domain/televisionwithoutpity.com/
But nothing here: https://www.virustotal.com/url/e364660e69c72e5ec4b63421d44da053707718d3829775cea86842ebd78a3195/analysis/
But flagged here: http://zulu.zscaler.com/submission/show/d102ddc4868bf70455a49c0fb49c1d93-1360364604
Malicious script given: htxp://api.anaIytics.com/googleapi.js
content could have been removed →

<h1 style='color:#497A97;font-size:12pt;font-weight:bold'>404 - Not Found

see: http://zulu.zscaler.com/submission/show/a316c9a6fe9f1c163d2fe28949dbfe1a-1360364624
Also see: http://www.google.com/safebrowsing/diagnostic?site=http://api.anaIytics.com/googleapi.js
& http://urlquery.net/queued.php?id=12962374 (IP riddled with malware domains -> 98.139.135.21)
description of the attack: http://www.stopthehacker.com/2011/11/07/oscommerce-hacks/

polonus

Thanks! Is it safe to assume the site knows about it?

Hi Iscobee,

I think they host malware purposely. See: http://www.google.com/safebrowsing/diagnostic?site=http://televisionwithoutpity.com
If you look closely, you’ll see the “anaiytics.com” site Polonus mentioned.

The site’s acronym doesn’t receive positive feedback either: http://www.urbandictionary.com/define.php?term=TWoP

As of now, the site is blacklisted by both Firefox and Chrome, so I would assume that this site is purposely distributing malware.

~!Donovan