Is my web site infected or is it a False Positive

I called Godaddy.com today after receiving an avast! Warning that my site (I replaced the T’s with X’s):

hXXp://kingtoss.com

was infected with JS:Illredir-AQ [Trj]

Godaddy.com says that the site is not infected and that this is a false positive. Is there a way to verify this?

Thanks in advance.

Hi Kingtosser, welcome to the forum :slight_smile:

It looks like this is a genuine detection, there is an obfuscated script at the end of the page, outside of the html block that is causing avast! to alert.

http://www.UnmaskParasites.com/security-report/?page=kingtoss.com
http://www.virustotal.com/url-scan/report.html?id=d61870cf888d5bab31e18948463b233c-1281541188

http://www.virustotal.com/file-scan/report.html?id=9d136ddbaa17cee7810f064f2ca39849a05f91e03244d7d440a000f8ab56eaf0-1281548391

From the last link, you can see that it is not only avast! that detects this.

Apparently, GoDaddy need to look into their security departments or whatever they have for this… :slight_smile:

Thanks. I have no idea what that is, but I will delete it and see if it clears up the problem.

You’re welcome :slight_smile:

Good luck.

My avast! software will not let me FTP the file down to be fixed. I’ll have to try to do it another way.

Do you have a backup copy that is clean?

Maybe you could re-upload it?

You could also try to get GoDaddy to help you remove that script?

I have a backup copy on a different computer. I’ll give that a shot.

I noticed that there is a “JS” folder on the web site that includes a lot of files with the same date as the page that has the infected script. I didn’t make any changes to the web site on that date. I may delete that folder as well.

Do you have an example of the files in the JS folder? (remember hXXp ;))

If they shouldn’t be there (or weren’t put there by you as part of the site) then they are worth investigating.

This is what the “js” folder contains:

hXXp://www.kingtoss.com/js/ajax-dynamic-content.js
hXXp://www.kingtoss.com/js/animatedcollapse.js
hXXp://www.kingtoss.com/js/ddaccordion.js
hXXp://www.kingtoss.com/js/dynamic.js
hXXp://www.kingtoss.com/js/jquery-1.2.2.pack.js
hXXp://www.kingtoss.com/js/jquery-1.2.3.js
hXXp://www.kingtoss.com/js/jquery-1.2.6.pack.js
hXXp://www.kingtoss.com/js/jquery.cycle.lite.js
hXXp://www.kingtoss.com/js/popup1.js

It would appear that, at minimum, they have been added to… It seems as though the same script is in the js files…

They look as though they may be used in the functioning of the site, so you will need to remove the script from all of the js files.

I would check all other pages on the site as well.

Will do. I sincerely appreciate your help with this.

Just a follow up. I had to get the developer of the web site to “scrub” the malicious script out of the web site. Godaddy.com was less than helpful. The Tech Support person with whom I spoke said there had been an incident (he originally used the word “outbreak” but immediately corrected himself and said it was contained quickly) where malicious code had been injected into some web sites Godaddy.com hosted. He said he was 100% certain that my site was not affected, but could not give any reason for his conclusion. In any event, the malicious script was present in the index.html file of every web site on my hosting account. Some of those sites had not been updated in more than three years. So I have no idea how the script may have been injected into my web sites. But they appear to be gone now. Thanks again for your assistance.
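The cleanup described in this thread (a script appended after the closing html tag of every index.html, plus tampered files in the js folder) can be checked for mechanically. The following audit script is an added example, not something posted in the thread or provided by avast! or GoDaddy; it assumes you have a known-clean backup tree to compare against and builds a small constructed sample tree to run on.

```python
import os
import re
import hashlib
import tempfile

# Anything after the closing </html> tag (case-insensitive, may span lines).
TRAILING_RE = re.compile(r"</html>(.*)\Z", re.IGNORECASE | re.DOTALL)

def trailing_script(html_text):
    """Return content appended after </html> if it holds a <script> tag, else None."""
    m = TRAILING_RE.search(html_text)
    if not m:
        return None
    tail = m.group(1).strip()
    return tail if "<script" in tail.lower() else None

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit(live_root, backup_root):
    """Walk the live web root: flag HTML pages with a script after </html>, and
    .html/.js files that differ from, or are absent in, the clean backup."""
    findings = []
    for dirpath, _, files in os.walk(live_root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            live = os.path.join(dirpath, name)
            rel = os.path.relpath(live, live_root).replace(os.sep, "/")
            if name.lower().endswith((".html", ".htm")):
                with open(live, encoding="utf-8", errors="replace") as fh:
                    if trailing_script(fh.read()):
                        findings.append((rel, "script after </html>"))
            backup = os.path.join(backup_root, rel)
            if not os.path.exists(backup):
                findings.append((rel, "not in backup"))
            elif sha256_file(live) != sha256_file(backup):
                findings.append((rel, "differs from backup"))
    return sorted(findings)

def demo():
    """Constructed sample: clean backup; live copy with an appended script in
    index.html and an extra line in js/dynamic.js (hypothetical tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = os.path.join(tmp, "live"), os.path.join(tmp, "backup")
        for root in (live, backup):
            os.makedirs(os.path.join(root, "js"))
            with open(os.path.join(root, "index.html"), "w") as fh:
                fh.write("<html><body>Home</body></html>\n")
            with open(os.path.join(root, "js", "dynamic.js"), "w") as fh:
                fh.write("function show(){}\n")
        with open(os.path.join(live, "index.html"), "a") as fh:
            fh.write("<script>eval('')</script>\n")
        with open(os.path.join(live, "js", "dynamic.js"), "a") as fh:
            fh.write("document.write('x');\n")
        return audit(live, backup)
```

Run `audit(live_root, backup_root)` against a downloaded copy of the hosting account and the clean backup; every reported path should be restored from the backup, not just the page the scanner alerted on.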

Hi Kingtosser :slight_smile:

You’re welcome

I am glad that you have managed to sort it out, and it seems to have worked. I can now browse the site without alerts.

That is what is done when sites are hacked…more often than not, many people only notice the one page, and miss the others…so they inject the code into all pages they can…

I would be questioning someone at GoDaddy as to why this so-called ‘Tech Support’ person was 100% sure that your site wasn’t infected when in fact he was 100% wrong.

Hopefully events like this will prove to some people that even legitimate sites, with no malicious intentions at all, can be hacked and be made malicious…overnight…

Kudos to you and the developer for investigating and your persistence :slight_smile:

-Scott-

You only need to do a forum search on the Viruses and Worms sub-forum for GoDaddy to see just how many infected/hacked sites were hosted at GoDaddy.

Whilst GoDaddy must have a huge number of hosted sites, what seems common in all such incidents, when reported, is their support staff’s initial denial of any problem at all on their part. Even now they have admitted, after you gave proof, that there was an outbreak/incident, yet they still say they don’t believe it affected your site.

If that were my host that I was paying good money for I would be looking for another host that provided better support.

Hi Kingtosser,

The site seems to be clean now: http://www.urlvoid.com/scan/kingtoss.com
The mentioned malscript has not been found there.

polonus