Hi all, I entered a local company’s site and avast! cautioned me of a trojan’s presence.
Repeated attempts at entering their website always trigger the avast alert, and I have read that there are other people reporting this trojan as well.
Any guidance on what I should do next would be awesome.
This company wanted to interview me for some IT support vacancy they had.
Detail: Exploit: Javascript Obfuscation [This web site has JavaScript that has been used to obfuscate known exploit techniques]
Risk Category: Exploit
Description: XPL’s Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends not visiting this web site regardless if your computer has been patched for the vulnerability.
The website administrator must be warned about this to fix the infection…
The alert is still there and the script doesn’t look good to me.
If you scroll way to the right of the closing HTML tag you will see the obfuscated JavaScript script tag (all on that single line), and this is what avast is alerting on. See image, as that is the code; I have broken it down to make it easier to see.
Whilst this is a low hit count, there are very few scanners even looking at this, and when the JavaScript is also obfuscated that makes it even less likely they will find it.
However, based on:
1. the location after the closing HTML tag, a standards no-no, and an IT services company would be expected to comply with standards;
2. the fact that they have positioned it this far to the right so it is effectively out of sight on a normal page view;
3. the fact that they have chosen to place it all on a single line rather than in the conventional script layout, which makes it easy to interpret;
4. and finally the actual obfuscation to hide what the intent is.
Collectively these make me suspicious, and with the detections, that just confirms my suspicions.
I just look at the scroll indicator: if it is a very small bar, there is much more to the right, so I just grab that bar and drag it right to see what is out there.
They also play the same trick of putting multiple blank lines after the closing html tag so it isn’t in view when looking at what is apparently the end of the page source.
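The tells described above (a script tag after the closing HTML tag, pushed far right with whitespace, kept on one line, and obfuscated) can be checked mechanically over a saved page source. The following is an added example, not code from the thread or from avast; the page source it scans is constructed here, and the indent threshold and the list of obfuscation markers are assumptions.

```python
import re

# Constructed sample page source (not from the thread): a normal page, then a script
# tag hidden after </html> behind blank lines and a long run of leading spaces.
SAMPLE_PAGE = (
    "<html><head><title>Acme IT</title></head>\n"
    "<body><p>Welcome</p>\n"
    "<script src=\"/js/menu.js\"></script>\n"
    "</body></html>\n"
    "\n\n\n\n"
    + " " * 300
    + "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));"
    + "String.fromCharCode(119,114,105,116,101);</script>\n"
)

# Assumed obfuscation primitives worth flagging; extend to taste.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")


def find_suspicious_scripts(html, min_indent=80):
    """Return one finding per <script> block that shows any of the tells from the
    thread: placed after the closing </html> tag, pushed right by at least
    `min_indent` characters of whitespace (assumed threshold), or containing
    common obfuscation markers. Each finding carries the line number and why."""
    findings = []
    end_html = html.lower().rfind("</html>")
    for match in re.finditer(r"<script\b[^>]*>.*?</script>", html, re.I | re.S):
        start = match.start()
        line_start = html.rfind("\n", 0, start) + 1
        indent = start - line_start
        body = match.group(0)
        reasons = []
        if end_html != -1 and start > end_html:
            reasons.append("after closing </html> tag")
        if indent >= min_indent:
            reasons.append(f"pushed right by {indent} chars of leading whitespace")
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        if markers:
            reasons.append("obfuscation markers: " + ", ".join(markers))
        if reasons:
            line_no = html.count("\n", 0, start) + 1
            findings.append({"line": line_no, "reasons": reasons, "snippet": body[:60]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"line {f['line']}: {'; '.join(f['reasons'])}\n  {f['snippet']}")
```

Run it against a page saved with "view source" to get the same view the poster gets by dragging the scroll bar, without having to scroll at all.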
Oh my. I wonder if anyone ever nips these malicious codes in the bud. How do I ever find the source that’s spamming it? Or is that a wild goose chase, and should I focus on self-protection first and avoid going to that site ever?
Commonly these code injection hacks are a result of exploitation of vulnerable content management software: PHP, SQL, WordPress, etc.
The only thing you can do is report to the company that the site appears to have been hacked; it may help you later in your interview.
See this example of a host’s response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages, as those are popular targets too.
Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load redirects into them.
Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This, coupled with our server side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
It was the end of a long day for me. But I will be alert to that from now on. A few of the posts above were quick to pick up the miscreant’s ruse, so all cred to them.
I did manage to send off what my PC reported though. So something. And my routine for testing suspect sites is much improved. Thanking you.