JS:Decode-AVX[Trj]

this is what I see when I try to log in on the site of wxw.circleofthemoon.net

Is this a worm/trojan/virus, and what does it do? Please inform me so I can warn other people who are trying to log in.

As the suffix [Trj] says, a JavaScript trojan.

sucuri. http://sitecheck.sucuri.net/results/www.circleofthemoon.net/

Security report http://www.UnmaskParasites.com/security-report/?page=www.circleofthemoon.net

quttera. http://quttera.com/detailed_report/www.circleofthemoon.net

urlquery… see the Snort report. http://urlquery.net/report.php?id=3980634

Site is engaged in sending spam, untrustworthy web reputation status →
http://www.mywot.com/en/scorecard/urlm.co?utm_source=addon&utm_content=popup-donuts
See: http://zulu.zscaler.com/submission/show/b4f2c15ecf896be946921d8abbbdfd94-1374674337
avast! Web Shield also flags this trojan, JS:Iframe-CSU[Trj], here: http://urlquery.net/report.php?id=3979670
Site has insecure Joomla software: Joomla version 1.6.x for: htxp://www.circleofthemoon.net//language/en-GB/en-GB.ini
Joomla version outdated: upgrade required. Therefore the site was also hacked back in 2010: http://www.zone-h.org/mirror/id/10506661
So something is wrong with this site's security management, alas.

polonus

Thank you!! I will pass it on.

edit: the quttera was blocked with the same warning.

edit: the quttera was blocked with the same warning.
Probably because the code avast detects on that site is also on display in the Quttera report.

ah thanks… ;D

The Snort IDS alert 120 boils down to:

Alerts
======

HTTP Inspect uses generator IDs 119 and 120. HTTP Inspect can generate the
following alerts under generator ID 119:

SID Description


1 ASCII encoding
2 Double decoding attack
3 U encoding
4 Bare byte Unicode encoding
5 Base36 encoding # Deprecated in Snort 2.9.1
6 UTF-8 encoding
7 IIS Unicode codepoint encoding
8 multi-slash encoding
9 IIS backslash evasion
10 self-directory traversal
11 directory traversal
12 Apache whitespace (tab)
13 Non-RFC HTTP delimiter
14 Non-RFC defined char
15 Oversize request-URI directory
16 Oversize chunk encoding
17 Unauthorized proxy use detected
18 Webroot directory traversal
19 Long header
20 Max headers
21 Multiple Content-Length headers
22 Chunk size mismatch
23 Invalid True-IP/XFF Original Client IP
24 Multiple Host headers
25 Hostname exceeds 255 characters
27 Chunked encoding - excessive consecutive small chunks
28 Unbounded POST (without Content-Length or Transfer-Encoding: chunked)
29 multiple true IPs in a session
30 both true_client_ip and XFF hdrs present
31 unknown method
32 simple request (HTTP/0.9)

The following alert is generated with generator ID 120:

SID Description


1 Anomalous HTTP server on undefined HTTP port
2 Invalid HTTP response status code
3 No Content-Length or Transfer-Encoding in HTTP response
4 UTF Normalization failure
5 HTTP response has UTF-7 charset
6 HTTP response gzip decompression failed
7 Chunked encoding - excessive consecutive small chunks
8 Invalid Content-Length or chunk size in request or response
9 Javascript obfuscation levels exceeds 1
10 Javascript consecutive whitespaces exceeds max allowed
11 Multiple encodings within Javascript obfuscated data

SID 10 is the one we can pinpoint here!

info credits go to PioneerAxon on http_inspect rules by Daniel Roelker from Snort-ML.

polonus
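To make the two generator-120 JavaScript alerts above concrete, here is a small Python model of what http_inspect's JavaScript normalizer checks when it raises 120:9 (obfuscation levels exceeds 1) and 120:10 (consecutive whitespaces exceeds max allowed). This is an added illustration, not Snort code and not anything from the thread: the script bodies, the threshold name and the "obfuscation level" counting (nesting depth of unescape/decodeURI/String.fromCharCode calls) are simplifying assumptions of mine; the only value taken from Snort itself is the default max_javascript_whitespaces of 200. The sample HTTP response below is constructed for the example, not captured from the site discussed.

```python
"""Toy model of Snort http_inspect alerts 120:9 and 120:10 (added example).

Assumptions (not Snort's real implementation):
- "obfuscation level" = nesting depth of decoder calls such as
  unescape(unescape(...)); Snort counts the decode passes its
  normalizer has to make, which this approximates.
- parentheses inside string literals are not special-cased, so a ')'
  in a string can throw the depth count off; good enough for a demo.
"""
import re

# Snort default for max_javascript_whitespaces
MAX_JS_WHITESPACES = 200

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
WS_RUN_RE = re.compile(r"\s+")
# Decoder calls whose nesting we treat as one obfuscation level each (assumption)
DECODER_RE = re.compile(r"\b(unescape|decodeURIComponent|decodeURI|String\.fromCharCode)\s*\(")


def script_bodies(html):
    """Return the text of every <script>...</script> block in a response body."""
    return SCRIPT_RE.findall(html)


def longest_whitespace_run(js):
    """Length of the longest run of consecutive whitespace characters (for 120:10)."""
    return max((len(m.group(0)) for m in WS_RUN_RE.finditer(js)), default=0)


def obfuscation_levels(js):
    """Maximum nesting depth of decoder calls (for 120:9)."""
    depth = 0            # current parenthesis depth
    decoder_depths = []  # paren depths at which a decoder call is currently open
    max_levels = 0
    i = 0
    while i < len(js):
        m = DECODER_RE.match(js, i)
        if m:
            # the match consumed the call's opening '(' as well
            depth += 1
            decoder_depths.append(depth)
            max_levels = max(max_levels, len(decoder_depths))
            i = m.end()
            continue
        c = js[i]
        if c == "(":
            depth += 1
        elif c == ")":
            if decoder_depths and decoder_depths[-1] == depth:
                decoder_depths.pop()
            depth -= 1
        i += 1
    return max_levels


def inspect_response(html, max_ws=MAX_JS_WHITESPACES):
    """Return (gid, sid, script_index) tuples for every alert the model would raise."""
    alerts = []
    for n, body in enumerate(script_bodies(html), 1):
        if obfuscation_levels(body) > 1:
            alerts.append((120, 9, n))
        if longest_whitespace_run(body) > max_ws:
            alerts.append((120, 10, n))
    return alerts


# Constructed sample: one benign script, then a doubly-unescaped eval padded
# with 250 spaces, which trips both checks.
SAMPLE_RESPONSE = (
    "<html><head><script>var site = 'example';</script></head>"
    '<body><script type="text/javascript">'
    "eval(unescape(unescape('%2541')))"
    + " " * 250
    + "</script></body></html>"
)

if __name__ == "__main__":
    for gid, sid, idx in inspect_response(SAMPLE_RESPONSE):
        print(f"[{gid}:{sid}] raised on script block #{idx}")
```

Run it as-is and the padded second script block raises both 120:9 and 120:10 while the first, plain block raises nothing; lowering max_ws (or trimming the padding) shows how the whitespace alert is purely a threshold on run length, which is why heavily space-padded obfuscators trip it so reliably.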