JS:iframe-EPM [Trj]

Avast throws up an alert about JS:iframe-EPM [Trj] when entering various WordPress panels on one server, regardless of browser and computer. The trojan makes it impossible to edit content in the WordPress panel - it does not display a particular iframe.

What should I do? I can't find an answer anywhere on the web. Thanks for the help.

This is an English forum.
Post in English here or use one of the non-English forums.

https://forum.avast.com/index.php?board=21

Sorry for Polish :wink:

Avast is giving me an alert about JS:iframe-EPM [Trj] when I’m using WordPress panels to edit some pages (multiple WordPress installations on one server, multiple browsers and computers). I’m unable to edit some content in the iframe. What should I do?

Thanks for your help.

Which page/site…? Post the link non clickable.

zkp.krakow.pl/27
messiaen.pl

https://sitecheck.sucuri.net/results/zkp.krakow.pl/27
https://sitecheck.sucuri.net/results/messiaen.pl

https://www.virustotal.com/en/file/c40b973f06a4faa8a23406dd8fcd2a896df5b1c664492cb3c60f3308c9d2193b/analysis/1454948229/

IP and/or domain are blacklisted :
http://zulu.zscaler.com/submission/show/3877777ac1803ed0aa9b2f7d95f09c68-1454947580
http://urlquery.net/report.php?id=1454947714363
http://urlquery.net/report.php?id=1454947743237
http://multirbl.valli.org/lookup/188.116.9.4.html

Hi all,

Newbie here; sorry if not clear how to seek guidance.

Am receiving JS:Iframe-EPM [Trj] “infection blocked” message from AVAST FREE when trying to open seemingly benign and reputable website. The particulars:

Target page: http://libertyprairie.org/
URL: http://libertyprairie.org/wp-content/themes/organic_natural/js/jquery.flexslider.js?ver=20130729|{gzip}
Infection: JS:Iframe-EPM [Trj]
Process: F:\Program Files\Google\Chrome\Application\chrome.exe

Your thoughts?
Thanks!

And there we have another site that is using WP and JQuery and got itself into problems because it is not up-to-date.

@Eddy:

Thanks, but your answer seems to be mostly for Pondus and Asyn.

From my own (user) perspective: I’m not sure what to do about “another site” that uses WP and JQuery and gets itself into trouble. Did my AVAST really detect a virus, or just an outdated script configuration that creates a vulnerability? Am I supposed to notify the host they’re infected? scold them for not keeping their scripts up-to-date? turn off AVAST and proceed at my own risk?

Maybe you’re saying that the host site is either (i) infected or (ii) configured in a way that it’s unsafe to load due to vulnerabilities … in which case, many thanks. But if not, blocking sites from loading because their scripts are outdated would seem to be as much an AVAST problem as it is a site problem.

Or am I missing something? Sorry in advance.

Killmalware >> http://killmalware.com/libertyprairie.org/

libertyprairie.org/wp-content/themes/organic_natural/js/retina.js?ver=20130729

https://www.virustotal.com/en/file/34726a1f643337e98bbf3cd65e9f41f7b88a5da2ca2a40ed048315a6c9b56cfe/analysis/

Avast and GData don't like that JS file.

Could be related to this? … http://imulus.github.io/retinajs/ Possible false positive?

Thanks for this question as it provides more insight to what I have suspected is going on than the answers so far. I also need assistance with this new problem from the last update. Avast won’t allow me to proceed on a website I’ve used easily in the past that I upload my invoices to. I’ve tried both Chrome & Firefox and Avast has taken away my auto-login to this page (http://intranet.manascisaac.com/) and I find this totally unacceptable. When did the software not allow the user the option to quarantine or permit?

Detection JS:Iframe-EPM [Trj] is correct. More info on https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html

F-secure lab confirms detection

==============================================================================
The file you sent was found to be malicious.

We will be detecting the sample you submitted as Trojan.Crypt.OA in the next database update.

So, what you’re telling me is that this website link is proof that avast should not allow this .js Wordpress file to be on my computer because Wordpress is permitting a known hacked file to be part of their software? Is my only solution to wait until Wordpress does something about it?

This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files.
If you have an infected JS file, replace it with a clean one.
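
An added example, not part of any post in this thread: one way a site owner could find which deployed `.js` files need replacing, by comparing them with a freshly downloaded copy of the same theme or plugin version and flagging files whose original content is intact but has extra bytes after it. The directory layout, file names and `TAIL` bytes are constructed for the demo.

```python
import tempfile
from pathlib import Path

# Constructed stand-in for appended content; not a real payload.
TAIL = b"/* constructed stand-in for appended code */"

def classify_js(deployed_root, clean_root):
    """Compare each deployed .js file with the same path in a clean copy.

    Returns {relative_path: (status, extra_bytes)}.
    """
    deployed_root, clean_root = Path(deployed_root), Path(clean_root)
    report = {}
    for path in sorted(deployed_root.rglob("*.js")):
        rel = path.relative_to(deployed_root).as_posix()
        reference = clean_root / rel
        if not reference.is_file():
            report[rel] = ("no-baseline", 0)  # cannot verify, review by hand
            continue
        # Ignore trailing whitespace so a final newline is not a finding.
        live = path.read_bytes().rstrip()
        clean = reference.read_bytes().rstrip()
        if live == clean:
            report[rel] = ("clean", 0)
        elif live.startswith(clean):
            # Original intact with bytes after it: code added at the end.
            report[rel] = ("appended", len(live) - len(clean))
        else:
            report[rel] = ("modified", 0)
    return report

def demo():
    """Build two small constructed trees and classify them."""
    with tempfile.TemporaryDirectory() as tmp:
        live, clean = Path(tmp, "live", "js"), Path(tmp, "clean", "js")
        live.mkdir(parents=True)
        clean.mkdir(parents=True)
        original = b"function slider() { return 1; }\n"
        for name in ("slider.js", "retina.js", "menu.js"):
            (clean / name).write_bytes(original)
        (live / "slider.js").write_bytes(original)
        (live / "retina.js").write_bytes(original + TAIL + b"\n")
        (live / "menu.js").write_bytes(b"function menu() {}\n")
        (live / "extra.js").write_bytes(b"var x = 1;\n")
        return classify_js(Path(tmp, "live"), Path(tmp, "clean"))

if __name__ == "__main__":
    for rel, (status, extra) in demo().items():
        print(f"{status:12} {extra:6}  {rel}")
```

Files reported as `appended`, `modified` or `no-baseline` are the ones to restore from the clean copy or inspect by hand.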

@russ18:

This is my first foray into AV software forums, so I wasn’t sure what to expect. I think threads like this seem to be less about customer service and getting one’s own questions answered by experts, and more about info-gathering and -sharing between the AVAST team and other subject matter experts. Which is fine with me, now that I get it.

Also, I have to keep in mind that my product is AVAST FREE … that is, it’s free. So I guess I don’t have much of a right to complain if it doesn’t have all the features I’d like it to. It does make me wonder, tho, whether functions like the ones you mention – prompting for and permitting exceptions rather than auto-blocking, and quarantining rather than deleting – are features of the paid-for AVAST product. I’d hope they were. I’d also like to have more insight as to what is identified during scans; I configured mine to save the scan logs to a named file, but after scanning I wasn’t able to find it (and I searched very aggressively). Maybe this, too, is a feature of the upgrade product.

That said, it’s fascinating to follow the links provided by these guys in their back-and-forthing. Kind of like listening in on air traffic control channels.

My own, ignorant interpretation is that javascript seems to be a sort of embedded macro in web pages that calls for content in an active way (and not just as a static placeholder) and creates, if not managed carefully, a vulnerability; perhaps it can be made to call for the wrong content or divert user inputs or something like that. Could be that the “out-of-date” JS here complained of hasn’t been patched/protected, so these guys opt in favor of blocking web pages (or page components) that still contain the vulnerability. My take on the latest salvo is that there’s a major exploit of this vulnerability just now emerging on WordPress sites … which would seem to suggest that their concerns are well-founded. But that’s just me reading between the lines.

Also, it seems to me that Pondus – who actually did reply to your question (thumbs up) – never sleeps. Although I don’t think he/she’s actually a Bot. :slight_smile: