JS:Redirector-CV [Trj] on my website?

Hi there everyone, yesterday I got stuck with this one: Avast Free started warning me about my site with that Trojan popup.
I did a reverse DNS lookup and other sites of my web hosting provider also had that, so I think it’s something in the hosting. But is it real or just a false positive? I scanned my URL (XXX.fuajedrez.com) with the sites some guys mentioned before, so here are the results; I look forward to hearing from you about this issue I’m having:

UrlVoid

URL analysis tool / Result
Avira: Clean site
BitDefender: Clean site
Firefox: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
Malc0de Database: Clean site
MalwareDomainList: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site
TrendMicro: Unrated site
Websense ThreatSeeker: Unrated site
Wepawet: Unrated site
Additional information:
Normalized URL: http://www.fuajedrez.com/
URL MD5: 86b01c4eee9c223b7c2d27499eae704d
Content-Type: text/html

UrlVoid - VirusScan

Report: 2011-05-15 14:59:27 (GMT 1)
File Name: fuajedrez-com
File Size: 9123 bytes
File Type: Unknown file
MD5 Hash: 26f168ad2cb636b67759f5d95d975afe
SHA1 Hash: 472721bfd9db1730a828fbed4a9c6bbe35b2e375
Detections: 0 / 6 (0 %)
Status: CLEAN
Antivirus / Updated / Engine / Result
AVG 15/05/2011 10.0.0.1190 -
Avira AntiVir 15/05/2011 7.11.7.12 -
ClamAV 15/05/2011 0.97 -
Emsisoft 15/05/2011 5.1.0.2 -
TrendMicro 15/05/2011 9.200.0.1012 -
Zoner 15/05/2011 0.2

VirusTotal

0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware.
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: index.html
Submission date: 2011-05-15 12:55:18 (UTC)
Current status: finished
Result: 3/41 (7.3%)

Safety score: -
Antivirus Version Last Update Result
AhnLab-V3 2011.05.15.00 2011.05.14 -
AntiVir 7.11.8.21 2011.05.13 -
Antiy-AVL 2.0.3.7 2011.05.14 -
Avast 4.8.1351.0 2011.05.15 JS:Redirector-CV
Avast5 5.0.677.0 2011.05.15 JS:Redirector-CV
AVG 10.0.0.1190 2011.05.15 -
BitDefender 7.2 2011.05.15 -
CAT-QuickHeal 11.00 2011.05.14 -
ClamAV 0.97.0.0 2011.05.15 -
Commtouch 5.3.2.6 2011.05.14 -
Comodo 8709 2011.05.15 -
DrWeb 5.0.2.03300 2011.05.15 -
eSafe 7.0.17.0 2011.05.15 -
eTrust-Vet 36.1.8326 2011.05.13 -
F-Prot 4.6.2.117 2011.05.14 -
Fortinet 4.2.257.0 2011.05.14 -
GData 22 2011.05.15 JS:Redirector-CV
Ikarus T3.1.1.103.0 2011.05.15 -
Jiangmin 13.0.900 2011.05.14 -
K7AntiVirus 9.103.4648 2011.05.14 -
Kaspersky 9.0.0.837 2011.05.11 -
McAfee 5.400.0.1158 2011.05.15 -
McAfee-GW-Edition 2010.1D 2011.05.14 -
Microsoft 1.6802 2011.05.15 -
NOD32 6123 2011.05.15 -
Norman 6.07.07 2011.05.15 -
nProtect 2011-05-15.01 2011.05.15 -
Panda 10.0.3.5 2011.05.15 -
PCTools 7.0.3.5 2011.05.13 -
Prevx 3.0 2011.05.15 -
Rising 23.57.04.05 2011.05.14 -
Sophos 4.65.0 2011.05.15 -
SUPERAntiSpyware 4.40.0.1006 2011.05.15 -
Symantec 20101.3.2.89 2011.05.15 -
TheHacker 6.7.0.1.197 2011.05.15 -
TrendMicro 9.200.0.1012 2011.05.15 -
TrendMicro-HouseCall 9.200.0.1012 2011.05.15 -
VBA32 3.12.16.0 2011.05.12 -
VIPRE 9286 2011.05.15 -
ViRobot 2011.5.14.4459 2011.05.15 -
VirusBuster 13.6.354.2 2011.05.14 -
Additional information:
MD5 : 26f168ad2cb636b67759f5d95d975afe
SHA1 : 472721bfd9db1730a828fbed4a9c6bbe35b2e375
SHA256: e75089b31e015567edc5cff16411ce45ceac305b78651b54dcb581eedc2f221e

Anubis

http://anubis.iseclab.org/?action=result&task_id=141109c5b30c2aef469356857454b9390

The screenshot:

http://img839.imageshack.us/img839/5667/avastwarntr.jpg

EDIT: After a while with the window open, VirusTotal showed 3 infections. I’ll update the quote.

Hi leosc, welcome to the forum :slight_smile:

I get a 404 error on that js file.

Take a look at the file and check that there isn’t any extra script added (generally they are added to the end, though that’s not definite).

Scott

Thank you Scott.
I don’t get the warning only for this file; take a look at the report of the Web Shield: it seems like every file is infected, when I know those weren’t (at least on my computer, before uploading them):

http://img196.imageshack.us/img196/5056/allwh.jpg

Just while looking at what is creating the alert, but can I ask what is supposed to be on the site? (i.e what is on the homepage?)

Just an index.html with CSS, images and legit JS running. May I upload a screenshot of the main page, or do you mean what kind of site it is?

So all those Keygen links are supposed to be there? Thought so… :slight_smile:

Seems the initial script is causing the alert…not exactly sure why…

No, they are not! Where is that code at? How do I clean the site? :slight_smile:

edit: Is it possible that all the sites of my hosting provider were “injected” with this?

Reverse Whois: "FUA" owns about 3 other domains
Email Search: is associated with about 557 domains
Registrar History: 1 registrar
NS History: 7 changes on 5 unique name servers over 5 years.
IP History: 8 changes on 6 unique name servers over 5 years.
Whois History: 33 records have been archived since 2007-11-03.
Reverse IP: 129 other sites hosted on this server.
Registration Service Provided By: INETSUR Network Solutions
Reverse IP Lookup Results: 130 domains hosted on IP address 74.53.249.242
Web Site: acuarelistasuruguayos.com alejandrokeller.com talleressolidarios.org AND 127 other domains…

Try to open one of those to check if you see the same suspicious code you mentioned above.

That is the contents of the whole page…

Scripts and LOADS of links for torrents/keygens and the like…

I searched the index.html but I can’t find those codes and links you are showing me.
Where did you find them? Can I clean it somehow? Do you have a clue how this could happen? Thank you.

That is the contents of the whole page... Scripts and LOADS of links for torrents/keygens and the like...

It is the contents of wXw.fuajedrez.com/

I see now what you meant about the index page, I imagine that this page wasn’t supposed to even exist?

The index.html should exist, and existed, but not with the keygens and all that stuff.

wXw.fuajedrez.com/index.html exists and it appears clean, but wXw.fuajedrez.com/ shows the junk.

It is the other items that are on the page that have been compromised; I got 10 alerts (image1), basically on the stuff in the image in Reply #2.

They all have identical content: two very long (rows) strings of obfuscated script (image2), loading various dubious keygen and software sales sites, etc. etc.

I have broken down the two lines to make it easier to see what that content is, image3.

So it looks very much like the site has been hacked.
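A defender-side way to do the check Scott and DavidR describe above (an extra script block appended to a page, showing up as one or two very long lines of obfuscated script): this is an added Python example, not code from the thread, the site or Avast. The token list, thresholds and sample pages are constructed for illustration.

```python
import re

# Markers often seen in packed/encoded inline script. The list and the
# thresholds below are assumptions chosen for illustration, not Avast's rules.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(", "\\x")
MIN_SUSPICIOUS_LINE = 200   # one very long line of script, as described in the thread
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


def score_script(body: str) -> int:
    """Crude obfuscation score for one inline <script> body (0 = looks plain)."""
    score = 0
    longest = max((len(line) for line in body.splitlines()), default=0)
    if longest >= MIN_SUSPICIOUS_LINE:
        score += 2
    score += sum(1 for tok in OBFUSCATION_TOKENS if tok in body)
    text = body.strip()
    if text:
        # Encoded payloads are symbol-heavy (%xx escapes, commas, quotes, parentheses).
        symbols = sum(1 for c in text if not (c.isalnum() or c.isspace()))
        if symbols / len(text) > 0.35:
            score += 1
    return score


def find_injected_scripts(html: str, threshold: int = 3) -> list[dict]:
    """Return inline script blocks whose score reaches threshold, noting whether
    each sits after </html>, the usual place for appended injections."""
    html_close = html.lower().rfind("</html>")
    findings = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1)
        score = score_script(body)
        if score >= threshold:
            findings.append({
                "offset": match.start(),
                "score": score,
                "after_html_close": match.start() > html_close,
                "preview": body.strip()[:60],
            })
    return findings


# Constructed sample pages (not the real site's content).
CLEAN_PAGE = """<html><head><script src="menu.js"></script></head>
<body><script>
function toggle(id) { document.getElementById(id).style.display = 'block'; }
</script></body></html>"""
INJECTED_PAGE = (CLEAN_PAGE + "\n<script>eval(unescape('" + "%3c%69%66%72%61%6d%65" * 20
                 + "'));document.write(String.fromCharCode(60, 47, 105, 102, 114, 97, 109, 101, 62));</script>")
```

Run it over the files downloaded from the server (not the local originals), since the thread shows the served content differs from the copy the owner uploaded.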

Where did you get all those *.tmp files? I don’t understand how to proceed to clean the stuff… I downloaded the infected images and CSS avast reported, but when I open e.g. the CSS I don’t find anything wrong inside. I also opened the *.js files and nothing’s wrong with them (I just downloaded the original ones to replace the bad ones, but I get the same story)… Am I missing something? Thx

Avast creates these temp files of the content coming down on the HTTP stream so it can scan them in its localhost proxy (it doesn’t use the original file names); if they are clean, they are passed on to the browser cache and displayed on the browser page. I just harvest them to be able to look inside.

They are essentially what you showed in your image, just renamed in the avast localhost proxy.

I don’t know if you use any form of content management software, as that, if out of date, could be vulnerable to exploit, injecting the code into pages/files.