I went to the forum on my website and got an alert from Avast that there is
JS:Redirector-D [trj] on it. What is the code for that? How do I find it?
I emailed to my partner and he went in investigating then emailed me back and
his email had the virus - so I put it in the Avast chest then looked, and there
is no code listed. How do I find this thing and get it OFF of my website?
EDIT – found it. Now how do I deal with it? Is it safe to just delete it or do I need
to rename it or what? Please help - I need to do this real quick.
Since you don’t give any clues, like the URL, it is hard to advise. When posting the URL, replace the http with hXXp so that the link isn’t active.
The idea of the resident scanners (web shield or network shield) is to detect and stop whatever it was before it gets onto your system, so there would be nothing in the chest. There would also be nothing in the chest unless the detection specifically gave that as an option and you chose it.
So the edit found it; found what and where? File name, location, URL, etc.?
We thrive on information; without it we are lost, so as quickly as you can, let us have the information.
Sorry - I don’t know the virus code, it’s JavaScript. My partner found it on the database though and tried to mail the code to me, LOL. Yep, that worked.
He knows what the code is though and is consulting an expert he knows to find out how to get it off of the database.
Now I am just left to wonder exactly how it got onto a website database. This is a long time trusted host who now seems to have a security breach - I will contact them.
Sorry, I can’t help you help me any further than this. I am a rookie, as you might notice by this time.
The URLs that trigger Avast, though, are www.rockhoundstation1.com – the forum and the photo gallery pages are the ones (which are .net - php) that trigger the alert. There may be others in our .net but I haven’t checked more since my partner found the codes. The apps are phpBB and Coppermine btw.
You don’t need to know the code; from the malware name (the JS: bit) it is obviously relating to JavaScript.
It is possible that the .php and .net pages have been exploited and a script tag inserted, which tried to redirect to a malware site.
If the detections came from the web then there shouldn’t be anything on your system, unless the source pages are infected, but it is more likely that the pages on the site are hacked.
It looks like the same script tag has been inserted in both locations. The JavaScript is masquerading as a Yahoo counter, which I strongly doubt, and the JavaScript is also obfuscated, which is also suspicious; more so, why would anyone want to hide a counter script? I have broken the single line of the script to make it easier to see in the attached image.
You need to change your passwords that are used to modify and/or upload pages, etc. and inform your hosts as it could be that their php software is being exploited.
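As an added example (not code from this thread, phpBB or Coppermine), here is a small defender-side check for the pattern described above: it scans site pages for inline script tags that show several obfuscation tells and groups identical tags across files, so one injected tag that turns up in both the forum and the gallery is reported once with every location. The heuristic patterns, file names and the percent-encoded sample blob are all constructed for the example.

```python
import re
from collections import defaultdict

# Inline script tags, body captured; case-insensitive, spans lines.
SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

# Obfuscation tells, constructed for this example (not a signature database).
# Reasons are reported in this order.
SUSPICIOUS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("unescape", re.compile(r"\bunescape\s*\(")),
    ("fromCharCode", re.compile(r"String\.fromCharCode")),
    ("document.write", re.compile(r"document\.write\s*\(")),
    # 20+ consecutive %XX or \xXX escapes: an encoded blob, not readable code
    ("long_hex_run", re.compile(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){20,}")),
]
MIN_REASONS = 2  # a lone document.write (an ad or counter snippet) is not enough

def suspicious_scripts(html):
    """Return [(script_body, [reasons])] for inline scripts tripping >= MIN_REASONS tells."""
    hits = []
    for m in SCRIPT_TAG.finditer(html):
        body = m.group(1).strip()
        reasons = [name for name, pat in SUSPICIOUS if pat.search(body)]
        if len(reasons) >= MIN_REASONS:
            hits.append((body, reasons))
    return hits

def scan_pages(pages):
    """pages: {path: content}. Group identical suspicious scripts across pages so that
    one tag inserted into many files is reported once with every path it was found in."""
    by_body = defaultdict(list)
    for path, content in pages.items():
        for body, _reasons in suspicious_scripts(content):
            by_body[body].append(path)
    return {body: sorted(paths) for body, paths in by_body.items()}

# Constructed sample pages: a benign script, a benign counter using document.write,
# and the same injected, percent-encoded blob pasted into two pages.
INJECTED = ('<script type="text/javascript">/* yahoo counter */'
            'document.write(unescape("' + "%20" * 25 + '"));</script>')
SAMPLE_PAGES = {
    "forum/index.php": "<html><script>var n = 1;</script>" + INJECTED + "</html>",
    "gallery/index.php": "<html><body>" + INJECTED + "</body></html>",
    "about.php": '<script>document.write("<img src=c.gif>");</script>',
}
```

Point `scan_pages` at the real site files (read each file into the dict) and review every grouped hit by hand; the tells are only a triage aid, not proof of injection.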
Thanks. I am trying to contact my tech now. Not sure how the heck to get a script off of a database, but that’s where my other partner copied the script that sent off Avast on the email.
I have contacted my host for further instruction. I appreciate this, thanks.
Well, unless that code is imported from a database, which I would doubt, it would be inserted into the frame (loose term) of the source page; this is getting more common in recent months with PHP being exploited. Though if the database is at the same source it is possible I guess, but that isn’t my area of expertise.
This can be down to the PHP software not being fully up to date and a vulnerability in an old version being exploited.
My tech is back and he is on it now. My other partner was going to shoot it, but he found it was on the database - I’m not tech savvy yet - I’m still learning CSS for cripes sakes, LOL – but my other partner is much more advanced and said it was on the database. Not sure if that relates to I-frames or not, but when my tech (who is severely advanced) gets to it, I’ll let you know what the situation was. Hopefully you are right and it is I-frames as this thing is accustomed to and not some new path.
I have no idea how they would hack us; my tech has the thing locked down like Fort Knox. If they can hack his work, we can all worry about this thing. He’s done work for Gov - security for their systems. This is just scary.
Let him also change the log-in passwords and all. Very vital to protect against re-entry.
How they came in is not a thing to ponder further on, because there are a myriad of ways. Have you thought of this, for instance: hxxp://www.edge-security.com/metagoofil.php
and how to protect against this information from all sorts of MetaTags,
Thanks Polonus, but I’m sure my tech can handle this - and, yes, we will be changing the passwords - and looking to see if we left anything set on 777 permissions which allows it in.
In fact - this seems to be a php problem so we might just delete and put up originals - and switch from phpbb to smw. Hard core, but if this thing can’t be controlled, phpbb is going to become so dangerous no one will touch it anyway.