JS:Redirector-H [Trj] at website

Avast gives me this Trojan warning @ hxxtp://www.gmdny.com which is a viable New York State contract website.
It appears only Avast picks this up…legitimacy please???

Hello and Welcome to the forum.

when you want to send link to infected websites, please use this format: hXXp://www.infected-site.com/

Good Luck.

OK… is hxxp://www.gmdny.com legitimately infected??

I think what Omid meant was that you should modify your first post - make the link there unclickable… :wink:

Well, I did not find anything wrong with this site, it looks clean.

Why am I getting the warning of JS:Redirector-H [trj] from Avast for the site then?

The site has been hacked, there is a large chunk of obfuscated javascript just before the opening Body tag of that page, see image. I modified the code to make it easier to see in the image as it is on a single line.

avast is all over these injection infections like a rash.

David, do you know a tool to make this script a little easier to read than it is now? ???

Hi stevecobb,

Here is information about this malware: http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H
In general about these SQL-injecting threats read: http://blogs.technet.com/antimalware/
A list of compromised sites you can find here:
http://www.shadowserver.org/wiki/

Sites that were infected with JS:Redirector-H, by domain:

nihaorr1.com
free.hostpinoy.info
xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com
11910.net
bbs.jueduizuan.com
bluell.cn
2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net
yl18.net
kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
a.ka47.us
a188.ws
qiqi111.cn

Approximate number of pages injected per domain: ranging between 440,000 and 230.

What to do?
Empty the temporary java cache. [Located in the java console].
Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:

  1. From the Start button, click Settings > Control Panel
  2. In the Control Panel, open the “Java Plug-in Control Panel”
  3. Select the Cache Tab
  4. Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
pictures: http://www.dslreports.com/forum/remark,13803204

To verify the current version of Java installed use this tool: www.java.com/en/download/installed.jsp

polonus

Thanks for the info :slight_smile:

I don’t have a definitive script to check it; there is a site I use on occasion, http://www.felgall.com/javamet6.htm, when trying to look at unescape scripts like the one above. However, there are frequent times when even that doesn’t reveal the true intent. Alwil software have their own script checking tool so they are able to decode what the intent is (redirection, probably to a malicious site/script).

So suffice to say that javascript is a plain language scripting language, so when people go to these length to hide the purpose that makes me very suspicious.
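To make unescape() strings like the one discussed above readable without loading the page in a browser, here is a small static decoder. This is an added example, not a tool from the thread or from Alwil; the sample HTML, the String.fromCharCode call and the example.invalid domain are constructed, and nothing in the input is evaluated.

```python
import re

# Constructed sample of the kind of one-line obfuscated script that gets
# injected just before the <body> tag. The domain is a placeholder, not a
# real indicator from the thread.
SAMPLE_HTML = (
    "<html><head><title>x</title></head>"
    "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F"
    "example.invalid%2Fin.php%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'));"
    "var s=String.fromCharCode(104,105);</script>"
    "<body>forum</body></html>"
)

# JavaScript unescape() accepts %uXXXX (UTF-16 code unit) and %XX (byte).
_PCT = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
# unescape(...) calls whose argument is a single quoted string literal.
_UNESCAPE_CALL = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
# String.fromCharCode(...) with a plain list of decimal code points.
_FROMCC_CALL = re.compile(r"String\.fromCharCode\(([\d\s,]*)\)")
_URL = re.compile(r"https?://[^\s\"'<>]+", re.I)


def js_unescape(encoded):
    """Decode unescape()-style text statically; nothing is executed."""
    def repl(m):
        hex4, hex2 = m.groups()
        return chr(int(hex4 or hex2, 16))
    return _PCT.sub(repl, encoded)


def js_fromcharcode(arglist):
    """Turn the argument list of String.fromCharCode(...) into text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", arglist))


def decode_payloads(html):
    """Return every literal that can be decoded from unescape()/fromCharCode calls."""
    payloads = [js_unescape(m.group(2)) for m in _UNESCAPE_CALL.finditer(html)]
    payloads += [js_fromcharcode(m.group(1)) for m in _FROMCC_CALL.finditer(html)]
    return payloads


def extract_urls(html):
    """URLs that only appear after decoding: the part worth reporting to the webmaster."""
    urls = []
    for text in decode_payloads(html):
        urls.extend(_URL.findall(text))
    return urls


if __name__ == "__main__":
    for p in decode_payloads(SAMPLE_HTML):
        print(repr(p))
    print("hidden URLs:", extract_urls(SAMPLE_HTML))
```

The decoder only handles one layer of literal-string obfuscation; scripts that build the argument at run time (string concatenation, arithmetic on char codes, nested eval) will not decode this way, which matches the experience described above that a simple unescape tool often does not reveal the real intent.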

Thanks David for the link, I appreciate it :slight_smile:
I know about Alwil and their program to read those kinds of scripts.

Another website where my avast alerts on JS:Redirector-H [trj]:

  • hXXp://www.4allclients.de/?action=4&id=1894777&utm_source=GB_DE [+ blocked bad network (hXXp://gumblar.cn/rss/?id=5818702)]

Yes this is a fast growing exploit hacking legit sites and injecting either iframe or script tags into the page/s to redirect to a malicious site where the payload resides. The script responsible for the redirect is at the bottom of the page, see image1

There is also another alert on that site as the favicon.ico file has been replaced with an html page purporting to be a 404 error page redirecting also to a malicious site, image2 & 3.

So you should report it to the site owner/webmaster, etc.

Hello, this is my first post here.
I am the owner of a small website with a phpbb forum called hxxt://www.problemefiat.ro. The problem is I’ve been hit by this JS:Redirector-H [trj] 3 days ago. So far I tried cleaning the php code…no result. Today I have deleted my files from the hosting and copied a back-up I had made a while back. The site stayed clean for about 16 hours and now is infected again. Does anyone know how to protect your website from this type of attack? Or do I need to restore my back-up every day? :frowning:
Thanks!

Try the simplest first.

  1. Change the passwords
  2. Don’t store passwords in upload programs (definitely not in older versions of Total Commander)
  3. Be sure your computer is not infected.

You need to change your passwords for stronger ones for uploading or modifying pages. Speak to your Host and ensure that the PHP software is fully up to date as older versions are vulnerable to exploit. Also tell them about the hack and what they and you can do to ensure it doesn’t happen again.

Allex, how did you originally go about editing your PHP? I too am having troubles and unfortunately do not have a backup to throw back up.

Hello lackof voice. In my opinion the files modified are only the index.php ones (all that you have). You can edit them with Wordpad or, if you have Dreamweaver, which is much better. I examined the file and saw a big chunk of garbage (encrypted stuff) at the beginning of the file and an iframe line at the end which was directing me to another website in China. I deleted those two parts and all seemed to be ok, for about 2 days :slight_smile: I hope this helps.
At this time, after 4 days, I restored the back-up and all seems fine. I also talked to the host’s folks and I hope it will be just fine.
Thanks!
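A check for the two symptoms described in this thread (an obfuscated script block near the top of index.php and an iframe line pointing off-site appended at the end), written as an added example rather than anything from the thread or from phpBB. The sample files, the placeholder hosts and the own_host parameter are all constructed; the scanner only reads files and reports line numbers, so it can be run against a restored back-up as well as the live web root to see whether the injection has returned.

```python
import os
import re
import tempfile

# Constructed sample index.php showing the two symptoms described above:
# obfuscated script near the top of the file and an iframe line appended at
# the end. Domains are placeholders, not indicators from the thread.
INFECTED_INDEX = (
    "<?php\n"
    "echo '<script>eval(unescape(\"%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65\"))</script>';\n"
    "?>\n"
    "<html><body>Forum</body></html>\n"
    '<iframe src="http://malicious.example.invalid/x.php" width=0 height=0></iframe>\n'
)
CLEAN_INDEX = "<?php\necho 'hello';\n?>\n<html><body>Forum</body></html>\n"

SCRIPT_TAG = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
PCT_RUN = re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}")      # long run of %XX escapes
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)
ZERO_SIZE = re.compile(r"""\b(width|height)\s*=\s*["']?0\b""", re.I)


def _line_of(text, offset):
    return text.count("\n", 0, offset) + 1


def scan_text(text, own_host):
    """Flag obfuscated <script> blocks and iframes that are foreign or hidden."""
    findings = []
    for m in SCRIPT_TAG.finditer(text):
        body = m.group(1)
        if "unescape(" in body or "eval(" in body or PCT_RUN.search(body):
            findings.append((_line_of(text, m.start()), "obfuscated script block"))
    for m in IFRAME_TAG.finditer(text):
        tag = m.group(0)
        src = SRC_ATTR.search(tag)
        if not src:
            continue
        host = src.group(1).split("/")[2].lower()
        # An iframe to another host, or one sized 0x0, is not part of a forum page.
        if host != own_host.lower() or ZERO_SIZE.search(tag):
            findings.append((_line_of(text, m.start()), "iframe to " + host))
    return findings


def scan_tree(root, own_host, names=("index.php", "index.html")):
    """Walk a web root and return {relative path: findings} for files with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in names:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read(), own_host)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def demo():
    """Build a throwaway web root with one infected and one clean index.php."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "forum"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write(INFECTED_INDEX)
        with open(os.path.join(root, "forum", "index.php"), "w") as fh:
            fh.write(CLEAN_INDEX)
        return scan_tree(root, "www.example.invalid")


if __name__ == "__main__":
    for path, hits in demo().items():
        for line, reason in hits:
            print("%s:%d: %s" % (path, line, reason))
```

Cleaning the flagged lines only removes the symptom; as the replies above say, the site gets re-infected until the stolen upload credentials are changed and the outdated PHP or forum software is patched, so the scanner is useful mainly to confirm the clean state after those fixes.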

Allex, I’m attempting to edit in Dreamweaver… but I do not want to screw anything up! The actual site html shows me the injected script, but the php file’s a bit more cryptic. Based on the pictures, what is the code I should target to delete? Thanks.
SOURCE VIEWED:

http://i479.photobucket.com/albums/rr154/gillettesinterstaterv/JAY/INJECTED.jpg

PHP:

http://i479.photobucket.com/albums/rr154/gillettesinterstaterv/JAY/CODETOKILL.jpg