JS:Redirector-MR [Trj] - Wordpress

Hello folks !

I’ve had a really annoying issue for a few hours now: when I try to access my website I get this message :

Objet : [Embedded:DeanEdwards]
Infection : JS:Redirector-MR [Trj]

My website : ht-p://www.un-voyage-en-chine.com/

This already happened to me a few months ago and I had to edit some files, but right now I can’t find any malicious code… I tried a scan on VirusTotal and everything is fine, no errors and it tells me the site is clean.

Any help would be much appreciated !

Cheers

Hi syckness,

When scanning your site, I see sucuri reports an issue with Wordpress software here: Wordpress internal path: -/homez.424/unvoyages/www/wp-content/themes/Aggregate/index.php
Check your Wordpress version for updates and patches, else your site software may still be vulnerable to certain exploits, and you run the risk of being re-infected.

Here I find the site given as clean: https://www.virustotal.com/url/d9a2b1635659f26bbd6850ff5fb72568dd2709c39a7b154c0172d62c2cd3cca5/analysis/
and benign: http://wepawet.iseclab.org/view.php?hash=aa3ad7adb9b1d33761a0a1a371ba33b5&t=1328215793&type=js
Still given suspicious here: http://urlquery.net/report.php?id=18942
This is found as suspicious in the code: -www.un-voyage-en-chine.com/wp-content/plugins/slick-social-share-buttons/js/jquery.easing.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:213.186.33.19)
Nothing found here: http://vscan.urlvoid.com/analysis/299263fb825eef4d8495fc207df2ac1b/aW5kZXg=/
I for one do not see any Dean Edwards packed obfuscation malcode there, so you could
report this to avast as a FP: Do send a ticket with the web-form here: http://www.avast.com/contact-form.php?loadStyles. Whenever it is found cleansed, the website may be unblocked with an upcoming update.

Additionally some general security tips for that particular website:
You use cookies on your start-site, you use cookies without Platform for Privacy Preferences Project (www.w3.org/P3P/). Your website gives away through the “X-Powered-By” HTTP Header, that
content is being dynamically generated. Remove that header.
The server transmits the full server software version number. This should be avoided. Attackers could get information about what exploits to run against the server. Your site uses graphical tracking, like a banner for instance. The IP your website is on is notorious because of a Zeus Koobface there, one malicious site still active and up via that IP, see: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fresistances.org%2Flink.2012.php%3FynyGIS%3D64ko6
and see the bizimbal report here: http://www.bizimbal.com/odb/details.html?id=619980

That’s it,

polonus

Great work D. :slight_smile:

Hi polonus,

Thanks for replying so fast ! I could find and remove the malicious code so I have no more alerts from avast :wink: It was located in functions.php file, a simple script… I also made the update to the last version of Wordpress, hope it will be ok…

Also, thanks for all your security tips for my website. I however have a few questions :

1/ I didn’t understand what you said about the cookies issue, what should I do to fix it ?
2/ Which header should I remove ? I have this in my header.php :

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" <?php language_attributes(); ?>>
<head profile="http://gmpg.org/xfn/11">

3/ How can I avoid the server transmitting the full server software version number ?
4/ You said the IP my website is on is notorious because of a malicious site, is there anything I can (or should) do ?

Anyway thanks again for your reply, you’re awesome !

Regards,

syckness

@syckness
Did the avast alert look something like this? http://forum.avast.com/index.php?action=dlattach;topic=90198.0;attach=72937;image
Read on the subject: http://www.red-root.com/code/decompressing-packed-javascript-files/
link author = Luke Williams aka redroot. This obfuscated script can also be used for malicious purposes, for that read: http://www.stopthehacker.com/tag/dean-edwards/ link source: Jaal, LLC from the stop the hacker archives,

  1. Cookie policy just thought for particular countries, like Germany for instance.
  2. How to go about to remove that particular header: http://www.iishacks.com/2009/11/11/remove-x-powered-by-aspnet-http-response-header/ link article author: Chris Stinson
  3. The removal of the full version number of the server software can be found in the server software manual/tutorial, for apache it is done like this: http://www.ducea.com/2006/06/15/apache-tips-tricks-hide-apache-software-version/
    you have the default setting - link author: Linux Security’s Marius.
    It may not be your concern when you are not responsible for the server software security,
    attackers prefer to abuse CMS systems there, like Wordpress, Joomla etc. Update and patch website software regularly. Also watch out for PHP hacks, simple and dangerous!
  4. The tracking through a banner for instance is a minor issue i.m.o.,

Stay safe and secure online and offline,

polonus
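The Dean Edwards packer that avast flags here has a fixed shape, `eval(function(p,a,c,k,e,d){...}('payload',radix,count,'words'.split('|'),0,{}))`, so a site owner can locate such blobs in theme and plugin files and read what they decode to, which is what you need before deciding whether a script in functions.php is malicious. The following is an added example, not code from this thread or from any of the linked articles; the infected `functions.php` it scans is a constructed sample with a placeholder `.invalid` redirect host, and the unpacker is a single-pass reimplementation of the packer’s keyword substitution.

```python
import re

# Signature of the Dean Edwards packer as it appears in injected theme files:
# eval(function(p,a,c,k,e,d){...}('payload',radix,count,'w1|w2|...'.split('|'),0,{}))
PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\).*?\}\('(?P<p>(?:\\.|[^'\\])*)',"
    r"(?P<a>\d+),(?P<c>\d+),'(?P<k>(?:\\.|[^'\\])*)'\.split\('\|'\)",
    re.DOTALL,
)
# Digit alphabet the packer uses: 0-9, a-z, then A-Z when the radix exceeds 36.
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

def decode_token(token, radix):
    """Value of a base-`radix` packer token, or None if it is not one."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= radix:
            return None
        value = value * radix + digit
    return value

def unpack(payload, radix, count, words):
    """Reverse the packer: each word token is an index into the keyword table."""
    def restore(match):
        idx = decode_token(match.group(0), radix)
        if idx is None or idx >= count or not words[idx]:
            return match.group(0)  # plain word, not an encoded token
        return words[idx]
    return re.sub(r"\b\w+\b", restore, payload)

def find_packed(source):
    """Return [(line_no, unpacked_js), ...] for every packed blob in a file's text."""
    hits = []
    for m in PACKED_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        words = m.group("k").split("|")
        hits.append((line_no, unpack(m.group("p"), int(m.group("a")),
                                     int(m.group("c")), words)))
    return hits

# Constructed sample of an infected functions.php (not real malware): the packed
# blob decodes to a redirect to a placeholder .invalid host.
SAMPLE_FUNCTIONS_PHP = r"""<?php
function my_theme_setup() { add_theme_support('post-thumbnails'); }
add_action('after_setup_theme', 'my_theme_setup');
?>
<script>eval(function(p,a,c,k,e,d){e=function(c){return c};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0.1="2://redirect-target.invalid/"',10,3,'window|location|http'.split('|'),0,{}))</script>
"""
```

Run `find_packed()` over every `.php` and `.js` file under `wp-content` (themes and plugins) and compare the decoded output against what the theme legitimately ships; a decoded `window.location` pointing at a host you do not own is the redirect the avast alert is about.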

Hey again !

Well, as I told you last week I could find and remove the malicious Javascript code in functions.php and thought it was solved. But today I got a new Avast alert when I visited my website (with Chrome and IE, but no alert with Firefox… weird)

I checked my functions.php file once again and found the malicious JS code that I deleted last week ! How can it be possible ? I changed my password and updated to Wordpress 3.3.1 but the malicious code was put nevertheless…

I’ve just read this article that you guys had posted on another topic : http://www.thewriterzmind.com/2011/12/dealing-with-js-redirector-mrtrj.html

I downloaded his file on rapidshare to see which part of the code he had removed, and noticed that he removed all the php code + JS script whereas I just removed the JS script as below :

http://www.toopix.eu/userfiles/9221c8568411fe6038534867a3914f36.jpg

Is it ok or should I also remove all this php code like he has done (I couldn’t snapshot all the code…) ?


http://www.tooPix.eu/userfiles/mini/ad56b0cfa2b7c48803a8cfdc8859cba3.jpg

Are these functions important for my blog ? Or did it just make the malicious code reappear ?

Thanks again for your help, this hacker is driving me crazy !

Up for security sake ! :slight_smile:

There is a reason for this recurring infection and it is with php.
Check there, these are particular campaigns that make use of a vulnerability like the thi. thumb one,

polonus

I’m sorry, what do you mean with thi.thumb ?

Thanks

Hi, syckness.

See: http://sitecheck.sucuri.net/results/un-voyage-en-chine.com

There is a potential error in line 580 of your homepage. See my attachment for details.

Also, do you speak French?

Hi Donovansrb10,

Thanks for your reply.

Yes, I speak French :slight_smile:

It seems line 580 is my Google + widget, I don’t understand why there is an error since I took this code in Google website :frowning:

I’m learning French. :slight_smile:

Maybe there is one too many ""s? I don’t use Google code.