I visit the website wxw.soulcysters.net, and when loading every page of that site I get the avast warning for the JS:Redirectr-G [tri] trojan.
Others on the site are getting the same error, but only the Avast! users. I have read enough to know that Avast! is the only anti-virus that is detecting this trojan.
The problem is, the owner of the website doesn’t believe that there is anything wrong in her coding.
When we get the error, it states that it is from
h++p://widgetserver.com/proxy/FeedProxy?target=http%3A%2F%2Fwww%2Etheweighwewere%2Ecom%2Fread%2Dweight%2Dloss%2Dstories%2Findex%2E1%2Erss&token=5f65dcc75b13d0f41fef8f0be7dc84565ddbdc5a00000120da3c9550{gzip} (I hope that doesn’t cause problems posting that; if it does, let me know and I’ll remove it)
Which looks to ME as though it’s actually a problem on a “Widget” that advertises for another website, wxw.theweighwewere.com, which is also owned by the same person.
How can we convince her that there IS a problem, and how to go about fixing it?
I just don’t know what to tell the owner. She’d indicated she’s looked at the coding and ‘everything looks fine’ to her, and even suggested that it was just a problem with that ‘widget’ and Firefox users (since at first it was just Firefox users speaking up; then the IE8 users came after that comment).
I’m just frustrated. I mean, I’ve gotten the alerts to stop using my Firefox with Adblock (just blocked the widget), but that doesn’t mean that there isn’t a threat anymore…
I’m just so frustrated; it’s been 3 weeks that the site has been like this.
What are the potential things that Trojan can do? I understand redirecting, but is it just redirecting to a malicious site? confused
This is spreading now all over the Internet. Cybercrime has discovered how easy it is to inject malcode into regular trusted websites, while the web admins do not know enough about website security, the hosting firm is using vulnerable, non-patched older versions of server software, and webmasters and coders do not cleanse the code of malicious obfuscated code. People cannot read these malcodes easily, but the browser knows what to do with them, and if it is malcode it will, for instance, redirect your browser to a malicious site owned by cybercrime to serve your computer up with malware of all sorts in a hidden and silent way. Avast is one of the few av solutions that is very alert to this general online threat and tries to protect you as a user by disconnecting from the infested site, so you won’t go to the places where the real infection vectors lurk somewhere on a hosting server in the Ukraine or China or the Netherlands or the States. Webadmins and site owners that go into denial over these things have various ways to scan their sites, but loads of these people aren’t aware yet of the new situation: thousands and thousands of respectable trusted sites getting infected with inline hidden iFrames, through PHP holes, through SQL code injection; it is seen all over the place:
This is one: http://www.unmaskparasites.com/security-report/
This is one: http://linkscanner.explabs.com/linkscanner/default.aspx
Browser users can get protection for their Firefox or Flock browser by installing the NoScript add-on to block various malicious scripts from running inside the browser, but the avast webshield will flag these malcodes on suspicious sites anyway. NoScript: https://addons.mozilla.org/en-US/firefox/addon/722
LOL, my question didn’t come out the way intended… you were probably thinking ‘dumb blonde’ when you typed that, huh? lol
What I meant to ask by that is: what sorts of things can happen when being redirected to a malicious site? Different viruses? Spyware? Is there anything showing that this trojan has done that to other users?
Polonus - Thank you for your post. I am going to link to this thread for the owner of the wxw.soulcysters.net website to see/read and hopefully she does something about this threat!!
What can happen when you are being redirected to a malware downloading site? Well, to keep it short, you get infected with malware. That can be a whole range of unwanted things; mostly it is adware or spyware or rogue installers, password stealers, or it can be that your computer is being recruited for a botnet to spam the unaware without you knowing it. Malware nowadays goes under the radar mostly; the cybercriminals just want to use your computer for their devious ends or want to earn off of your misguided search clicks, and they do not want to be found out if they can help it.
Some users, when their av scanner does not alert, or if they haven’t one, or whenever their browser is not being hardened against this by not running scripts, will notice not much. Sometimes their browser is acting strangely, going to sites they do not want to go to; sometimes they see nothing but a busy flickering console light and hear an extra buzz of the fans, as their computer is no longer owned by them but using cycles of memory on behalf of malcoders. So malware today mostly just makes your computer slow, but the old-fashioned malware that destroys data on your PC still also exists. So that is the general story, and we malware fighters help you to get rid of malware should you have caught it by surprise, and we try to educate you so you can seek protection through one software firewall, one resident av solution, additional non-resident anti-malware scanners, and in-browser protection extensions. We have an enormous crowd of online users we have not reached yet with this story, but we go on fighting the good struggle against the dark forces on the Internet that want to rob you of your money and information or just want to mislead you for devious reasons only they could come up with. Come here more often, get informed, be secure and go protected.
The websites that you provided are sites that you can go to and ‘scan’ the address that you want to go to, like wxw.soulcysters.net, which I tried, and both said it was clear.
So is there actually a trojan on the website, or is Avast! just giving me some crazy warning?
Sorry for taking so long to get back to ya; got busy over the Canadian long weekend.
Well avast is no longer alerting on the link you gave (just visited it), so presumably the site has been cleaned up since the 16th of May when you first reported this.
Just after the website finishes loading, the virus is executed.
When I visited it, Avast! alerted me of JS:Redirector-H4 [trj] and not JS:Rediretr-G [tri].
Yes, visiting the site is still alerting. So that means the infection must still be there.
It is a reported attack site. I get a “11004 [11004] Valid name, no data record (check DNS setup)”,
Let’s be clear about the URL we are all looking at (well, me); see quote:
That is the site I have been looking at, I have been back again and once more no detections. I have checked the home page source code and nothing suspicious, I have checked it at unmaskparasites again and no detections, I have checked it at blacklist doctor and no detections.
So I have no idea what is going on. I did do a fresh page load, so I wasn’t using any cached web pages. I used Firefox with NoScript enabled, but that shouldn’t make any difference, as avast doesn’t wait for scripts to be executed. I have visited many pages in the forum and again no alerts.
Even allowing NoScript for soulcysters.net, still no alerts and nothing in the avast warning log; weird.
The site is definitely redirecting. I checked this: Initiating server query …
Looking up IP address for domain: wXw.soulcysters.net
The IP address for the specified host could not be found. Please check the spelling and format of the URL above. In SRWare’s Iron I get a redirect and avast alerts and disconnects.
This was the second redirect this evening, I think they try to take the redirect off of the site, but it gets restored to redirect to the malware site. Something not kosher there,
I found out why I don’t get an alert: the malware isn’t on soulcysters.net. Only when I allowed widgetserver.com in NoScript was it allowed to load from its site, and the alert is on:
So the proxy.widgetserver.com site is pulling in yet more data from yet another site, hXXp://www.theweighwewere.com, and it is here that the alert is really pointing at; it just happens to be that it is being imported into soulcysters.net.
I tried to check out hXXp://www.theweighwewere.com and got further alerts in their compress.php file. I checked that out with both of the previous scanners, and it looks like they can’t find anything in this compressed PHP format.
How this helps, I don’t know, unless you break the import from widgetserver.com and consequently hXXp://www.theweighwewere.com, and report to them that it appears their site has been hacked.
This is one of the scripts I found at hXXp://www.theweighwewere.com; it appears to be in one of the RSS files, see image and the compress.php file.
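One check a site owner in this position could run on her own page, as an added example that is not from this thread or from any of the scanners named in it: parse the HTML and list every script or iframe fetched from another host (the chain traced above, soulcysters.net pulling from widgetserver.com, which in turn pulls from theweighwewere.com, would show up as the first hop), and flag hidden 1x1 iframes and inline scripts carrying the eval/unescape and escape-run markers typical of packed redirector code. The sample markup, hostnames and pattern list are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample markup (not the real site's): first-party script,
# third-party widget script, packed inline blob, 1x1 iframe.
SAMPLE_HTML = """<html><head>
<script src="/js/forum.js"></script>
<script src="http://widgetserver.example.test/proxy/FeedProxy?target=feed.rss"></script>
</head><body>
<script>eval(unescape('%66%75%6e%63%74%69%6f%6e'));</script>
<iframe src="http://ads.example.test/frame" width="1" height="1"></iframe>
</body></html>"""

# Markers typical of packed redirector scripts: eval/unescape wrappers, escape runs.
OBFUSCATION_PATTERNS = [
    r"\beval\s*\(", r"\bunescape\s*\(", r"String\.fromCharCode",
    r"(?:%[0-9a-fA-F]{2}){8,}", r"(?:\\x[0-9a-fA-F]{2}){8,}",
]

class IncludeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.third_party = []        # (tag, url) fetched from another host
        self.hidden_iframes = []     # iframe src sized 0/1 px or display:none
        self.suspicious_inline = []  # inline script bodies matching the markers
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = tag == "script"   # script bodies are CDATA, no nested tags
        if tag not in ("script", "iframe") or not a.get("src"):
            return
        host = urlparse(a["src"]).hostname
        if host and host != self.page_host:  # relative URLs have no host
            self.third_party.append((tag, a["src"]))
        if tag == "iframe":
            tiny = all(a.get(d, "").strip("px ") in ("0", "1") for d in ("width", "height"))
            if tiny or "display:none" in (a.get("style") or "").replace(" ", ""):
                self.hidden_iframes.append(a["src"])
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script and any(re.search(p, data) for p in OBFUSCATION_PATTERNS):
            self.suspicious_inline.append(data.strip())

def audit(html, page_host):
    auditor = IncludeAuditor(page_host)
    auditor.feed(html)
    return {"third_party": auditor.third_party, "hidden_iframes": auditor.hidden_iframes,
            "suspicious_inline": auditor.suspicious_inline}
```

Run the audit against each third-party host's output in turn to follow the chain one hop further; a page is only "clean" once every hop is.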
And there you have it: gumblar.cn related code. The “function” at the start is giving that one away, and there are even more characteristics of gumblar; 80% of script injection malware at the mo is gumblar, my friend. This malcode is very notorious and successful for the malcoders. These servers have PHP code on them that is vulnerable and that should be hardened; I think that is the crux of the matter on the server side here. If you query that server in question, I guess they have PHP software running that is vulnerable.
It is a shame really that website admins and webmasters are putting so many browser users in danger nowadays. They certainly should clean up their act, but I think they still have to wake up to the actual situation: trusted websites are also vulnerable to cybercrime hackers and malware download redirects, period.