Today I signed up for Commission Junction to add an affiliate program on my website, and the next thing I know (BEFORE adding any code to the site) I am getting an Avast warning about ‘JS:Small-C [Trj]’ being found and blocked.
The website is www.europerides.com and the index file points to a folder containing a Wordpress blog.
I have been looking at the HTML of the blog pages and can’t find anything. Nothing was wrong before today; I did not change anything except for the last post, which I entered on Jan 31st.
I am wondering if it is a false positive, caused by my relationship with Commission Junction ??? If not, how can I find the offending code… and how could it have entered my blog???
I am a 30+ year computer freak and never click on silly things or visit strange shops, porn sites, torrents etc.
Thanks for the reply Pondus. Yes, I saw that too. But I still get the warning when accessing it normally.
However, I have narrowed it down to the Wordpress Theme I was using (and have been using for many years).
I now changed the theme and the warning is gone! So I suspect it is a false positive triggered by something specific to that WP theme!
What to do?
Empty the temporary java cache. [Located in the java console].
Here are the instructions on how to manually remove these malicious applets from the JRE cache directory:
From the Start button, click Settings > Control Panel
In the Control Panel, open the “Java Plug-in Control Panel”
Select the Cache Tab
Click the Clear button inside the Cache Tab, which will clear your JRE cache directory
pictures: http://www.dslreports.com/forum/remark,13803204
I had a friend phone me today, the same was happening with their own site running an outdated version of WordPress. My PC kept blocking the site, so I checked on the Mac and within seconds I was redirected to a Chinese site for a sex museum. To do an initial clear of the problem, I went to edit the WordPress templates and within the file header.php there was additional coding that had been obscured. I found the code after the tags =
My blog got hacked today (or in recent 2 days since I’ve been up there) with this. I found this forum by googling the Malware name - JS:Small-C [Trj]
I tried what mentalist3d suggested and sure enough, I quit getting the Avast alert, so that fixed that.
I am curious… you said this was a temporary fix? What needs to be done for a permanent fix? I am going to upgrade Wordpress to 2.9.1, as I am still at 2.8.4. And I’m going to change my admin password. However, none of this happened behind the scenes in Dashboard etc. Just on the main site. How on earth did “they” manage to change/add coding in the header.php? Obviously this WAS a hack of the Admin area, to write to the header.php.
Thanks!
Leanne
a P.S. added: Also wanted to note that taking the coding out ALSO “hit” all of my Adsense!!! I’m getting the generic search box ONLY, at the top. And the sidebar Adsense is back to community service ads.
I don’t know enough about WordPress to know how it was done, but I reckon there must be a bug in older versions that can be exploited. Keeping WordPress upgraded to the latest versions usually keeps your site secure as all the latest bugs and weaknesses are fixed.
Could you post the rest of that JavaScript on pastebin, then post the pastebin link here?
I just tried de-obfuscating the JavaScript, but you only included part of it - most, including the payload, is missing.
I just came here to update my post, and found yours! YES! Now… there have been reasons I’ve not updated since 2.8.4! But it’s been on my ToDo list now for about a week. And this trojan just sped things up!
I just upgraded to 2.9.1, and it was flawless, per usual (I worry too much I guess… so I just backed up, held my breath, and dove in! Silly me, it took about 7 seconds to update and so far, so good)
And other than the trojan STILL not being back… the upgrade also brought my Adsense back to normal!
I went to the Editor in my blog and chose header.php, as that’s where he said it would be found. I scrolled down to look for the coding, as yes, I noticed it was only partially given (good move though! without the whole thing posted here, nobody could take it and begin to try and play nasty games with somebody else’s site!)
YOU CAN’T MISS IT. It was about 1/3 of the way down the file, and the coding is SO blatantly apparent from all normal coding. Take it from the < script> to the </ script> and just zap it out. FIRST, I did a select-all, and copied the entire header.php to Notepad, just in case. But delete that coding, hit save.
You may find that it screws with AdSense (and perhaps other things, but frankly I didn’t look… AdSense is just so apparent, it was the first thing I noticed, being ‘altered’ - but upgrading to WP 2.9.1 fixed it all)
Make your backup copy, and zap that coding. You sure don’t want to leave it there. PC, WP, just parts and pieces; they don’t bite!
I have the same problem and can’t find the code on my site; the blog uses WordPress. After updating, the same issue: Avast still finds “JS:Small-C” and I can’t find it.
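An added example, not part of any post in this thread and not Avast or WordPress code: a scan of a theme's .php files for inline script blocks that look like the obscured code reported in header.php. The indicator patterns, the threshold of two indicators, and the sample header are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Inline <script>...</script> blocks, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Heuristic signs of obfuscated JavaScript (assumed here, not taken from the thread).
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode", re.I),
    "document.write": re.compile(r"document\.write(ln)?\s*\("),
    "encoded-run": re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I),
    "long-token": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}

# Constructed sample header.php; the encoded string decodes to "var x=1;".
SAMPLE_HEADER = """<html>
<head>
<title><?php bloginfo('name'); ?></title>
<script type="text/javascript">var siteName = "demo";</script>
<script>eval(unescape('%76%61%72%20%78%3d%31%3b'));</script>
</head>
"""

def suspicious_scripts(text, threshold=2):
    """Return (line_number, indicator_names) for script blocks with >= threshold indicators."""
    hits = []
    for m in SCRIPT_RE.finditer(text):
        body = m.group(1)
        found = sorted(name for name, rx in INDICATORS.items() if rx.search(body))
        if len(found) >= threshold:
            line = text.count("\n", 0, m.start()) + 1
            hits.append((line, found))
    return hits

def scan_theme(theme_dir):
    """Scan every .php file under theme_dir and return {path: hits} for flagged files."""
    report = {}
    for path in sorted(Path(theme_dir).rglob("*.php")):
        hits = suspicious_scripts(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    import sys
    result = scan_theme(sys.argv[1]) if len(sys.argv) > 1 else suspicious_scripts(SAMPLE_HEADER)
    print(result)
```

Hits are leads to review by hand against a known-good copy of the theme, not verdicts; legitimate ad or analytics snippets can trip the same patterns.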