I work for a porn website, and for 2 days I have been getting an Avast warning when I connect to the main page, and even on other pages and on my administration login page.
Here is what my Avast antivirus claims: “JS:Redirector-H7 [trj]” has been found in the “hxxp://www.royalblogx.com/porn/index.php” file.
I looked for information about that and I think some of the website’s scripts have been hacked, but I need confirmation from other users and, if possible, from an Avast staffer, plus more information. Moreover, I need real confirmation that this “JS:Redirector-H7” actually exists on the website and, consequently, about its level of threat.
I need confirmation from other people because I fear that my webmaster won’t believe me about this Avast warning and how dangerous it potentially is. Moreover, the web host didn’t find anything… Am I dreaming?
Thanks for your help guys.
PS: I put “xx” instead of “tt” in the “http” address. I’ve heard you prefer that on this kind of forum.
Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.
I advised the webmaster to change his login and remove his scripts. You can keep on replying in this topic. Until the problem is solved I want this topic to stay open.
Whilst it isn’t detailed, all that is needed to find it is in Reply #2.
This is commonly down to old content management software being vulnerable; see this example of a host’s response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:
Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.
Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.
Check all .htaccess files, as hackers like to load redirects into them.
Change all passwords for that end user account: the cp password, the FTP password, and any FTP sub-accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!
This, coupled with our server-side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.
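The host’s clean-up steps quoted above can be turned into a repeatable triage pass. The script below is an added example written for this thread; it is not code from the poster, the host or Avast. It builds a small constructed sample web root (a clean admin page, a home page with an appended obfuscated script and hidden iframe, one .htaccess with a redirect), then runs the first three steps against it: scan index/default pages for injected script, scan .htaccess files for redirect rules, and list recently changed .php files. The regular expressions, file names and the sample site are assumptions for the demonstration; pass a real document root as the first argument to run it against a site.

```shell
#!/bin/sh
# Added example, not code from this thread, its posters, the host or Avast.
# Defender-side triage for the clean-up steps above:
#   1. scan index/default pages for signs of injected script or hidden iframes,
#   2. scan .htaccess files for redirect rules,
#   3. list recently changed .php files (candidate "rogue" uploads).
# Regexes, paths and the constructed sample site are assumptions for the demo.
set -u

# Constructed sample web root so the script runs offline: one clean page, one page
# with an injected obfuscated script and hidden iframe, one .htaccess with a redirect.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/porn" "$root/admin"
  printf '<html><body><h1>Admin login</h1></body></html>\n' > "$root/admin/index.php"
  printf 'Options -Indexes\n' > "$root/admin/.htaccess"
  printf '<?php echo "helper"; ?>\n' > "$root/porn/helper.php"
  # Constructed injection appended after the closing </html> tag (a common tell).
  printf '<html><body><h1>Home</h1></body></html>\n<script>eval(unescape("%%75%%6e"));</script>\n<iframe src="http://example.invalid/x" width="0" height="0"></iframe>\n' > "$root/porn/index.php"
  printf 'RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/ [R=301,L]\n' > "$root/porn/.htaccess"
  echo "$root"
}

# Step 1: index/default pages containing obfuscated script or hidden iframes.
# Prints one path per suspicious file; every hit needs a manual look.
INJECT_RE='eval\(unescape|String\.fromCharCode|document\.write\(unescape|<iframe[^>]*(width="0"|height="0"|visibility:[[:space:]]*hidden)'
scan_index_pages() {
  find "$1" -type f \( -name 'index.*' -o -name 'default.aspx' -o -name 'default.cfm' \) \
    -exec grep -liE "$INJECT_RE" {} +
}
count_suspicious_pages() { scan_index_pages "$1" | wc -l | tr -d ' '; }

# Step 2: .htaccess files carrying Redirect*/RewriteRule directives.
REDIRECT_RE='^[[:space:]]*(Redirect(Match|Permanent|Temp)?|RewriteRule)[[:space:]]'
scan_htaccess() {
  find "$1" -type f -name '.htaccess' -exec grep -lE "$REDIRECT_RE" {} +
}
count_redirect_htaccess() { scan_htaccess "$1" | wc -l | tr -d ' '; }

# Step 3: .php files modified within the last N days (default 7).
recent_php() {
  find "$1" -type f -name '*.php' -mtime "-${2:-7}"
}
count_recent_php() { recent_php "$1" "${2:-7}" | wc -l | tr -d ' '; }

# Run against a real document root given as $1, or against the constructed sample.
WEBROOT=${1:-}
if [ -z "$WEBROOT" ]; then
  WEBROOT=$(make_sample_root)
  CLEANUP=1
else
  CLEANUP=0
fi
echo "== index/default pages with injected script (review by hand):"; scan_index_pages "$WEBROOT"
echo "== .htaccess files with redirect rules:"; scan_htaccess "$WEBROOT"
echo "== .php files changed in the last 7 days:"; recent_php "$WEBROOT" 7
if [ "$CLEANUP" -eq 1 ]; then rm -rf "$WEBROOT"; fi
```

A hit from any of the three scans is a lead, not a verdict: compare each flagged file against a known-good copy from backup or version control before editing it, and remember that modification times can be reset by whoever uploaded a file, so the third step finds the careless cases only. The password change and input-sanitizing steps from the host’s list are deliberately not scripted here.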
And another thing… Porn websites are frequently targeted for hacking because of the amount of traffic. I don’t approve of them. I think no one should. But you picked to work there. I would seriously choose somewhere else, though. Like I said, it will probably be hacked and hacked and hacked again and again…