Need help with JS:Redirector-H [Trj]

Hi,

When I visited my friend's blog hxxp://www.baba3od.com Avast blocked me and showed that the site is infected with the "JS:Redirector-MR [Trj]" Trojan:

http://localhostr.com/files/zIcHoVw/avast.png

http://localhostr.com/files/0JskgCz/123.png

So is the site really infected or a false positive? Any help would be greatly appreciated :slight_smile:

Thanks

Sucuri says clean. I didn’t find anything significant in the source code, but then again, I skimmed over it.

Domain clean by Google Safe Browsing
Domain clean by Norton Safe Web
Domain clean on PhishTank
Domain clean on the Opera browser
Domain clean on Sucuri IP/URL malware blacklist

Possible false positive. Sirmer found the malicious coding. Tell your friend to get it removed.

Hello,
this detection is correct

I am sure the OP would be interested in more details

Malicious part of code

Isn’t this a detection for the Dean Edwards embedded counter code javascript?
What does it do unobfuscated? See:
http://dean.edwards.name/packer/

pol

Yes, this is detection for the Dean Edwards embedded counter code javascript.

@Sirmer,
Thank you for the feedback for all of us, and the heads-up for webmasters/developers out there.
Hack alert (Armorize) had the warning out for this since 09-2011.
Very good it is being detected. It is a mass WordPress infection going on,
read from Dean Edwards here: http://www.stopthehacker.com/tag/dean-edwards/

polonus

To think that was a counter (apps that count how many visits for a site). :-[

At least I can now identify some more malicious JavaScript coding!

Ty Sirmer & Polonus. :slight_smile:

:wink:

Hi Donovansrb10,

Sometimes malware is made up of two parts: an innocent-looking piece of obfuscated script code together with another piece of innocent-looking code elsewhere on the website. It only becomes malicious code when the two script parts act together as malware.
As you may have read from the link I gave by Dean Edwards:

The injected PHP code causes your WordPress installation to load the malware located inside a file named “wp_inc/upd.php” (usually in your “/tmp” folder). The malware then builds an Iframe element pointing to one of many different websites.
This was/is being used as a mass infection hack. Good avast detects it and the shield blocks it,

polonus

This thing always has p,a,c,k,e,r in the coding, so it’s easier to detect?

Well, this could help towards detecting it, but there are good Dean Edwards packed and malicious Dean Edwards packed javascripts. With JS malware the main line of analysis is still done manually - that is, looking at the individual piece of malcode or recognizing a general attack sequence.
jsunpack and other tools can help towards de-obfuscation, but this de-obfuscation is not needed if features are carefully extracted; then obfuscated malicious code is found just as easily (OCRF project - Eric Ching-Hao Ph.D),

polonus
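To make the de-obfuscation step concrete, here is an added example (not code from this thread, from Avast or from Dean Edwards) that statically unpacks a `eval(function(p,a,c,k,e,d)...)` block without executing it and then checks the plaintext for the injection traits discussed above (a `document.write` of a hidden iframe). The HTML sample is constructed for the demo; the host `example.invalid` is a placeholder.

```python
import re

# Matches the trailing call of Dean Edwards' packer: }('payload',base,count,'w1|w2|...'.split('|')
# Older packer versions name the last parameter r instead of d, hence [dr].
PACKER_CALL = re.compile(
    r"eval\(function\(p,a,c,k,e,[dr]\).*?\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),"
    r"'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)
# Traits of the injected footer script: a written-in iframe that is hidden from the visitor.
SUSPICIOUS = re.compile(r"<iframe\b|document\.write|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def decode_token(tok: str, base: int) -> int:
    """Map a packed token back to its index in the word list (packer alphabet 0-9a-zA-Z)."""
    if base <= 36:
        return int(tok, base)
    if base > 62:
        raise ValueError("packer bases above 62 use printable ASCII and are not handled here")
    n = 0
    for ch in tok:
        n = n * base + ALPHABET.index(ch)  # raises ValueError on a non-alphabet char
    return n


def unpack(payload: str, base: int, count: int, words: list[str]) -> str:
    """Reverse the packer's word substitution: the packer replaced word k[i] with i in base `base`."""
    def restore(m: re.Match) -> str:
        tok = m.group(0)
        try:
            idx = decode_token(tok, base)
        except ValueError:
            return tok  # e.g. an identifier with an underscore: never a packer token
        # The packer leaves k[i] empty when the word encodes to itself, so keep the token then.
        return words[idx] if idx < count and idx < len(words) and words[idx] else tok
    return re.sub(r"\b\w+\b", restore, payload)


def unpack_all(html: str) -> list[str]:
    """Unpack every packer block found in an HTML page; the payload is a JS single-quoted string."""
    out = []
    for m in PACKER_CALL.finditer(html):
        payload = re.sub(r"\\(.)", r"\1", m.group(1))  # undo \' and \\ escapes inside the string
        out.append(unpack(payload, int(m.group(2)), int(m.group(3)), m.group(4).split("|")))
    return out


def suspicious_scripts(html: str) -> list[str]:
    """Return the unpacked scripts whose plaintext shows the hidden-iframe injection traits."""
    return [s for s in unpack_all(html) if SUSPICIOUS.search(s)]


SAMPLE_HTML = (  # constructed sample: a packed script appended to the end of a page
    "<html><body><p>hello</p>\n<script>eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}return p}"
    "('0.1(\\'<2 3=\"4://5.6/a\" 7=\"8:9\"></2>\\')',36,11,"
    "'document|write|iframe|src|http|example|invalid|style|display|none|'.split('|'),0,{}))"
    "</script></body></html>"
)
```

Because the packer is also used by legitimate counters and plugins, the decision should rest on what the unpacked script does, not on the `p,a,c,k,e,d` signature alone.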

Norman lab confirms infected

baba3od.com.htm Processed - HTML/Agent.QS

Ah okay, I’ve notified my friend and linked him to this thread. Thank you so much guys for the help, really appreciate it!!! :slight_smile:

Hey,
I'm the admin for this site.

It's only a blog. I don't know where the trojan came from. I checked all the files and also talked with support at the hosting company; they also don't know.

When I visit my site from Firefox I don't get any error; only when I visit it from Explorer does Avast alert.

I also checked with many online scanners, and everything is clean.

Can anyone help me with how I remove this trojan and where I can find it?

Check your website:

right-click on your site:
click on inspect element.
check for the piece of malicious code highlighted below in the pic:

http://forum.avast.com/index.php?action=dlattach;topic=90145.0;attach=72935;image

The code is located at the very end of the homepage source.

So, check the site home page html, and remove the code.

Going by the image in your first post, it may be located elsewhere on the site (as in the reference to the themes directory)

OK, I removed the code now.

Can anyone check if it's gone?

I am sorry, but I don't stick my nose in every hole to see if I get bitten or not; maybe somebody else will check it.

When visiting with Avast, the site does not give a warning of danger that it is infected.

At the moment everything is fine.