Avast detects the Trojan js:Redirector-HS on my Wordpress website. Here’s the page: hxxp://prog-inna-babylon.fr/audio/. As far as I can see, all the Javascripts called in the header correspond to legitimate plugins (NextGen Gallery and Shadowbox), and the Javascript in the footer is to scramble an email address in the code.
Am I missing something? Kaspersky doesn’t see anything on that page, and the Sucuri SiteCheck WP plugin doesn’t turn up anything either. Only Avast does on my friend’s pc, and every page but the home one is inaccessible to him - on the same network with another antivirus the site works fine though. To add to my confusion, all the online web scanners I’ve tried, whose credibility I’m admittedly not sure about, say the page is safe. ???
Detection is added for the malicious redirect pages
audio.htm : Processed - HTML/Agent.RA
prog-inna-babylon.fr.htm : Processed - HTML/Agent.QZ
The detection is added for the redirect prog-inna-babylon.fr that transacts medicmagic.net which is related to ads. Hence these detections are added in PUA category
The written data fetched here is Contact
wherein the registrar details are - http://www.myiptest.com/staticpages/index.php/whois/joel-liron.net
It is to alert the user that he is aware of a redirect
Thank you for your quick replies - what a great community this is.
Here is the screenshot (in French): hxxp://prog-inna-babylon.fr/wp-content/uploads/2011/12/ProgJS.jpg
I can’t see any suspicious code in my WP theme, which is custom-made, and I’m not proficient enough to go looking through the WordPress files themselves. I upgraded to the latest version of WP last week I think, from a fresh install of 3.2. I’ve just changed the permissions on files and folders such as htaccess, wp-config.php, wp-content, in accordance with recommendations by BulletProof Security, a WP plugin, so maybe there was a security hole there.
I have deactivated and deleted the NextGen Gallery plugin, which was calling the ngg.slideshow.min.js file in the site’s header - thanks Polonus. Avast still shows the error when I navigate to the site - does that mean there’s some more evil code somewhere, or that this .js file wasn’t to blame?
I can restore the site to about two weeks ago, not sure if that’s the best thing to do right now…?
Thanks a lot Pondus, you da man! I took out the js code obfuscating the email address in the Html source code, and both Avast and Wepawet report the site clean now - so I assume I’m good?
I’d gotten the Js code from some online site where you enter the email address and out pops some scrambled code… with some extra baggage apparently.
What a relief, it’s like a second Christmas. Thanks again!