Hello,
I need some advice on an Avast reported threat. One of the sites I manage for a client (wxw.orlandokayakfishingclub.com/, it’s recommended to put wxw from what I have read) was getting redirect issues. After some checking and scanning I found a disgusting .htaccess file with tons of redirects. Out of my stupidity and me frantically trying to fix the problem I forgot to save the file!
With the threat neutralized it was time to hunt down the source. The first culprit was the slightly out of date Modx manager that I was going to update eventually, however when I navigated to it I got Threat: JS:Iframe-FG [Trj], with a warning from FireFox “The connection was reset”.
Probably WP plug-in issues that led to html malware, misused server issues in the past…
These scripts are said to be suspicious by zulu Zscaler: http://zulu.zscaler.com/submission/show/461599dc78f6f8d9a1ec21fcc2824d45-1339799729
htxp://orlandokayakfishingclub.com/assets/js/jquery-1.7.1.min.js script
htxp://orlandokayakfishingclub.com/assets/js/jquery.custom.js
See also: [iframe] static.ak.fbcdn dot net/rsrc.php/v2/yD/r/ (could be abused by a race condition in Facebook Graph API)
info: [iframe] static.ak.fbcdn dot net/rsrc.php/v2/yD/r/javascript:false
info: [decodingLevel=0] found JavaScript
error: undefined variable __d
error: undefined function __d
The heuristic malware detection for the site IP seems to be dead now: HEUR/HTML.Malware, avast detected that as JS:Obfuscated-T,
General site security status is given as secure here: http://com.saferpage.de/orlandokayakfishingclub
Also, eval is evil. It's best to avoid it whenever possible. This is because any attacker can input malicious code into eval and it will be run on your server.
Do you know why the double extension is required here? It makes the file suspicious:
http://zulu.zscaler.com/submission/show/5f97426732acf9fa27f2a198716f2178-1339800290
Polonus,
Thanks for the data, those files seem to be clean.
!Donovan,
That is what the site should look like, after doing the research and reloading the page it’s working now. Was Avast! just temporarily blocking the page for my protection? It’s still reporting “Blocked” in the Web Shield Scan Logs.
First off, I am not a code jockey. Most of this discussion means nothing to me.
However, I document inventions and have a background in electronics, so I can follow explicit directions.
Avast has started blocking my company website and reports the cause is they found the JS:Iframe-FG [Trj] virus.
Ok, so now what? If I had found this in a system scan, I would be given options of removing or moving, etc. There are no options. I did a system scan of the desktop which houses the files that make up my website, and nothing was found. Nor were any other viruses found. So I looked in the log, and apparently this virus had been found, and it was successfully moved to the “chest”.
Obviously this wasn’t good enough because I can’t even view my own website right now.
You should start your own new thread here and mention that address, made non-click-through by giving it in hxtp or wXw, then we can have a look at what in the code is being alerted.
We are trying to help you. Flaming does not help us or you in any way. We do not have to help those who do not wish to be helped.
Polonus’ first language isn’t English, and if you know enough to tell that the sentence isn’t proper grammar then you should be able to work out what is being said. I have produced a “SPEAK ENGLISH!” version of what Polonus said for you.
Create a new topic by following this link: http://forum.avast.com/index.php?action=post;board=4.0
Be sure to mention your website address (using htXp or wXw to avoid accidental clicks).
OK, I will spell it out in small words since nobody seems to care to actually read what I said.
I am not a programmer. It says newbie for a reason.
I do not know what “hxtp or wXw” or any other arcane acronyms mean.
I am not a mind reader.
I had no idea that the person who started throwing incomprehensible geekspeak at me did not speak English.
I was not referring to his language, country of origin, race, creed, programming language or religion.
I simply meant that I DO NOT UNDERSTAND! (I apologize for being too subtle)
If that offends you or anyone else, because you or they cannot communicate at a level that I can understand, then this is not a help group.
This is not my fault. I asked a simple question. I am willing to provide whatever anyone needs to make that question more precise, as long as their requests are understandable.
Is there anyone out there who can speak to me in simple English sentences which do not include secret codewords that only programmers understand?
Hey guys, I’m sorry to bring up my 6 day old topic but I seem to be getting the warning again. I re-checked the .htaccess file and again it had been edited with the same looking code.
So I have updated the modx and smf forum, locked down the wiki, checked some other scripts and still they are getting in. The wiki is also a tad out of date so I’m assuming it’s that. Just removed it.
This time however I managed to save the .htaccess file, so I have two questions.
Should I post the code in the forums? You guys don’t want links to infected sites so I’m guessing the same goes for code.
Any idea where I can post this and get more info? If you guys can help that would be great but otherwise I would like to report it or learn more about it.
Since it’s the same issue I’m guessing Avast is picking up a false positive so I just need to wait for it to stop blocking the site.
==Edit==
Almost forgot, the user that reported the issue said his browser crashed and a webcam recorder opened up afterwards (which he never uses). This leads me to believe the site it is redirected to is dropping off some kind of malware. I instructed him to do a full Avast scan and a Malwarebytes scan (I’m doing the same). Yet to find anything but will definitely post any news about it.
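Since the .htaccess keeps being re-edited, a quick way to check a saved copy before restoring it (or deciding what to post) is to scan it for the two things injected redirect blocks usually have: a target on a host other than your own, and a RewriteCond on the referer or user-agent so that only visitors arriving from a search engine get redirected while the site owner sees a normal page. The script below is an added example, not code from this thread or from Avast; the sample .htaccess and the redirect hostnames in it are constructed placeholders (`.invalid` and `example.com`), and only the site’s own host name is taken from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample .htaccess: a few normal Modx-style rules followed by an
# injected block. The redirect hosts are placeholders, not real addresses.
SAMPLE_HTACCESS = """\
# normal site rules
RewriteEngine On
RewriteBase /
RewriteRule ^(manager|assets)/ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]

# injected block: only redirects visitors arriving from search engines
RewriteCond %{HTTP_REFERER} ^.*(google|bing|yahoo)\\. [NC]
RewriteRule ^.*$ http://redirect-host.invalid/go.php?u=$1 [R=302,L]
Redirect 302 /old-page http://www.example.com/new-page
"""

# The site's own host (from the thread); redirects to it are considered normal.
SITE_HOST = "orlandokayakfishingclub.com"

# Conditions legitimate site rules rarely key on; injected redirects commonly
# use them to show the redirect only to search-engine visitors or some browsers.
SUSPICIOUS_COND = re.compile(r"%\{(HTTP_REFERER|HTTP_USER_AGENT|HTTP_COOKIE)\}", re.I)
RULE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$", re.I)


def _target_host(rule_args):
    """Return the hostname of an absolute http(s) target in a rule's arguments, else None."""
    for token in rule_args.split():
        if token.lower().startswith(("http://", "https://")):
            return urlparse(token).hostname
    return None


def find_suspicious_rules(text, site_host=SITE_HOST):
    """Scan .htaccess text and return (line_no, reason, line) for every redirect
    rule that points to an external host and/or is gated on referer, user-agent
    or cookie conditions."""
    findings = []
    pending_conds = []  # RewriteCond lines that apply to the next RewriteRule
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.lower().startswith("rewritecond"):
            pending_conds.append(stripped)
            continue
        m = RULE.match(stripped)
        if not m:
            continue
        args = m.group(2)
        host = _target_host(args)
        reasons = []
        if host and host != site_host and not host.endswith("." + site_host):
            reasons.append("redirects to external host " + host)
        gated = [SUSPICIOUS_COND.search(c).group(1) for c in pending_conds
                 if SUSPICIOUS_COND.search(c)]
        if gated:
            reasons.append("only fires when " + ", ".join(gated) + " matches")
        if reasons:
            findings.append((no, "; ".join(reasons), stripped))
        pending_conds = []  # conditions only apply to the rule that follows them
    return findings


if __name__ == "__main__":
    for no, reason, line in find_suspicious_rules(SAMPLE_HTACCESS):
        print(f"line {no}: {reason}\n    {line}")
```

Run it against your saved copy with `find_suspicious_rules(open(".htaccess").read())`; anything it flags that you did not write yourself is worth removing, and the referer-gated rules are the ones that explain why the site looks fine to you but redirects for visitors coming from a search result.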
Hope you have solved that issue. Just on a side note: if you want to post code here, do it in the form of an image, that will render it harmless for viewers.
I’ll give you a random example, attached.
Well on the website side it is fixed however on my side Avast! is still throwing Threat: JS:Iframe-FG [Trj]…
Saying this is trojan:
C:\Users\<My Username>\AppData\Roaming\Mozilla\Firefox\Profiles\<profile id>\tidy\tidy_last_validated.html
However at first it did not exist… Now it exists and it’s this current post! When it got alerted on another site.
Looking into it I see it gets updated when I change pages; however, it is a plugin I installed called HTML Validator 0.9.5.1. It’s a plugin that checks whether errors exist on the page and whether it meets the W3C Validator.
I have removed it, hopefully it fixes things.
==Edit==
It has solved the problem, now I wonder if it was hijacked as I have used it for ages (past 3 years and no problems) or if it was really a sleeping trojan.