system
September 7, 2011, 9:32am
1
www.--------.com is a Joomla based CMS site. Avast has been alerting that some pages are infected with the js:Redirector-JK [Trj] Trojan for the last 10 days.
However, I could not find any infected files on the server so far. If it is a false alert, how can I request that Avast remove it?
For example, Avast alerts me when I visit this page - hxxp://news.------.com
Infection Details
URL: hxxp://news.-------.com/favicon.ico|…
Process: file://D:\Program Files\Mozilla Firefox.…
Infection: js:Redirector-JK [Trj]
Please help me on this, guys. Thank you.
Asyn
September 7, 2011, 9:43am
2
system
September 7, 2011, 10:02am
3
Is it possible to remove it manually?
Asyn
September 7, 2011, 10:04am
4
Click on the link in my prior post.
Pondus
September 7, 2011, 10:18am
5
As you see on their web… you can get help from Sucuri doing it.
polonus
September 7, 2011, 12:25pm
6
Hi kandsgroup,
Detected: Blackhole Exploit Kit HTTP request
http://urlquery.net/report.php?id=2560
polonus
system
September 7, 2011, 3:25pm
7
So does it mean the whole server is affected, or just the website files? Because I do not have any script files in this location - news.---------.com
I can't even find the script files.
Any solution, guys, please?
DavidR
September 7, 2011, 3:49pm
8
If you have content management software (CMS), then there is a possibility that it could be exploited (inserting the code during page creation) or the template files could have been hacked. So it is important to ensure any CMS software is up to date.
If you check the news.4tamilmedia.com/favicon.ico mentioned in your original post, that is what is being flagged, and it is perhaps one of the most commonly hacked files as it is loaded every time you load a page. Another common file to be hacked is any custom 404 file.
The favicon.ico is loading a compressed {gzip} obfuscated script file, see image1 of the alert and image2 of an extract of that file.
Avast isn’t alone in considering this loaded file infected, http://www.virustotal.com/file-scan/report.html?id=3432469b0c91ee49356d9fde4db9a3b779a79d18ec022d2240083c4e219f7d58-1315410031
Please ‘modify’ your posts change the URLs from http to hXXp or www to wXw , to break the link and avoid accidental exposure to suspect sites, thanks.
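The point DavidR makes above, that a favicon.ico which is really a gzip-wrapped script can be spotted by looking at the bytes rather than the file name, is easy to check mechanically. The following Python is an added example, not code from this thread, from Avast or from Sucuri: it classifies a blob by its magic bytes, unwraps gzip if present, and looks for the markers that typically appear in obfuscated redirector scripts. The sample payloads and the marker list are constructed here for illustration and are not signatures from any product.

```python
import gzip
import zlib

# Magic-number prefixes of the image formats a browser expects behind favicon.ico.
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
GZIP_MAGIC = b"\x1f\x8b"

# Lower-case markers commonly seen in obfuscated redirector scripts
# (illustrative list for this example, not a signature database).
SCRIPT_MARKERS = (
    b"<script", b"eval(", b"unescape(", b"document.write(", b"fromcharcode(", b"<iframe",
)


def image_type(data: bytes):
    """Return the image format name if data starts with a known image magic, else None."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def inflate_if_gzip(data: bytes) -> bytes:
    """Return the decompressed payload if data is a gzip member, else data unchanged."""
    if not data.startswith(GZIP_MAGIC):
        return data
    try:
        return gzip.decompress(data)
    except (OSError, EOFError, zlib.error):
        # Truncated or corrupt gzip: fall back to inspecting the raw bytes.
        return data


def classify_payload(data: bytes) -> dict:
    """Decide whether bytes served as an image (e.g. favicon.ico) look like an image or a script.

    Returns the detected image type (or None), whether the payload was gzip-wrapped,
    the script markers found after unwrapping, and a verdict of image/script/unknown.
    """
    kind = image_type(data)
    gz = data.startswith(GZIP_MAGIC)
    body = inflate_if_gzip(data).lower()
    markers = [m.decode() for m in SCRIPT_MARKERS if m in body]
    if kind:
        verdict = "image"
    elif markers:
        verdict = "script"
    else:
        verdict = "unknown"
    return {"image_type": kind, "gzip_wrapped": gz, "markers": markers, "verdict": verdict}


def scan_files(files: dict) -> list:
    """Given {path: bytes} for files that are supposed to be images, return the paths
    whose content is not an image, with the verdict, so a site owner can review them."""
    flagged = []
    for path, data in files.items():
        result = classify_payload(data)
        if result["verdict"] != "image":
            flagged.append((path, result["verdict"]))
    return flagged


# Constructed samples (not files from the thread): a minimal ICO header and a
# gzip-wrapped snippet carrying typical obfuscation markers.
CLEAN_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 16
SUSPECT_FAVICON = gzip.compress(b"<script>eval(unescape('%61%6c%65%72%74'))</script>")

if __name__ == "__main__":
    sample_site = {"/htdocs/favicon.ico": CLEAN_ICO, "/htdocs/news/favicon.ico": SUSPECT_FAVICON}
    for path, verdict in scan_files(sample_site):
        print(f"{path}: {verdict} -> {classify_payload(sample_site[path])['markers']}")
```

Run against a real web root by reading each file that the site serves as an image (favicon.ico, theme icons) into the dict; anything reported as `script` or `unknown` deserves a manual look, and a custom 404 page can be checked for the same markers with `classify_payload` even though it is expected to contain HTML.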
system
September 22, 2011, 11:28am
9
Hi,
I removed everything from the server and updated to the newer version. Now the site is 100% clean.
Thanks for the help, guys…
polonus
September 23, 2011, 4:05pm
12
Status clean - no alerts detected - see: http://urlquery.net/report.php?id=3446
Thanks for reporting, stay safe and secure online,
polonus