Trojan horse on new website

Hi,
I have a big problem. We just placed a new website on the internet. Everything is fine… except users of avast can't go on the site. Avast blocks the site and tells the visitors that there is a trojan horse and malware on the site. We sorted out the problem, but we can't solve this. It's just on this code it gives a problem.

<script>function vytbVVtYYVd(vytYdttxxYb){  return(parseInt(vytYdttxxYb,16));}function vYadat
[snip]
343524950543E'));</script>

Is there anyone here who can help us?
This is the site hxxp://www.hardtech.be

Thx!

What’s the purpose of the script, then?

I don’t know what the purpose of the script is. It doesn’t change a thing when we delete it.
Only avast reports this script as a Trojan. If I only knew what puts the script into the index pages.

Hello,

Yes, your website contains a malicious script, as you are writing. I don't think everything is fine: as you can see from the virustotal report → http://www.virustotal.com/cs/analisis/8c9b280f081fa5197a02f45fdb3cd185 not only avast users are blocked from your site.

This script contains an encrypted iframe that redirects to a malicious site with the address:

http://{removed}.ru/traffic/sploit1/?'+Math.round(Math.random()*14328)+'xtbVxttydV

Are you sure this script is made by you? Please remove it and everything will be fine, your webpage was probably hacked.

Regards

Our website is based on Joomla. We only installed a few modules. How come the virus keeps coming back? Even when the files are chmodded to 440…

It is possible, because Joomla had some security problems… try, I’m sorry, I don't know much about it.

http://secunia.com/advisories/20874

and try google, support or forum on joomla. Search for “sql injection”.

Regards

We are updating the site right now as we speak to the latest version. I’ve googled all week long and we get 100 answers and nothing helps.

Hi Hardtech,

This is not the first incident you have had on your website: http://forum.dutchjoomla.org/member.php?u=13338

I also get an error message when I browse to your new site. I use Google Chrome as my browser and get this warning: "The website at www. hardtech.be contains elements from the site reddii.ru, which appears to host malware. That is software that can damage your computer or perform actions without your knowledge. Merely visiting a site that contains malware can infect your computer."

I once had this myself; back then there was an infection in a module I had installed. It takes a bit of puzzling, or run a good scanner over the installed files.

That was this past January 4th.
So first make sure your website gets cleaned up,

I translate here for the non-Dutch forum users: This is not the first incident you had on your website. The quote mentions a warning in Google Chrome where a warning is shown as “The website on www. hardtech.be has elements of the site reddii.ru, that seems to host malware (trojan). That is software that can damage your computer or can execute actions without you knowing. Only the visiting of a site that contains malware may infect your computer”. And then a good anti-malware program reacts, so clean up your act there first, make sure your website no longer redirects to malicious site(s), and then start complaining about an eventual false positive. As others also flag this at virustotal, it means there is something not completely as it should be. That was January 4th 2009, so that incident might not have been cleared yet completely.

polonus

broke the link to the site for obvious reasons

Hi… I also have this problem… I didn’t get any active solution for this from my hosting team… this always affects index files, at the bottom only… so I inserted the following code at the end of all my PHP files.

exit;

?>

Now the malware script will be inserted below this code… but it doesn’t affect viewing my site. Once a week I delete the inserted code manually… this is only a temporary solution. If anyone has a full solution, inform me.

My URL is hxxp://www.medicinestudent.net

thanks
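
A defender's check for the pattern described in this thread (a script appended to the bottom of index files that decodes a long hex string with `parseInt(…, 16)`), as an added example that is not part of any post. The heuristics, function names and sample pages are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Heuristics are assumptions chosen for this example, not signatures from avast or any scanner.
HEX_DECODE = re.compile(r"parseInt\s*\(\s*\w+\s*,\s*16\s*\)")  # hex-decoding helper
HEX_RUN = re.compile(r"[0-9A-Fa-f]{200,}")                      # long hex-encoded payload
SCRIPT = re.compile(r"<script\b.*?</script>", re.I | re.S)
WEB_EXT = {".php", ".html", ".htm"}

def inspect(text):
    """Return the reasons a page looks like it carries an injected script."""
    reasons = []
    for m in SCRIPT.finditer(text):
        if HEX_DECODE.search(m.group(0)) and HEX_RUN.search(m.group(0)):
            reasons.append("hex-decoding script with long hex payload")
            break
    # Legitimate pages end at </html>; the thread's script is appended after it.
    end = text.lower().rfind("</html>")
    if end != -1 and "<script" in text[end:].lower():
        reasons.append("script after closing </html>")
    return reasons

def scan(root):
    """Map each suspicious web file under root to the reasons it was flagged."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in WEB_EXT:
            reasons = inspect(path.read_text(errors="replace"))
            if reasons:
                findings[str(path)] = reasons
    return findings

# Constructed samples: the payload is a harmless run of "41" (the letter A in hex).
CLEAN = "<html><body><script>var menu = 1;</script></body></html>\n"
INFECTED = (CLEAN + "<script>function d(x){return(parseInt(x,16));}"
            "document.write(u('" + "41" * 120 + "'));</script>")

if __name__ == "__main__":
    for name, why in scan(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(name, "->", "; ".join(why))
```

A hit only tells you which files to restore from a known-good copy; because the script in this thread returns after deletion, the way the files get rewritten still has to be found and closed.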

Are your passwords changed & secure? Do you store passwords on your system? Is your system up2date & secure? etc.

Nice one, Alwil found that trojan; they tried to get you but avast blocked it, hahaha