VBS:Obfuscated-gen[Tri]

When I go to hxxp://www.matthewlye.com I get a message

Sign of “VBS:Obfuscated-gen [trj]” has been found in “hxxp://www.matthewlye.com/” file.

VPS Version: 090508-0, 5/08/2009

could it be that the variable is

var siteurl = '';
instead of
var siteurl = 'xxx.matthewlye.com';

Any help would be nice.

edit
it is joomla.

Whether in maintenance mode or not, it gives the error.

Thanks for replacing http and www with hxxp and xxx, for people who might accidentally click on it :slight_smile:

A person will respond to you maybe in a min so be patient please.

Mr.Agent

Hi mbrown,

Yep, 1 suspicious inline script found:

A47D83DF0CCFAD="parse";A47D83DF0CCFAD+="In";A47D83DF0CCFAD+="t";A6017BB0="Strin";A6017BB0+="g.fr";A...

Finjan gives it as Potentially malicious behavior was detected on this page -Code Obfuscation (Home-Encoding)

polonus
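As an added example, not part of this thread: a small Python scanner that replays the `=` / `+=` string chains found in inline scripts like the one quoted above and reports API names that only appear once the fragments are joined (the classic sign of split-string obfuscation). The sample page and every fragment beyond the quoted prefix are constructed; the variable names are taken from the thread.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the first script mimics the shape of the inline
# script quoted in this thread (identifiers from the thread, filler pieces are
# made up); the second is an ordinary external include that must not be flagged.
SAMPLE_HTML = """<html><body><table><tr><td>Welcome</td></tr></table>
<script>A47D83DF0CCFAD="parse";A47D83DF0CCFAD+="In";A47D83DF0CCFAD+="t";A6017BB0="Strin";A6017BB0+="g.fr";A6017BB0+="omCharCode";var q=window[A47D83DF0CCFAD]("42");</script>
<script src="/media/system/js/mootools.js"></script>
</body></html>"""

# Names that obfuscators commonly hide by splitting them into fragments.
WATCHLIST = ("parseInt", "String.fromCharCode", "eval", "unescape", "document.write")

class _ScriptCollector(HTMLParser):
    """Collects the bodies of inline <script> elements (those without src=)."""
    def __init__(self):
        super().__init__()
        self.inline, self._in_inline = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script" and "src" not in dict(attrs):
            self._in_inline = True
            self.inline.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data

def extract_inline_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    return parser.inline

# One assignment statement: NAME = "literal" or NAME += "literal" (either quote style).
_ASSIGN = re.compile(r'\b(\w+)\s*(\+?=)\s*(["\'])(.*?)\3\s*;')

def rebuild_concatenations(script):
    """Replays the `=` / `+=` chains in order and returns {variable: joined value}."""
    values = {}
    for name, op, _quote, literal in _ASSIGN.findall(script):
        values[name] = literal if op == "=" else values.get(name, "") + literal
    return values

def find_split_strings(html):
    """Returns (variable, rebuilt value) pairs where a watchlisted name exists
    only after joining the fragments, i.e. it never appears literally in the script."""
    findings = []
    for script in extract_inline_scripts(html):
        for name, value in rebuild_concatenations(script).items():
            for word in WATCHLIST:
                if word in value and word not in script:
                    findings.append((name, value))
    return findings
```

Run `find_split_strings` over a saved copy of the suspect page; hits name the variables worth decoding further, while the external include produces none.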

what page is that on specifically (sp)?

Well I don’t use joomla, so it makes no difference to me maintenance mode or not, but avast alerts. It isn’t what you suggested in the first post but a large block of obfuscated javascript just before the closing table tag; this is for the most part all on a single line and differs greatly from other formatted script tags. See image, I have broken the long line down to make it easier to see.

So it looks like the site has been hacked. This is the default/home page that comes up when you click any of the links you gave

Please modify your links: change http to hXXp and/or www to wXw so links aren’t active, exposing people to accidental exposure.

Not my site but I will let the admin know. The admin is a friend of mine from the Ubuntu beginner team. Is there a way to see how it was done? Permissions error, etc?

thanks

The most common issue when using any form of content management software (php, sql, wordpress, etc.) is an old version of the software which is vulnerable to exploit.

I know nothing about joomla but if that is similar you need to ensure you have the latest version and also change your passwords to stronger ones.

Hi mbrown,

As DavidR says, but let him rebuild the site, change the access data, and check his cron jobs. Let him update and patch joomla, but the hacker could have abused for instance some old component, like the extcalendar component, that has never been deleted; let him clean out all the malicious scripts and files. An important tool for him can be the apache logs. Let him look for any weird POST requests. Look for anyone trying to insert external URLs into your URLs, just some possibilities. Could have been the work of Durzosploit, a javascript exploit generator framework that works through the console. The goal of that project is to quickly and easily generate working exploits for cross-site scripting vulnerabilities in popular web applications or web sites.

polonus

Thank you guys, you have been most helpful. I will let the admin know and provide him with this in case he has any questions directed to you guys.

Once again thanks

You’re welcome, good luck.

could this be a cross site scripting attack?

I don’t believe so (could easily be wrong though) because all the code is on the same page and I think it makes an iframe or some form of redirect.

You haven’t modified your first post yet to kill the active links to prevent accidental exposure.

The site should be fixed to my knowledge. I just replaced www with xxx, if that is correct.

Yes, no alerts on the URL now.

Yes, replacing it with xxx works too, links no longer clickable.