Virus alert on my website! Prevents access to avast-users, but no-one else.

Hi,

I have a website (www.nodus.no) that seemingly has virus. Only avast antivirus seems to find it, and calls it: JS:Clickjack-A [Trj].
I contacted the firm responsible for the webservers (proisp), but they have not indicated that they found anything. I’ve tried on three different computers (all using avast and on three different networks), and all are denied access. I’m not very experienced as far as websites go, and would be greatful if any of you could help. It’s a site used in a firm, so it’s important for us that customers can access it regardless of their antivirus programs. I don’t know how to collect logs from the server either, so I’m rather lost.

I’m using joomla 2.5, if it matters.

I remain hopeful,

Talwyn

Whilst I check the site have a look at this thread http://forum.avast.com/index.php?topic=132255.0

Norton hasnt checked that Url yet.
Sucuri is detecting Javascript malware: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.nodus.no%2F
Zulu: http://zulu.zscaler.com/submission/show/ac876de642550580a4e4643f9d510a5d-1377451269 (Benign)
URLQuery: http://urlquery.net/report.php?id=4740850
Quettra: http://www.quttera.com/detailed_report/www.nodus.no (Clean)

When i am looking through the Source Code this is what is causing the alerts. :wink:

This is found on multiple sites.

How would I go about fixing it, though? Like I said, I’m no expert on websites. Should I contact Proisp? (The server owners)

I think so.
They know how the server was built and they can remove this. :wink:

Maybe you should show them exactly what this Script is. ;D

When you are the creator of the site you should look over your files, if possible maybe this is in your files.

Thank you! :smiley: I’ll spend some time tomorrow working on it. If I have trouble, I hope you won’t mind further questions. :stuck_out_tongue: I recognize the files found in the sucuri scan, and hopefully I won’t have trouble opening, deleting the script, etc. I suppose I can link Proisp to this discussion if I’m incapable (or simply too ignorant) removing it myself…

Anyway, I’m grateful for your help! :slight_smile: You were quick and helpful.

My regards

Thanks. Youre welcome. :smiley:

Website vulnerable, probably via Joomla software.
wXw.nodus.no/media/system/js/caption.js benign
[nothing detected] (script) wXw.nodus.no/media/system/js/caption.js
status: (referer=wXw.nodus.no/)saved 729 bytes 42c45161c94773d3d73d8b0c55ac7ddae5137502
info: [decodingLevel=0] found JavaScript
suspicious: see Sucuri scan triggered rule clickjack issue that came in a plug-in
=== Triggered rule ===
alert(url_content:“%3C”; url_content:“%2F”; url_content:“%3E”; msg:“Suspicious looking GET request containing %3C, %3E, and %2F. Suspiciously HTML-like.”; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel={flock:context}&q=t%3D''%3B}}x[l-a]%3Dz%3B}document.write('<'%2Bx[0]%2B'+'%2Bx[4]%2B'>.'%2Bx[2]%2B'{'%2Bx[1]%2B'}<%2F'%2Bx[0]%2B'>')%3B}dnnViewState()%3B&ie=utf-8&oe=utf-8&aq=t

polonus

Proisp was unable to find the code, or otherwise help me, but I finally found a solution to the problem. I found my exact problem here:

http://joomlaboy.com/tutorials/joomla/88-solved-autson-slideshow-clickjack-issue

I did what it said to do, and securi no longer finds any viruses. The reason it showed on several joomla articles, was because it’s a slideshow which shows on the whole website. :slight_smile: Removing the code did not destroy the usability of the slideshow either. :slight_smile:

I’ll ask a few of my friends who are using avast-antivirus to check out the site and confirm that they’re no longer prevented access. Unless something changes, I consider this case closed.

Many thanks for the help!