Website Injected

Dear All,

I just access our customer website and found that their website is injected by javascript. But the word things that some web scanner doesn’t found any issues on this website : hxxp://www.pgascom.co.id/en/

Summary review :
https://www.virustotal.com/en/url/0fed74e1bf61a07db156ea37796945e6aba3dba6263900414714dc32cdc88a18/analysis/
http://anubis.iseclab.org/?action=result&task_id=1fba2f124a5364ce4f1619ba593e6b80f&format=html
http://www.urlvoid.com/scan/pgascom.co.id/

javascript check alerts: Suspicious

e=“javascript”> function dnnviewstate() { var a=0,m,v,t,z,x=new array(‘9091968376’,‘8887918192818786347374918784939277359287883421333333338896’,‘778787’,'949990
Spam SEO malware found: http://sitecheck.sucuri.net/results/www.pgascom.co.id/en/
Issue is with Joomla → http://vel.joomla.org/articles/844-spotting-spam-code-in-malicious-extensions.html

Not flagged here: http://urlquery.net/report.php?id=8274560 nor here: http://maldb.com/www.pgascom.co.id/en/

Code hick-up found with jsunpack:
wXw.pgascom.co.id/modules/AutsonSlideShow/js/jquery.animate-colors-min.js benign
[nothing detected] (script) wXw.pgascom.co.id/modules/AutsonSlideShow/js/jquery.animate-colors-min.js
status: (referer=wXw.pgascom.co.id/en/)saved 1745 bytes d638ada8452da2ecd026da4bf64460719b4b0c0f
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
error: undefined function d
suspicious:

pol

Hi Polonus,

Many thanks for your help to check this suspicious site. May i know what happened with this website which’s detected as suspicious site?
Is that because of this website infected by javascript on Joomla?

Cheers,

Hi Yanto.Chiang,

This is known javascript blackhat spam:seo malware: often means that it was hacked and the attackers inserted links to their own sites to increase their page rank on search engines. avast detects as JSL:HideMe-I[Trj]
Read:
htxps://www.google.nl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&ved=0CEIQFjAB&url=http%3A%2F%2Fvel.joomla.org%2Farticles%2F844-spotting-spam-code-in-malicious-extensions.html&ei=wvqpUtrTE4qI7AaL-oHQDw&usg=AFQjCNHkK310uKc4Wp4C_Hly4Qv4rVun7Q&bvm=bv.57967247,d.ZGU (avast! Web Shield detects this url as there is enough of that code in the description revealed as JS:HideMe-I[Trj]

polonus

P.S. Sometimes this malware can come within the social-media-widget plugin

D