I have tried to go to the website for a local concert venue and Avast has alerted me that it is infected with JS:HideMe-B [Trj]. I did some searching here and found that I should check a few sites to confirm infection. None of those other sites show it as infected, just Avast. Is this a false positive or are the other sites wrong?
hxxp://centennialterrace.org is the site in question.
When we are talking about ScriptShield, there is no database of URLs. If Avast cannot see the signature, it does not raise a popup message. Maybe you still have the infected version in the browser cache?
<div id='hideMe'><p>The drugs also treat..........................Buy branded vi a gr a</a> .</p></div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>
Keep in mind that this code does not have to be on the server in plain text, but if you use any server-side scripting, such as PHP, it can be inserted via some obfuscation (base64, gzinflate, rot13, …).
It is not a false positive. I found this script (JS:HideMe-B [Trj]) on this site:
<div id='hideMe'> <p>Erection failure or Casino en ligne gratuit <a href="http://cafel.fr/">En ligne casino</a> <p>Erectile dysfunction treatment method has come a Liquid cialis <a href="http://sotrueradio.org/">Cialis with atenolol</a> </div>
<script type='text/javascript'>
if(document.getElementById('hideMe') != null){
document.getElementById('hideMe').style.visibility = 'hidden';
document.getElementById('hideMe').style.display = 'none';
}
</script>
I have a website infected as well. I have looked through many files, but can’t find the malicious code. Can someone point me in the right direction on how to find the file that contains the code? I am running a Joomla website.
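An added example, not code from any poster in this thread: a sketch of how a site owner could search a copy of the web root for the hideMe block quoted above, both in plain text and behind one layer of the PHP encodings mentioned earlier (base64, gzinflate, rot13). The file suffix list, the 40-character minimum for a base64 literal and the function names are assumptions made for illustration.

```python
import base64, codecs, re, sys, zlib
from pathlib import Path

# Marker strings taken from the injected block quoted in the thread.
MARKER = re.compile(rb"""getElementById\(\s*['"]hideMe['"]\s*\)|\bid\s*=\s*['"]hideMe['"]""")
# eval() fed directly by a PHP decoder named in the thread: a hint, not proof.
WRAPPER = re.compile(rb"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(")
B64_LITERAL = re.compile(rb"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")

def rot13(data):
    return codecs.encode(data.decode("latin-1"), "rot_13").encode("latin-1")

def inflate(data):
    try:
        return zlib.decompress(data, -15)  # PHP gzinflate() reads raw DEFLATE
    except zlib.error:
        return None

def unwrapped(content):  # yields (label, bytes): as stored, plus one decoding layer
    yield "plain", content
    yield "rot13", rot13(content)
    for m in B64_LITERAL.finditer(content):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        yield "base64", raw
        for label, blob in (("base64+gzinflate", inflate(raw)),
                            ("base64+rot13+gzinflate", inflate(rot13(raw)))):
            if blob is not None:
                yield label, blob

def scan_file(path):
    content = Path(path).read_bytes()
    hits = sorted({label for label, blob in unwrapped(content) if MARKER.search(blob)})
    if not hits and WRAPPER.search(content):
        hits = ["eval+decoder, payload not recovered"]
    return hits

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js", ".tpl")):
    report = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            hits = scan_file(p)
            if hits:
                report[str(p)] = hits
    return report

if __name__ == "__main__":
    print(scan_tree(sys.argv[1]))
```

Only one layer of encoding is undone, so a file reported as "eval+decoder, payload not recovered" still needs to be read by hand.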