Where's the trojan?

system · January 14, 2010, 8:33am

3 weeks ago my website wxx.subzero.it was blacklisted by Google.
After 1 day it was removed from the blacklist, but Avast! give me an alarm:

Trojan found
malware name: JS: Redirector-AM

The infected files are various (dynamic pages, static pages, gifs and jpgs).

Same alert was reported from many user of my site.

I tryed to check all the code to find injected script but I can find nothing. But at random times Avast! give alerts and if I try with a system without Avast! installed, sometimes appear a white page wich contains hidden malware code (link to various warez or pornographic sites).

I deleted all files and database various times, changed the passwords of FTP, Plesk, SQL.

Sometimes is all OK, sometimes Avast! gives alarms also if the site is completely empty (included in the Apache Test page).

My 2 PCs are all clean (tested with 3 antyspyware: Spyware Doctor, Ad-Aware, Spy Emergency).
I tryed with other 2 systems with 2 different internet ISP, but i can’t solve the problem.

My hosting SP says there aren’t problems.

What can I do with this?

Thanks in adavance.

Yanto.Chiang · January 14, 2010, 8:52am

Hi
Please don’t use active domain link in this forum, but use Hxxp:// or Wxx. to avoid innocent user infected

After i analyze :

http://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

Based on Google analyzed :

Of the 91 pages we tested on the site over the past 90 days, 1 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-01-11, and the last time suspicious content was found on this site was on 2010-01-10.

Malicious software includes 2 scripting exploit(s).

Malicious software is hosted on 4 domain(s), including elspyra.pl/, axul13.com/, eleanornursing.co.uk/.

This site was hosted on 1 network(s) including AS31034 (ARUBA).

This site was infected with malware with 2 scripting exploit.

system · January 14, 2010, 12:08pm

Thank you, but I already know the content of Google’s security page.

What I need to understand is the location of the malware script and why it comes only at random times.

Yanto.Chiang · January 14, 2010, 12:31pm

Hi Spider,

Here’s referenced link : http://forum.avast.com/index.php?topic=52093.msg440808;topicseen#msg440808

YoKenny and SPGcoot has already explained in details.

system · January 14, 2010, 11:30pm

Hi Spider_sz, welcome to the forum

When I try to visit your site, I get these warnings:

1/14/2010	11:22:38 PM	1263511358	SYSTEM	1528	Sign of "JS:Redirector-AM [Trj]" has been found in "hXXp://subzero.it/logo_phpBB.gif" file.  
1/14/2010	11:22:46 PM	1263511366	SYSTEM	1528	Sign of "JS:Redirector-AM [Trj]" has been found in "hXXp://subzero.it/favicon.ico" file.

This means that the favicon.ico and the logo_phpbb.gif files on that page have been hacked. This is what is causing the alert.
I think that your best option would be to replace the relevant files with clean versions, and try to prevent this from happening again:

A post worth reading by DavidR

DavidR post:2:

Actually cleaning the file is not going to resolve why you got hacked it will only clean the file (well avast doesn’t clean the file just alerts to it, you have to find and strip out the injected code) and not the cause, you need to contact your host, see below.

– HACKED SITES - This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.
I suggest the following clean up procedure for both your accounts:

check all index pages for any signs of java script injected into their coding. On windows servers check any “default.aspx” or
“default.cfm” pages as those are popular targets too.

Remove any “rouge” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

Check all .htaccess files, as hackers like to load re-directs into them.

Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
“strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

-Scott-

polonus · January 15, 2010, 12:25am

Hi Spider_sz,

Also consider for this particular malware this cleansing info http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

http://smackdown.blogsblogsblogs.com/images/hacker-removal.png

polonus

Where's the trojan?

Announcements