If you could help, it would be really appreciated;
nearly a fortnight ago, whenever I tried to access this forum hXXp://www.oncourse-software.co.uk/forums/
I received a JS:Redirector-H7 [trj] alert and an aborted connection. I informed the webmaster and he said that I was one of only two people who had had this warning message pop up. The forum software was duly re-installed but I’m now getting a JS:Redirector-H5 [trj] alert. The webmaster is suggesting that there’s a hiccup with the a/v package as no-one else has been having a problem. I’m not so sure - is there any way you could double-check please ?
My thanks in advance for any assistance you could give regarding this previously trusted site
This is no false positive; the site appears to have been hacked, possibly due to out-of-date PHP, forum or other content management software that is vulnerable to exploit.
There are a couple of obfuscated JavaScript blocks after the closing head tag and before the opening body tag, see image. I have broken up the script line in the first script (the second follows the same format) to make it easier to see in the image.
Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.
The script starts with “(function(“
The function has no name. It is anonymous and self-invoking.
The script is obfuscated, i.e. some characters are replaced with their numeric codes, and then the "%" character is replaced with some arbitrary character. Here are some sample excerpts of the encrypted data: "…20a.3d.22Sc.72iptEngin.65…", "…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…", "…v_61_72_20_61_3d_22_53_63rip_74E_6e…"
Near the end of the script there is a “.replace(” function
If the function accepts parameters, at the very end you'll find a simple regular expression like /"/g or /~/g, etc. that will decrypt the mangled "%" character.
3. When the script is executed (every time someone visits the infected web page), another script from "gumblar . cn/rss/" is silently loaded and executed.
4. This code is usually injected right before the tag. I saw a web page with eight(!) tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.
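As an added example (not part of the forum thread or of the article quoted above), the following JavaScript applies the fingerprint described in the post statically: it looks for the anonymous self-invoking "(function(" wrapper, recovers the character that stands in for "%" from the /X/g regex the script itself carries, and decodes the mangled payload without eval(), so the hostile loader is never run. The function names are assumptions, the three payload excerpts are the ones quoted above, and the full sample script is a constructed stand-in whose payload decodes to the harmless `var a="ScriptEngine";` fragment rather than to the real loader.

```javascript
// Added example written for this thread; not code from the forum post or
// from the article quoted above. Function names are assumptions.
// Statically decodes the gumblar-style obfuscation: characters replaced by
// %XX hex codes, then "%" swapped for an arbitrary delimiter. Nothing
// recovered here is ever evaluated.

// Step 1: swap the arbitrary delimiter back to "%".
// Step 2: turn each %XX into its character (what unescape() does for
// two-digit codes). Text that is not a %XX escape is kept as-is.
function decodeMangled(sample, delimiter) {
  const escaped = sample.split(delimiter).join("%");
  return escaped.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// The obfuscator's own regex /X/g gives away the delimiter X. It sits either
// inside .replace( near the end or, when the function takes parameters, as
// the last argument of the self-invocation at the very end, so the LAST
// /X/g in the script is taken. Returns null if there is none.
// (A division written like a/2/g would also match; this is a heuristic.)
function findDelimiter(script) {
  const hits = [...script.matchAll(/\/(\\?[^\/\n])\/g(?![A-Za-z0-9_])/g)];
  if (hits.length === 0) return null;
  return hits[hits.length - 1][1].replace(/^\\/, ""); // /\"/g -> "
}

// The mangled data is the longest quoted string literal in the script.
function extractPayload(script) {
  const literals = script.match(/"[^"]*"|'[^']*'/g) || [];
  const longest = literals.reduce((a, b) => (b.length > a.length ? b : a), "");
  return longest.slice(1, -1);
}

// Combine the indicators: anonymous self-invoking function, a .replace( call
// and a recoverable delimiter. Returns the decoded payload for manual review.
function analyse(script) {
  const s = script.trim();
  const delimiter = findDelimiter(s);
  const gumblarStyle =
    s.startsWith("(function(") && s.includes(".replace(") && delimiter !== null;
  return {
    gumblarStyle,
    delimiter,
    decoded: gumblarStyle ? decodeMangled(extractPayload(s), delimiter) : null,
  };
}

// Constructed stand-in for an injected script, following the shape described
// in the thread. Its payload decodes to the harmless fragment seen in the
// excerpts, not to the real loader.
const SAMPLE_SCRIPT =
  '(function(d,r){var p="%";eval(unescape(d.replace(r,p)))})' +
  '("~76ar~20a~3d~22Scr~69~70~74En~67~69ne~22~3b",/~/g)';

// The three excerpts quoted above, each with a different delimiter.
const EXCERPTS = [
  ["20a.3d.22Sc.72iptEngin.65", "."],
  ["~76ar~20a~3d~22Scr~69~70~74En~67~69ne", "~"],
  ["v_61_72_20_61_3d_22_53_63rip_74E_6e", "_"],
];

for (const [sample, delimiter] of EXCERPTS) {
  console.log(JSON.stringify(decodeMangled(sample, delimiter)));
}
console.log(analyse(SAMPLE_SCRIPT));
```

Run it with node; the excerpts decode to pieces of `var a="ScriptEngine"` whatever character was used in place of "%", and analyse() flags the sample while reporting the delimiter and the decoded text. On a real page, run it over the script text copied from a saved copy of the HTML, never by loading the infected page in a browser, and treat the decoded text as hostile input to read, not to execute.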
Strewth - that was quick :o Thank you so much for your quick replies and observations, I really appreciate it and will pass on this information to the webmaster.