yes or no?

If you could help, it would be really appreciated;

nearly a fortnight ago, whenever I tried to access this forum hXXp://www.oncourse-software.co.uk/forums/
I received a JS:Redirector-H7 [trj] alert and an aborted connection. I informed the webmaster and he said that I was one of only two people who had had this warning message pop up. The forum software was duly re-installed, but I’m now getting a JS:Redirector-H5 [trj] alert. The webmaster is suggesting that there’s a hiccup with the a/v package, as no-one else has been having a problem. I’m not so sure - is there any way you could double-check, please?

My thanks in advance for any assistance you could give regarding this previously trusted site :wink:

Kind regards
Kevin H.

The page is clearly infected - there’s a block of obfuscated javascript between the page header and body.

This is no false positive; the site appears to have been hacked, possibly due to out-of-date PHP, forum or other content management software which is vulnerable to exploit.

There are a couple of obfuscated javascript blocks after the closing Head tag and before the opening Body tag, see image. I have broken up the script line in the first script to make it easier to see in the image; the second follows the same format.

Hi

Confirm this. 2 suspicious inline scripts found.
Long suspicious scripts:

^(f*nction(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22.2cb.3d.22Version().2b.22.2c...
(f*nction(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22.2cb.3d.22Version().2b.22.2c...

Every infected site has its own modification of the script. However, every modification has common parts and can be easily identified as the gumblar .cn script.

  1. The script starts with “(function(“
  2. The function has no name. It is anonymous and self-invoking.
  3. The script is obfuscated, i.e. some characters are replaced with their numeric codes, and then the “%” character is replaced with some arbitrary character. Here are some sample excerpts of the encrypted data: “…20a.3d.22Sc.72iptEngin.65…”, “…~76ar~20a~3d~22Scr~69~70~74En~67~69ne…”, “…v_61_72_20_61_3d_22_53_63rip_74E_6e…”
  4. Near the end of the script there is a “.replace(” function
  5. If the function accepts parameters, at the very end you’ll find a simple regular expression like /”/g or /~/g, etc. that will decrypt the mangled “%” character.

3. When the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.

4. This code is usually injected right before the tag. I saw a web page with eight(!) tags (yeah, invalid HTML) and the gumblar scripts were injected before each of them.

polonus
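As an added illustration (not part of this thread, of avast, or of the site discussed), here is a small Python scanner that checks each inline script of a page against the five traits listed above and, for analyst inspection, reverses the mangled “%” encoding on the suspicious string literal. The HTML fragment it runs on is constructed for the example and is not a live sample.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed fragment, not a live sample: one script with all five traits, one ordinary control script.
SAMPLE_HTML = r"""<html><head><title>t</title></head>
<script>(function(tMZK){var uUx5c=unescape(('.76ar.20a.3d.22Sc.72iptEngi.6ee.22').replace(/\./g,'%'));eval(uUx5c)})(1);</script>
<body><p>forum</p>
<script>document.getElementById('x').innerHTML = 'ok';</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
HEX_PAIR_RE = re.compile(r"([^\w\s])([0-9a-fA-F]{2})")   # stand-in char + hex pair: ".76", "~3d", "_22"
SEP_REGEX_RE = re.compile(r"/(?:\\.|[^\\/\w\s])/g")        # one-char regex literal: /"/g, /~/g, /\./g
MIN_HEX_PAIRS = 6  # live payloads carry hundreds; kept low for the short sample

def mangled_separator(script):
    """Most frequent character standing in for '%', and how often it occurs."""
    counts = Counter(sep for sep, _ in HEX_PAIR_RE.findall(script))
    return counts.most_common(1)[0] if counts else (None, 0)

def gumblar_traits(script):
    """Check one inline script against the five traits listed in the post."""
    s = script.strip()
    sep, n = mangled_separator(s)
    return {
        "starts_with_function": s.startswith("(function("),
        "anonymous_self_invoking": bool(re.search(r"\}\s*\)\s*\([^)]*\)\s*;?$", s)),
        "obfuscated": "unescape(" in s and n >= MIN_HEX_PAIRS,
        "uses_replace": ".replace(" in s,
        "single_char_regex": bool(SEP_REGEX_RE.search(s)),
    }

def decode_payload(script):
    """Undo the '%' mangling on the most encoded string literal, for analyst inspection."""
    sep, n = mangled_separator(script)
    literals = [a or b for a, b in re.findall(r"'([^']*)'|\"([^\"]*)\"", script)]
    if not sep or n < MIN_HEX_PAIRS or not literals:
        return None
    best = max(literals, key=lambda lit: len(HEX_PAIR_RE.findall(lit)))
    return unquote(best.replace(sep, "%"))

def scan_html(page, min_score=4):
    """(index, traits, decoded prefix) for each inline script matching >= min_score traits."""
    hits = []
    for i, body in enumerate(SCRIPT_RE.findall(page)):
        traits = gumblar_traits(body)
        if sum(traits.values()) >= min_score:
            hits.append((i, traits, (decode_payload(body) or "")[:40]))
    return hits
```

Running `scan_html(SAMPLE_HTML)` flags only the first script, with all five traits set, and shows its literal decoding to the `var a="ScriptEngine"` prefix quoted in the thread, while the ordinary script scores zero.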

Strewth - that was quick :o Thank you so much for your quick replies and observations, I really appreciate it and will pass on this information to the webmaster.

Many, many thanks.
Very best wishes
Kevin H.

No problem, glad I could help.

Quick is the norm on the avast forums ;D

Welcome to the forums.