JS/Redirector!generic when opening index.htm

ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

JS/Redirector!generic when opening index.htm

Post by ths377 »

Hello

I'm getting a virus warning from eTrust:

"The JS/Redirector!generic was detected in C:\DOCUMENTS AND SETTINGS\USERNAME\LOKALE EINSTELLUNGEN\TEMPORARY INTERNET FILES\CONTENT.IE5\SHUCVSPM\INDEX[1].HTM [...]"

when opening my phpWCMS home site (index.htm) in the browser.

Does anyone have an idea about it?

Greets
Thorsten
Oliver Georgi
Site Admin
Posts: 9892
Joined: Fri 3. Oct 2003, 22:22
Contact:

Re: JS/Redirector!generic when opening index.htm

Post by Oliver Georgi »

Some older encoded JavaScripts might result in such warnings.
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

Re: JS/Redirector!generic when opening index.htm

Post by ths377 »

Thanks Oliver.

But I'm not aware of using any JavaScript.
The site is just simple HTML in the main part of the template.

Any idea how to get this under control?
Oliver Georgi
Site Admin
Posts: 9892
Joined: Fri 3. Oct 2003, 22:22
Contact:

Re: JS/Redirector!generic when opening index.htm

Post by Oliver Georgi »

Then show what's inside the file.
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

Re: JS/Redirector!generic when opening index.htm

Post by ths377 »

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head>
<!--
	phpwcms | free open source content management system
	created by Oliver Georgi (oliver at phpwcms dot de) and licensed under GNU/GPL.
	phpwcms is copyright 2003-2010 of Oliver Georgi. Extensions are copyright of
	their respective owners. Visit project page for details: http://www.phpwcms.org/
//-->
<title>title</title>
  <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="content-style-type" content="text/css" />
  <style type="text/css">
  /* <![CDATA[ */
	body {
		margin: 0;
		padding-top: 0;
		padding-bottom: 0;
		padding-left: 0;
		padding-right: 0;

	}
  /* ]]> */
  </style>
  <link rel="stylesheet" type="text/css" href="template/inc_css/frontend.css" />
<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"/>
<meta name="robots" content="INDEX,FOLLOW"/>

<meta name="keywords" content="[...keywords...]"/>
<meta name="description" content="[...description...]"/>
</head>
<body>
<table class="main" cellspacing="0" cellpadding="0">

<tr>
<td class="left"><div class="logo">
<a href="http://www.site.ch/index.php"><img src="template/img/logo.png" alt=""/></a>
</div></td>
<td class="right"><div class="menu">  <div class="normal"><a href="index.php?leistungen">LEISTUNGEN</a></div><div class="space"> | </div><div class="normal"><a href="index.php?referenzen">REFERENZEN</a></div><div class="space"> | </div><div class="normal"><a href="index.php?portrait">PORTRAIT</a></div><div class="space"> | </div><div class="normal"><a href="index.php?kontakt">KONTAKT</a></div>  </div></td>

</tr>

<tr>
<td class="left">&nbsp;</td>
<td class="right"><div class="menu">&nbsp;</div></td>
</tr>

<tr><td colspan="2" class="spacer_top">&nbsp;</td></tr>

<tr>
<td class="leftcont"><div class="picture">
<img src="template/img/home.png" alt=""/></div>
</td>
<td class="rightcont"><div class="content"><div class="contenttext">
<a name="jump1" id="jump1"></a><!-- Livedate: 10.06.2009 21:06:43 / Killdate: 06.06.2020 15:48:42 -->
<p><strong>header</strong></p>
<p>text</p>
<p>&nbsp;</p>
<p><strong>header</strong></p>

<p>text<br /><br /><br />&nbsp;</p>

<!-- 
	Livedate: 10.06.2009 21:06:43 / Killdate: 06.06.2020 15:48:42 
//--></div></div></td>
</tr>

</table>
</body>
</html>






<script>this.OP='';function Q(){ /* many other things come here - cutted */};</script>
<!--54a80b1acef2594de6e91f8a074c1bee-->
ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

Re: JS/Redirector!generic when opening index.htm

Post by ths377 »

Just figured out that this is obviously a problem in Internet Explorer only.
I don't understand why the virus alert is not coming up when opening the site in other browsers :?
Oliver Georgi
Site Admin
Posts: 9892
Joined: Fri 3. Oct 2003, 22:22
Contact:

Re: JS/Redirector!generic when opening index.htm

Post by Oliver Georgi »

Your index.htm is injected – see the JavaScript after the closing </html>

This is encoded JavaScript, and while loading the page it tries to load additional code from a remote host. Your luck: it's not getting anything back because of a 404 error.

Conclusion: your hosting account got hacked. Check all files for additional injections. How this can occur – I cannot tell you.

See what happens:
[Screenshot: Bildschirmfoto 2010-06-17 um 07.01.34.png]
[Screenshot: Bildschirmfoto 2010-06-17 um 06.57.09.png]
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
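
An added example, not part of the original thread or of phpwcms: a Python check for the pattern described in the post above, content appended after the closing </html>, run over saved page output or a downloaded copy of the web root. The function names, finding labels and sample bytes are constructed for illustration; the 32-hex comment pattern is an assumption based on the marker at the end of the posted listing.

```python
import os
import re

HTML_CLOSE = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_OPEN = re.compile(rb"<script\b", re.IGNORECASE)
# Bare 32-hex-digit HTML comment, the shape of the marker ending the posted file.
HEX_MARKER = re.compile(rb"<!--\s*[0-9a-f]{32}\s*-->", re.IGNORECASE)

def trailing_content(data: bytes) -> bytes:
    """Bytes after the last </html>, whitespace-stripped (empty if no closing tag)."""
    matches = list(HTML_CLOSE.finditer(data))
    return data[matches[-1].end():].strip() if matches else b""

def inspect(data: bytes) -> list:
    """Return finding labels for one file or one saved page response."""
    tail = trailing_content(data)
    findings = []
    if tail:
        findings.append("content-after-html")
    if SCRIPT_OPEN.search(tail):
        findings.append("script-after-html")
    if HEX_MARKER.search(tail):
        findings.append("hex-comment-marker")
    return findings

def scan_tree(root: str, suffixes=(".htm", ".html", ".php")) -> dict:
    """Walk a local copy of the web root; map path -> findings for flagged files."""
    flagged = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(suffixes):
                path = os.path.join(folder, name)
                with open(path, "rb") as handle:
                    findings = inspect(handle.read())
                if findings:
                    flagged[path] = findings
    return flagged

# Constructed samples modelled on the listing in this thread (script body elided).
CLEAN = b"<html><body><p>text</p></body></html>\n\n"
INJECTED = (CLEAN + b"<script>this.OP='';function Q(){ /* elided */};</script>\n"
            b"<!--0123456789abcdef0123456789abcdef-->\n")

if __name__ == "__main__":
    print(inspect(CLEAN))
    print(inspect(INJECTED))
```

A PHP source file may have no </html> of its own, so the same check is worth running on the rendered output of each page as well as on the files on disk.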
update
Moderator
Posts: 6455
Joined: Mon 10. Jan 2005, 17:29
Location: germany / outdoor

Re: JS/Redirector!generic when opening index.htm

Post by update »

DAMN IT!!!
Every time I open this very thread I get a pop-up saying
Virus: JS:Illredir-AQ [Trj] (Engine B)
Datei: _h.fdt
Verzeichnis: C:\Users\user\AppData\Local\Apple Computer\Safari\History
Prozess: Safari.exe
What is happening here? Is this thread trying to infect us?
It's mostly all about maintaining two or three customer's sites Still supporter for the band Mykket Morton. Visit Mykket Morton on FB. Listen Mykket Morton and live videos on youtube.
Now building a venue for young artists to get wet on stage, rehearsal rooms, a studio, a guitar shop - yes I'm going to build some guitars.
top
Posts: 535
Joined: Fri 11. Aug 2006, 15:03
Location: Eutin

Re: JS/Redirector!generic when opening index.htm

Post by top »

The thread opener has posted the output code of his website. At the end of his source you see the infected JavaScript. (Or you don't see it, because your antivirus software blocks this. :wink: )

I think inside the code box in this forum it is not executable and harmless.
update
Moderator
Posts: 6455
Joined: Mon 10. Jan 2005, 17:29
Location: germany / outdoor

Re: JS/Redirector!generic when opening index.htm

Post by update »

thanks for the explanation! :)
But the thread opener should deactivate this to prevent irritations, I think.
top
Posts: 535
Joined: Fri 11. Aug 2006, 15:03
Location: Eutin

Re: JS/Redirector!generic when opening index.htm

Post by top »

... or the site admin. :D

(Just asking by the way: does anyone in this thread actually speak English better than German? :roll: )
Oliver Georgi
Site Admin
Posts: 9892
Joined: Fri 3. Oct 2003, 22:22
Contact:

Re: JS/Redirector!generic when opening index.htm

Post by Oliver Georgi »

Fixed, problem is known now :) – I have cut the <script> section
Oliver Georgi | phpwcms Developer | GitHub | LinkedIn | Систрон
update
Moderator
Posts: 6455
Joined: Mon 10. Jan 2005, 17:29
Location: germany / outdoor

Re: JS/Redirector!generic when opening index.htm

Post by update »

:!:
Thanks! ;)
ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

Re: JS/Redirector!generic when opening index.htm

Post by ths377 »

Thank you Oliver ! I will try to find the hack....
ths377
Posts: 6
Joined: Wed 9. Jun 2010, 16:03
Location: Zürich

Re: JS/Redirector!generic when opening index.htm

Post by ths377 »

The index.php file was hacked. I put the original file over it again and it works. htaccess was deactivated.

Thanks again!