
JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 10:08
by ths377
Hello

I'm getting a virus warning from eTrust:

"The JS/Redirector!generic was detected in C:\DOCUMENTS AND SETTINGS\USERNAME\LOKALE EINSTELLUNGEN\TEMPORARY INTERNET FILES\CONTENT.IE5\SHUCVSPM\INDEX[1].HTM [...]"

when opening my phpWCMS home site (index.htm) in the browser.

Anyone having an idea on it ?

Greets
Thorsten

Re: JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 10:13
by Oliver Georgi
some older encoded JavaScripts might result in such warnings.

Re: JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 11:35
by ths377
Thanks Oliver.

But I'm not aware of using any JavaScript.
The site is just simple HTML in the main part of the template.

Any idea how to get this under control ?

Re: JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 13:26
by Oliver Georgi
then show what's inside the file.

Re: JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 14:34
by ths377

Code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="de" lang="de">
<head>
<!--
	phpwcms | free open source content management system
	created by Oliver Georgi (oliver at phpwcms dot de) and licensed under GNU/GPL.
	phpwcms is copyright 2003-2010 of Oliver Georgi. Extensions are copyright of
	their respective owners. Visit project page for details: http://www.phpwcms.org/
//-->
<title>title</title>
  <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="content-style-type" content="text/css" />
  <style type="text/css">
  /* <![CDATA[ */
	body {
		margin: 0;
		padding-top: 0;
		padding-bottom: 0;
		padding-left: 0;
		padding-right: 0;

	}
  /* ]]> */
  </style>
  <link rel="stylesheet" type="text/css" href="template/inc_css/frontend.css" />
<meta http-equiv="Content-Type" content="text/html;charset=iso-8859-1"/>
<meta name="robots" content="INDEX,FOLLOW"/>

<meta name="keywords" content="[...keywords...]"/>
<meta name="description" content="[...description...]"/>
</head>
<body>
<table class="main" cellspacing="0" cellpadding="0">

<tr>
<td class="left"><div class="logo">
<a href="http://www.site.ch/index.php"><img src="template/img/logo.png" alt=""/></a>
</div></td>
<td class="right"><div class="menu">  <div class="normal"><a href="index.php?leistungen">LEISTUNGEN</a></div><div class="space"> | </div><div class="normal"><a href="index.php?referenzen">REFERENZEN</a></div><div class="space"> | </div><div class="normal"><a href="index.php?portrait">PORTRAIT</a></div><div class="space"> | </div><div class="normal"><a href="index.php?kontakt">KONTAKT</a></div>  </div></td>

</tr>

<tr>
<td class="left">&nbsp;</td>
<td class="right"><div class="menu">&nbsp;</div></td>
</tr>

<tr><td colspan="2" class="spacer_top">&nbsp;</td></tr>

<tr>
<td class="leftcont"><div class="picture">
<img src="template/img/home.png" alt=""/></div>
</td>
<td class="rightcont"><div class="content"><div class="contenttext">
<a name="jump1" id="jump1"></a><!-- Livedate: 10.06.2009 21:06:43 / Killdate: 06.06.2020 15:48:42 -->
<p><strong>header</strong></p>
<p>text</p>
<p>&nbsp;</p>
<p><strong>header</strong></p>

<p>text<br /><br /><br />&nbsp;</p>

<!-- 
	Livedate: 10.06.2009 21:06:43 / Killdate: 06.06.2020 15:48:42 
//--></div></div></td>
</tr>

</table>
</body>
</html>






<script>this.OP='';function Q(){ /* many other things come here - cutted */};</script>
<!--54a80b1acef2594de6e91f8a074c1bee-->

Re: JS/Redirector!generic when opening index.htm

Posted: Wed 16. Jun 2010, 14:38
by ths377
Just figured out that this is obviously a problem in Internet Explorer only.
I don't understand why the virus alert is not coming up when opening the site in other browsers :?

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 07:00
by Oliver Georgi
Your index.htm is injected – see the JavaScript after the closing </html>

This is encoded JavaScript and while loading the page it tries to load additional code from a remote host. Your luck: it's not getting anything back because of a 404 error.

Conclusion: your hosting account got hacked. Check all files for additional injections. How this can occur – I cannot tell you.

See what happens:
Bildschirmfoto 2010-06-17 um 07.01.34.png
Bildschirmfoto 2010-06-17 um 06.57.09.png
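
One way to carry out the "check all files for additional injections" step from the post above, as an added example that is not part of the original thread: scan a web root for files that carry a script tag or a 32-hex-character comment after the last closing </html>, the two traits visible in the posted source. The function names, the extension list and the sample files are assumptions made for this example.

```python
import os
import re
import tempfile

CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)
HEX_COMMENT = re.compile(rb"<!--[0-9a-f]{32}-->", re.IGNORECASE)
EXTENSIONS = (".htm", ".html", ".php")  # assumed set; adjust per site

def trailing_content(data: bytes) -> bytes:
    """Return whatever follows the last </html> tag, or b"" if there is none."""
    matches = list(CLOSE_HTML.finditer(data))
    return data[matches[-1].end():].strip() if matches else b""

def findings(data: bytes) -> list:
    """List the reasons the bytes after </html> look like an appended injection."""
    tail = trailing_content(data)
    reasons = []
    if SCRIPT_TAG.search(tail):
        reasons.append("script after </html>")
    if HEX_COMMENT.search(tail):
        reasons.append("32-hex marker comment after </html>")
    return reasons

def scan_tree(root: str) -> dict:
    """Walk root and map each suspicious file path to its list of reasons."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    reasons = findings(fh.read())
                if reasons:
                    hits[path] = reasons
    return hits

if __name__ == "__main__":
    # Constructed sample files; the script body is a harmless placeholder.
    clean = b"<html><body><p>text</p></body></html>\n"
    injected = clean + b"\n<script>/* placeholder */</script>\n<!--" + b"0" * 32 + b"-->\n"
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("clean.htm", clean), ("index.htm", injected)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        for path, reasons in scan_tree(root).items():
            print(path, "->", ", ".join(reasons))
```

This only catches the append-after-</html> pattern seen in this thread; PHP sources that generate the page should also be compared against the original release files.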

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 08:44
by update
DAMN IT!!!
Every time when opening this very thread I'll get a pop up saying
Virus: JS:Illredir-AQ [Trj] (Engine B)
Datei: _h.fdt
Verzeichnis: C:\Users\user\AppData\Local\Apple Computer\Safari\History
Prozess: Safari.exe
What is happening here? Is this thread trying to infect us?

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 09:42
by top
The thread opener has posted the output code of his website. At the end of his source you see the infected JavaScript. (Or you don't see it, because your antivirus software blocks this. :wink: )

I think inside the code box in this forum it is not executable and harmless.

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 09:58
by update
thanks for the explanation! :)
But the thread opener should deactivate this to prevent irritations, I think

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 10:08
by top
... or the site admin. :D

(Just asking, by the way: does anyone in this thread actually speak English better than German? :roll: )

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 12:43
by Oliver Georgi
fixed, problem is known now :) – I have cut the <script> section

Re: JS/Redirector!generic when opening index.htm

Posted: Thu 17. Jun 2010, 13:38
by update
:!:
Thanks! ;)

Re: JS/Redirector!generic when opening index.htm

Posted: Fri 18. Jun 2010, 10:43
by ths377
Thank you Oliver ! I will try to find the hack....

Re: JS/Redirector!generic when opening index.htm

Posted: Fri 18. Jun 2010, 10:51
by ths377
The index.php file was hacked. I put the original file over it again and it works. htaccess was deactivated.

Thanks again!