Website has been hacked by an HTTP Malicious Javascript Encoder, Website redirection

Discussion in 'Networking & Security' started by SAStarling, Aug 24, 2009.

  1. SAStarling

    SAStarling n00b | Messages: 4 | Joined: Aug 23, 2009

    Hi,

    I'm a complete novice at technical stuff, so I need some hand-holding and patience. A reader of my website has recently informed me that my "website contains an 'HTTP Malicious Javascript Encoder' from brasilianstoree.info. It was blocked by our systems, but it is very nasty and could harm others."

    I also discovered today that when my website loaded, it was redirected to AskLots.com, and I think this may be part of the problem. I also think my FTP server was compromised due to an error with WordPress. I was getting a WordPress admin error that my wp-content/backup-db folder might be visible to the public, and so it took me a while, but I found the solution to fix that. Having said all this, I'm still getting the site redirection to AskLots.com. I've run an AVG full scan, SpyBot, MalwareBytes, etc., etc., etc., but nothing is found. I've even searched my FTP files for "aff.php" after reading another forum's discussion about the same thing, but it found nothing. I just now downloaded and ran HijackThis, and here is my log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:29:43 PM, on 8/23/2009
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v8.00 (8.00.6001.18813)
    Boot mode: Normal

    Running processes:
    C:\Windows\MHotKey.exe
    C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Users\Ruthie\AppData\Roaming\Google\Google Talk\googletalk.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe
    C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
    C:\Program Files (x86)\AVG\AVG8\avgtray.exe
    C:\Program Files\WinPatrol\WinPatrol.exe
    C:\Windows\ChiFuncExt.exe
    C:\Program Files (x86)\Mozilla Firefox\firefox.exe
    C:\Users\Ruthie\Downloads\Internet Video Converter 2.10 en\Internet Video Converter_2.10_en_ansi_std.exe
    C:\Users\Ruthie\AppData\Roaming\Juniper Networks\Setup Client\JuniperSetupClient.exe
    C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...mp;m=lx4710-01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx...mp;m=lx4710-01
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.gateway.com/rdr.aspx...mp;m=lx4710-01
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.gateway.com/rdr.aspx...mp;m=lx4710-01
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\3.1.415.1646\swg.dll
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
    O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG8\Toolbar\IEToolbar.dll
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [Smart Copy] "C:\Program Files (x86)\IOI\Smart Copy\ButtonMonitor.exe" -A
    O4 - HKLM\..\Run: [P2Go_Menu] "C:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe -expressboot
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [googletalk] C:\Users\Ruthie\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: wkcalrem.LNK = C:\Program Files (x86)\Microsoft Works\WkCalRem.exe
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O13 - Gopher Prefix:
    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://juniper.net/dana-cached/sc/J...etupClient.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Unknown owner - C:\Windows\system32\agr64svc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files (x86)\AskBarDis\bar\bin\ASKUpgrade.exe
    O23 - Service: Ati External Event Utility - Unknown owner - C:\Windows\system32\Ati2evxx.exe (file missing)
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
    O23 - Service: AVG8 Firewall (avgfws8) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgfws8.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
    O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
    O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\GATEWAY\Gateway Recovery Management\Service\ETService.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Gateway Games\Gateway Game Console\GameConsoleService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~2\WinTV\HCWTVS~1.EXE
    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
    O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
    O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
    O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
    O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
    O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
    O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
    O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

    --
    End of file - 10267 bytes

    I'm also still getting the AVG warning when my browser opens about the "brasilianstoree.info" file/site (exact text:)

    *******************
    Threat Detected!

    File Name: brasilianstoree.info/k.php?btn
    Threat Name: Exploit Javascript Obfuscation (type 682)

    Process Name: C:\Program Files(x86)\Mozilla Firefox\firefox.exe
    Process ID: 4804

    ******************

    Internet searches for that term "brasilianstoree.info" only bring me to one website that warns against any non-technical person even viewing that site - it's a list, supposedly, of very very bad IP addresses and/or domains.

    Any help is greatly appreciated. I'm afraid to continue to post on my website because I don't want to lose readership.

    Thank you!
    Starling
     
  2. REDYOUCH

    REDYOUCH [H]ardness Supreme | Messages: 4,523 | Joined: Mar 17, 2001

    The HIJACKTHIS output from your machine most likely has nothing to do with this problem. There is no virus, your site has been hacked. The "infection" is on the webserver.

    WordPress has exploits discovered every couple months, and if I assume correctly, you have not been updating it when a new version comes out. The hackers have used one of the exploits to upload a .asp script or something similar which then edited your page, causing the redirects. Obviously, I (nor anyone else here) can be 100% sure what the problem is without further information.

    Your best bet is to install the newest version of WordPress, use some "WordPress-hardening" guides that are out there to make it less susceptible to hackers, and then convert and migrate your existing database to the newest version if it can be salvaged.
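    An added example, not code from this thread or from WordPress: a small Python scan of a local copy of the site files (pulled down over FTP) for the kind of appended script tag, hidden iframe or eval'd blob that REDYOUCH describes as the usual result of such an upload. The allowlist of trusted script hosts and the sample files are constructed for the example; the brasilianstoree.info host is the one named in the AVG warning above.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (constructed allowlist; edit for your site).
TRUSTED_HOSTS = {"www.google-analytics.com"}

# Constructs typical of the injected code described above: an obfuscated JavaScript
# eval, a hidden iframe, or PHP that evals a base64 blob appended to a core file.
PATTERNS = {
    "js_eval_unescape": re.compile(r"(?:eval|document\.write)\s*\(\s*unescape\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]+(?:visibility\s*:\s*hidden|width\s*=\s*[\"']?0)", re.I),
    "php_eval_base64": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}
SCRIPT_SRC = re.compile(r"<script[^>]+src\s*=\s*[\"']?(https?://[^\"'\s>]+)", re.I)

def scan_text(name, text):
    """Return (file, reason) pairs for every suspicious construct found in text."""
    findings = [(name, label) for label, pat in PATTERNS.items() if pat.search(text)]
    for url in SCRIPT_SRC.findall(text):  # any <script src> pointing off-site
        host = urlparse(url).hostname or ""
        if host not in TRUSTED_HOSTS:
            findings.append((name, "external_script:" + host))
    return findings

def scan_tree(root):
    """Scan every web file under a local copy of the site (e.g. pulled down over FTP)."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if path.suffix.lower() in {".php", ".html", ".htm", ".js"}:
            findings += scan_text(str(path.relative_to(root)), path.read_text(errors="replace"))
    return findings

# Constructed sample files standing in for a downloaded WordPress tree.
SAMPLE_FILES = {
    "wp-content/themes/demo/footer.php": '<?php wp_footer(); ?></body></html>'
        '<script src="http://brasilianstoree.info/k.php?btn"></script>',
    "index.php": "<?php require('./wp-blog-header.php');\n"
        "eval(base64_decode('Q09OU1RSVUNURUQ='));",  # placeholder blob (decodes to CONSTRUCTED)
    "wp-includes/js/clean.js": "document.getElementById('x').textContent = 'ok';",
}

def scan_samples():
    """Run the scanner over the constructed samples; prints and returns the findings."""
    findings = [f for name, text in SAMPLE_FILES.items() for f in scan_text(name, text)]
    for name, reason in findings:
        print(name, reason)
    return findings
```

    Against a real copy call scan_tree('/path/to/site-copy'); any core or theme file it flags is a candidate for replacement from a clean WordPress download once the FTP password has been changed, since the injection will otherwise be re-applied.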
     
  3. SAStarling

    SAStarling n00b | Messages: 4 | Joined: Aug 23, 2009

    Thanks for the response, Redyouch. I found another thread here at HardForums where Arctic Fire did fix this particular problem:

    http://www.hardforum.com/showthread.php?t=1443503

    I did update my WordPress versions, but not immediately as soon as they came out. And with one of the latest versions, there was a known problem where it was giving me the error "Warning: Your backup folder MIGHT be visible to the public!" It took me about a month to figure out how to fix it, although I finally did.

    I am stymied and don't know what to do. I'm afraid I'm going to lose readership because of this.

    I think I may send Arctic Fire a private message and ask if he can help me out.

    Do you have any other ideas?

    Thanks,
    Starling
     
  4. Cmustang87

    Cmustang87 [H]ardness Supreme | Messages: 4,372 | Joined: Oct 4, 2007

    Reading through the thread you posted with Arctic Fire, it appears the threat was coming from a compromised FTP where the website files were being placed.

    Are you the owner and able to make changes to the FTP? Maybe lock it down with new passwords?
     
  5. SAStarling

    SAStarling n00b | Messages: 4 | Joined: Aug 23, 2009

    Yes, I am the owner, and two days ago I changed the FTP password. Using your suggestions for hardening WordPress, I found some interesting posts this morning. This "tip" seems like it might be the most useful:

    ****************************
    Your wp-config.php contains your database name, database username and database password. It's something to protect.

    Just add the following code to your .htaccess file:

    # protect wp-config.php (Apache 2.2-style access control: deny web access to this one file only)
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    *************************************

    I will try that when I get home tonight; I don't dare log on to my site at work because I don't want the HTTP JavaScript to mess up my machine here. In the AVG warning above about the "brasilianstoree.info" warning, it showed the process name to be the Firefox.exe file, so I found a FF plugin last night called Proscript (I think) and it at least protects my machine by forcing me to select what scripts will run on any particular website.

    What's weird is, by the AVG warning, it sounds like Firefox might be the problem, but my Website is definitely re-directing to AskLots.com, and throwing out that brasilianstoree error to my readers (on both FF & IE). I'm just so very frustrated right now, because I've already been blocked by one of my FAVORITE and most fruitful link-promoting sites due to complaints from their readers about encountering the JavaScript on my site.

    *sigh*

    I really appreciate your help - you have no idea how much I appreciate any bit of information I can get.
     
  6. ragingted

    ragingted n00b | Messages: 2 | Joined: Aug 23, 2010

    I see many others have had problems. This company has cost me a large sum of $$$$$$$$$$.
    I have the help to hunt them down and I will find them. Check back for updates. I do need some post help: some of the redirects go to other sites. Please post the URL/site that this company redirects you to.
    Thanks,
    ragingted