JavaScript and AJAX Forum

    
Eset NOD32 blocks my website from supposed trojan detected
I can't find any malicious JS or other content on our site
jghomestead




msg:4300544
 5:29 pm on Apr 19, 2011 (gmt 0)

Our website, door.cc, gets blocked by Eset NOD32 antivirus software.

A customer brought this to my attention, so I downloaded NOD32 trial software, typed my domain into a browser, and sure enough NOD32 blocked it.

The message NOD32 displays says it found a threat on the website and labeled it as "JS/Kryptik.P trojan".

I'm guessing some JavaScript on the site is triggering this.

I have perused the html of our homepage and found no malicious scripts or content. I also checked Google's safe-browsing diagnostic and www.avgthreatlabs.com but neither one showed any detection of malicious content.

I am thinking NOD32 is detecting something that's not really there.

Does anyone have any tips on making sure my site is not hacked?

Any solutions to keep NOD32 or other anti-virus programs from falsely labeling our site as insecure?

 

Leosghost




msg:4300559
 5:51 pm on Apr 19, 2011 (gmt 0)

Look at your site with a browser running on a live Linux disc ..or use lynx on Windows..few trojans target Linux ..plus a live disc running will not reap any harmful trojans as it runs in RAM..and lynx is a text only browser..it won't run javascripts..but it will let you see if they are there.

jghomestead




msg:4300576
 6:22 pm on Apr 19, 2011 (gmt 0)

I can view my website on any other machine and browser that does not have Eset NOD32 installed.

I have examined my homepage and I do not see anything that looks suspicious. All scripts on the page are accounted for and I checked all the included JS files and they look clean.

I can't figure out why NOD32 is flagging my website.

Nothing else has indicated that my site has been compromised.

Hoople




msg:4300840
 12:54 am on Apr 20, 2011 (gmt 0)

Is this a shared hosting website where someone else on the same IP has that trojan?

pageoneresults




msg:4300979
 2:48 am on Apr 20, 2011 (gmt 0)

The message NOD32 displays says it found a threat on the website and labeled it as "JS/Kryptik.P trojan".


I can confirm the above, I use ESET also.

The connection to the server was reset while the page was loading.


Unfortunately I cannot go any further due to the above.

Note: It is the network you're on...

[google.com...]
[google.com...]

Even though a "Network" has reported malicious sites, it may not affect your site. For example, WebmasterWorld is on a network that has reported malicious sites.

I think you may have a hidden <iframe> hack that is taking place, that is the most common method for serving Trojans like this.

Or...

Is this a shared hosting website where someone else on the same IP has that trojan?


You could be sharing an IP with more than one site that is also infected.

jghomestead




msg:4301241
 12:54 pm on Apr 20, 2011 (gmt 0)

Yes, this is a shared hosting website. So if another site on the network is infected I guess there's nothing I can do.

My main concern, though, is detecting whether my site is infected.

If I have a hidden <iframe>, should I be able to see that in my html with Firebug? Is there any particular way to detect an infection other than reading through my html?

jghomestead




msg:4303870
 11:03 pm on Apr 25, 2011 (gmt 0)

OK, I figured out why NOD32 falsely tagged my website with a trojan alert. (Meaning my website was not compromised!)

I had the following JS in my html as a desperate attempt to evade spambots from tracking our email address that is published on all the pages:

<script type="text/javascript">
<!--

var word=[69,109,97,105,108];
var riddledomain=[100,111,111,114,46,99,99];
var riddleinfo=[105,110,102,111];
var riddleat=[64];
var eaddr='';
for (var i=0; i<word.length; i++)
    eaddr+=String.fromCharCode(word[i]);
eaddr+=": ";
for (var i=0; i<riddleinfo.length; i++)
    eaddr+=String.fromCharCode(riddleinfo[i]);
for (var i=0; i<riddleat.length; i++)
    eaddr+=String.fromCharCode(riddleat[i]);
for (var i=0; i<riddledomain.length; i++)
    eaddr+=String.fromCharCode(riddledomain[i]);

document.write(eaddr);
-->
</script>


I discovered that this line of code was triggering the NOD32 trojan alert:


document.write(eaddr);


So I replaced it with this line:


document.getElementById("eaddr").appendChild(document.createTextNode(eaddr));


And added this into my html just before the script:


<span id="eaddr"></span>


Now Eset does not alert me!
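The question raised earlier in the thread (how to check a page for a hidden <iframe> or an obfuscated-looking script without reading every line by hand) can be approached with a small audit script. This is an added example, not part of the original thread and not ESET's detection logic; the function names, the heuristics and the sample pages (including the example.invalid URL) are assumptions made for illustration.

```javascript
// Added example: a rough audit heuristic, not ESET's actual detection logic.
function attr(tag, name) {
  const re = new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Iframes sized 0/1 px or hidden via CSS: the "hidden <iframe>" case from the thread.
function findHiddenIframes(html) {
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const style = (attr(tag, 'style') || '').replace(/\s+/g, '').toLowerCase();
    const tiny = ['width', 'height'].some(n => /^[01](px)?$/i.test(attr(tag, n) || ''));
    const hidden = /display:none|visibility:hidden|(width|height):[01](px)?(;|$)/.test(style);
    if (tiny || hidden) findings.push({ src: attr(tag, 'src'), tag });
  }
  return findings;
}

// Inline scripts that decode character data AND hand the result to a dynamic sink.
function findObfuscatedScripts(html) {
  const findings = [];
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    const decodes = /String\.fromCharCode|unescape\s*\(|atob\s*\(/.test(body);
    const sinks = body.match(/document\.write(?:ln)?\s*\(|\beval\s*\(/g) || [];
    if (decodes && sinks.length) findings.push({ sinks, snippet: body.trim().slice(0, 60) });
  }
  return findings;
}

// Constructed sample pages: the pattern before and after the poster's change,
// plus a page carrying one hidden and one ordinary iframe.
const BEFORE = `<script type="text/javascript">
var riddleat=[64]; var eaddr='';
for (var i=0; i<riddleat.length; i++) eaddr+=String.fromCharCode(riddleat[i]);
document.write(eaddr);
</script>`;
const AFTER = `<span id="eaddr"></span><script type="text/javascript">
var riddleat=[64]; var eaddr='';
for (var i=0; i<riddleat.length; i++) eaddr+=String.fromCharCode(riddleat[i]);
document.getElementById("eaddr").appendChild(document.createTextNode(eaddr));
</script>`;
const INJECTED = `<p>Welcome</p>
<iframe src="http://example.invalid/x" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="/map.html" width="600" height="400"></iframe>`;

console.log(findObfuscatedScripts(BEFORE).length, findObfuscatedScripts(AFTER).length);
console.log(findHiddenIframes(INJECTED).map(f => f.src));
```

Run it with Node.js against the HTML as served to a browser (not only the files on disk), since injected markup is often added at the server or template level.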

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.