|Eset NOD32 blocks my website from supposed trojan detected|
I can't find any malicious JS or other content on our site
| 5:29 pm on Apr 19, 2011 (gmt 0)|
Our website, door.cc, gets blocked by Eset NOD32 antivirus software.
A customer brought this to my attention, so I downloaded NOD32 trial software, typed my domain into a browser, and sure enough NOD32 blocked it.
The message NOD32 displays says it found a threat on the website and labeled it as "JS/Kryptik.P trojan".
I have perused the html of our homepage and found no malicious scripts or content. I also checked Google's safe-browsing diagnostic and www.avgthreatlabs.com but neither one showed any detection of malicious content.
I am thinking NOD32 is detecting something that's not really there.
Does anyone have any tips on making sure my site is not hacked?
Any solutions to keep NOD32 or other anti-virus programs from falsely labeling our site as insecure?
| 5:51 pm on Apr 19, 2011 (gmt 0)|
| 6:22 pm on Apr 19, 2011 (gmt 0)|
I can view my website on any other machine and browser that does not have Eset NOD32 installed.
I have examined my homepage and I do not see anything that looks suspicious. All scripts on the page are accounted for and I checked all the included JS files and they look clean.
I can't figure out why NOD32 is flagging my website.
Nothing else has indicated that my site has been compromised.
| 12:54 am on Apr 20, 2011 (gmt 0)|
Is this a shared hosting website where someone else on the same IP has that trojan?
| 2:48 am on Apr 20, 2011 (gmt 0)|
|The message NOD32 displays says it found a threat on the website and labeled it as "JS/Kryptik.P trojan". |
I can confirm the above, I use ESET also.
|The connection to the server was reset while the page was loading. |
Unfortunately I cannot go any further due to the above.
Note: It is the network you're on...
Even though a "Network" has reported malicious sites, it may not affect your site. For example, WebmasterWorld is on a network that has reported malicious sites.
I think you may have a hidden <iframe> hack that is taking place; that is the most common method for serving Trojans like this.
|Is this a shared hosting website where someone else on the same IP has that trojan? |
You could be sharing an IP with more than one site that is also infected.
| 12:54 pm on Apr 20, 2011 (gmt 0)|
Yes, this is a shared hosting website. So if another site on the network is infected I guess there's nothing I can do.
My main concern, though, is detecting whether my site is infected.
If I have a hidden <iframe>, should I be able to see that in my html with Firebug? Is there any particular way to detect an infection other than reading through my html?
| 11:03 pm on Apr 25, 2011 (gmt 0)|
OK, I figured out why NOD32 falsely tagged my website with a trojan alert. (Meaning my website was not compromised!)
I had the following JS in my html as a desperate attempt to evade spambots from tracking our email address that is published on all the pages:
for (var i=0; i<word.length; i++)
for (var i=0; i<riddleinfo.length; i++)
for (var i=0; i<riddleat.length; i++)
for (var i=0; i<riddledomain.length; i++)
I discovered that this line of code was triggering the NOD32 trojan alert:
So I replaced it with this line:
And added this into my html just before the script:
Now Eset does not alert me!