
My Blog throws up Trojan alert - what to do?

  • 12-11-2013 2:44pm
    #1
    Registered Users Posts: 4


    Hello all, I have a blog on Blogger. I went and downloaded a template I found online and applied it to the blog by uploading the XML file. I then edited the layout a bit and added some share buttons and widgets on Blogger.

    Basically what's happened is that a user emailed me to tell me that when he tried to view the site (on Firefox) it opened for a second but then his ESET pops up saying it blocked a trojan virus.

    I've tried accessing the site on a couple of machines, on different browsers which have different antivirus programs, and it has worked fine every time.

    The only thing I could think of doing was to scan the site with VirusTotal; it shows one detection out of 50, SCUMWARE.org. That seems to be a site you submit URLs to rather than a site that scans.

    I ran it through Sucuri too, which said it was clean.

    Could the problem be on his end? Is there anything else I can do to be sure that my site is free from malware? Could the template I got have infected it? (But if it was, it would show up on the scan?)

    Any help or suggestions would be much appreciated. I'm at my wits' end over this and would like to know what the problem is; I don't want to be infecting people's computers.

    Thank you


Comments

  • Moderators, Technology & Internet Moderators Posts: 11,011 Mod ✭✭✭✭yoyo


    BlogBother wrote: »
    Hello all, I have a blog on Blogger. I went and downloaded a template I found online and applied it to the blog by uploading the XML file. I then edited the layout a bit and added some share buttons and widgets on Blogger.

    Basically what's happened is that a user emailed me to tell me that when he tried to view the site (on Firefox) it opened for a second but then his ESET pops up saying it blocked a trojan virus.

    I've tried accessing the site on a couple of machines, on different browsers which have different antivirus programs, and it has worked fine every time.

    The only thing I could think of doing was to scan the site with VirusTotal; it shows one detection out of 50, SCUMWARE.org. That seems to be a site you submit URLs to rather than a site that scans.

    I ran it through Sucuri too, which said it was clean.

    Could the problem be on his end? Is there anything else I can do to be sure that my site is free from malware? Could the template I got have infected it? (But if it was, it would show up on the scan?)

    Any help or suggestions would be much appreciated. I'm at my wits' end over this and would like to know what the problem is; I don't want to be infecting people's computers.

    Thank you

    Isn't Blogger a hosted platform? If so, contact them for advice. Sounds as though a dodgy script is being injected into the page for whatever reason. It's possibly template related, particularly if it did not come from a reputable source.

    Nick


  • Registered Users Posts: 4 BlogBother


    yoyo wrote: »
    Isn't Blogger a hosted platform? If so, contact them for advice. Sounds as though a dodgy script is being injected into the page for whatever reason. It's possibly template related, particularly if it did not come from a reputable source.

    Nick

    Not entirely sure what you mean by a hosted platform, but it's just a blog site like WordPress... it's under the Google umbrella and you sign in with your Google ID... It's not my own website I built from scratch, if that's what you mean.

    The template source looked reputable enough (I'm not great at these things); it's these guys here: http://www.templateify.com/ I'm using one of their demo ones... and they have been very helpful with any queries I've had.

    The thing is, though, that ESET have not blacklisted it. Wouldn't they if their program detected a problem? And why did nothing get detected by the websites I tried?

    It would be a massive pain to change the template; it took me ages to get right. Would it be possible to eliminate the dodgy script? There is a script in it which, if you delete their "made by" footer by editing the HTML, just redirects visitors to the template maker's website. Could it be that that's getting detected?

    Thanks for your prompt answer btw, I appreciate it :)


  • Moderators, Technology & Internet Moderators Posts: 11,011 Mod ✭✭✭✭yoyo


    BlogBother wrote: »
    Not entirely sure what you mean by a hosted platform, but it's just a blog site like WordPress... it's under the Google umbrella and you sign in with your Google ID... It's not my own website I built from scratch, if that's what you mean.

    The template source looked reputable enough (I'm not great at these things); it's these guys here: http://www.templateify.com/ I'm using one of their demo ones... and they have been very helpful with any queries I've had.

    The thing is, though, that ESET have not blacklisted it. Wouldn't they if their program detected a problem? And why did nothing get detected by the websites I tried?

    It would be a massive pain to change the template; it took me ages to get right. Would it be possible to eliminate the dodgy script? There is a script in it which, if you delete their "made by" footer by editing the HTML, just redirects visitors to the template maker's website. Could it be that that's getting detected?

    Thanks for your prompt answer btw, I appreciate it :)

    What I mean is you are not hosting the blog files yourself; it's like wordpress.com, where you sign up to a hosted service (compared to wordpress.org, where you install the site yourself).
    I would contact Blogger and ask them for advice. It could be a glitch with the stopbadware site (which I think Firefox and Chrome use), but it could also indicate there is something amiss on the blog that Blogger may be able to assist with resolving.

    Nick


  • Registered Users Posts: 4 BlogBother


    I think I have figured out what the problem is (I'm no good at this, it's just trial and error).

    I've used Notepad++ to eliminate some scripts from the XML sheet (the file I get when I back my blog up), including the one I mentioned earlier. It seems the trojan that was blocked on my friend was this one:
    SCUMWARE.org URL description
    This URL is or was distributing a malware variant of JS/Kryptik.ALB trojan
    Short description
    JS/Kryptik.ALB is a trojan that redirects the browser to a specific URL location with malicious software.

    I might have got it with those scripts, or at least I thought so until I fed the XML file itself, not the URL, through VirusTotal; it got two hits:
    ESET-NOD32 JS/Kryptik.ALB 20131112

    Norman Kryptik.CCJB 20131112

    So then I started deleting sections of the XML file and scanning it until I narrowed it down to the section in question. I know which lines are causing the hit. What can I do now? I've tried deleting some of the line but it breaks the template; it goes arseways when I upload the XML file.

    I think I've made some progress in that I now know where the problem is, but what next? How can I sort it?

    Blogger were no help; basically they said that if the Sucuri SiteCheck says I'm OK then I am, and if in doubt just change the template, which I don't want to do. I want to fix it.
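
Added example (not part of the original post, and not Blogger's or any scanner's own code): instead of deleting sections and rescanning, a template export can be inventoried script by script. The sample template, the marker list and the function name `inventory_scripts` are assumptions made up for illustration; a marker hit only means the block deserves a manual read.

```python
import re

# Constructed sample standing in for a Blogger template export (not the poster's file).
SAMPLE_TEMPLATE = """<html xmlns:b='http://www.google.com/2005/gml/b'>
<head>
<script src='https://example.com/share-buttons.js' type='text/javascript'></script>
<script type='text/javascript'>//<![CDATA[
var w = 300; document.getElementById('sidebar').style.width = w + 'px';
//]]></script>
</head>
<body>
<script type='text/javascript'>//<![CDATA[
eval(unescape('%76%61%72%20%78'));
if (!document.getElementById('credit')) { window.location.href = 'https://example.org/'; }
//]]></script>
</body>
</html>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I)

# Heuristic markers only: each also occurs in legitimate code, so a hit means "read this block".
MARKERS = {
    "eval": re.compile(r"\beval\s*\("),
    "unescape/fromCharCode": re.compile(r"\bunescape\s*\(|fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "redirect": re.compile(r"location(?:\.href)?\s*=(?!=)|location\.replace\s*\("),
    "long-encoded-run": re.compile(r"(?:%[0-9a-fA-F]{2}){4,}|(?:\\x[0-9a-fA-F]{2}){4,}"),
}

def inventory_scripts(template_text):
    """Return one dict per <script> block: start line, external src, matched markers."""
    results = []
    for m in SCRIPT_RE.finditer(template_text):
        attrs, body = m.group(1), m.group(2)
        src = SRC_RE.search(attrs)
        hits = sorted(name for name, rx in MARKERS.items() if rx.search(body))
        results.append({
            "line": template_text.count("\n", 0, m.start()) + 1,
            "src": src.group(1) if src else None,
            "markers": hits,
        })
    return results

if __name__ == "__main__":
    for entry in inventory_scripts(SAMPLE_TEMPLATE):
        print(entry)
```

The reported line numbers point at the opening `<script>` tag, so a flagged block can be opened in an editor and removed as a whole element rather than cut mid-line.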


  • Moderators, Technology & Internet Moderators Posts: 11,011 Mod ✭✭✭✭yoyo


    BlogBother wrote: »
    I think I have figured out what the problem is (I'm no good at this, it's just trial and error).

    I've used Notepad++ to eliminate some scripts from the XML sheet (the file I get when I back my blog up), including the one I mentioned earlier. It seems the trojan that was blocked on my friend was this one:



    I might have got it with those scripts, or at least I thought so until I fed the XML file itself, not the URL, through VirusTotal; it got two hits:



    So then I started deleting sections of the XML file and scanning it until I narrowed it down to the section in question. I know which lines are causing the hit. What can I do now? I've tried deleting some of the line but it breaks the template; it goes arseways when I upload the XML file.

    I think I've made some progress in that I now know where the problem is, but what next? How can I sort it?

    Blogger were no help; basically they said that if the Sucuri SiteCheck says I'm OK then I am, and if in doubt just change the template, which I don't want to do. I want to fix it.

    PM me a link to your blog and I'll check it out. It could be a false positive.

    Nick


  • Registered Users Posts: 4 BlogBother


    Thanks very much Nick, I sent you a PM there

