at {web site} get js/downloader.agent ..from avg ..what kind of scripting would allow this

Posted on 2008-06-17
Last Modified: 2013-11-19
I go to {link removed} and  avg pops up with detect of js/downloader.agent warning with "ignore, heal, ignore"...then page freezes...and cannot get rid of page.  In internet explorer 7 the yellow status line comes up and says "Microsoft office 2000 web component is attempting to install an addon from an unverified publisher"..What script would cause this..does not appear on a mac running firefox.

{ links removed by PenguinMod, EE Moderator - 2008-06-17 1640 ET }
Question by:greta13
  • 3
  • 3
LVL 70

Expert Comment

by:Jason C. Levine
ID: 21806607
Hi greta13,

It's a "drive-by download" script that is trying to exploit a vulnerability in IE/Active X.  Stay away from that site...

Author Comment

ID: 21806668
I have to get to the bottom of it for the owner of the site who has hired people to build these files..for him..that script is on site "right?"...what should i look for when i access his files...I don't have access to the site right now but after I talk to the owner

Author Comment

ID: 21806699
I know html and basic php and javascrip..but now advanced enough to know what this might look like..
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

LVL 70

Accepted Solution

Jason C. Levine earned 500 total points
ID: 21806779
The code is a javascript tag located directly inside the <body> tag.  When evaluated, it creates an iframe that visits the hacker site and attempts to load the malware.  This site has been compromised and you need to take a series of steps immediately.

1. Check all of your pages for the code.
2. Change all passwords immediately
3. Notify the hosting company that you've been hacked and see if their security people can check their end of things.
4. Examine or pay a security consultant to examine all scripts for vulnerabilities.

Author Comment

ID: 21806879
just one more clarification..the iframe that pushes you to the that local to the web server or could that be another address off the server..thanks for your help
LVL 70

Expert Comment

by:Jason C. Levine
ID: 21806897
It most likely is remote, but I would have to actually let it evaluate to see it and I'm not willing to do that.
LVL 12

Expert Comment

ID: 21807212
For the HTML, take a look here (clean):

As you can see, there is a script element immediately following the body tag.  That's the problem.

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Read about why website design really matters in today's demanding market.
This article demonstrates how to create a simple responsive confirmation dialog with Ok and Cancel buttons using HTML, CSS, jQuery and Promises
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now