
Sophos detect Mal/JSRedir-AE with Internet Explorer 11 (11.63.10586.0 update 11.0.26) and no Malware with Google chrome

While browsing the web, Sophos web control blocks some websites if we use IE 11, with the information: Malicious Content Blocked Mal/JSRedir-AE.

Sophos didn't detect anything on the same website with Google Chrome.

Where is the real problem? Is it Sophos and IE11, or the website?

Our solution:

we had to restore an old backup...



Hello MarkHarris,

    what tool
    a small local proxy, legacy software no longer available, have to find a current replacement yet. It lets me modify the request headers and view the response as source.

    Only if I identify the browser as IE (tested as IE8 and IE11) the following is returned (I'll show only some parts):

    <span id="byteDefault" style="display:none">a16 1z 19 19 a23 -ed15v 18 4 a38 ke15
    18 13 1s9 93 72a 75c e59 23 9e 14 4- c15k -2b3 j78 1b9 9 4 5 2 1 a18 a61 73 a7-5e
    72 75 5v9 23 9c 1gab4c c4e b15 23 78 3, 8a 1j8 15 13a k5 61a 7q3 91 42e 1 b22d m1
    35a 12l 1 1d9 19 38a 21- 1b4 3 t20 9 c1i5 14d 93- 5j9 a66 18 a22 90 bi-81 a8.m1 6d6
    jc76- 66b 4e5 m51 d41 dc37 j66 76d 61 o91 6 ag15 18 7-2a 3 15 p14 20 -9b 14 s21e
    [... more of this deleted ...] 91aa-ad-bnbnbaawbgagde-b-oclape-ieedbczbqe,a
    </span>
    <script>scrollAnchor="\x74\x6f";getClassSelect="\x63\x6f\x6e";taintPassword=getClassSelect; [... more of this deleted ...]
    </script>
    <noscript>Error displaying the error page: Application Instantiation Error: Failed to start
    the session because headers have already been sent by "/home1/onezerbu/public_html/harrisdi/includes/defines.php"
    at line 123.

    Thus when trying to view your site with IE Sophos blocks the content, with other browsers it works. The logic which delivers malicious content  for IE is not in/on the page but on the server (so you don't "see" it when accessing the site with other browsers). Problem is that a compromised CMS can do a lot of tricks. Might return malicious content only if the URL is referred from Google search results. Might always deliver clean pages for requests from the local network, a certain geographic area, or "known" webpage test sites. Last but not least the CMS' administration interface (and perhaps the database administration tool) will hide the malicious content from the website admin.  

    Depending on the nature of the compromise it could affect only one virtual server, some, or all. Naturally and unfortunately I can't tell you though how to clean it up and it likely involves actions from your provider at the OS level.

    Christian
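A defender-side check along the lines of what Christian describes (request the same page while identifying as different browsers, then compare what comes back), added here as an example that is not part of the thread: the user-agent strings are assumed, the markers are taken from the snippet shown above, and the sample responses are constructed, so the comparison runs offline.

```python
import re
import urllib.request

# Assumed user-agent strings: the thread only says the injected content appeared
# when the browser identified itself as IE (tested as IE8 and IE11).
USER_AGENTS = {
    "ie11": "Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko",
    "chrome": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0 Safari/537.36",
}

# Markers of the injected page shown in the thread: a hidden span of obfuscated text,
# a script built from \xNN-escaped strings, and the CMS error leaking the server path.
HIDDEN_SPAN = re.compile(r'<span[^>]*display\s*:\s*none[^>]*>', re.I)
SCRIPT_BODY = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
HEX_ESCAPE = re.compile(r'\\x[0-9a-fA-F]{2}')
HEADERS_SENT = re.compile(r'headers have already been sent by "([^"]+)"', re.I)

def analyze_response(html, min_hex_escapes=4):
    """Return the indicators found in one HTML response body."""
    hex_count = sum(len(HEX_ESCAPE.findall(body)) for body in SCRIPT_BODY.findall(html))
    m = HEADERS_SENT.search(html)
    return {
        "hidden_span": bool(HIDDEN_SPAN.search(html)),
        "hex_escaped_js": hex_count >= min_hex_escapes,
        "leaked_path": m.group(1) if m else None,
    }

def compare_variants(responses):
    """responses is {label: html}. Flag variants that look injected and report
    whether the server answered differently per User-Agent (cloaking)."""
    findings = {label: analyze_response(body) for label, body in responses.items()}
    flagged = sorted(n for n, f in findings.items() if f["hidden_span"] or f["hex_escaped_js"])
    return {"findings": findings, "flagged": flagged, "cloaked": len(set(responses.values())) > 1}

def fetch_variants(url, user_agents=USER_AGENTS):
    """Fetch the same URL once per User-Agent (needs network; not used by the sample)."""
    out = {}
    for label, ua in user_agents.items():
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=15) as resp:
            out[label] = resp.read().decode("utf-8", errors="replace")
    return out

# Constructed sample responses modelled on the snippet in the thread (not real captures).
SAMPLE = {
    "ie11": ('<span id="byteDefault" style="display:none">a16 1z 19 19</span>'
             '<script>scrollAnchor="\\x74\\x6f";getClassSelect="\\x63\\x6f\\x6e";</script>'
             '<noscript>Error: headers have already been sent by "/path/to/site/includes/defines.php"'),
    "chrome": "<html><body><p>Welcome</p></body></html>",
}
```

Run `compare_variants(fetch_variants(url))` against a site you administer; the `cloaked` flag alone already tells you the server answers differently per browser, which is what makes the problem invisible from Chrome or the CMS admin interface.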