I'm using the web statistics tool BBClone on my server. In the last month my virus scanner sometimes blocks the details page.

It displays the detection of

JS:ScriptIP-INF (TRJ)

on my BBClone. But I compared all files bitwise with the original install files from the main page; they are identical.

I figured out that the virus message disappears if some more visits are listed in the statistics.

So I think somebody visits my website and sends a User-Agent string with something virus-like (e.g. JavaScript code).

I would like to modify my BBClone to filter out these virus user agents.

But I need to know how I can detect a visitor with this JS:ScriptIP-INF (TRJ) user agent.

I searched Google and several forums for an answer, but I found no useful information on how to avoid this virus.

e.g. this: My website is infected with JS:ScriptIP-inf [Trj]

Radon8472

1 Answer

I had the same issue. It's not the User Agent, it's the HTTP Referer.

I thought malware bots were visiting my website with an HTTP Referer with some malicious JS code injected in it. So I changed BBClone's configuration not to display the HTTP Referer in the detailed stats, and it worked.

Edit your conf/config.php and make sure $BBC_DETAILED_STAT_FIELDS does not contain the variable referer, e.g.

$BBC_DETAILED_STAT_FIELDS = "id, time, ext, dns, ip, visits, os, browser, page, search";

I still don't know what the offending referer string is, though. I'll dig into the raw logs and when I find something interesting I'll edit this answer. Then we can filter out the string and have the referer data shown back in the detailed stats.

dr_
  • Your tip sounds good, thank you. I will check this when I get the next "detection" alert. When your tip solves the problem, I'll give you the "accepted answer" vote. – Radon8472 Nov 11 '15 at 08:56
  • The alert shows up and then disappears as the old entries (containing the offending string) are deleted in the detailed log file. To keep them for a longer time you can set the history to 500 i.e. the max recommended value. – dr_ Nov 11 '15 at 09:57
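
One way to find the offending entries in the raw web server logs, as the answer proposes: an added example, not part of the original post and not BBClone code. It assumes the server writes the Apache/nginx "combined" log format; the names `scan` and `decode` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED
)
# Markup or a script scheme has no place in a Referer or User-Agent value.
SUSPICIOUS = re.compile(r'[<>]|javascript:', re.I)

def decode(value):
    # Undo the log writer's backslash escaping (\xHH and \"), then percent-decode
    # twice so that double-encoded markup is also exposed.
    value = re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
    return unquote(unquote(value.replace('\\"', '"')))

def scan(lines):
    # Return (ip, time, field, raw_value) for each header value that decodes to markup.
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line
        ip, time, _request, referer, agent = m.groups()
        for field, raw in (("referer", referer), ("user-agent", agent)):
            if SUSPICIOUS.search(decode(raw)):
                hits.append((ip, time, field, raw))
    return hits

# Constructed sample lines (documentation addresses and names, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [10/Nov/2015:08:12:01 +0100] "GET /index.php HTTP/1.1" 200 5120 '
    '"http://www.example.com/links.html" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Firefox/42.0"',
    '198.51.100.23 - - [10/Nov/2015:08:15:44 +0100] "GET / HTTP/1.1" 200 5120 '
    '"http://example.invalid/<script src=//example.invalid/x.js></script>" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Nov/2015:08:19:02 +0100] "GET / HTTP/1.1" 200 5120 '
    '"http://example.invalid/?q=%3Cscript%3Ealert(1)%3C/script%3E" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Nov/2015:08:21:30 +0100] "GET /page.php HTTP/1.1" 200 812 '
    '"-" "<iframe src=http://example.invalid/></iframe>"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep=" | ")
```

Both the Referer and the User-Agent are checked because either header is client-controlled and ends up in the detailed stats page.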