Avast WEBforum

Other => Viruses and worms => Topic started by: jeff.cain on March 25, 2009, 05:50:03 PM

Title: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 05:50:03 PM
Hi,
I run an online door business at www.doorclassics.com. I went to my website today and Avast gave me the warning not to access the site because of virus / worm "HTML: lframe-inf". Please, any advice would help; I do not want to lose the reputation we have worked so hard to build up.
Thank you all in advance.
Jeff Cain
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 06:11:30 PM
Actually, I can't really see anything wrong with the code on that page.

I'm no expert developer or coder though, so hopefully someone else can take a look at it and find out what's setting avast off.  Good luck!
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 06:14:47 PM
Never mind, I figured it out.  At the end of that page, you have code that runs outside of the </html> tag.

Here's a snapshot:
Quote
</body>
</html>
<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/smb/js/hosting/cp/js_source/whv2_001.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1238001167" alt="setstats" border="0" width="1" height="1"></noscript>

Get rid of that, and you should be ok.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 06:20:53 PM
Your site has been hacked; there is a hidden iframe tag inserted just after the opening Body tag.

See image of the code, I have broken it down to make it easier to view (it was on a single line).

Note: there are a couple of <script> tags and a <noscript> tag inserted after the closing html tag, a standards no-no. These, however, aren't what avast is alerting on; it is the hidden iframe.



Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 06:28:21 PM
Note for scythe944.

When looking for some suspect script, you can use the avast detection as a bit of a helping hand. Where this detected an iframe, I just do a search for <iframe in the source code and that found the only iframe on the page. So it does make it a bit easier to find. If it is related to a script issue (JS, etc.), then I look for <script tags.

If the script tags were the issue, posting them on this site would result in the same detection on this page. So even if they were wrapped in the Code tag, they would still be detected, which is why I generally use images to display any suspect code.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 06:28:54 PM
Thanks man.  I thought I had it!  ;D

Oh, and I guess I'll start making pics of the code too... Sorry 'bout that, and thanks again.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 06:33:01 PM
You're welcome.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 06:59:50 PM
Thanks guys for your quick response.  I built the whole site using frontpage and Yahoo's store, and I know almost nothing about HTML code itself.  We hired getupdated.com for SEO and they have been working on the code.  Can I fix this just by simply removing the html you pointed out?
Thanks again
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 07:03:23 PM
It looks like it.  The bigger problem is how the code got entered in the first place.

Either someone has hacked into your site (so change your passwords for the web server), or the people that you hired have put that malicious code on your site, and you should be asking them why.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 07:27:26 PM
I would like to get the HTML to accepted standards. Could you explain exactly which code DavidR was referencing as being after the HTML closing tag?  My html editor isn't showing anything after the closing tag.
You guys are a life saver!
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 07:40:26 PM
Well, DavidR was pointing out the actual code that was causing the IFrame message that Avast was complaining about.

You can find that code by searching for "iframe" in your html editor.

As for the code that I found, which is html code that was placed outside of the closing html tag (</html>), that's located all the way at the bottom of the page.

There shouldn't be ANYTHING after </html>.  That tag basically means, this is the end of the page.  So, if there's more code after that, it should be above the </html> tag, not after it.

Hopefully you understand what I'm saying!

EDIT

I'll re-post my quote and add some color on the subject...

Quote
</body>
</html>
<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/smb/js/hosting/cp/js_source/whv2_001.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1238001167" alt="setstats" border="0" width="1" height="1"></noscript>

Alright, the blue code "</html>" should be the end of your page, but as you can see, the code in red is past that.  You either need to delete the red code, or move it above the blue code in order for it to be within spec.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 08:21:45 PM
I figured out why I can't see it.  Yahoo (my web hosting provider) is adding it to my code upon publishing.  Even when I use Yahoo's html editor, it doesn't show up.  It appears the server is alerting me to remove something in my code but I can't find what it is talking about.  Any ideas!
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: Mr.Agent on March 25, 2009, 08:25:45 PM
Contacting the guy that built your website would be my solution, but if other people have some, feel free to post :D
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 08:27:15 PM
LOL. Sorry to laugh, but it's kind of comical.

I can only tell you to call Yahoo's tech support (if that even exists) to see if they could help you out.  I run several websites myself, but I use my own servers to host them, so I'm sorry, but I don't know how to help.

Hopefully someone else can guide you further, or Yahoo can help personally...
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 08:30:11 PM
@ jeff.cain
It should also be before the closing Body tag if it is legit and you want it displayed on the page.

I couldn't recall if there is a footer tag; having done a bit of a google, there is a new footer tag in the HTML5 standards. All my web design was done in HTML4 standard. http://www.w3schools.com/tags/html5_footer.asp, this w3schools site also seems a very good source of information, http://www.w3schools.com/default.asp.

Frontpage, depending on what version, may or may not be standards compliant; given that it is an M$ tool, it used to have proprietary html tags that only worked with IE. So if you are serious about this you should ensure you have an html application that is W3C compliant.

Yahoo may be getting its return in the price of free hosting, if you are paying for hosting I would be very p***ed off about it editing 'my' site. So I would be talking to Yahoo about the code being tagged to your page as shown in this topic.

I would also be complaining about my site being hacked and what were they going to do about this, their hosting software should really offer protection against this type of thing. You should also change your password you use to log on to edit the site to something much stronger.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 08:53:16 PM
waiting on Yahoo's tech phone call...  I'll let you know if they shed any light on it.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on March 25, 2009, 08:55:13 PM
Good deal.  I hope they can help!
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 09:02:40 PM
They said it is on every Yahoo hosting account and store account.  It is their data collection code and they said they have never had any problems from it.  I don't really have an option to remove it, so I guess it stays.  Sorry to waste you guys time, but again thanks so much for fixing the hack on my store.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 09:11:47 PM
You're welcome.

If they are going to insert code, then tell them they should be complying with W3C HTML standards.

What stats are they gathering (more importantly did they tell you about this and did you agree to it) ?

What did they say about your site being hacked ?

Of course you have a say in it, vote with your feet/wallet and seek out another hosting company and one that remembers their position as a service provider and you being the customer.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 10:19:54 PM
I started building the site with them in 2004 so I'm sure I agreed to their terms somewhere.  It does state in their privacy policy that I display on my page that they collect data regarding your shopping experience.  As far as voting with my feet, I wish it were that easy.  I built almost the whole store on their yahoo store proprietary software.  I know I could rebuild, but that is all I have been using since 2004 and I already have a non-web-related full time job taking up my time (plus a wife and 3 kids!)  For now it will have to stay with yahoo.  Overall I have been satisfied with their service.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jeff.cain on March 25, 2009, 10:22:28 PM
I didn't even ask about being hacked.  I have used the same password for waaaaaaaay too long.  So I'm sure some of that fault rests with me.

Last question- what would that virus have done if any of my customers picked it up?
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: DavidR on March 25, 2009, 10:36:18 PM
The hosting software is also an area which might be exploited, though more common in php sites.

It is a total unknown as to what might have happened, as the iframe went to a Chinese domain and there could be absolutely anything at that end, as it is executing a cgi script; it could be benign, in that they are trying to display something to tempt customers to part with money, or it could be malicious.

There is just no way to find out without leaving yourself open to the exploit and there is no way I would even consider that.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: kubecj on March 26, 2009, 10:32:13 AM
Guys, it looks like you're mixing two things together:

The yahoo counters at the end are BENIGN, and Yahoo is right it's used for their stats.

The Chinese iframe at the beginning is DETECTED. You should only remove it and think how it got to your code.
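
Added example, not part of any post in this thread: a small audit script that reports the two findings discussed above separately, hidden iframes and markup placed after </html>. The sample page, the example.invalid hosts and the iframe attributes are constructed (the thread showed the injected tag only as an image), and the "hidden" heuristics (0/1 pixel size, display:none, visibility:hidden) are assumptions.

```python
from html.parser import HTMLParser
import re

# Constructed sample page; hosts and iframe attributes are placeholders.
SAMPLE = """<html><head><title>Store</title></head>
<body><iframe src="http://example.invalid/cgi-bin/x.cgi" width="0" height="0" style="display:none"></iframe>
<h1>Doors</h1>
</body>
</html>
<!-- Counter/Statistics data collection code --><script language="JavaScript" src="http://stats.example.invalid/counter.js"></script>
"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PageAudit(HTMLParser):
    """Collect hidden iframes and any tags opened after </html>."""

    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.hidden_iframes = []  # (line, src)
        self.after_html = []      # (line, tag)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        a = {k: (v or "") for k, v in attrs}
        if self.html_closed:
            self.after_html.append((line, tag))
        if tag == "iframe" and self._is_hidden(a):
            self.hidden_iframes.append((line, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    @staticmethod
    def _is_hidden(a):
        # Heuristic: a 0/1 pixel dimension or a hiding style marks the frame.
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        return tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))


def audit(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return {"hidden_iframes": parser.hidden_iframes,
            "after_html": parser.after_html}


if __name__ == "__main__":
    report = audit(SAMPLE)
    for line, src in report["hidden_iframes"]:
        print(f"line {line}: hidden iframe -> {src}")
    for line, tag in report["after_html"]:
        print(f"line {line}: <{tag}> after </html> (non-standard, review separately)")
```

Run it against the page as served by the host rather than the copy in the editor, since server-appended markup only appears in the published page.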
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jebje on April 03, 2009, 10:55:57 PM

I bought hosting from yahoo, and I have the same problem at the moment. After reading everything here I couldn't understand what I should do to fix it.
I am near to crying lol..

Can you tell me what to add or what to delete from my pages?  :'(




Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: kubecj on April 03, 2009, 11:03:09 PM
First please provide us the link to your pages. We are good, but not that good to guess it  ;D 8)
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jebje on April 03, 2009, 11:12:58 PM

Oki :) you are right. Here are my links,

www.cemredesigns.com/index.html

www.cemredesigns.com/shop.html

etc.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: kubecj on April 03, 2009, 11:18:08 PM
And, what exactly is your problem? I don't see anything strange there, and avast! does not find anything there.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: polonus on April 03, 2009, 11:23:56 PM
Hi kubecj,

You have turned this into one of your specialisms, haven't you? Chapeau! Given the recent 200% increase in malicious vectors launched from infected websites, what avast is doing here is really very impressive.

I, from my end, started some discussion, an initiative here to get more interest for the implementation of CSP, also known as Content Security Policy, a security policy for both browsers (IE, Fx, etc.) and web application(s) to set the framework wherein both browser and service can communicate securely, so third parties have no chance of breaking in.
Re: http://forums.mozillazine.org/viewtopic.php?f=48&t=1073125

Just have to see who will jump on the bandwagon with CSP, but until the time the initiative is adhered to on a larger scale we will depend on what avast is doing here and also use script/request/preference blockers like NoScript, RequestPolicy and PrefSwitch,

polonus
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: jebje on April 03, 2009, 11:31:12 PM
oki, it says

<!-- text below generated by server. PLEASE REMOVE --><!-- Counter/Statistics data collection code -->
<script language="JavaScript" src="http://us.js2.yimg.com/us.js.yimg.com/lib/smb/js/hosting/cp/js_source/whv2_001.js"></script><script language="javascript">geovisit();</script><noscript><img src="http://visit.webhosting.yahoo.com/visit.gif?us1238794000" alt="setstats" border="0" width="1" height="1"></noscript>


My page is not that short actually, and I can only see a blank page with a little graphic on the left side when I enter my website
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: kubecj on April 03, 2009, 11:34:17 PM
This is perfectly legal code from yahoo. Nothing malicious.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: scythe944 on April 04, 2009, 05:34:31 AM
I still don't know why they saw fit to put their code outside of the html closing tags.  I don't know if jebje's page has the code in the same place as the OP, but why would they do that?

Oh well.
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: thewiregrassnews on July 15, 2011, 01:57:08 AM
We are having the same problem. We run a website called WWW.THEWIREGRASSNEWS.COM and users of all other virus programs have no problems. We have no virus on our site, and only AVAST users contact us and say they cannot view our site because avast says there is a virus and tells them that there is an infected page html:lframe-in on our site.

This is weird; only avast users have this problem. What can be done?
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: Pondus on July 15, 2011, 02:17:47 AM
@thewiregrassnews
If you need help, it is best to start your own topic and not post inside someone else's.


so to your problem

VirusTotal URL scan
http://www.virustotal.com/url-scan/report.html?id=5e16c0664068924bd5c4cc960d867b66-1310680761

VirusTotal HTML scan
http://www.virustotal.com/file-scan/report.html?id=b27fbaea5a1f3e5b54af06e71d6554d44e9542c46de3fc1b22d90341b13f2275-1310688463


This page seems to be <suspicious>  3 hidden external links found.
http://www.UnmaskParasites.com/security-report/?page=www.thewiregrassnews.com


Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: spg SCOTT on July 15, 2011, 02:29:18 AM
avast is alerting on the iframe that is hinted at by UnmaskParasites.

Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: psw on July 15, 2011, 05:30:51 AM
You can use Sucuri Sitecheck. It shows all problem pieces of code for this site
http://sitecheck.sucuri.net/scanner/
Sucuri
    Site:     http://www.thewiregrassnews.com
    Status: Site infected with malware
    Trust:   Not Blacklisted

Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: lgfc_2012 on July 16, 2012, 09:26:20 PM
I, like the first poster, am a business owner. I run a small online hobby shop or at least try to.
I have been getting mixed feedback from clients.
Some say they can access my site while others say they cannot.
I downloaded a trial version of avast and have come up with this same error on my site on many pages, including ones I had done by a professional webmaster.  I did the search for the words lframe and inf and came up empty.
Can someone please tell me what may be going on?  Main site is www.ladygouldianfinch-ca.com
Any help appreciated  :D

Thank You for your time : ) 
 
Title: Re: HTML: lframe-inf on my webstore. Please help.
Post by: polonus on July 16, 2012, 09:44:59 PM
Well see the issues here with hidden i-frames: http://sitecheck.sucuri.net/results/www.ladygouldianfinch-ca.com/
Loads malware from multiple sources:
There are a couple of security issues also, see: http://com.saferpage.de/ladygouldianfinch-ca

Gives away via the X-Powered-By HTTP header that content is dynamically being generated, which should be avoided;
sends out the full version number of the webserver software to the world (and miscreants); this can be remedied, see
http://www.cyberciti.biz/faq/rhel-centos-hide-httpd-version/ (link article author: Vivek Gite);
use of Flash and the use of LSO cookies.

polonus