Avast WEBforum

Other => Viruses and worms => Topic started by: zenzor on December 15, 2013, 11:25:33 AM

Title: False positive?
Post by: zenzor on December 15, 2013, 11:25:33 AM
Avast is reporting this site as having a trojan:

hxxp://poserworld.com/

Seems to be this link:

<script type="text/javascript" language="javascript" src="xxxx://www.anrdoezrs.net/l177cA6wy-296z-CLTPSNVNO?target=_top&mouseover=Y"></script>

I've tested it at virustotal.com, however, and it reports it as clean (a few scanners report "unrated").
Title: Re: False positive?
Post by: Pondus on December 15, 2013, 11:35:45 AM
Quote
I've tested it at virustotal.com, however, and it reports it as clean (a few scanners report "unrated").
VirusTotal does not scan the website for infections; it is just a reputation list check.

Nothing here: http://urlquery.net/report.php?id=8395042

and nothing here: http://sitecheck.sucuri.net/results/poserworld.com/

Title: Re: False positive?
Post by: zenzor on December 15, 2013, 11:56:28 AM
I tried Zulu, nothing there either:

http://zulu.zscaler.com/submission/show/3532da4460e9637209aeb5a393913784-1387104777
Title: Re: False positive?
Post by: Eddy on December 15, 2013, 11:58:18 AM
Eh, yes. There is something on urlquery.
Malicious site hosted on the same IP address.
Title: Re: False positive?
Post by: Pondus on December 15, 2013, 12:01:01 PM
Quote
Eh, yes. There is something on urlquery.
Malicious site hosted on the same IP address.
What site do you see?

I see the same URL ... and no detection reported.
Quote
2013-12-15 11:40:15   0 / 0   hxxp://poserworld.com   74.43.133.91

And that, I guess, would only be an issue if it was a URL/IP block, and not when an infection is detected on a specific website.

Title: Re: False positive?
Post by: Pondus on December 15, 2013, 12:06:25 PM
You can upload files and report issues to the avast lab here: http://www.avast.com/contact-form.php (select the subject according to your case).

Title: Re: False positive?
Post by: zenzor on December 15, 2013, 12:20:32 PM
Quote
You can upload files and report issues to the avast lab here: http://www.avast.com/contact-form.php (select the subject according to your case).

OK, done. Thanks!
Title: Re: False positive? or foo=<script> html injection attack?
Post by: polonus on December 15, 2013, 03:19:43 PM
I also get a suspicious result on an iFrame check:
Suspicious: htxp://poserworld.com/newsletter.htm - when I checked that, avast! Web Shield blocked it and alerted JS:Agent-CQF[Trj] (hidden input).
Also consider the results of this scan: https://asafaweb.com/Scan?Url=poserworld.com
Requested URL: htxp://poserworld.com/Home.aspx?foo=<script> | Response URL: htxp://poserworld.com/Home.aspx?foo=<script> * | Page title: Poser 3D | Poser Models | Poser Clothes | Poser Downloads | Poser Scenes | DAZ Studio Models | Poser 5, 6, 7, 8 , 9, 2010, 2014 | HTTP status code: 200 (OK) | Response size: 71,687 bytes (gzip'd) | Duration: 465 ms
Overview
In a web forms site, request validation ensures all requests to the website do not contain a potentially malicious payload. This protects against the likelihood of cross site scripting (XSS) vulnerabilities being exploited on the site.

Result
It looks like request validation has been turned off. Making a request to the site with the malicious URL above is returning the same response body as a legitimate request so the app appears to be accepting the XSS payload in the query string. Request validation is easy to enable, just configure the web.config to ensure "validateRequest" is set to "true" (this is also the default if no setting exists):

<pages validateRequest="true" />

Also make sure the individual Page declarations have ValidateRequest set to "true" (this is also the default if no setting exists):

<%@ Page ValidateRequest="true" %>

Warning: There are legitimate use cases for turning request validation off in some places so be certain you're not going to break anything before disabling it.
foo=<script> HTML injection attack, read: http://deadliestwebattacks.com/html-injection-quick-reference/

polonus

Title: Re: False positive?
Post by: polonus on December 15, 2013, 03:30:34 PM
This is the HTML Injection technique performed:
State and Injection example:
State = ]]><FOO>
Injection example = <![CDATA[]]><script>☣</script>]]>

pol
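As an added example (not code from this thread, from asafaweb or from the site in question), the request validation described in the scan result above and the CDATA-break payload in the last post, checked with a small Python routine modelled on the ASP.NET 4 request validation rules as I understand them; the function names and sample query strings are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumed: modelled on ASP.NET 4 request validation, which treats '<' followed by
# a letter, '!', '/' or '?', and '&' followed by '#', as potentially dangerous.
def is_dangerous_string(value: str) -> bool:
    """Return True if the decoded value would trip request validation."""
    for i, ch in enumerate(value):
        nxt = value[i + 1] if i + 1 < len(value) else ""
        if ch == "<" and (nxt.isalpha() or nxt in ("!", "/", "?")):
            return True  # opening tag, comment/CDATA, closing tag or PI
        if ch == "&" and nxt == "#":
            return True  # numeric character reference such as &#60;
    return False


def validate_query_string(query: str) -> list[str]:
    """Names of query parameters a validating page would reject (empty == clean)."""
    rejected = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if is_dangerous_string(name) or is_dangerous_string(value):
            rejected.append(name)
    return rejected


# Constructed samples: the scanner's foo=<script> probe (raw and URL-encoded), the
# tracker query from the first post, the CDATA-break payload from the last post,
# an encoded numeric reference, and a harmless '<' used as a comparison.
SAMPLES = {
    "asafaweb probe": "foo=<script>",
    "url-encoded probe": "foo=%3Cscript%3E",
    "tracker query": "target=_top&mouseover=Y",
    "cdata break": "x=<![CDATA[]]><script>☣</script>]]>",
    "numeric ref": "q=%26%2360%3Bscript%26%2362%3B",
    "harmless compare": "q=3 < 4",
}

if __name__ == "__main__":
    for label, query in SAMPLES.items():
        verdict = validate_query_string(query)
        print(f"{label:18} {query!r:42} -> {verdict or 'ok'}")
```

With validation disabled, as the scan reports for this site, every one of these reaches the page unchanged; with it enabled, only the tracker query and the comparison get through.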