Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: JohnnyBob on November 02, 2012, 07:35:54 AM
-
avast blocking piriform forum
http://forum.piriform.com/
Sometimes I get an avast popup saying it is blocking a virus, sometimes not, but I always get:
Fatal error: require_once() [function.require]: Failed opening required './initdata.php' (include_path='.:/usr/local/php53/pear') in /home/ccleaner/public_html/index.php on line 23
anybody else?
-
-> http://sitecheck.sucuri.net/results/forum.piriform.com/
-> http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v22
-> http://zulu.zscaler.com/submission/show/e1820da766e49e123ab35c26999edc76-1351838538
-
Thanks for the links. The first time I tried the zscaler.com link, it said forum.piriform.com is OK. The second time it said it is malicious. The sucuri.net link reports it as malicious.
forum.piriform.com is an old established forum. I don't go there frequently so don't know how long this problem has existed. Of course they could be infected but I doubt it. I suspect it's just a bug in their code. I tried to email their webmaster but it was returned as undeliverable.
-
1. Thanks for the links.
2. I've emailed their webmaster.
1. You're welcome.
2. Good.
-
Of course they could be infected but I doubt it.
Of course not... avast must be wrong ;)
http://urlquery.net/report.php?id=77737
and the site seems to be down now
We have an article somewhere in here (can't find the link now) about infected websites being hacked/found every 3.5 seconds.
-
Of course they could be infected but I doubt it.
Of course not... avast must be wrong ;)
They always say that... ::)
-
According to the following 2 testers, forum.piriform.com is up
http://www.isup.me/forum.piriform.com
http://host-tracker.com/check_res_ajx/11494891-0/
-
Found it:
Every 3.6 seconds a website is infected
http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/
Nothing is 100% secure...
And the more people that visit a site, the more interesting it is for the bad guys to infect, as they fish in the pond that has the most fish... bigger chance that someone takes the bait.
-
According to the following 2 testers, forum.piriform.com is up
http://www.isup.me/forum.piriform.com
http://host-tracker.com/check_res_ajx/11494891-0/
See the urlQuery link I posted above... click the picture in the top right corner.
-
Any site can get infected... Geeks to Go was hit about a year back, only Avast spotted it. The site was down for a day whilst they cleared the redirect malware
EDIT: A hack has been confirmed, cleaning it now
-
I'm not getting the avast block anymore (are you?), just
Fatal error: require_once() [function.require]: Failed opening required './initdata.php' (include_path='.:/usr/local/php53/pear') in /home/ccleaner/public_html/index.php on line 41
So I think this is a case of a buggy website, not a virus. They've cut themselves off from the outer world by making their registration private and not providing a working email address to contact them. So they may still be unaware.
-
there is infection there...better not go there ::)
-
there is infection there...better not go there ::)
I can't. Apparently nobody can because of the website coding bug. It's not working. I doubt that it is a virus.
-
Neither Eset nor MBAM will allow you to go there, so methinks an infection is the best bet.
-
Let's put it this way: why would piriform.com, a UK company, be connecting to a Russian IP address (rather than a plain language domain name)? At best that is obfuscation, at worst highly suspect.
http://en.wikipedia.org/wiki/Piriform_%28company%29
"Piriform is a privately owned software house based in the West End of London, UK"
Though the server appears to be in Texas.
When this is in relation to an iframe, I get even more suspicious as it reeks of iframe injection. Look further and you will find that the 46.166.147.133 IP address is on the avast malicious sites list and WOT doesn't like it either. I'm sure if you do any further analysis on the 46.166.147.133 IP you will no doubt find more, so it looks like an iframe injection attack on piriform.
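The pattern described in the post above (an injected iframe whose src points at a bare IP address, typically sized or styled so it never renders) is something you can check for yourself in a saved copy of a page. The following is an added example, not code from the thread or from any of the scanners linked in it: it walks the HTML with the standard-library parser and flags any iframe that either points at a raw IP instead of a hostname or is hidden by size or style. The sample page, hostnames and the 192.0.2.10 address (a TEST-NET-1 address) are constructed for the example and are not the real forum.piriform.com markup.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (assumption, not the real forum HTML): one legitimate
# embed plus one injected 1x1, off-screen iframe pointing at a bare IP.
SAMPLE_HTML = """<html><head><title>Forum</title></head><body>
<h1>Forum</h1>
<iframe src="http://forum.example.com/widget" width="300" height="200"></iframe>
<iframe src="http://192.0.2.10/index.php?t=1" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-5000px"></iframe>
</body></html>"""

# Constructed clean page for comparison.
CLEAN_HTML = """<html><body>
<iframe src="https://forum.example.com/embed" width="300" height="200"></iframe>
</body></html>"""

# Inline-style tricks commonly used to keep an injected frame off the screen.
_HIDDEN_STYLE = re.compile(
    r"(display\s*:\s*none|visibility\s*:\s*hidden|(left|top)\s*:\s*-\d+)", re.I
)


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> tag seen."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def host_is_bare_ip(src):
    """True when the frame source names a raw IP address rather than a hostname."""
    if src.startswith("//"):
        src = "http:" + src  # protocol-relative URLs have no scheme for urlparse
    host = urlparse(src).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def _dimension(attrs, name):
    """Parse width/height attributes such as "1", "300px" or "100%" into an int."""
    raw = attrs.get(name, "").strip().rstrip("px").rstrip("%")
    try:
        return int(raw)
    except ValueError:
        return None


def looks_hidden(attrs):
    """True when the frame is 0/1 pixel in either dimension or hidden by style."""
    width, height = _dimension(attrs, "width"), _dimension(attrs, "height")
    if (width is not None and width <= 1) or (height is not None and height <= 1):
        return True
    return bool(_HIDDEN_STYLE.search(attrs.get("style", "")))


def find_suspicious_iframes(html):
    """Return [{"src": ..., "reasons": [...]}] for each iframe worth a closer look."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        reasons = []
        if host_is_bare_ip(src):
            reasons.append("bare-ip")
        if looks_hidden(attrs):
            reasons.append("hidden")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(finding["src"], ",".join(finding["reasons"]))
```

This is a heuristic, not a verdict: an injected frame that uses a throwaway domain and normal dimensions will pass it, and redirectors written with obfuscated JavaScript (document.write of the iframe, as the later posts in this thread describe) never appear as an iframe tag in the static HTML at all. Treat a hit as a reason to pull the page source and check the destination against a reputation service, the way the urlQuery and Sucuri links above were used.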
-
The forum.piriform.com website is back up now. I've been able to go there and login as usual, with no more avast blocks/warnings. It is still producing some errors but I believe that's faulty coding or a server error. I believe the former virus block was probably a false positive from avast, but that's just my impression. Possibly it was infected and they've fixed it already. I don't know of any way to find out except - I've finally managed to send them the info via a support ticket.
-
yep! infected..
I sent a copy of infected HTML to Avira labs and even they confirmed it:
The file 'Piriformforum_infection.html' has been determined to be 'MALWARE'. Our analysts named the threat JS/Redir.BF. The term "JS/" denotes a JavaScript virus. Detection will be added to our virus definition file (VDF) with one of the next updates.
-
Why the insistence that it was a coding error... Three antimalware programmes call it infected along with several URL checkers ?
-
Oops not fully cleaned
-
Me neither... spoke too soon. Went there once and got nothing from avast... second attempt and got a hit ;D
Scanned my Chrome folder and temp files and didn't find anything... it looks like it comes up clean once and gives a hit on the next attempt!
-
Piriform's various programs, including CCleaner, check for program updates when run by default. Could this somehow be leveraged to spread infections to the machines using their programs, short of the actual installer programs on Piriform's site being infected? Right now, the discussion is only about their forum.
-
OK it looks like this:
HTML Redirector>>Redirects to Blackhole exploit!>>Infected!!
-
Looks like it was cleaned... then re-infected, and now cleaned again. The infected HTML was removed and a clean one looks to have been restored.
Scan of the new HTML: https://www.virustotal.com/file/6258da3cd6fb37ad51dab41fc576bf1ab14a66947b987b1c257a728bbf0a2726/analysis/1351871681/
-
The forum.piriform.com website is back up now. I've been able to go there and login as usual, with no more avast blocks/warnings. It is still producing some errors but I believe that's faulty coding or a server error. I believe the former virus block was probably a false positive from avast, but that's just my impression. Possibly it was infected and they've fixed it already. I don't know of any way to find out except - I've finally managed to send them the info via a support ticket.
If you have read my post above yours do you really think this is a coding problem or a false positive, I don't. Revisit the urlquery link given by Pondus in reply #4 and that shows what is going on quite clearly. Look at the Intrusion Detection Systems entries, expand the two GET entries. At the very least it looks very strange.
-
Hi GopherJohn,
I do not think it is malicious intent on their side, but they "blundered" by not defining an absolute path - the file does not exist, and they have to go over their file logs.
"Virtual server path" is not distinguished from "filesystem path", and then we get a PHP error: Fatal error: require_once() [function.require]: functi...
but that is neither Apache nor PHP related. See whether this is just a programming error or malware related as described here: http://labs.sucuri.net/db/malware/php-error-fatal-error.
They have to "run php -f /common/configs/config_templates.inc.php" there as a validity check for the PHP syntax.
People (webmasters, hoster admins, etc.) keep websites up, but are not very savvy at server security (hardening) or securing PHP etc.
@true indian, and then they were infected...
Not actually with Blackhole because that was when the site had another IP 46.166.147.133 and is now at 50.28.75.78
Check the IP against the IDS alert IP...
@DavidR -> check this further down on the urlquery result page....
The PHP hiccup error could be due to the former iFrame injection, but I do not have their logs, so that is an assumption...
At least I think the site is still vulnerable...but they are not alone there ;D
polonus
-
I don't know. It's working OK for me now which is all I care about. I posted in their forum and referenced this thread, so at least they're notified now.
In general I assume all avast blocks are false positives, which is usually the case in my experience. It's only a warning of a possible infection. I don't let my panties get tied up in a knot about it. :)
-
@ polonus
Yes, the Russian IP to a site considered malicious by avast is basically the point I'm trying to make: this really had to have started out as a genuine infection (injected iframe). So a case of avast making a good detection on a site which would otherwise have been considered safe/good.
It just proves the rule that there is no such thing as a safe site (any more) as the volume of hacked sites marches on.
Not to mention the power of the web and network shields to protect avast users and a function that many antivirus tests are incapable of testing. True life scenarios, where avast isn't reliant on the actual payload being detected by conventional on-demand scanning.
-
In general I assume all avast blocks are false positives
It is a correct detection... every scanner confirms it... it's not an FP... avast just saved your ass!! ;D
-
In general I assume all avast blocks are false positives
It is a correct detection... every scanner confirms it... it's not an FP... avast just saved your ass!! ;D
You can believe that, but I am not convinced.
-
Hi GopherJohn,
I do not think it is malicious intent on their side, but they "blundered" by not defining an absolute path - the file does not exist, and they have to go over their file logs.
"Virtual server path" is not distinguished from "filesystem path", and then we get a PHP error: Fatal error: require_once() [function.require]: functi...
but that is neither Apache nor PHP related. See whether this is just a programming error or malware related as described here: http://labs.sucuri.net/db/malware/php-error-fatal-error.
They have to "run php -f /common/configs/config_templates.inc.php" there as a validity check for the PHP syntax.
People (webmasters, hoster admins, etc.) keep websites up, but are not very savvy at server security (hardening) or securing PHP etc.
polonus
I trust Piriform (I use several of their free programs), and my question was more about these programs phoning home to check for updates and triggering a payload from Piriform's servers somehow. I would guess that the server that hosts the install programs is much better protected and may not be compromised. The programs use port 80 during their update checks.
-
Piriform http://forum.piriform.com/index.php?showtopic=37118&hl=avast&fromsearch=1
Wilders http://www.wilderssecurity.com/showthread.php?t=335211
-
In general I assume all avast blocks are false positives
It is a correct detection... every scanner confirms it... it's not an FP... avast just saved your ass!! ;D
You can believe that, but I am not convinced.
:o ::)
-
yeah.....most likely a Halloween trick ;D
-
@JohnnyBob,
Why can posters here not believe that there are loads and loads of websites where those who have to concern themselves with website security or server security of that particular website have zero knowledge, or too little, of these issues? If they knew what they were doing we would not have issues with sites that are being attacked, hacked, injected, malvertised, misconfigured, laden with malicious iFrames, Java and JavaScript malcode etc. every minute of the day. Sites are open to vulnerabilities because website software has not been updated, servers give away full version numbers, hackable PHP and Perl are low-hanging fruit for miscreants on automation, and what more.
Seen from the range of infested, suspicious or vulnerable websites I have seen and analyzed through scanning over a couple of years at the virus and worms section, I feel obliged to look good and hard before I declare a website all clean and secure. I am not fearmongering here or spreading FUD; this is the sorry state of overall website security. Alas, these are the facts, and a threatening situation for visitors of many websites....
polonus
-
In general I assume all avast blocks are false positives
It is a correct detection... every scanner confirms it... it's not an FP... avast just saved your ass!! ;D
You can believe that, but I am not convinced.
If you think every avast! block is a false positive then you should not be using it. I do not tolerate those who do not appreciate what they have. Some people do not have avast! and they would've got infected. You should feel lucky that you have this antivirus.
~!Donovan