Avast WEBforum
Other => Viruses and worms => Topic started by: MarkJohnson on May 28, 2016, 02:42:48 AM
-
Yesterday, I was going to jonnyguru to check some power supply reviews and accidentally typed johnnyguru.com and was greeted with malware ads.
I quickly exited Chrome and then tried the Avast Safezone browser with the same results.
All seemed fine, but today Chrome won't open at all. I then ran Avast with no reports of anything bad. I decided to download Malwarebytes Anti-Malware and it found over 300 PUPs. I then wondered about Avast not finding them and quickly found it wasn't enabled in settings. After enabling it, rebooting and rescanning, it found no issues.
So, I'm reporting johnnyguru.com is a bad site and seems to install malware automatically. I'm not sure what you guys can do about it. But I thought I'd bring up my experience.
-
I've reported the site to avast.
Someone from them will soon have a look at it.
I suggest you follow these instructions to have a good system check:
https://forum.avast.com/index.php?topic=53253.0
-
I couldn't find anything malicious...
If the ads are installing anything without the user's consent, I will be happy to block them :)
Do you have scanning for PUPs enabled in Avast?
-
We see a conditional redirect: GoogleBot returned code 302 to -http://ww38.johnnyguru.com/
Google Chrome returned code 302 to -http://ww38.johnnyguru.com/
Consider: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fww38.johnnyguru.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1
The iFrame in the code has been blocked as hxxp://quickdomainfwd.com/?dn=johnnyguru.com&pid=9PO755G95
an ad- and tracking service that we like to block with any adblocker: hxtp://quickdomainfwd.com
Detected jQuery code: -http://ww38.johnnyguru.com
Detected libraries:
jquery - 2.1.4 : -http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
1 vulnerable library detected -> http://www.domxssscanner.com/scan?url=http%3A%2F%2Fd32ffatx74qnju.cloudfront.net%2Fscripts%2Fjquery-2.1.4.min.js
And what do we detect there: script
info: [decodingLevel=0] found JavaScript
error: line:3: SyntaxError: missing ) in parenthetical: *
error: line:3: t?(n=g,o=g.documentElement,e=g.defaultView,e&&e!==e.top&&(e.addEventListener?e.addEventListener("unload",ea,!1):e.attachEvent&&e.attachEvent("onunload",ea)),p=!f(g),c.attributes=ja(function(a){return a.className="i",!a.getAttribute("className")}),c.ge
error: line:3: ...........................................................^
* Output of the server is invalid, caused by a typo in string concatenation; often this is a missing + (info credits StackOverflow's przemo_li).
May reveal innerHTML ....localhost:/js, or the odd one out: localhost/js will kick up errors.
This is adding to the insecurity: https://sritest.io/#report/93efec09-14ed-4638-bc7d-5bddbc9f3ed3 : <script src="http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js"></script> Missing SRI hash
polonus (volunteer website security analyst and website error-hunter)
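
The missing-SRI finding at the end of the post above, as an added example that is not part of the original thread or of any scanner named in it: a Python check that lists cross-origin scripts and stylesheets lacking an `integrity` attribute (also flagging plain-HTTP loads), plus a helper that computes the value to pin. The sample HTML is constructed apart from the `<script>` tag quoted in the post; `cdn.example` and all function names are assumptions.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page; only the first tag is quoted from the post above.
SAMPLE_HTML = """
<script src="http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="/js/local.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css">
"""

def sri_value(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value (alg-base64digest) for a resource body."""
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

class SRIAudit(HTMLParser):
    """Collect cross-origin scripts/stylesheets that are not pinned with SRI."""
    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (url, [issue, ...])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            url = a.get("src")
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            url = a.get("href")
        else:
            return
        parsed = urlparse(url or "")
        if not parsed.netloc or parsed.netloc == self.page_host:
            return  # inline or same-origin: SRI targets third-party hosts
        issues = []
        if not a.get("integrity"):
            issues.append("missing-sri")
        if parsed.scheme == "http":
            issues.append("plain-http")  # content can be altered in transit
        if issues:
            self.findings.append((url, issues))

def audit(html: str, page_host: str):
    parser = SRIAudit(page_host)
    parser.feed(html)
    return parser.findings
```

Calling `audit(SAMPLE_HTML, "ww38.johnnyguru.com")` returns the findings; `sri_value()` should be run on a copy of the library that has been reviewed, not on whatever the CDN currently serves.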