Avast WEBforum

Other => General Topics => Topic started by: PamJ on May 13, 2010, 02:24:58 AM

Title: Downloader-LP??
Post by: PamJ on May 13, 2010, 02:24:58 AM
Hello everyone!

I was trying to go to a site today that I've been to several times before and was blocked by avast saying that this threat existed:  Downloader-LP.  Is this a true threat?  I'd like to let the site owner know (we are both members of a virtual assistant forum), but wanted to make sure before I scared her to death!!  (I realize all VP programs may sometimes pick things up as threats when they aren't.)

In case it makes a difference...the first time I went to her site I hadn't upgraded to the latest version of avast.  I updated, then tried again, and the same thing happened.

Here's what avast report shows:

5/12/2010 8:11:47 PM   hXXp://www.avirtualblessing.com/|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:11:49 PM   hXXp://www.avirtualblessing.com/wp-content/themes/eBusiness/images/bullet.gif|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:11:50 PM   hXXp://www.avirtualblessing.com/favicon.ico|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:11:53 PM   hXXp://www.avirtualblessing.com/favicon.ico|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:12:41 PM   hXXp://www.avirtualblessing.com/|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:12:42 PM   hXXp://www.avirtualblessing.com/wp-content/themes/eBusiness/images/bullet.gif|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:13:43 PM hXXp://www.avirtualblessing.com/|>{gzip} [L] JS:Downloader-LP [Trj] (0)
5/12/2010 8:13:44 PM   hXXp://www.avirtualblessing.com/wp-content/themes/eBusiness/images/bullet.gif|>{gzip} [L] JS:Downloader-LP [Trj] (0)

Thanks, all!

Pam
Title: Re: Downloader-LP??
Post by: TedNelly on May 13, 2010, 04:00:34 AM
Sorry to say, PamJ, but I checked hXXp://www.avirtualblessing.com/
at http://linkscanner.explabs.com/linkscanner/default.aspx

and it came back with (http://i246.photobucket.com/albums/gg85/PickieBits/13-05-2010.jpg)
Title: Re: Downloader-LP??
Post by: PamJ on May 13, 2010, 04:23:14 AM
So, as far as I'm concerned, I should be okay because avast blocked it, right? The site started to load but stopped, and the warning came up that said avast blocked loading of the site.

Linkscanner, that's a great site.

I will forward the information to her; thank you!

Pam
Title: Re: Downloader-LP??
Post by: ardvark on May 13, 2010, 05:22:22 AM
Hi Pam...

For some reason, Dr. Web states the link is clean... ???
Title: Re: Downloader-LP??
Post by: Pondus on May 13, 2010, 07:49:15 AM
This is what avast sees

VirusTotal - unp261089352.tmp - 3/41
http://www.virustotal.com/analisis/e8ab74d0c31018f59d74816854417849e76456c095f22580c462cdc672ed68b4-1273729210

VirusTotal - unp245532723.tmp - 4/41
http://www.virustotal.com/analisis/599aa964c90bd96abb3dbbcedff6dde2a5352e7d2f327ffd252857ac8dc806a6-1273729234
Title: Re: Downloader-LP??
Post by: Alan Baxter on May 13, 2010, 08:28:39 AM
Avast 5 doesn't complain about that site for me.  Was it a false positive that's been fixed already or has the web site been fixed?
Avast 5.0.545
100512-0

Edit: I didn't have the Web Shield enabled.  Enabling it blocks the site for me too.
Title: Re: Downloader-LP??
Post by: PamJ on May 13, 2010, 08:36:11 AM
I'm still getting the "Trojan Horse Blocked" warning for that site and it's blocked completely.  I do have the latest version of avast.  Any ideas?  I would try it on my husband's computer (think he uses Norton), but if it is a problem and Norton doesn't block it for him...

That is odd that one place shows there's a problem with that site and avast continues to block it, yet Dr. Web shows it's okay and one other place I found to check it says it's okay.   ???

I don't remember if the previous times I've been to her site without a problem were before I updated to avast 5 or after.

Pondus, please excuse my lack of knowledge, but I am not sure if I'm reading the information correctly at the links you provided. Is it saying that it checked the site against all those AV programs and only three of them came back with there being a problem?
Title: Re: Downloader-LP??
Post by: Pondus on May 13, 2010, 09:53:02 AM
When avast detects this from the website it creates a temp file; I grab that file and upload it to VirusTotal to see if more than avast detects the infection avast found.
So since it is only avast detecting this, it may be a False Positive...... But avast is very good at detecting infected websites and usually correct......
so....maybe someone at the avast team will comment.....or DavidR, he is good at finding out what is wrong at these websites
Title: Re: Downloader-LP??
Post by: Hermite15 on May 13, 2010, 10:31:24 AM
Quote from: Pondus
When avast detects this from the website it creates a temp file; I grab that file and upload it to VirusTotal to see if more than avast detects the infection avast found.
So since it is only avast detecting this, it may be a False Positive...... But avast is very good at detecting infected websites and usually correct......
so....maybe someone at the avast team will comment.....or DavidR, he is good at finding out what is wrong at these websites

I tried the site, got the alert, but I didn't find the unp file. Looked in:
C:\Users\xxxxx\AppData\Local\Temp
C:\ProgramData\TEMP
C:\Windows\Temp\_avast5_
C:\ProgramData\Alwil Software\Avast5 (and subfolders)
    >>> found nothing ??? The only times I found unp files like this in a temp folder was after a crash of avast >>> where did you get the temp file from? Maybe it gets deleted very quickly ???

edit: the behavior of that site is different in IE and in Chrome. In IE I get an immediate aborted connection and one alert. In Chrome (with js off) the site gets displayed but I get 3 alerts of misc stuff blocked.
Title: Re: Downloader-LP??
Post by: Pondus on May 13, 2010, 11:25:25 AM
Quote
may be it gets deleted very quickly
it does, a little trick I learned from David.....see your mail
Title: Re: Downloader-LP??
Post by: ravi16aug on May 13, 2010, 11:33:22 AM
Quote from: Logos
the behavior of that site is different in IE and in Chrome. In IE I get an immediate aborted connection and one alert. In Chrome (with js off) the site gets displayed but I get 3 alerts of misc stuff blocked.
Is it due to the differences in Chrome and IE rendering mechanisms or does avast! protect different browsers differently?
Title: Re: Downloader-LP??
Post by: Hermite15 on May 13, 2010, 11:40:47 AM
Quote
may be it gets deleted very quickly
it does, a little trick I learned from David.....see your mail

got it ;)

Quote from: Logos
the behavior of that site is different in IE and in Chrome. In IE I get an immediate aborted connection and one alert. In Chrome (with js off) the site gets displayed but I get 3 alerts of misc stuff blocked.
Is it due to the differences in Chrome and IE rendering mechanisms or does avast! protect different browsers differently?

No, I guess it's due to internal protection mechanisms, although I can't elaborate, I don't know really...I tried in Firefox and there the behavior is again not the same: the page is displayed, with three alerts like in Chrome, but in the end the connection to the site is completely aborted.
Title: Re: Downloader-LP??
Post by: ravi16aug on May 13, 2010, 11:56:24 AM
Quote from: Logos

No, I guess it's due to internal protection mechanisms, although I can't elaborate, I don't know really...I tried in Firefox and there the behavior is again not the same: the page is displayed, with three alerts like in Chrome, but in the end the connection to the site is completely aborted.
Hmm... this requires some elaboration from official resources. Anybody game?
Title: Re: Downloader-LP??
Post by: Alan Baxter on May 14, 2010, 06:14:20 PM
Quote from: PamJ
I will forward the information to her; thank you!

Pam, your virtual assistant forum associate's site is still hacked.  Did you let the site owner know yet?  Leaving it hacked like that could give virtual assistant sites a bad name.
Title: Re: Downloader-LP??
Post by: PamJ on May 14, 2010, 07:10:55 PM
Yes, I told her and this was her response:

"I truly appreciate your concern. Let's just say that I have had a few technological challenges in recent weeks. lol This was a problem I noticed a few weeks ago. I had 2 people look at it and they both said that they could not find a virus on my site. I'm still bothered that you and other potential guests are still getting an error message. I had not contacted AVG, do you think they can resolve the issue? Any advice is appreciated."

I'm getting ready to PM her again through the VA forum.

How does someone hack a website anyway, is it through the host?  Couldn't she just go in and delete the offending code, or is it not that easy?

Pam

Edit:  Call me uneducated in this area--because I am!--but how did you get the offending code from her site?  Was it not blocking you at that point?
Title: Re: Downloader-LP??
Post by: spg SCOTT on May 14, 2010, 08:41:35 PM
Hi PamJ,

It is the script that is causing the alert on the pages... (the first thing that Alan has in the code box) The links to taybac...are not causing the alert but should still be removed.

The Home page contains this script and the links, but also the favicon (normally the little logo in the address bar) and also bullet.gif in the theme section of the site.

The owner needs to remove the scripts, links and replace the favicon, and bullet.gif with their originals.

Quote
How does someone hack a website anyway, is it through the host?  Couldn't she just go in and delete the offending code, or is it not that easy?
Usually through a vulnerability in the software used (e.g. outdated WordPress...)

Deleting is often not enough; you have to remove the possibility of it happening again...if it is just deleted, it can happen again. The vulnerabilities need to be closed.

@ Alan,

Can you remove the code and make it an image? I am surprised that it has caused an alert for me yet, but it is actually exactly what is causing the alert and could end up triggering the web shield...

-Scott-



Title: Re: Downloader-LP??
Post by: Alan Baxter on May 15, 2010, 06:24:24 AM
Thanks, Pam.  Apparently the two people who looked at it and say they "could not find a virus on my site" are technologically challenged.  All they (or she) had to do was look at the source code for the home page, unless she intends to have all those hidden links to taybac there.  In any event, I wouldn't advise anyone to use that site anymore, even if it's eventually fixed.  The site has either poor principles or poor security and incompetent maintainers.  IMHO.

spg SCOTT seems to have given a good explanation of what needs to be done to correct the problem.

Quote
Edit:  Call me uneducated in this area--because I am!--but how did you get the offending code from her site?  Was it not blocking you at that point?

I accessed the site from a sandboxed browser after stopping the Web Shield.  I was able to immediately see the problem by looking at the source code for the site.  View > Page Source in Firefox or View > Source in Internet Explorer.

I also scanned the sandbox with Avast.  It found the offending files and moved them into the virus chest.

@Scott
Thank you for giving Pam such a good explanation of the problem and what to do about it.  I see it still hasn't been fixed.  Perhaps the site is like that on purpose.  Looks like most other AVs don't catch the problematic code.

Quote from: spg SCOTT
@ Alan,

Can you remove the code and make it an image? I am surprised that it has caused an alert for me yet, but it is actually exactly what is causing the alert and could end up triggering the web shield...

Since it doesn't trigger the Web Shield, I'd rather leave it there as plain text so Pam or the site's maintainers can copy it if necessary.
Title: Re: Downloader-LP??
Post by: PamJ on May 15, 2010, 09:23:10 AM
Hi, all,

Although I know about a page's source code, I couldn't figure out how to do it with avast blocking the site.   ;)

She responded again and said someone else created the site. She seemed genuinely thankful for the info I provided and said she was going to look at it over the weekend.  To be honest, she seems to be a caring person, so I'm assuming it's just lack of knowledge regarding how much damage it could do to someone visiting the site rather than her not caring.

I don't personally know her, just someone I "know" on the VA forum.  When I had the problem when visiting her site, I wanted to try to help her out, but I was also concerned about others who might visit her site.  Hopefully she'll start taking this a little more seriously and fix it.
Title: Re: Downloader-LP??
Post by: Alan Baxter on May 15, 2010, 09:36:06 AM
Thank you for your reply, Pam, and your efforts to help someone clean up her web site.  It can be discouraging at times, so I especially appreciate you helping her straighten things out.  Good luck!

By the way, kudos to Avast 5 for catching this!
Title: Re: Downloader-LP??
Post by: spg SCOTT on May 15, 2010, 01:49:40 PM
Quote from: Alan Baxter
...
Since it doesn't trigger the Web Shield, I'd rather leave it there as plain text so Pam or the site's maintainers can copy it if necessary.

To be honest, I am slightly surprised that it doesn't cause an alert...if I copy it and try to save it myself, it causes an alert...normally this would cause an alert...
Title: Re: Downloader-LP??
Post by: PamJ on May 17, 2010, 12:02:46 AM
I just went to her site. Did not receive any type warning and wasn't blocked, so, seems her problem has been fixed. Thanks everyone!

Pam
Title: Re: Downloader-LP??
Post by: Alan Baxter on May 17, 2010, 12:15:10 AM
You're welcome.

I just verified that the offending code has been removed from the site's home page.  Thank you for letting us know it's fixed.
Title: Re: Downloader-LP??
Post by: PamJ on May 17, 2010, 01:49:53 AM
I let the site owner know the site was fine when I went to visit it this afternoon.  I thought I would share her response below:

Thank you so much Pam! I found 223 pages (not an exaggeration) of unwanted script, a virus, located in my footer. I appreciate you asking your techie friends. They were right on point. Thanks for taking the time to help me out. Please let me know if I can ever return the favor. God bless you.

Thanks again for helping me help her!

Pam
Title: Re: Downloader-LP??
Post by: DavidR on May 17, 2010, 03:00:52 AM
Now that it is clean (wow, 233 pages), they need to consider how this happened. Since the word "footer" is mentioned, I would guess that they are using some sort of content management software or template software to create pages.

####
-- HACKED SITES - This is commonly down to old content management software being vulnerable: PHP, Joomla, WordPress, SQL, etc. etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

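The host's clean-up steps 1 to 3 quoted above (injected script in index pages, hidden link blocks like the ones found on the home page, redirects loaded into .htaccess) turned into a file-level check that a site owner can run over a downloaded copy of the web root. This is an added example, not code from the thread or from any host; the heuristics and the sample files are constructed here, and everything it flags still needs a human to compare against the original theme files.

```python
# Added example: heuristic scan for the injection signs in the host's clean-up steps.
import os
import re
import tempfile

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)
OBFUSCATED_RE = re.compile(r"eval\(|unescape\(|fromCharCode|document\.write\(", re.I)
HIDDEN_LINK_RE = re.compile(r"<(?:div|span)[^>]*display\s*:\s*none[^>]*>\s*<a\b", re.S | re.I)
HTACCESS_RE = re.compile(r"^\s*(?:Redirect|RewriteRule)\b.*https?://", re.M | re.I)
INDEX_NAMES = {"index.php", "index.html", "index.htm", "default.aspx", "default.cfm"}

def scan_text(name, text):
    """Return [(finding, snippet)] for one file's content."""
    hits = []
    if name == ".htaccess":  # step 3: redirects loaded into .htaccess
        return [("htaccess-redirect", m.group(0).strip()[:60]) for m in HTACCESS_RE.finditer(text)]
    for m in SCRIPT_RE.finditer(text):  # step 1: injected script; very long bodies too
        body = m.group(1)
        if OBFUSCATED_RE.search(body) or len(body) > 2000:
            hits.append(("suspicious-script", body.strip()[:60]))
    for m in HIDDEN_LINK_RE.finditer(text):  # hidden link blocks (link spam in the page)
        hits.append(("hidden-links", m.group(0)[:60]))
    return hits

def scan_webroot(root):
    """Walk root; check index/default pages, theme .php files and every .htaccess."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == ".htaccess" or name in INDEX_NAMES or name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_text(name, fh.read())
                if hits:
                    results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results

def demo():
    # Constructed sample root: a clean index, an injected theme footer, a redirecting .htaccess.
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content/themes/eBusiness"))
    files = {
        "index.php": "<html><body><script>var x = 1;</script>Hello</body></html>",
        "wp-content/themes/eBusiness/footer.php": "</div><script>eval(unescape('%64%6f'))</script><div style=\"display:none\"><a href=\"http://example.invalid/\">spam</a></div>",
        ".htaccess": "RewriteEngine On\nRewriteRule ^(.*)$ http://example.invalid/$1 [R,L]\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_webroot(root)
```

Running `demo()` reports the footer and the .htaccess file and leaves the clean index page out of the results.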
Title: Re: Downloader-LP??
Post by: ardvark on May 17, 2010, 08:26:26 AM
Hi all...

Nice job to everyone involved! :)

Regards...