Avast WEBforum

Other => Viruses and worms => Topic started by: myvbiz on September 06, 2010, 05:58:06 PM

Title: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 05:58:06 PM
What do I do when Avast reports malware on my website www.myfaxtomail.co.za? My webmaster checked the site and reports that there is no problem. My webhost checked and reported that there is no problem. I'm using Avast on my computer and when I do a test registration on my website, Avast reports the following:

File name: http://www.myfaxtomail.co.za/registerfaxnumber.php\{gzip}
Malware name: HTML:Script-inf

How do I repair or remove this?

Please help?
Title: Re: Please help! HTML:Script-inf
Post by: Pondus on September 06, 2010, 06:07:15 PM
VirusTotal - registerfaxnumber.php - 4/43
http://www.virustotal.com/file-scan/report.html?id=274696f3757bcdb0c2177118f0ec67e7fe5eb28af23bdef622dc0a213a659212-1283789078

NoVirusThanks - 2/16 - INFECTED
http://scanner2.novirusthanks.org/analysis/f0bcd9f0f911d5436b016d252560a08c/cmVnaXN0ZXJmYXhudW1iZXItcGhw/
Title: Re: Please help! HTML:Script-inf
Post by: spg SCOTT on September 06, 2010, 06:14:43 PM
Hi myvbiz, welcome to the forum :)

As Pondus has already shown, it is not only detected by avast! (although GData uses the avast! engine also...)

http://www.UnmaskParasites.com/security-report/?page=www.myfaxtomail.co.za/registerfaxnumber.php

As you can see on unmask parasites there is a link that is suspect...

This script is what is causing avast! to alert and needs removing.

Scott
EDIT: Oops, wrong image... ::)
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 06:24:23 PM
Thanks Pondus & Scott!!

Scott, what script needs to be removed? The registerfaxnumber.php script?
Title: Re: Please help! HTML:Script-inf
Post by: spg SCOTT on September 06, 2010, 06:25:28 PM
The script that is highlighted in my image, it is within the registerfaxnumber.php
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 06:45:38 PM
Thanks Scott

I have emailed my webmaster and I'm waiting for a reply. Will let you know shortly.

How did this script get there in the first place?
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 07:14:02 PM
Hi Scott. We have searched the website and the script you are referring to is no longer there.

Title: Re: Please help! HTML:Script-inf
Post by: DavidR on September 06, 2010, 07:33:34 PM
It might not be there any more, but what they have to do is ensure the vulnerability that allowed the site to be exploited/hacked is closed. This is commonly caused by out of date content management software, like PHP, Joomla, SQL, Wordpress, etc.
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 07:44:43 PM
Thanks for the reply David.

How do I get avast to check the site and update their database so that my website doesn't show up as infected?
Title: Re: Please help! HTML:Script-inf
Post by: DavidR on September 06, 2010, 08:08:15 PM
Well, avast isn't alerting on 'all' of your domain, is it?

I have just visited the site and there was no blocking of the domain, so it isn't on any database as such; the alert you got was a real-time scan of content, and when that is cleaned up there should be no alert.

However, that page is still loading a compressed script file; that's what the {gzip} bit is about and what the alert is on. There is still a script tag and link to absolutephase.com (see below) as mentioned by Scott. It is directly after the closing Head tag and before the opening Body tag, which in itself is a bit suspect.

So it doesn't look like that has been cleaned.

http://www.mywot.com/en/scorecard/absolutephase.com

Domain Registered:
BANGALORE IN
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 06, 2010, 08:48:48 PM
Thanks David

I'll get them to check it out. Really appreciate the help.

Title: Re: Please help! HTML:Script-inf
Post by: DavidR on September 06, 2010, 09:56:49 PM
You're welcome, good luck.
Title: Re: Please help! HTML:Script-inf
Post by: polonus on September 06, 2010, 11:13:08 PM
Hi myvbiz

I give you some Passive Recon info here for your site:
Check the Joomla version and update and patch....
Web server details
Scan for: http://www.myfaxtomail.co.za/
Hostname: www.myfaxtomail.co.za
IP Address: 196.220.57.41 (plesk2.wadns.net)
Date: 06-09-2010 16:54

Running on: Apache
Powered by: PHP/5.2.9
The server indicates that the page was last modified: 09/06/2010 22:52:11 (as I scanned last)

Web Application details:
Application: Joomla! 1.5 - Open Source Content Management
Google Analytics installed: UA-7924608-2
Javacript included

Local or adserver Javascript included: validations.js

Local or adserver Javascript included: http://www.myfaxtomail.co.za/registrationform.js

Local or adserver Javascript included: http://www.myfaxtomail.co.za/tellafriend.js
Javacript dump

<script type="text/javascript" src="validations.js" language="javascript"></script>
   <script language="JavaScript" type="Text/Javascript">
   
   function addToFavorites() {
   
    title = "MyFax2Mail";
    url = "http://www.myfaxtomail.co.za";
   
       if (window.sidebar) { // Mozilla Firefox Bookmark
           window.sidebar.addPanel(title, url,"");
       } else if( window.external ) { // IE Favorite
           window.external.AddFavorite( url, title); }
       else if(window.opera && window.print) { // Opera Hotlist
           return true; }
    }
   
</script>
   <script language="javascript" src="http://www.myfaxtomail.co.za/registrationform.js">         
          </script>
   <script language="javascript">
             CreateRegistrationForm("545","PR7772");
          </script>
   <script language="javascript" src="http://www.myfaxtomail.co.za/tellafriend.js">         
          </script>
   <script language="javascript">
             CreateFindAFriend("545");
          </script>
   <script type="text/javascript">
   var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
   document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
   <script type="text/javascript">
   try {
   var pageTracker = _gat._getTracker("UA-7924608-2");
   pageTracker._trackPageview();
} catch(err) {}</script>

List of links found

style.css
http://www.myoverseascall.co.za
/faq.php
http://www.facebook.com/pages/Free-Fax-to-Email-Number/15028516478
/pc2fax.php
/tac.php
http://www.mysanumber.co.za

Blacklisting status

Domain clean by Google Safe Browsing: www.myfaxtomail.co.za

Domain clean by Norton Safe web: www.myfaxtomail.co.za

Domain clean by Sucuri Web Blacklist: www.myfaxtomail.co.za

Domain clean by the Phish Tank: www.myfaxtomail.co.za

Domain clean by the Malware Domain List: www.myfaxtomail.co.za


Related hosts
www.myfaxtomail.co.za - 196.220.57.41
mail.myfaxtomail.co.za - 196.220.62.110
smtp.myfaxtomail.co.za - 196.220.62.110
pop.myfaxtomail.co.za - 196.220.62.110
imap.myfaxtomail.co.za - 196.220.62.110
webmail.myfaxtomail.co.za - 196.220.62.110
ftp.myfaxtomail.co.za - 196.220.57.41
DNS Lookup

      myfaxtomail.co.za name server cdns2.wadns.net.
      myfaxtomail.co.za name server cdns1.wadns.net.
      myfaxtomail.co.za mail is handled by 5 fw1a.myfaxtomail.co.za.
      myfaxtomail.co.za mail is handled by 5 fw2a.myfaxtomail.co.za.
      myfaxtomail.co.za has address 196.220.57.41
      www.myfaxtomail.co.za is an alias for myfaxtomail.co.za.
      myfaxtomail.co.za has address 196.220.57.41

Site-report: http://toolbar.netcraft.com/site_report?url=http://www.myfaxtomail.co.za

iFrame detection results: No zeroiframes detected!
Check took 4.48 seconds

(Level: 0) Url checked:
http://www.myfaxtomail.co.za/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.myfaxtomail.co.za/validations.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.myfaxtomail.co.za/registrationform.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://www.myfaxtomail.co.za/tellafriend.js
Zeroiframes detected on this site: 0
No ad codes identified

Result of the presumably suspicious link: [not analyzed] www.myfaxtomail.co.za/registerfaxnumber.php\{gzip}
     status: (referer=www.google.com/trends/hottrends)failure: HTTP Error 404: Not Found
The requested URL /registerfaxnumber.php\{gzip} was not found on this server
Only TrendMicro still has the site as malicious: This URL is currently listed as malicious.
M86 security: Error: The requested URL is currently unavailable,

polonus
Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 07, 2010, 07:44:39 AM
Wow!! Thanks for that Polonus. Did you hack my site to get all that info? :)

From your scan or analysis, does it mean that the malware is no longer there?

My webmaster scanned the site and reports that he can't find the "script tag and link to absolutephase.com".

He suggests that we rebuild the site.

Is there an easier way to sort this out?
Title: Re: Please help! HTML:Script-inf
Post by: DavidR on September 07, 2010, 03:37:24 PM
I would suggest you give your webmaster this topic link, so he can see what we are seeing.

Then he should look at it from the outside as a customer visiting the site (using adequate protection, browser sandboxed, etc.), then he can see if the PHP page code is the same as the original code.

If this is a content management exploit, as previously mentioned, the code may not be inserted until the page is created.

I'm sorry there is no magic bullet or easy way to do this that I'm aware of.
Rebuilding the site won't help if it is a content management vulnerability/exploit; if the same old versions are being used, it can happen again.

- This is commonly down to old content management software being vulnerable: PHP, Joomla, Wordpress, SQL, etc. See this example of a host's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of java script injected into their coding. On windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.


Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Title: Re: Please help! HTML:Script-inf
Post by: myvbiz on September 07, 2010, 04:35:20 PM
Thanks David.

I have emailed the topic to my webmaster. Waiting for response.

Title: Re: Please help! HTML:Script-inf
Post by: DavidR on September 07, 2010, 05:38:05 PM
You're welcome, happy hunting.
Title: Re: Please help! HTML:Script-inf
Post by: dcsorenson on August 16, 2011, 08:33:39 PM
I'm also getting this error message from Avast when I visit my WordPress 3.2.1 Blog http://www.debbiemcneill.com/wordpress.  (see message below).

Malware Name:  HTML:Script-inf
Malware type: Virus/Worm
VPS version: 110816-0, 08/16/2011

I tested my blog site against the following Malware/Virus Testers:
Google - http://www.google.com/safebrowsing/diagnostic?site=www.debbiemcneill.com   CLEAN
Unmask Parasites (Beta) - http://www.unmaskparasites.com/security-report/   CLEAN
VirusTotal - http://www.virustotal.com/url-scan  1 HIT - MalwareDomainList result Malware site

But it wasn't until I hit this test that I did have some more information.  Unfortunately, there is no information on how to clean it.
Sucuri SiteCheck - http://sitecheck.sucuri.net/scanner/
Malware found in the URL:
http://debbiemcneill.com/wordpress/?page_id=3

It appears to be on most pages.  YIKES!

I went into each PHP page via the WordPress editor and looked for the offending file, the http://superpuperdomain.com listed on the error report and any unusual script but didn't see it. Any recommendations would be very helpful.

Thanks so much in advance!
Debbie
Title: Re: Please help! HTML:Script-inf
Post by: DavidR on August 16, 2011, 08:49:47 PM
It appears your site has been hacked too. Check your pages: after the closing HTML tag there is a script tag to superdomain.com.
- Please 'modify' your post change the URLs from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

http://www.virustotal.com/file-scan/report.html?id=70381e1edc03c6b4efab48596f98cae469d0d42ef7562d3097f4b2ce5dd915b2-1313519417

You need to ensure that you are using the latest version of wordpress as it is likely that is being exploited.

Also see http://blog.sucuri.net/2011/08/update-to-the-superpuperdomain2-com-malware.html, although this is about superdomain2.com it is the same issue.
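The replies in this thread describe the same pattern twice: a script tag injected where no page author puts one (between the closing Head tag and the opening Body tag in the absolutephase.com case, after the closing HTML tag in the superpuperdomain case), and a host's cleanup list that says to check index pages for injected javascript and .htaccess files for redirects. The checker below is an added example written for this thread; it is not code from the forum, from avast, or from any of the scanners linked above. It assumes an allowlist of hosts the site legitimately loads scripts from (the site's own hostname and Google Analytics, as in the recon dump), and the sample page and .htaccess it runs on are constructed for the example. The decode_body() helper is there because the alert names the page with a "{gzip}" suffix: the served response is compressed, so a check of the live page has to gunzip it before looking at the markup.

```python
import gzip
import re
from urllib.parse import urlparse

# Assumption for this example: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.myfaxtomail.co.za", "www.google-analytics.com",
                 "ssl.google-analytics.com"}

# A whole <script ...>...</script> element, case-insensitive, spanning lines.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# .htaccess directives that can send a visitor somewhere else.
HTACCESS_REDIRECT_RE = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match|Permanent|Temp)?)\s+(.*)$",
    re.IGNORECASE | re.MULTILINE)
URL_RE = re.compile(r"https?://[^\s\[\]]+")


def decode_body(raw, content_encoding):
    """Turn a served response body into text; gunzip when the server sent
    Content-Encoding: gzip (the '{gzip}' in the avast alert). A file read
    from disk has no content encoding, so pass None for it."""
    if content_encoding and content_encoding.lower() == "gzip":
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def find_suspect_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    """Flag script elements sitting between </head> and <body> or after </html>,
    and script sources on hosts outside the allowlist. Returns a list of
    {'kind': ..., 'detail': ...} findings in document order."""
    findings = []
    lower = html.lower()
    head_close = lower.find("</head>")
    body_open = lower.find("<body")
    html_close = lower.rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        element = m.group(0)
        opening_tag = element.split(">", 1)[0]  # src lives in the opening tag
        snippet = element[:80].replace("\n", " ")
        if html_close != -1 and m.start() > html_close:
            findings.append({"kind": "after_html_close", "detail": snippet})
        elif head_close != -1 and body_open != -1 and head_close < m.start() < body_open:
            findings.append({"kind": "between_head_and_body", "detail": snippet})
        src = SRC_RE.search(opening_tag)
        if src:
            host = urlparse(src.group(1)).hostname  # None for relative paths
            if host and host.lower() not in allowed_hosts:
                findings.append({"kind": "external_script", "detail": host.lower()})
    return findings


def find_htaccess_redirects(text, allowed_hosts=ALLOWED_HOSTS):
    """Flag Redirect/RewriteRule directives whose target is an external host
    (item 3 of the host's cleanup list)."""
    findings = []
    for m in HTACCESS_REDIRECT_RE.finditer(text):
        directive, args = m.group(1), m.group(2)
        for url in URL_RE.findall(args):
            host = urlparse(url).hostname
            if host and host.lower() not in allowed_hosts:
                findings.append({"kind": "htaccess_redirect",
                                 "detail": f"{directive} -> {host.lower()}"})
    return findings


# Constructed sample input (not from the thread): one script injected between
# </head> and <body>, one appended after </html>, and an .htaccess that
# redirects only visitors arriving from a search engine.
SAMPLE_PAGE = """<html><head><title>Register</title>
<script type="text/javascript" src="validations.js"></script>
</head>
<script src="http://injected-one.example/a.js"></script>
<body>
<script src="http://www.google-analytics.com/ga.js"></script>
<p>Register your fax number</p>
</body></html>
<script src="http://injected-two.example/b.js"></script>
"""
SAMPLE_HTACCESS = """RewriteEngine On
RewriteCond %{HTTP_REFERER} google [NC]
RewriteRule ^(.*)$ http://redirect.example/go.php [R=302,L]
Redirect /old http://www.myfaxtomail.co.za/new
"""
SAMPLE_GZIPPED = gzip.compress(SAMPLE_PAGE.encode())  # stands in for a gzip response

if __name__ == "__main__":
    for f in find_suspect_scripts(decode_body(SAMPLE_GZIPPED, "gzip")):
        print(f["kind"], f["detail"])
    for f in find_htaccess_redirects(SAMPLE_HTACCESS):
        print(f["kind"], f["detail"])
```

Run find_suspect_scripts() over each index.php, default.aspx or other landing page on disk and find_htaccess_redirects() over every .htaccess; then, because a CMS-level injection may only appear when the page is generated (DavidR's point above), fetch the live page with a plain HTTP client, pass its body and Content-Encoding header through decode_body(), and run the same check on the result. A hit on the served page but not on the file is exactly the case where the webmaster "can't find the script".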