Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Richard42 on January 11, 2011, 04:43:49 PM
-
Hello everyone, I have been using the free edition of Avast for a few years now and I'm very happy with the product. OK, to the problem at hand: since last weekend and up to the present, every time I visit a forum which I am a member of, my Avast alerts me about a malware threat which it blocked.
Could this be a false positive?
I'm running WinXP on IE8 with Avast 5 free edition. I also have free editions of Malwarebytes Anti-Malware and SUPERAntiSpyware, and both have come up clean. I ran a deep scan only last week with all of them and all came back clean, so I'm a bit confused as to what is going on and hope someone out there can help.
Info...
Object: http:/clientscript/vbulletin_md5. (Parts of this line I removed)
Infection: HTML:Iframe-inf
Action: Connection aborted
Process: C:\Program File\Internet Explorer\iexplore.exe
-
Whilst avast's web shield is both very hot and accurate on these types of detection, we need the URL to even hope to investigate.
Change the http to hXXP in the full URL of the alert, this is enough to break the link so it isn't active and allow it to be investigated.
Sites getting hacked are one of the greatest threats now.
-
Full line.
hxxp:www.ww2f.com/clientscript/vbulletin_md5.js?v=410
-
How did you access that URL, as I see nothing in the direct link?
Using some other tools to analyse that javascript file URL doesn't reveal anything. Of course there is always the possibility that what was there may have been cleaned up.
So are you still getting an avast alert?
-
Avast is still alerting me, I access the forum via a created app on my IE8 Browser. I have six others and there has been no issue with them.
-
Obviously we can't access it that way, so we can't check out why you are having the problem and we aren't.
So I would suggest that you try accessing the page, etc. manually and see if you still get the alert, probably not. In which case it is likely to be something in the app, or what the app does, that triggers the avast alert.
-
Richard has apparently started a thread on that forum, and someone else got a warning from Norton or something. http://www.ww2f.com/counter-battery-fire/49709-malware-warning.html
-
Just tried the link from my bookmarks and it was clear. What I will do is keep an eye on the situation by opening the forum via the browser button and via the bookmark and see what the results are. If, as suggested, it could be the browser button, then I shall remove it and just use my bookmark link.
I will post here over the weekend with the results.
-
It's back again -
-
Still getting it, but it looks like the forum there has the problem. Good to see Avast doing its job.
-
I found this thread during my remediation efforts on this forum. I'm the admin at trying to deal with this outbreak.
First of all, thanks to all in this thread. I was better able to track the activity because of this. Thank you Richard42 specifically. I always appreciate a member who actually gives a sh!t and looks for solutions rather than browsing along when they see a problem.
As well, props to avast itself. It is the only AV product that specifically identified the source of the attack on the website itself. All other products alerted me to the final IP source of the attack, but not the intermediate step on my own site. This is obviously what I need to know to remediate the malware.
Among other attacks, it turns out that hackers had used a vulnerability in the forum's SEO to overwrite a file and insert a redirect:
hxxp:www.ww2f.com/clientscript/vbulletin_md5.js
This file has now been repaired and the software upgraded.
I've removed two other instances of infections, and I'm hoping a few of you might be able to assist me in ensuring that I've stamped this out. All I need is for a few of you to visit the site, and if you get any alerts, please post the "Object" portion of the warning here. This way I can identify and remove the problem. The attacks were targeting specific browsers, so if you can visit with more than one browsing tool, that would be even better.
Thanks all and keep up the good work avast!
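The admin's post above describes the classic pattern behind an HTML:Iframe-inf alert: a legitimate static script on the site (here vbulletin_md5.js) was overwritten so that it also wrote a hidden iframe into every page. The following is an added example, not code from this thread or from vBulletin, of how a site owner can check a served asset against a known-good hash and scan it for the injection patterns that produce such alerts. The JavaScript samples, the known-good hash and the malicious.example host are all constructed for the example.

```python
import hashlib
import re

# Constructed stand-in for a clean static script (NOT the real vbulletin_md5.js).
CLEAN_JS = (
    "/* vBulletin MD5 helper (constructed placeholder) */\n"
    "function md5hash(a){return a;}\n"
)

# Constructed stand-in for the same file after an attacker appended a hidden iframe
# redirect; the destination host is a placeholder, not a real indicator.
INJECTED_JS = CLEAN_JS + (
    "document.write('<iframe src=\"http://malicious.example/\" width=\"1\" "
    "height=\"1\" style=\"visibility:hidden\"></iframe>');\n"
)

# Patterns that commonly indicate injected content in a static script. These are
# heuristics chosen for this example; tune them to the site's own code base.
SUSPICIOUS_PATTERNS = {
    "iframe_tag": re.compile(r"<iframe[^>]*>", re.I),
    "document_write": re.compile(r"document\.write\s*\(", re.I),
    "long_hex_string": re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I),
    "eval_or_unescape": re.compile(r"\b(?:eval|unescape)\s*\(", re.I),
}


def sha256_text(text):
    """SHA-256 of the asset as UTF-8, used as the known-good baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_injections(js_text):
    """Return (pattern_name, line_number, matched_snippet) for every hit."""
    findings = []
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        for match in pattern.finditer(js_text):
            line_no = js_text.count("\n", 0, match.start()) + 1
            findings.append((name, line_no, match.group(0)[:60]))
    return findings


def check_asset(js_text, known_good_sha256):
    """Compare the served asset with its baseline hash and scan it for injections.

    Verdicts: "clean" (hash matches, nothing found), "modified" (hash differs but
    no known injection pattern, e.g. a legitimate update that needs a new baseline),
    "suspicious" (injection pattern present, regardless of hash).
    """
    digest = sha256_text(js_text)
    findings = find_injections(js_text)
    if findings:
        verdict = "suspicious"
    elif digest != known_good_sha256:
        verdict = "modified"
    else:
        verdict = "clean"
    return {
        "sha256": digest,
        "hash_match": digest == known_good_sha256,
        "findings": findings,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Baseline taken from the clean copy; in practice store it when the site is
    # known to be clean (e.g. right after a fresh install or upgrade).
    baseline = sha256_text(CLEAN_JS)
    for label, sample in (("clean copy", CLEAN_JS), ("injected copy", INJECTED_JS)):
        result = check_asset(sample, baseline)
        print(f"{label}: verdict={result['verdict']} hash_match={result['hash_match']}")
        for name, line_no, snippet in result["findings"]:
            print(f"  line {line_no}: {name}: {snippet}")
```

The hash comparison catches any overwrite, including ones the pattern list does not know about, while the pattern scan explains what changed and keeps working when no baseline exists. A "modified" verdict after a deliberate upgrade simply means the baseline needs to be re-recorded.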
-
Hi,
As I'm now at work, and here I'm stuck with KAV (admin's choice ;D ), I tried to access the site with IE, FF, and Chrome, and it seems clean, well, from KAV's "point of view" :)
-
Thanks Sparxx, I truly appreciate the feedback.
I put a lot of time into remediation, and I'm glad to see it's done at least some good.
-
Report 2011-03-11 11:23:17 (GMT 1)
Website ww2f.com
Domain Hash de276e97f9c94027062c4c023d7beb83
IP Address 75.127.98.38 [SCAN]
IP Hostname server.ww2f.com
IP Country US (United States)
AS Number 3595
AS Name GNAXNET-AS - Global Net Access, LLC
Detections 1 / 18 (6 %)
Status SUSPICIOUS
http://www.google.com/safebrowsing/diagnostic?site=ww2f.com
Report 2011-03-11 11:07:13 (GMT 1)
IP Address 75.127.98.38
IP Hostname server.ww2f.com
IP Country US
AS Number N/A
AS Name N/A
Detections 0 / 26 (0 %)
Status CLEAN
-
I appreciate this feedback Asyn, but what am I looking at? According to the timestamps it indicates that the site was CLEAN at 2011-03-11 11:07:13 and then was rated SUSPICIOUS 14 minutes later at 2011-03-11 11:23:17. Is this accurate or are the Avast times off?
-
I appreciate this feedback Asyn, but what am I looking at?
Forget the time stamps...!
What's important for you, is that your site seems to be clean. (at time of scanning)
So, do you still get a warning from avast..??
asyn
-
http://www.urlvoid.com/ has a bunch of scanners in one place. Anyway, I don't get any warning from avast! ATM, so it looks like you have fixed it.
On another note, AVs are not the best way of reminding a webmaster that they are using a vulnerable webapp; the vendor should provide some mailing list to subscribe to.
-
@ Asyn,
Thanks for the feedback. Still a bit confused about the timestamps, but as long as I am clear I'm happy. Thankfully, no more warnings from avast.
@ doktornotor
Nice multiple scanner, it also showed no infections. And for the record, I know about AV not being good for determining a site's health. I always try to stay patched. The reason I posted here (see my first post in this thread) was that avast was the only product that identified the specific script on my site that was performing the attack, which allowed me to better remediate the problem.
-
@ Asyn,
Thanks for the feedback. Still a bit confused about the timestamps, but as long as I am clear I'm happy. Thankfully, no more warnings from avast.
You're welcome..!
About the timestamps: These were 2 different scans. (one for your site's name, the other for your site's IP address.)
asyn