Avast WEBforum
Other => Viruses and worms => Topic started by: kamivh1 on June 06, 2011, 03:07:16 PM
-
Hi,
I use avast! Internet Security 6.0.1091.
In the pictures below you can see that Network Shield and Web Shield block a site, but I'm sure that it's safe and I want to use this site. I excluded this URL: hxtp://asrema1.co.cc but it does not work! ???
Please tell me how I can fix this problem.
Also, when I stopped Web Shield, Network Shield still blocked the site!
-
Sorry, but the Sucuri scanner says it is very infected :-[
http://sucuri.net/malware/malware-entry-mwjs488
See screenshot.
-
Sorry, but the Sucuri scanner says it is very infected :-[
http://sucuri.net/malware/malware-entry-mwjs488
It's odd! But
anyway, can't I exclude this site?
-
Hi kamivh1,
Make that site non-click-through like with hxtp://etc.
See the Sucuri scan report; the site is full of various JavaScript malware.
Do not exclude the site, but inform the admin of that site that it has fallen to malcode;
it has to be cleansed, and may have been hacked via: -index.php
(now empty)
polonus
-
Hi kamivh1,
Make that site non-click-through like with hxtp://etc.
See the Sucuri scan report; the site is full of various JavaScript malware.
Do not exclude the site, but inform the admin of that site that it has fallen to malcode;
it has to be cleansed, and may have been hacked via: -index.php
(now empty)
polonus
Thanks for the help!
-
Moderators, but I checked this URL with link-scanner, VirusTotal and more, and they said it's clean!
Also, other members of this site said their antiviruses don't report it! Please help me.
-
Moderators, but I checked this URL with link-scanner, VirusTotal and more, and they said it's clean!
Also, other members of this site said their antiviruses don't report it! Please help me.
No other AV reports it...yet. Someone has to be the first one....
avast is very often the first one on these web infections; this is an avast speciality and very often correct.
I have uploaded it to some other AV for analysis; I will post the result here when I receive it.
Every 3.6 seconds a website is infected
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414/
-
With all due respect to many of these other scanners, they aren't in the same league at detecting hacked/infected sites as avast's Web Shield. When there are multiple detections by the Web Shield, then the CommunityIQ feature of avast transmits this information and then the Network Shield would block the site.
The Sucuri scanner does a much more in-depth and detailed scan than these other tools also.
If I bypass the Network Shield, then I get an alert by the Web Shield, image1. Analysing the file that the Web Shield shows, it is an obfuscated zip; image2 is an extract of the content.
Why this file is loaded by the index.php (and more importantly what it does, I don't know) is strange, but since there are other areas mentioned by the Sucuri scan it certainly looks like the site has been hacked. So the most likely area is the PHP templates, as it is possibly the PHP content management software that has been exploited (if it is out of date).
-
If the OP continues to try and connect to that website, I'll look forward to his "I'm Infected, Now What?" thread. ::)
-
With all due respect to many of these other scanners, they aren't in the same league at detecting hacked/infected sites as avast's Web Shield. When there are multiple detections by the Web Shield, then the CommunityIQ feature of avast transmits this information and then the Network Shield would block the site.
The Sucuri scanner does a much more in-depth and detailed scan than these other tools also.
If I bypass the Network Shield, then I get an alert by the Web Shield, image1. Analysing the file that the Web Shield shows, it is an obfuscated zip; image2 is an extract of the content.
Why this file is loaded by the index.php (and more importantly what it does, I don't know) is strange, but since there are other areas mentioned by the Sucuri scan it certainly looks like the site has been hacked. So the most likely area is the PHP templates, as it is possibly the PHP content management software that has been exploited (if it is out of date).
Thanks, I just contacted the admin of this site.
-
You're welcome.
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
hxxp://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hXXp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
The problem is we can't check anything on the hxtp://asrema1.co.cc site as it is blocked and that is based around the information already given.
Please 'modify' your post and change the URL from http to hXXp or www to wXw (as I have in the quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.
I have visited your first link and I get no alert on that topic, so what exactly is the problem with the vBulletin link?
You can post an image of the avast alert.
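The link-breaking convention requested above (http to hXXp, www to wXw), as an added Python example that is not part of the original post. The function names, the `flagged-site.example` and `plugin-docs.example` domains and the sample post text are constructed for illustration; the check also covers the case raised later in the thread, where a link stays live inside a quoted copy.

```python
import re

# Matches a still-clickable http(s) URL: scheme, host, and the rest of the URL.
# Already-broken forms (hXXp, hxxp, hxtp, h**p) do not match and are left alone.
LIVE_URL = re.compile(r"\b(https?)://([A-Za-z0-9.-]+)([^\s)>\"']*)", re.IGNORECASE)


def is_suspect(host, suspect_domains):
    """True if host is a listed domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in suspect_domains)


def find_live_links(text, suspect_domains):
    """Return every clickable URL in text that points at a suspect domain."""
    return [m.group(0) for m in LIVE_URL.finditer(text)
            if is_suspect(m.group(2), suspect_domains)]


def defang(text, suspect_domains):
    """Break links to suspect domains only; reference links stay clickable."""
    def rewrite(m):
        scheme, host, rest = m.groups()
        if not is_suspect(host, suspect_domains):
            return m.group(0)
        scheme = "hXXp" + scheme[4:]  # keeps the trailing "s" of https
        host = re.sub(r"^www\.", "wXw.", host, flags=re.IGNORECASE)
        return f"{scheme}://{host}{rest}"
    return LIVE_URL.sub(rewrite, text)


# Constructed forum post: one reference link, one link to a flagged site,
# and the same flagged site again inside a quoted copy of an earlier post.
SUSPECT = {"flagged-site.example"}
POST = (
    "Plugin thread: http://www.plugin-docs.example/showthread.php?t=1\n"
    "Please see: http://flagged-site.example/clientscript/resizer.js?v=1.0.1\n"
    "> Please see: https://www.flagged-site.example/clientscript/resizer.js\n"
)

if __name__ == "__main__":
    print("live links before:", find_live_links(POST, SUSPECT))
    cleaned = defang(POST, SUSPECT)
    print(cleaned)
    print("live links after:", find_live_links(cleaned, SUSPECT))
```

Running `find_live_links` over the whole post body, quoted text included, is what catches a link that was fixed in the original post but is still clickable in a reply that quoted it.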
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hXXp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
The problem is we can't check anything on the hxtp://asrema1.co.cc site as it is blocked and that is based around the information already given.
Please 'modify' your post and change the URL from http to hXXp or www to wXw (as I have in the quoted text), to break the link and avoid accidental exposure to suspect sites, thanks.
I have visited your first link and I get no alert on that topic, so what exactly is the problem with the vBulletin link?
You can post an image of the avast alert.
No, he means this plugin, JavaScript Image Resizer, has a false alarm!
This URL hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1 has got (image resizer), so it's blocked!
Please fix this problem. I'm a member of this site, so if you don't fix this I have to change my AV!
I'm a fan of avast! but....
-
Yesterday you said other AVs or sites will add this malicious to their database, but they haven't yet!
It's odd that only avast! blocks it!
-
That image resizer isn't the problem on the hxxp://asrema1.co.cc site, as that file doesn't feature in any of the alerts/suspicious files on the Sucuri list, but there are some other vBulletin scripts that are considered suspect.
There really are too many other things to ignore.
-
That image resizer isn't the problem on the hxxp://asrema1.co.cc site, as that file doesn't feature in any of the alerts/suspicious files on the Sucuri list, but there are some other vBulletin scripts that are considered suspect.
There really are too many other things to ignore.
OK. I just checked. You were right. At this time Kaspersky and F-Secure blocked it!!!
-
Norman analysis
Though the sucuri site check found some mal contents, we couldn't find the same in it.
Thanks
vasanth
still waiting for Avira
-
Norman analysis
Though the sucuri site check found some mal contents, we couldn't find the same in it.
Thanks
vasanth
still waiting for Avira
I asked other members of this site (hxxp://asrema1.co.cc), and only those who had avast! have got the problem! Not other AVs!
Also, another address of this site is blocked! (hxxp://sat4u.org)
My friends have Avira, TrustPort, F-Secure, NOD32 and Kaspersky, but none of them have a problem.
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
You still need to edit your quote I highlighted in red. See your post http://forum.avast.com/index.php?topic=79477.msg653725#msg653725
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
You still need to edit your quote I highlighted in red. See your post http://forum.avast.com/index.php?topic=79477.msg653725#msg653725
What is the problem?
I've edited that post in post #14.
DavidR told me that URL is not the problem! He said this site has a lot of viruses, but I think it's about misunderstanding! or policy!!! Please review it!
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
http://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
You still need to edit your quote I highlighted in red. See your post http://forum.avast.com/index.php?topic=79477.msg653725#msg653725
What is the problem?
I've edited that post in post #14.
DavidR told me that URL is not the problem! He said this site has a lot of viruses, but I think it's about misunderstanding! or policy!!! Please review it!
It's not about me; other members emailed avast! about this problem.
See, I remember that some years ago, 2 or 3 AVs reported this site as malicious but found out they were wrong!
-
What is the problem?
I've edited that post in post #14.
DavidR told me that URL is not the problem! He said this site has a lot of viruses, but I think it's about misunderstanding! or policy!!! Please review it!
The problem is that the questionable link is still a live link in your quote in Reply #12 of this thread. That's what needs to be changed.
-
What is the problem?
I've edited that post in post #14.
DavidR told me that URL is not the problem! He said this site has a lot of viruses, but I think it's about misunderstanding! or policy!!! Please review it!
The problem is that the questionable link is still a live link in your quote in Reply #12 of this thread. That's what needs to be changed.
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
-
Hi
I tried by www.urlvoid.com
asrema1.co.cc is clean ...
Please see attachment:
-
What is the problem?
I've edited that post in post #14.
DavidR told me that URL is not the problem! He said this site has a lot of viruses, but I think it's about misunderstanding! or policy!!! Please review it!
You still don't get it. You must edit your reply in Post #12 and modify your quote there.
The problem is that the questionable link is still a live link in your quote in Reply #12 of this thread. That's what needs to be changed.
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
hxxp://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
-
Hi
I tried by www.urlvoid.com
asrema1.co.cc is clean ...
Please see attachment:
I suggest you read the full topic as this has been shown that not all scanners are even looking for this much less being able to detect it.
-
Hi,
AVAST makes a false report about a JavaScript file that is part of a most popular vBulletin plugin.
hxxp://www.vbulletin.org/forum/showthread.php?t=118048
Please see the source code:
hxxp://asrema1.co.cc/clientscript/ncode_imageresizer.js?v=1.0.1
There is no malicious code.
Please take action to fix the problem in your next software update.
Regards
Hi moderators, please notice this.
Kamivh1, thank you for modifying the link in the quoted section.
-
not all scanners are even looking for this much less being able to detect it.
Could you please point to the malicious code on the asrema1 website that Avast is able to detect and not the others?
-
That is exactly what we have been doing already in this topic.
-
That is exactly what we have been doing already in this topic.
We believe it's a "false alarm" unless someone could prove otherwise.
-
Sorry, but the Sucuri scanner says it is very infected :-[
http://sucuri.net/malware/malware-entry-mwjs488
See screenshot.
Can you take a picture larger than this??
I can hardly see the information in this picture.
-
not all scanners are even looking for this much less being able to detect it.
Could you please point to the malicious code on the asrema1 website that Avast is able to detect and not the others?
Moderators, could you please point to that code?
-
Larger image of the Sucuri results.
The Sucuri site also shows that your versions of PHP and vBulletin are out of date and vulnerable to exploit; as I mentioned earlier, you have to ensure that your content management software (CMS) is fully up to date. This is frequently the reason sites are hacked, by exploiting vulnerabilities in out-of-date CMS.
-
Larger image of the Sucuri results.
The Sucuri site also shows that your versions of PHP and vBulletin are out of date and vulnerable to exploit; as I mentioned earlier, you have to ensure that your content management software (CMS) is fully up to date. This is frequently the reason sites are hacked, by exploiting vulnerabilities in out-of-date CMS.
Thanks for the large pics and information.
But just now I got an email from an avast! employee.
He said "this domain will be unblocked."
-
Hi kamivh1,
Then also get rid of this abuse status, it has not been rejected nor removed since long:
http://rfc-ignorant.org/tools/lookup.php?domain=asrema1.co.cc
See full results:
http://www.rfc-ignorant.org/tools/lookup.php?domain=asrema1.co.cc&full=1
The plug-in was a heuristic detection.
Here it was also reported: HEUR:Trojan.Script.Iframer h**p://forums.electronicarts.co.uk/clientscript/ncode_imageresizer.js?v=1.0.1
source link: was reported by xDodox94 on that forum, issue now fixed
polonus
-
Larger image of the Sucuri results.
The Sucuri site also shows that your versions of PHP and vBulletin are out of date and vulnerable to exploit; as I mentioned earlier, you have to ensure that your content management software (CMS) is fully up to date. This is frequently the reason sites are hacked, by exploiting vulnerabilities in out-of-date CMS.
Thanks for the large pics and information.
But just now I got an email from an avast! employee.
He said "this domain will be unblocked."
Whilst this is good news for you, it is just a first step, as the Web Shield is likely to alert as it did for me when I bypassed the Network Shield (in one of my early posts). The web admin for the site needs to address the old versions of PHP and vBulletin to avoid possible further exploit.
But what has already been detected in my http://forum.avast.com/index.php?topic=79477.msg653639#msg653639 certainly needs to be investigated and resolved, e.g. why is this obfuscated file being loaded in the index.php file. I don't know why; that can only be investigated by the web admin.
-
Hi DavidR,
Even when I try to go to that site here: -http://wave.webaim.org/report?url=http%3A%2F%2Fasrema1.co.cc&js=1 I get avast Webshield blocking this as HTML:RedirBA-inf[Trj] and will get disconnected. And then it could eventually be unblocked later, see for a similar case: http://forum.avast.com/index.php?topic=45786.0
The posters in this site really have to inform the site admin of that site to solve the issues there, cleanse, update his web applications, etc. They should mail to supportATturnkeyinternet.net and refer to this thread,
polonus
-
Hello,
this was a false positive.
Sorry for your inconvenience:(
-
Hi
Thanks to all of you for helping me.
DavidR,polonus,Gopher John
have a great time.
-
Hi kamivh1,
So the issue has been solved, all is well that ends well, welcome to the forums,
polonus