Author Topic: Help request  (Read 2458 times)


counter

  • Guest
Help request
« on: September 22, 2009, 08:11:03 PM »
Hello,
I am writing for your help. Together with my colleagues we have a disagreement about Avast virus detection on the website: http://www.astrosurf.com/lunascan/arkhipov2.htm. Avast detects the threat as an HTML:Iframe-gen virus. In my opinion, after checking the source code of the page, there is no threat whatsoever; it is only a false positive alert generated by Avast, which detects the HTML code IFRAME in a web site source and marks it as a threat. The IFRAME contains a link to some old stats file: http://www.astrosurf.com/stats.php3 Could you have a look at the website and see if there is any reason to be worried and sort our argument for good?

Thank you very much :)

Lisandro

  • Avast team
  • Certainly Bot
Re: Help request
« Reply #1 on: September 23, 2009, 12:22:40 AM »
Does not seem to be the html code (encrypted script), but it could be an iframe.
Sorry, I'm not an expert to test it.
Generally, avast detection is accurate in these cases.

Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0

Please, edit the links to not-live ones (change http for hxxp, for instance or add spaces between the url).

Check here how to clean and make a website secure.
The best things in life are free.

polonus

  • Avast Überevangelist
  • Probably Bot
  • malware fighter
Re: Help request
« Reply #2 on: September 23, 2009, 10:21:43 AM »
Hi counter,

Web page security report says the page was suspicious at times.
This should be considered by the webadmin or hoster....
So what is the present status of wXw.astrosurf.com?
Counter, make your links non-clickable by either htxp or wxw, so the curious do not get infected.
The link you gave could have been hacked through weak PHP used.
Code:
</body>
^IFRAME src='hxtp://www.astrosurf.com/stats.php3' scrolling=no width=0 height=0 align=center NAME='stats'^
^/IFRAME
</hXml>

Part of the site has been noted as being infected during the previous 90 days and this happened 4 times

What happened then?
Google tested 72 pages during the previous 90 days, and 4 pages have been found to download and install malicious software without user's consent. Last time Google visited the site was on 2009-09-20. Last time suspicious content was found to be on the site was on 2009-09-18.
Malicious software includes 28 scripting exploits, 4 trojans, 1 exploit.

Malicious software was hosted on 3 domains, e.g. martuz.cn/, x8e.ru/, 3cq.ru/.

This site was hosted on 1 network(s) including AS16276 (OVH),

Bad code detektor findings:No zeroiframes detected!
Check took 1.61 seconds

(Level: 0) Url checked:
hxtp://www.astrosurf.com
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.astrosurf.com/banners_texte.htm
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.astrosurf.com/banners.htm
Zeroiframes detected on this site: 0
No ad codes identified

But the link you gave:
Check took 0.86 seconds

(Level: 0) Url checked:
hxtp://www.astrosurf.com/lunascan/arkhipov2.htm
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://www.astrosurf.com/stats.php3
Zeroiframes detected on this site: 0
No ad codes identified

The stats are:

0: http:
1:??????????????

2: forum.avast.com

3: index.php?topic=48888.msg412933

X: forum.avast.com/index.php?topic=48888.msg412933


polonus

« Last Edit: September 23, 2009, 10:25:27 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
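
A sketch of the kind of "zeroiframes" check quoted in the report above, as an added example that is not part of the thread and not the code of the scanner polonus used. The hostnames `site.example` and `other.example`, the sample page and all function names are constructed for illustration. It lists every iframe that renders invisibly and says whether its source resolves to the same host as the page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# "0", "0px", "0%" count as a zero dimension; an absent attribute does not.
ZERO = re.compile(r"\s*0+(\.0+)?\s*(px|%)?\s*", re.I)
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![-\w])(?:width|height)\s*:\s*0+(?:px)?\s*(?:;|$)", re.I)

class ZeroIframeFinder(HTMLParser):
    """Collects iframes that render invisibly, with their resolved source."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lowercases tag and attribute names
            return
        a = {name: value or "" for name, value in attrs}
        zero_box = bool(ZERO.fullmatch(a.get("width", ""))
                        or ZERO.fullmatch(a.get("height", "")))
        css_hidden = bool(HIDING_CSS.search(a.get("style", "")))
        if not (zero_box or css_hidden):
            return
        src = urljoin(self.page_url, a.get("src", ""))  # resolve relative src
        same_host = urlparse(src).hostname == urlparse(self.page_url).hostname
        self.findings.append({"src": src, "same_host": same_host,
                              "reason": "zero size" if zero_box else "hidden by CSS"})

def find_zero_iframes(html, page_url):
    finder = ZeroIframeFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample: one visible frame, one zero-size frame shaped like the
# snippet in the post, one CSS-hidden frame pointing at another host.
PAGE_URL = "http://site.example/lunascan/page.htm"
SAMPLE = """<html><body>
<iframe src="/video.htm" width="400" height="300"></iframe>
<IFRAME src='http://site.example/stats.php3' scrolling=no width=0 height=0 align=center NAME='stats'>
</IFRAME>
<iframe src="http://other.example/in.php" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_zero_iframes(SAMPLE, PAGE_URL):
        print(f)
```

A `same_host` result only says where the frame points; the framed page still has to be fetched and inspected in its own right, as the level 1 entries in the report do.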