Author Topic: False positive or real infection on popular site?  (Read 3186 times)


philly12

  • Guest
False positive or real infection on popular site?
« on: July 04, 2012, 02:40:48 AM »
My gf was going to "people of walmart" and it came up with an infection alert (on the main page). Is this correct or a false positive because this is a very popular site? I have attached pics below.

The pics have to be small for the small size limit, but here is the info on the infection information page.

URL: http://ibc.thuisserver.com/ba.js (do not go to that site, people)
Process:   C:\Program Files\Mozilla Firefox\firefox...
Infection:   URL:Mal

Thanks for the help.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: False positive or real infection on popular site?
« Reply #1 on: July 04, 2012, 03:28:16 AM »
Avast! is not alerting on the site itself, but on another site that the site is trying to connect to.
See: http://urlquery.net/report.php?id=81824

GET /ba.js HTTP/1.1
Host: ibc.thuisserver.com
Referer: hXtp://www.peopleofwalmart.com/

HTTP/1.1 200 OK
Content-Length: 685

Direct malware payload was on that link 2012-06-06.

Also See: http://urlquery.net/report.php?id=81829

Also Returns:
HTTP/1.1 200 OK
Content-Length: 685

So it appears that the site at hand gets a cookie from the suspect site at hand.

Another Domain With The Same Behavior On The Same IP: http://urlquery.net/report.php?id=29224
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

philly12

  • Guest
Re: False positive or real infection on popular site?
« Reply #2 on: July 04, 2012, 03:33:03 AM »
So you are saying this site is fine, but has links to a malware site, or is it only a bad cookie?

And I typed in the url directly into the Url bar (did not use a link to get to the people of walmart site).

Excuse my stupidity...lol


Offline !Donovan

Re: False positive or real infection on popular site?
« Reply #3 on: July 04, 2012, 03:46:06 AM »
The site has a link to a site that has hosted malware in the past. However, avast! blocks this IP. It returns a cookie, which I assume would be used by another site called by the site, so as to check the referrer of the URL. In similar theory:
Main Site --> Cookie Payload --> Main Site --> Cookie Get --> Do Something When Returned True

In simple terms, while avast! is blocking the "thuisserver" site, you should be able to browse safely, considering the factor mentioned above.
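The request/response excerpt in Reply #1 and the referrer-check theory in Reply #3 can be checked mechanically from a capture. The script below is an added example by the editor, not code from any post above or from avast!: it parses a small, constructed capture written in the style of the urlquery excerpt (the `Set-Cookie` header and the second blocklist host are made up for the example; the thread only states that a cookie comes back), decides for each request whether it is third-party relative to its Referer, and flags third-party script loads, third-party cookie setting, and hosts on a local blocklist. `BLOCKLIST`, `CAPTURE`, `parse_capture` and `analyse` are all names chosen here.

```python
"""Flag third-party script loads and cookie-setting hosts in an HTTP capture.

Added example, not code from the forum thread or from avast!. Input is a
constructed capture in the style of the urlquery excerpt quoted in the thread.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed blocklist: the host named in the thread plus a placeholder entry.
BLOCKLIST = {"ibc.thuisserver.com", "bad-tracker.invalid"}


@dataclass
class Transaction:
    method: str
    path: str
    host: str = ""
    referer: str | None = None
    status: int | None = None
    set_cookie: list[str] = field(default_factory=list)


def parse_capture(text: str) -> list[Transaction]:
    """A transaction starts at a request line ('GET /ba.js HTTP/1.1'); the next
    status line ('HTTP/1.1 200 OK') opens its response headers."""
    txns: list[Transaction] = []
    current = None
    in_response = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(" ", 2)
        if len(parts) == 3 and parts[2].startswith("HTTP/"):   # request line
            current = Transaction(method=parts[0], path=parts[1])
            txns.append(current)
            in_response = False
            continue
        if line.startswith("HTTP/") and current is not None:   # status line
            current.status = int(line.split()[1])
            in_response = True
            continue
        if current is None or ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if not in_response and name == "host":
            current.host = value.lower()
        elif not in_response and name == "referer":
            current.referer = value
        elif in_response and name == "set-cookie":
            current.set_cookie.append(value)
    return txns


def _site(hostname: str) -> str:
    """Crude site key: drop a leading 'www.'. A real tool would use the
    public suffix list, but this suffices for the comparison here."""
    return hostname.lower().removeprefix("www.")


def referer_host(referer: str | None) -> str | None:
    if not referer:
        return None
    # The thread defangs schemes as 'hXtp://' / 'htxp://'; normalise before parsing.
    fixed = referer.replace("hXtp://", "http://").replace("htxp://", "http://")
    return urlparse(fixed).hostname


def analyse(txns: list[Transaction]) -> list[dict]:
    findings = []
    for t in txns:
        ref_host = referer_host(t.referer)
        third_party = ref_host is not None and _site(ref_host) != _site(t.host)
        reasons = []
        if t.host in BLOCKLIST:
            reasons.append("host on blocklist")
        if third_party and t.path.split("?")[0].endswith(".js"):
            reasons.append("third-party script")
        if third_party and t.set_cookie:
            reasons.append("third-party set cookie")
        if reasons:
            findings.append({"host": t.host, "path": t.path, "referer": ref_host,
                             "status": t.status, "reasons": reasons})
    return findings


# Constructed capture: page load, the third-party script from the thread
# (with a made-up Set-Cookie), and a same-site script for contrast.
CAPTURE = """
GET / HTTP/1.1
Host: www.peopleofwalmart.com

HTTP/1.1 200 OK
Content-Length: 51234

GET /ba.js HTTP/1.1
Host: ibc.thuisserver.com
Referer: hXtp://www.peopleofwalmart.com/

HTTP/1.1 200 OK
Content-Length: 685
Set-Cookie: ref=1; Path=/

GET /js/site.js HTTP/1.1
Host: www.peopleofwalmart.com
Referer: hXtp://www.peopleofwalmart.com/

HTTP/1.1 200 OK
Content-Length: 9000
"""

if __name__ == "__main__":
    for f in analyse(parse_capture(CAPTURE)):
        print(f)
```

Run as-is and only the `ibc.thuisserver.com` fetch is reported, with all three reasons; the same-site `/js/site.js` load is silent, which is the distinction Reply #1 draws between the page being visited and the host the page pulls in.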

philly12

  • Guest
Re: False positive or real infection on popular site?
« Reply #4 on: July 04, 2012, 03:48:23 AM »
Thank you for explaining it to me Donovan. I appreciate the help :) . Have a good 4th of July (if you celebrate it).

Offline !Donovan

Re: False positive or real infection on popular site?
« Reply #5 on: July 04, 2012, 04:06:04 AM »
You're welcome. Glad I could help. :)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: False positive or real infection on popular site?
« Reply #6 on: July 04, 2012, 05:52:09 PM »
Hi !Donovan,

The malware of that Russian domain, htxp://ibc.thuisserver.com/ba.js, is now dead. Closed since: 2012-06-06 20:11:38

Suricata/ w Emerging Threats - alert severity 3
2012-07-04 03:24:21    92.241.177.162    urlQuery Client   3   ET RBN Known Russian Business Network IP (430)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!