Author Topic: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js  (Read 31853 times)

Offline mehuge

  • Newbie
  • *
  • Posts: 6
http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« on: January 03, 2013, 07:59:16 PM »
e.g. visiting (remove the braces)

(http)://www.wix.com/support/forum/flash/other/other/spurious-code

The page injects some javascript (using document.write) to load the script http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js

I can access (https)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js (the very same code) and not get a virus alert.  I can download (http)://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js using wget and scan it and not get an alert.  The alert it's giving is a URL:Mal.

I can upload the downloaded code to jotti.org and it passes as clean.

http://virusscan.jotti.org/en/scanresult/9cd19dba5af53585bfcc4a5244c21382e539fc60

False positive?

« Last Edit: January 04, 2013, 12:40:48 AM by mehuge »
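
Added example, not part of the thread or of any poster's code: a small Node.js check a site owner can run over saved page source to see which pages reference the flagged script and whether the reference is a plain script tag or is written in by document.write, as the first post describes. The page names and markup in PAGES are constructed sample input; only the flagged host and path come from the thread.

```javascript
// Added example. FLAGGED is the host and path from the thread; PAGES holds
// constructed sample markup, not copies of any real site.
const FLAGGED = 'd1ros97qkrwjf5.cloudfront.net/42/eum/rum.js';
const PAGES = {
  'blog.example': String.raw`<script src="/js/site.js"></script>
<script>document.write('<scr' + 'ipt src="http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js"><\/scr' + 'ipt>');</script>`,
  'shop.example': String.raw`<script type="text/javascript" src="//d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js"></script>`,
  'news.example': String.raw`<script src="https://static.example/app.js?v=3"></script>`,
};

// Drop the scheme (or a leading //) and any query/fragment so that http, https
// and protocol-relative references to the same resource compare equal.
const normalize = (url) =>
  url.replace(/^(?:[a-z][a-z0-9+.-]*:)?\/\//i, '').replace(/[?#].*$/, '');

// src attribute of every <script ...> opening tag found in a piece of markup.
const scriptSrcs = (markup) =>
  [...markup.matchAll(/<script\b[^>]*?\ssrc\s*=\s*["']?([^"'\s>]+)/gi)].map((m) => m[1]);

// Concatenate the string literals of a JS expression ('<scr' + 'ipt ...')
// and undo backslash escapes such as <\/script>.
const joinLiterals = (js) =>
  [...js.matchAll(/'((?:[^'\\]|\\.)*)'|"((?:[^"\\]|\\.)*)"/g)]
    .map((m) => m[1] ?? m[2]).join('').replace(/\\(.)/g, '$1');

// Every script URL a page references, and how it gets loaded.
function findScriptRefs(html) {
  const refs = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    const direct = scriptSrcs(`<script${attrs}>`);
    if (direct.length) { refs.push({ url: direct[0], via: 'script tag' }); continue; }
    for (const w of body.matchAll(/document\.write(?:ln)?\s*\(([\s\S]*?)\)\s*;/g))
      for (const url of scriptSrcs(joinLiterals(w[1]))) refs.push({ url, via: 'document.write' });
  }
  return refs;
}

// Pages that pull in the flagged resource, mapped to how each one loads it.
function pagesLoading(flagged, pages) {
  const hits = {};
  for (const [name, html] of Object.entries(pages)) {
    const via = findScriptRefs(html).filter((r) => normalize(r.url) === flagged).map((r) => r.via);
    if (via.length) hits[name] = via;
  }
  return hits;
}

console.log(pagesLoading(FLAGGED, PAGES));
```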

Offline joshuachavanne

  • Newbie
  • *
  • Posts: 2
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #1 on: January 03, 2013, 08:50:51 PM »
Have had this happen on several sites today, and upon a cursory search there seems to be a lot of references to this same code.

Offline poppie1234

  • Newbie
  • *
  • Posts: 12
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #2 on: January 03, 2013, 09:00:32 PM »
Yep same thing just happened to me visiting a jewellery website that I have used before (all the w's acotisjewellery.co.uk) exactly the same pop up, avast blocked a malicious URL ://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js as other people are getting.  :-\

Offline whetzelmomma

  • Newbie
  • *
  • Posts: 5
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #3 on: January 03, 2013, 09:06:00 PM »
I am getting this alert when I view my blog/website. I also get it when I try to expand the HTML template of my blog in the admin area. I use blogger, and have not recently made any changes to my site, nor do I allow spam comments on my blog. Pretty sure this is a false pos, but how do I report it?

Offline Bowdon

  • Jr. Member
  • **
  • Posts: 73
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #4 on: January 03, 2013, 09:12:04 PM »
I'm getting it when visiting the national newspaper Daily Mail. It was ok until this afternoon. Then this warning.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83029
  • No support PMs thanks
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #5 on: January 03, 2013, 09:12:58 PM »
@ mehuge

Please 'modify' your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Offline whetzelmomma

  • Newbie
  • *
  • Posts: 5
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #6 on: January 03, 2013, 09:20:19 PM »
It's not a site, it's part of a JavaScript on pages.

Offline sfreeman

  • Newbie
  • *
  • Posts: 5
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #7 on: January 03, 2013, 09:25:53 PM »
Since it only seems to be getting caught by Avast, it would be great if someone from Avast could chime in and say if it's a false positive, or something we actually need to worry about.

Offline designyou

  • Newbie
  • *
  • Posts: 1
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #8 on: January 03, 2013, 09:35:45 PM »
I have the same problem and agree it would be nice to have some info from Avast!!!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36633
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #9 on: January 03, 2013, 10:44:18 PM »
could you attach a screenshot of the avast warning popup...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32437
  • malware fighter
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #10 on: January 03, 2013, 10:50:29 PM »
Pondus

Somehow, I do not seem able to reproduce it. Maybe it has gone with a new definition update.
RUM means real user monitoring by automatically injected javascript. Info on what RUM does from Dan Wright in this article of his -> link here: http://blog.newrelic.com/2011/05/17/how-rum-works/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Jonny788

  • Newbie
  • *
  • Posts: 3
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #11 on: January 03, 2013, 10:56:00 PM »
Hello, I've registered just to say I'm getting this problem too and it started today. It's popping up at many safe websites I visit daily, including filehippo and ausgamers just to name a couple.

It would be great if someone at avast! could confirm if this is a false positive, before I decide to disintegrate my harddisk.

Offline Borgis

  • Newbie
  • *
  • Posts: 2
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #12 on: January 03, 2013, 10:58:01 PM »
could you attach a screenshot of the avast warning popup...
My warning

Offline poppie1234

  • Newbie
  • *
  • Posts: 12
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #13 on: January 03, 2013, 10:59:40 PM »
With so many of us getting the same pop up it must be a false positive surely?

Wish someone from Avast would let us know. :(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32437
  • malware fighter
Re: http://d1ros97qkrwjf5.cloudfront.net/42/eum/rum.js
« Reply #14 on: January 03, 2013, 11:06:56 PM »
Just wondering what it is, and where it comes from. From the header request I get:
Code:
HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:01:18 GMT
Expires: Thu, 03 Jan 2013 22:01:18 GMT
X-Amz-Cf-Id: XwrpY8dIAJVQveFH1V5Sym206IB0K8Vw7BQo_q1YB4gJ2VV87JmyXw==
X-Cache: Error from cloudfront
From the GET
Code:
HTTP/1.0 403 Forbidden
Content-Type: text/html
Content-Length: 49
Connection: close
Server: CloudFront
Date: Thu, 03 Jan 2013 22:03:04 GMT
Expires: Thu, 03 Jan 2013 22:03:04 GMT
X-Amz-Cf-Id: UwQcftUvjCf9p_iJDZYCAUEnIwku1Cj3z96FN6k3L-Zgf2cRB7l8Cw==
X-Cache: Error from cloudfront

<html><body>Sorry, invalid request</body></html>

polonus

