Topic: HTML:Iframe-ZG [trj] False Positive maybe ??

Ray crchjr
HTML:Iframe-ZG [trj] False Positive maybe ??
« on: April 06, 2013, 02:38:21 AM »
I have a website that got hacked recently. It took us weeks to get it cleaned up. I still have one file that avast says contains a trojan. I had my host server scan the file and all other files on my site and they say they are all clean. So is it avast that's wrong, or are they wrong? The file I have an issue with is for FrontPage Express 2003 and the file name is _vti_inf.html. Any suggestions?
« Last Edit: April 06, 2013, 03:25:45 PM by Ray crchjr »

jefferson sant
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #1 on: April 07, 2013, 04:17:41 AM »
You could submit the file via email to the avast lab at virus@avast.com, zipped and password-protected, please.

Check the file at VirusTotal (multi-engine online virus scanner, maximum file size: 64 MB):
https://www.virustotal.com/en/

and report the findings here in the topic.

Submitting files from the Virus Chest to avast! virus Lab

https://support.avast.com/index.php?languageid=1&group=eng&_m=knowledgebase&_a=viewarticle&kbarticleid=1406#idt_07
« Last Edit: April 26, 2013, 11:29:11 PM by jefferson santiag »

walzz
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #2 on: April 12, 2013, 02:39:55 AM »
When visiting this URL, hxtp://www.409shop.com.hk/mic.htm, Avast blocks the page and reports 'HTML:Iframe-ZG [trj]'.

This seems to be a false positive. When I do an online URL scan using virustotal.com, none of the 36 scanners report an exploit.

I suggest Avast have a look at this and confirm there really IS an exploit, or incorporate a change in the next definition update.
« Last Edit: May 10, 2013, 08:41:51 AM by Milos »

DavidR
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #3 on: April 12, 2013, 03:15:51 AM »
Please 'modify' your post change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

Avast isn't the only one to consider it infected:
http://sitecheck.sucuri.net/results/www.409shop.com.hk/mic.htm
http://www.urlvoid.com/scan/409shop.com.hk/

There is a hidden iframe after the closing html tag, which in itself is suspicious; this iframe links to a site that is considered malicious by avast.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.544) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Pleuris
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #4 on: April 24, 2013, 03:40:57 PM »
I'm also getting the HTML:Iframe-ZG [Trj] popup on my site

http://sitecheck.sucuri.net/results/www.ksasintjozef.be

The code from the corfuparadise has been removed by me from all the pages that were infected. But still I get popups.

DavidR
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #5 on: April 24, 2013, 03:52:41 PM »
Well, a re-scan of the sucuri.net link you provided is still indicating the site is infected, see attached image.

EDIT: Also see http://urlquery.net/report.php?id=2146441.
« Last Edit: April 24, 2013, 03:54:49 PM by DavidR »

Pleuris
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #6 on: April 26, 2013, 12:20:57 PM »
Well, I really don't understand it anymore. Only sucuri.net and avast give a positive result. Every other way says the site is clean. Can nobody help me get rid of the "problem"?

DavidR
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #7 on: April 26, 2013, 12:42:30 PM »
Sucuri shows the files where these 'hidden' iframe tags are to be found; you have to either remove those pages relating to 404 and/or find and remove the iframe tags.

The fact that this iframe tag is outside the closing HTML tag is also suspicious in its own right.

The first thing to ask yourself is: is that iframe tag legit, e.g. you created it and the location it is connecting to is correct (corfuparadise.gr)?

Pleuris
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #8 on: April 26, 2013, 01:30:50 PM »
There is NO iframe in the HTML. I removed it manually last week. Strangely, sucuri still finds it.

DavidR
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #9 on: April 26, 2013, 01:36:05 PM »
I can't account for it still being detected, but if you are using any content management software, check its templates as it may be being inserted there.

Are these two files that are being flagged by sucuri essential? I can't see why a javascript file would be required to handle a 404 error/issue. 404 errors can either be dealt with by default or by the use of a custom 404 page, and that doesn't require javascript.

Pondus
« Last Edit: April 26, 2013, 02:10:09 PM by Pondus »

!Donovan
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #11 on: April 26, 2013, 02:14:38 PM »
Hi Pleuris,

Of course they wouldn't provide you the iframe directly in the HTML. Then removing the malware would be somewhat easy, no?

DavidR is indeed correct. The 404 files still return the hidden iframe.

The report itself: http://www.UnmaskParasites.com/security-report/?page=www.ksasintjozef.be/404

Confirmed Malicious. See attached.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
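DavidR's point that the iframe sits after the closing html tag, and !Donovan's that the 404 page still serves it, as an added example that is not code from anyone in this thread: a small Python audit that flags iframes placed after </html>, hidden by CSS, or sized 0/1 px, run over a set of fetched responses including error pages. The sample responses, paths and domains in it are constructed.

```python
import re
from html.parser import HTMLParser

HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAuditor(HTMLParser):
    # Records each <iframe> start tag with its position, and where </html> closes.
    def __init__(self):
        super().__init__()
        self.iframes, self.html_close = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append((self.getpos(), dict(attrs)))
    def handle_endtag(self, tag):
        if tag == "html" and self.html_close is None:
            self.html_close = self.getpos()

def _tiny(value):  # 0/1 px width or height is a classic invisible-frame tell
    try:
        return float(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

def find_suspicious_iframes(html):
    # Returns [(line, src, reasons)] for iframes that look injected or hidden.
    p = IframeAuditor()
    p.feed(html); p.close()
    hits = []
    for pos, attrs in p.iframes:
        reasons = []
        if p.html_close is not None and pos > p.html_close:
            reasons.append("after </html>")  # the tell DavidR points out
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        if _tiny(attrs.get("width")) or _tiny(attrs.get("height")):
            reasons.append("zero-size")
        if reasons:
            hits.append((pos[0], attrs.get("src", ""), reasons))
    return hits

def scan_responses(pages):
    # pages: (path, status, body) triples; 404 bodies are scanned like any other,
    # since in this thread the injected frame was served from /404.
    return {path: h for path, _status, body in pages if (h := find_suspicious_iframes(body))}

# Constructed sample responses: a clean page and a 404 page carrying an injected frame.
SAMPLE_PAGES = [
    ("/index.html", 200, "<html><body><iframe src='https://maps.example/embed' "
     "width='400' height='300'></iframe></body></html>\n"),
    ("/404", 404, "<html><body><h1>Not Found</h1></body></html>\n<iframe "
     "src='http://evil.example/counter.php' width='1' height='1' style='display:none'></iframe>\n"),
]
```

Point `scan_responses` at the bodies returned by your own fetcher, and fetch a deliberately nonexistent path so the site's 404 handler is covered too.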

polonus
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #12 on: April 26, 2013, 02:40:51 PM »
Also see: http://sitecheck.sucuri.net/results/www.ksasintjozef.be
Here it is not detected, or it must have been already cleansed: http://evuln.com/tools/malware-scanner/www.ksasintjozef.be/
But here 16 suspicious files are being listed: http://quttera.com/detailed_report/www.ksasintjozef.be
Various suspicious external elements are flagged here: http://zulu.zscaler.com/submission/show/9293cbcff3be00c917201c236c418c01-1366979689
About cleansing counter.php malcode, read: http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html

polonus
« Last Edit: April 26, 2013, 02:45:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

!Donovan
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #13 on: April 26, 2013, 11:26:08 PM »
Hi Polonus,

I do not think that evuln scanned a 404 page, because this kind of iframe should've been detected. I tried to query the URL with /404, but evuln itself returned a 404.

All links that were marked suspicious on Quttera lead to the 404 page, which is why they were detected.

~!Donovan

polonus
Re: HTML:Iframe-ZG [trj] False Positive maybe ??
« Reply #14 on: April 26, 2013, 11:57:31 PM »
Hi !Donovan,

Makes sense, all the more as Quttera is a realtime scanner; also http://evuln.com/tools/malware-scanner/corfuparadise.gr/

Damian
« Last Edit: April 27, 2013, 12:00:35 AM by polonus »