Author Topic: What is wrong with LightZone's web site?  (Read 4752 times)

Offline jacal

  • Jr. Member
  • **
  • Posts: 31
What is wrong with LightZone's web site?
« on: December 28, 2015, 06:22:08 PM »
LightZone is an open-source photo editor. Its web site has been blocked for me by (free) Avast's web shield for the last four days. A single LightZone forum user reported Google's browser blocking the site; other users seem to have no problems.

Comodo Web Inspector:

https://app.webinspector.com/public/reports/46320889
https://app.webinspector.com/public/reports/46321798

VirusTotal:

https://www.virustotal.com/en/url/0d6e35206702f132a71b56e7191c3187b17dd76f6196282b5ca0d349c3dcc679/analysis/1451318631/
https://www.virustotal.com/en/url/d3d3018ded139f23e670cdcc7dc1d4320529fc72383be44b486c070dc56c5ac0/analysis/1451318870/

Zulu URL Risk Analyzer:

http://zulu.zscaler.com/submission/show/4547f55ecde183d0109100ba9e15d08a-1451318480

URLVoid:

http://www.urlvoid.com/scan/lightzoneproject.org/

urlQuery:

http://urlquery.net/report.php?id=1451319928068

After I visit LightZone's forum with web shield disabled, Avast finds threats in my browser's cache (JS:Injection-A [Trj]) and puts them in the chest.

MBAM (free) doesn't find these files problematic.



Any opinion would be appreciated.
I am on Win7/64, using free Avast and MBAM, both updated.

Have a nice day, all!


Edit: typo
« Last Edit: December 28, 2015, 11:06:45 PM by jacal »


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: What is wrong with LightZone's web site?
« Reply #2 on: December 28, 2015, 06:50:56 PM »
« Last Edit: December 28, 2015, 11:50:01 PM by Pondus »

Offline jacal

  • Jr. Member
  • **
  • Posts: 31
Re: What is wrong with LightZone's web site?
« Reply #3 on: December 28, 2015, 07:10:57 PM »
Thank you both!

Additional question: in urlQuery results, I only see "No alerts detected" everywhere, what am I missing?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: What is wrong with LightZone's web site?
« Reply #4 on: December 28, 2015, 07:19:46 PM »
The bottom part of the results is what you are missing.  ;D
Note the IDS and BL's in the results.

Offline jacal

  • Jr. Member
  • **
  • Posts: 31
Re: What is wrong with LightZone's web site?
« Reply #5 on: December 28, 2015, 08:26:23 PM »
Thanks again! I will inform LightZone's administrators about this.

Have a nice evening!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: What is wrong with LightZone's web site?
« Reply #6 on: December 28, 2015, 10:02:15 PM »
There is code these administrators should retire as vulnerable library code: -http://www.lightzoneproject.org/
Detected libraries:
jquery - 1.4.4 : (active1) -http://www.lightzoneproject.org/
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
(active) - the library was also found to be active by running code

Unable to properly scan your site. Site returning error: HTTP/1.1 503 Service Temporarily Unavailable
Could be in the process of cleansing.
Nothing here: http://isithacked.com/check/http%3A%2F%2Fwww.lightzoneproject.org%2F
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.lightzoneproject.org%2Fsites%2Fdefault%2Ffiles%2Fjs%2Fjs_xAPl0qIk9eowy_iS9tNkCWXLUVoat94SQT48UBCFkyQ.js
Quttera flags 57 instances of Severity:   Malicious
Reason:   Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details:   Detected malicious JavaScript code
Read: http://www.kriesi.at/support/topic/strange-scripts-in-header-php/
Bitdefender TrafficLight flags websites with this malcode...
Also consider this WOT report for that IP: https://www.mywot.com/en/scorecard/66.147.244.181?utm_source=addon&utm_content=warn-viewsc   
Website risk status 9 red out of 10: http://toolbar.netcraft.com/site_report?url=http://66.147.244.181

polonus
« Last Edit: December 28, 2015, 10:10:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
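
The two kinds of finding in the scan output above (an outdated jQuery and encoded script) can be checked for with a few lines of code. This is an added example, not part of the original post or of any scanner named in the thread; the fixed-in versions, marker names and sample page are assumptions constructed for illustration.

```javascript
// Added example (not from the thread). Fixed-in versions are assumptions
// taken from the public advisories the scan output references.
const ADVISORIES = [
  { ref: "CVE-2011-4969", fixedIn: "1.6.3" },
  { ref: "bugs.jquery.com/ticket/11290", fixedIn: "1.9.0" },
];
// Numeric compare of dotted versions: negative when a is older than b.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Version from a file name, a ?v= cache-buster, or the library banner.
function detectJquery(source) {
  const patterns = [
    /jquery[-.]v?(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js/i,
    /jquery(?:\.min)?\.js\?v=(\d+\.\d+(?:\.\d+)?)/i,
    /jQuery (?:JavaScript Library )?v(\d+\.\d+(?:\.\d+)?)/,
  ];
  const m = patterns.map((p) => p.exec(source)).find(Boolean);
  return m ? m[1] : null;
}
// Crude markers of encoded script: a decoder fed to eval, long escape runs.
function looksEncoded(script) {
  const hits = [];
  if (/eval\s*\(\s*(?:unescape|atob|String\.fromCharCode)/.test(script)) hits.push("eval-of-decoder");
  if (/(?:%[0-9a-f]{2}){20,}|(?:\\x[0-9a-f]{2}){20,}/i.test(script)) hits.push("long-escaped-run");
  return hits;
}
// Combine both checks over one page's HTML source.
function auditPage(html) {
  const version = detectJquery(html);
  const advisories = version
    ? ADVISORIES.filter((a) => cmpVersion(version, a.fixedIn) < 0).map((a) => a.ref)
    : [];
  const inline = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)];
  return { version, advisories, encoded: inline.flatMap((m) => looksEncoded(m[1])) };
}
// Constructed sample page; the escaped payload decodes to "hi" repeated.
const SAMPLE = '<script src="/misc/jquery.js?v=1.4.4"></script>\n' +
  '<script>eval(unescape("' + "%68%69".repeat(12) + '"))</script>';
console.log(auditPage(SAMPLE));
```

A hit from `looksEncoded` is only a reason to look closer: packed or minified legitimate code can trip the same markers, so the flagged script still needs manual review.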

Offline jacal

  • Jr. Member
  • **
  • Posts: 31
Re: What is wrong with LightZone's web site?
« Reply #7 on: December 28, 2015, 10:37:01 PM »
As you can imagine, such small, non-commercial, enthusiast sites have problems with this kind of thing, most often having no security experts on-board. Thank you for your time, dzięki. I made a link to this thread on LightZone's forum, disabling my web shield to do this, but it might take some time for anything to be resolved.

Do you think users of other AVs are in some real danger, still using this site and forum normally? (Of course, some might be unable to access it and report.) About 25 % of users are using Linux, and about 25 % Apple's operating system.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: What is wrong with LightZone's web site?
« Reply #8 on: December 28, 2015, 11:13:45 PM »
In general :

You could say it is always a risk if anti-malware software and/or other security software/hardware isn't detecting/blocking sites with infections/security issues.

Just my opinion :

Commercial or non commercial doesn't matter.
The problem is that everyone who can afford it, can get a domain and basically put everything on their site as they wish without even having the basic knowledge about things.

When I see infections/problems like this I always wonder where the security from the host is. >:(
The host should have detected it and at least should have notified the domain owner of the problem(s) in my opinion.

A few years ago I used a little JavaScript in one of my webpages.
Within 24 hours I received an (automated) email that something malicious was detected.
It was a false positive, but nevertheless they alerted me.
Not even 24 hours later they had solved it.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: What is wrong with LightZone's web site?
« Reply #9 on: December 28, 2015, 11:39:54 PM »
Hi jacal,

When people (often victims) come to report a site is being flagged by Avast (AOS, webshield etc.) it means the site has actually already been infested with malware. Before that a site may have long been open to abuse, either vulnerable or open to exploits etc. Often those that have put the site up, do not know what and where to look for weaknesses in the site's code, the configuration, DNS errors, etc. etc.
We scan in a specific sequence with scanners for such insecurities and the presence of retirable code (libraries), outdated software (server, CMS, PHP), outdated plug-ins, vulnerable jQuery, cloaking, status codes, spammy looking links, defacement, iFrames, blacklist checks, and quite some other issues to report, so one could better protect or ask some expert to do this.

Eddy is right where he says that a lot of hosting parties do not do much in the way of pro-active protection of a website or a blog's security, they just cash in and leave it at that. Also software vendors (in order to keep their downloading customers satisfied) let you download the whole "kaboodle" and leave what to install and more important what to not install up to you. Just like Eddy I think this is a very unsatisfactory general situation. Whenever we can give volunteer support and spread our relevant knowledge of issues, give feedback (also to Avast's) and educate to improve that situation, we feel grateful when we see results from our mission to make the Interwebs and websites more secure,

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: December 28, 2015, 11:42:33 PM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: What is wrong with LightZone's web site?
« Reply #10 on: December 28, 2015, 11:53:18 PM »
Report from F-Secure lab

===================================================================
The file you sent was found to be malicious.

We will be detecting the sample you submitted as Trojan.JS.Injector.KX in the next database update.
===================================================================




Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31080
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: What is wrong with LightZone's web site?
« Reply #11 on: December 28, 2015, 11:55:57 PM »
And again avast was faster with the detection than F-Secure :D

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37509
  • Not a avast user
Re: What is wrong with LightZone's web site?
« Reply #12 on: December 29, 2015, 12:01:09 AM »
And again avast was faster with the detection than F-Secure :D
Some AV will always be first; no AV is first on everything.
Anyway, this was done to get a second opinion to confirm if avast was correct.



« Last Edit: December 29, 2015, 02:43:44 AM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: What is wrong with LightZone's web site?
« Reply #13 on: December 29, 2015, 11:25:59 AM »
Thanks, Pondus, for the cross checking on the found malware. With Avast's detection confirmed, we sure know now there is malcode out there to be cleansed, taken down or whatever to dismantle it. I hope webmasters and hosters alike take some education to make their environment a little bit more secure. Here we are just preaching to the choir. When they have people on the workfloor that are incompetent in these fields or underpaid, we are stuck with the situation at hand for a long, long time to come. That is the balance: greed on the one hand versus little initiative or willingness to spend any money on pro-active security. "Penny on the pound scrooges", you cannot have it all for almost nothing......

pol

Offline jacal

  • Jr. Member
  • **
  • Posts: 31
Re: What is wrong with LightZone's web site?
« Reply #14 on: December 29, 2015, 11:14:10 PM »
The site maintenance was announced and started approximately at the same time as I started this thread. I don't know the details, but Drupal and jQuery were updated and Avast doesn't block the site any more. This issue seems to be solved:

http://retire.insecurity.today/#!/scan/b81dc94baf40913d8936120997709c125724a87c604a9ffcb378aa259570e56b

Work is not over yet, anti-spam defence has to be upgraded etc. I will try to check the site again in a week or so, when everything is done. Thank you all for your kind help, have nice holidays!