Author Topic: Ebay Login - False Positive???  (Read 7561 times)

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Ebay Login - False Positive???
« on: June 06, 2018, 03:33:31 PM »
When bringing up Ebay.com's login screen, I get a notice from Avast that the connection with Ebay is aborted due to a redirector - "JD" or something like that. However, I am still able to get into Ebay.

Follow up scans with MalwareBytes and Avast full scan show nothing. Is this a false positive?

I am using Firefox, Win7 64bit and this has never happened before. From searching the net, it seems this was a problem for some folks at one time, though.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37130
Re: Ebay Login - False Positive???
« Reply #1 on: June 06, 2018, 03:36:52 PM »
Quote
Ebay Login - False Positive???     
Use Viruses and Worms forum section for False positive posts


as the info for this section says
>>Avast Free/Pro/IS/Premier topics and issues, not viruses or false alarms here!<<

Screenshots of Avast messages are a big help, then we avoid the ... or something like that

« Last Edit: June 06, 2018, 03:40:34 PM by Pondus »

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #2 on: June 06, 2018, 03:58:25 PM »
Not really comfortable to log in again, but the Avast abort connection warning is "JS Redirector -BKG"

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37130
Re: Ebay Login - False Positive???
« Reply #3 on: June 06, 2018, 04:03:59 PM »
Quote
  JS Redirector -BKG   
Meaning it contains a JavaScript (JS) that redirects you to another site

The Avast message should also say exactly where it sees this .... a screenshot says more than a thousand words    ;)


« Last Edit: June 06, 2018, 04:10:53 PM by Pondus »

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #4 on: June 06, 2018, 04:25:55 PM »
I tried Internet Explorer, a browser that I never use, and no problem.
I will post a screen shot.

Thank you for your kind help.
« Last Edit: June 06, 2018, 04:34:00 PM by The Sniggler »

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #5 on: June 06, 2018, 04:45:46 PM »
Here is the SS...  also, please see below thread for discussion...thanks.

https://community.ebay.com/t5/Technical-Issues/JS-Redirector-BKD/td-p/27724701
« Last Edit: June 06, 2018, 04:50:05 PM by The Sniggler »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #6 on: June 06, 2018, 06:45:17 PM »
Susceptible to man-in-the-middle attacks:

SSL expires soon
HTTP Strict Transport Security (HSTS) not enforced
HSTS header does not contain max-age
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Secure cookies not used

Vulnerable to cross-site attacks:

HttpOnly cookies not used
HttpOnly cookies not used
When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain type of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
EXPECTED:
[all set-cookie headers include 'httponly']
FOUND:
set-cookie (s): s HttpOnly;, set-cookie (dp1): dp1, set-cookie (ebay): ebay, set-cookie (nonsession): nonsession

Emails can be fraudulently sent: Lenient SPF filtering
Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should definitely not contain (+all) or (?all) mechanisms, as these allow any domain to send email posing as this domain. This record should preferably not use the (~all) mechanism, as this will still allow emails flagged as being from an invalid domain, but will still allow the message to be delivered. Best practice is to use (-all).
EXPECTED:
contains -all
FOUND:
contains ~all

DNS is susceptible to man-in-the-middle attacks:

DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
EXPECTED:
true
FOUND:
false

Not all is resolving: https://urlquery.net/report/cb19788e-6e82-4cee-b17a-c348840f0aaf

Only CLEANMX comes up with a detection for PHISHING.

Detection for
Quote
All Malicious or Suspicious Elements of Submission
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
-signin.ebay.com/ws/$$d$$ benign
-(embed) -signin.ebay.com/ws/$$d$$
     status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;_trksid=m570.l1524)saved 16879 bytes 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6
     info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js
     info: [script] -secureinclude.ebaystatic.com/js/e1057/us/v4_e10572us.js
     info: [script] -secureinclude.ebaystatic.com/js/e1057/us/e10572us.js
     info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
     info: [img]- ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
     info: [img] -ir.ebaystatic.com/cr/v/c1/66165_060618_BAU_VA_FLASH_COUPON_D150x30_R1.png
     info: [script] -ir.ebaystatic.com/rs/v/qd3dhgal0203tnw1xo4kmgsjcmq.js
     info: [img] -rover.ebay.com/roverimp/0/0/9?imp=1018649
     file: 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6: 16879 bytes
/////////////////////
: [script] wXw.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
     info: [script] -secureinclude.ebaystatic.com/js/v/in/roverlv.js
     info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
     info: [img] -ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
     info: [img] -rover.ebay.com/roversync/?site=0&amp;stg=1&amp;mpt=1528302877907
     info: [img] -c.paypal.com/v1/r/d/b/ns?s=EBAY_SIGNIN&amp;js=0&amp;r=1&amp;f=d5f33c851630ab112eb6b596ff94caa8
     info: [iframe] wXw.ebay.com/n.html?id=usllpic0&amp;id=d5f33cd31630ab112eb03b20fffbb256&amp;suppressFlash=true
     info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js#SYS-ZAM_e1063_1_EUS
     info: [script]- ir.ebaystatic.com/rs/v/dw5a31rmxmzjfazlcvx4wnwylmt.js
     info: [embed] -signin.ebay.com/ws/$$d$$
     info: [decodingLevel=0] found JavaScript
     error: line:162: SyntaxError: missing ; before statement:
          error: line:162: t.msg=msg;t.ajxUrl=msg.svcConfig.url;if(t.tkSp)t.tkSp.innerHTML="<input type="hidden" name=""+t.tkP4S+"" value=""+t.tkvalue+"">";},udtImgSrc:function(urlObj){var t=this,url=t.imUrl,p4S=t.tkP4S,value=t.tkvalue;if(urlObj){if(urlObj.url)t.imUrl=url=urlObj.ur
          error: line:162: ................................................................^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD HTML 4.01 Transitional/EN" "-http:/www.w3.org/TR/html4/loose.dtd"><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><script src="-https:/www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js" t
          error: line:3: ...............^
     file: 56b5297e88f451e05e14a9687962420025555493: 176541 bytes
-www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js suspicious
[suspicious:5] (ipaddr:23.209.177.108) (script) -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
     status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;_trksid=m570.l1524)saved 205496 bytes 5ad5129f9cef2979443f55661271399ed7db90cb
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [img] -www.ebay.com/rdr/js/s/
     info: [decodingLevel=0] found JavaScript
     error: undefined function document.querySelectorAll
     error: undefined variable s9F
     info: DecodedGenericCLSID detected CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA
     suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
     info: DecodedMsg detected /info.ActiveXObject ShockwaveFlash.ShockwaveFlash
     info: [decodingLevel=1] found JavaScript
     info: file: saved -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js to (5ad5129f9cef2979443f55661271399ed7db90cb)
     file: 5ad5129f9cef2979443f55661271399ed7db90cb: 205496 bytes
     file: d897ae35cddc448eda57f3bc8898014a9c10fe74: 248 bytes
See sources and sinks in that code: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.ebay.com%2Frdr%2Fjs%2Fs%2Frrbundle-v1.0.2.js

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
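
The HSTS, cookie-flag and SPF checks listed in the report above can be reproduced offline against captured header values. This is an added example, not part of the original post or any scanner's own code; the function names and the sample values are constructed for illustration, and only the cookie names are taken from the report.

```python
import re

def audit_hsts(value):
    """Findings for one Strict-Transport-Security value (None if header absent)."""
    if not value:
        return ["HSTS not enforced"]
    d = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        d[name.lower()] = arg.strip('"')
    age, findings = d.get("max-age", ""), []
    if not age.isdigit():
        findings.append("no max-age")
    if "includesubdomains" not in d:
        findings.append("no includeSubDomains")
    # Preload criteria (hstspreload.org): max-age >= 1 year, includeSubDomains, preload.
    ok = age.isdigit() and int(age) >= 31536000
    if not (ok and "includesubdomains" in d and "preload" in d):
        findings.append("not preload-ready")
    return findings

def audit_cookies(set_cookie_headers):
    """Map cookie name -> attributes missing among HttpOnly and Secure."""
    missing = {}
    for header in set_cookie_headers:
        pair, *attrs = header.split(";")
        flags = {a.strip().split("=", 1)[0].lower() for a in attrs}
        gaps = [f for f in ("httponly", "secure") if f not in flags]
        if gaps:
            missing[pair.split("=", 1)[0].strip()] = gaps
    return missing

def spf_all_qualifier(record):
    """Qualifier on the SPF 'all' mechanism: '+', '?', '~', '-' or None."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([+?~-]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # bare "all" means "+all"
    return None

# Constructed sample input: cookie names from the report, values invented.
SAMPLE_COOKIES = ["s=x; Path=/; HttpOnly", "dp1=x; Path=/",
                  "ebay=x; Path=/", "nonsession=x; Path=/"]
SAMPLE_SPF = "v=spf1 include:_spf.example.test ~all"
print(audit_hsts(None), audit_cookies(SAMPLE_COOKIES), spf_all_qualifier(SAMPLE_SPF))
```

A `~` result corresponds to the report's "FOUND: contains ~all", and any cookie listed in the `audit_cookies` output is one a client-side script or a plain-HTTP request could expose.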

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #7 on: June 06, 2018, 07:30:34 PM »
Thank you once again... however, I am not an expert.

Please explain what all of this means and what I should do?

4 Avast and MBytes scans come up zero, ADW Cleaner = same.
« Last Edit: June 06, 2018, 07:45:05 PM by The Sniggler »

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #8 on: June 06, 2018, 10:54:54 PM »
I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately. I am running a boot scan for safety's sake.

Also tried it on a second machine - Avast ids the threat as before.

Wonder what is going on? Hard to believe the Ebay login is infected and there is no word about it.....

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #9 on: June 06, 2018, 11:17:48 PM »
Howdy to you, The Sniggler,

Hopefully an avast team member will come to this thread and give the detection or FP the final verdict.

The detection for "Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold"
is a generic IDS detection, the code is running longer than expected max run-time,
and that is always somewhat alarming.

As you can see, it says in the unpacker javascript evaluation SUSPICIOUS,
so that does not mean malicious per se.

So bide your time until to-morrow as it is near a quarter past eleven in the evening here in old Europe.

EBay infested, would fill some news line on the security forums.
Hope, that is not so and that it is only a glitch in the code.

Have a nice day from here near Rotterdam some 20 kilometers from the North-Sea coast,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

P.S. In the meantime the analysts of such browser based issues, can read here for backgrounds:
https://www.aldeid.com/wiki/Category:Digital-Forensics/Browser-based-Malwares/JavaScript

Damian
« Last Edit: June 06, 2018, 11:28:50 PM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37130
Re: Ebay Login - False Positive???
« Reply #10 on: June 06, 2018, 11:24:18 PM »
Quote
I deleted immediately. i am running a boot scan for safety sake.   
Why boot scan?

Boot scan does not give any better detection, it is the same engine and signatures that run. It is a tool meant to be used if you have problems removing an infection


Quote
  I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately.  
So now you can't send it to avast lab for analysis   ::)
Why the rush to delete quarantined items?

« Last Edit: June 06, 2018, 11:28:49 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33373
  • malware fighter
Re: Ebay Login - False Positive???
« Reply #11 on: June 06, 2018, 11:38:41 PM »
Hi Pondus,

As I added there "Do not panic", everything is under control and soon it will be clear if it is code to be quarantined (and then inside the chest, it cannot do any harm like someone jailed) or it is indeed not the real McCoy and a false positive, and all can give a sigh of relief.  ;D

We shall see what will be the final outcome soon,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85956
  • No support PMs thanks
Re: Ebay Login - False Positive???
« Reply #12 on: June 06, 2018, 11:40:12 PM »
Quote
I deleted immediately. i am running a boot scan for safety sake.   
Why boot scan?

Boot scan does not give any better detection, it is the same engine and signatures that run. It is a tool meant to be used if you have problems removing an infection
<snip quotes>

Probably because avast suggests running a boot time scan after an alert.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.9.2494 (build 21.9.6698.703) UI 1.0.672/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #13 on: June 06, 2018, 11:46:24 PM »
I removed it to get it off my system.... I have not had a virus in the past 15 years and thought removal was best.

I did the boot scan to be absolutely sure there was nothing on my PC. I always thought the boot scan was the most thorough. Thanks for your advice.

It is strange that Avast says that the connection to Ebay is aborted, but I can still log on. So the connection is not cut.

Also, I note that if I clear the notification in Avast the warning does not re-appear. However, if I reboot and then start over, then the warning will re-appear.

I wish I knew what is going on here... although others have faced this in the past, there is no other current discussion of this anywhere and I have been an Ebay user for many years with no problems. No clue as to what to do with my Ebay listing as I am afraid to log on.

Thanks again.




Offline The Sniggler

  • Full Member
  • ***
  • Posts: 120
Re: Ebay Login - False Positive???
« Reply #14 on: June 06, 2018, 11:50:36 PM »

Have a nice day from here near Rotterdam some 20 kilometers from the North-Sea coast,

Damian

Many, many thanks for your kind words... from your icon, I thought Poland, perhaps.