Author Topic: What do I do because I HAVENT got a virus on my website but avast warns I have.  (Read 7152 times)

365drills

  • Guest
My website is http://www.365drills.com but some customers report a false claim the site is showing a virus / worm via website avast

I know our site is safe and there is no worm but what do I do to correct this?  It seems like a case of mistaken identity.

I am not a techie, so is there anything I can do via FTP to change my pages to stop this warning? We do have some YouTube vids embedded but I doubt it would be that.

What are we doing that would cause avast users to flag this up?

Richard

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11849
    • AVAST Software
If you are so sure that your site is safe, then I'd ask - what is that encrypted block of javascript, appended to the end of the main page?
It certainly doesn't look right.

365drills

  • Guest
Hi all that was - was a link thing that a company called free index wanted us to add to share link exchange. 

If you think it's causing grief, I have deleted it from the main index.

The index is a frameset (nav and main), so I hope that deleting that has removed any avast confusion with worms and malware.

I do usually keep a frame javascript in each page so that if viewed out of its frameset the viewer is taken back to the landing page.

Richard

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Well personally, I would have to wonder why they have to go to such lengths to hide what the javascript is doing. Considering that javascript is a plain language scripting tool.

To have this monster piece of obfuscated script on my site where I haven't got the faintest idea what it is for, no way. See image, this is what avast is alerting on, I have broken the single line of script to make it easier to see.

As for some sort of link exchange, I don't see how this could help either party as any link exchange should surely be able to be seen by search-bots indexing your site.

I see no problem in having javascript to keep navigation within the frameset, but there really is no need to obfuscate in this way, if that is what is going on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

sded

  • Guest
Both Comodo Site Inspector and Link Scanner refuse to scan your website.  Not a good sign; no way to verify its integrity independently.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Hi 365drills,

I saw no flags by other link checkers, like Norton Safe Web and Exploit Prevention Labs LinkChecker,
WOT, scandoo, McAfeeSiteAdvisor or finjan. Dr Web av link checker gives:
Checking: hxxp://www.365drills.com/
Engine version: 4.44.0.9170
File size: 2522 bytes

hxxp://www.365drills.com/ - archive HTML
>hxxp://www.365drills.com//Script.0 - Ok
hxxp://www.365drills.com/ - Ok

Checking: hxxp://www.365drills.com/nav.htm
File size: 6963 bytes

hxxp://www.365drills.com/nav.htm - Ok

Checking: hxxp://www.365drills.com/homepage.htm
File size: 7458 bytes

hxxp://www.365drills.com/homepage.htm - Ok

Comodo Inc.:

URL    Result
hxxp://www.365drills.com    clean


Think avast just warned about the possibly suspicious obfuscated JS,

polonus
« Last Edit: January 26, 2009, 02:07:33 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jsejtko

  • Avast team
  • Full Member
  • *
  • Posts: 171
    • ALWIL Software
Hello,

The script included in your index.html looks very suspicious.

This script contains an encrypted iframe that points to a malware server. That server is trying to look like a legitimate counter, but it is not. Please remove it (look at DavidR's message with a picture of the script -> the script in the picture has to be removed from your index.html).

Please let us know what company (url) requested that script on your website.

Regards

CharleyO

  • Guest
***

This is most likely the company ......

http://www.freeindex.co.uk/


***

365drills

  • Guest
All:  Thanks for this.

I have now removed that link, which was (correctly observed) to be a link to http://www.freeindex.co.uk, a website that acts as a search engine for companies.

If that piece of code was enough to upset some of my customers then I don't want it.

Hopefully all that is now left is a basic site with html coding plus a little bit of javascript to turn off text underlining and a frames checker.

I just want a simple site with a navigation bar on the left and a content area on the right.  I do know some search engines don't like frames, which is why I have another site http://www.365drills.net so that hopefully I get the best of both worlds.

The code is now deleted from http://www.365drills.com homepage so I hope that this resolves the problem.   

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
You're welcome, glad your problem is resolved.

More importantly you have learnt an important lesson in this type of obfuscated script, without the tools and experience you would never know what it does and have to 'trust' (something in short supply) the originator.

365drills

  • Guest
This is still causing concern.  This is a message from our forum

oh, on another note, i've been meaning to tell you that when I try to go on your site my anti-virus software (Kaspersky) goes mad. it didn't do this before, just since last week

when i go to open it, it says

Web Anti-Virus

File contains Trojan programe. You are advised to terminate the download

Trojan Program:
Trojan-downloader.JS.Agent.dmt


What am I missing here?

Hi Richard,

This continuing saga of your infected website.........

I have had a number of PMs from members who tell me that they are still
getting the virus alert message from the link to your website.

I think it probably needs more than just removing freeindex link to cure the
problem!!

Regards,

Stretch


As you can see this is affecting quite a few people.  Also this is the response from Rackspace

Hi Richard

Many thanks for your ticket, I'm afraid this is something you will need to resolve yourself by checking the contents of each of your site files for any malicious code and cleaning your files.

If you have not already done so you should action our alert of 1st December: http://www.sitehq.co.uk/clients/announcements.php?id=193

Kind regards,
Beyond Ego Limited (SiteHQ)
Support & Billing: https://www.sitehq.co.uk/clients/


So they were helpful... (Beyond ego are a part of Rackspace)

And this is the response from Kaspersky when I asked them to help
=======================================================
From: <newvirus@kaspersky.com>
 Sent: Sunday, February 15, 2009 2:54 PM
Subject: RE: [VirLabSRF][Unknown malicious program][M:1][LN:EN][L:0] [KLAN-23135085]

Hello,

This url not detect our antivirus.
if you site detect please fild detect url and sent url to mail.


=========================================================
Couldn't even understand WHAT his English was all about...  What the hell is a fild detect?


« Last Edit: February 15, 2009, 08:49:04 PM by 365drills »
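An added example, not part of any post in this thread: one way to carry out the host's advice to check each site file, using the traits the replies above point to (script appended to the end of the page, one very long line, hidden content). The thresholds, patterns and sample pages are assumptions constructed for illustration; the hidden sample decodes to a harmless paragraph.

```python
import re
from pathlib import Path

# Thresholds and patterns below are illustrative assumptions, not vendor rules.
LONG_LINE = 500          # characters on one line of script
ESCAPE_RATIO = 0.3       # share of the script made of %XX / \xXX / \uXXXX
DECODERS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
ESCAPES = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
HTML_END = re.compile(r"</html\s*>", re.I)

def audit_page(html):
    """Return one list of indicators per inline <script> that trips 2+ checks."""
    end = HTML_END.search(html)
    flagged = []
    for m in SCRIPT.finditer(html):
        body, hits = m.group(1), []
        if end and m.start() >= end.end():
            hits.append("placed after </html>")
        if any(len(line) > LONG_LINE for line in body.splitlines()):
            hits.append("very long single line")
        calls = sorted(set(DECODERS.findall(body)))
        if calls:
            hits.append("decode/write calls: " + ", ".join(calls))
        escaped = sum(len(e) for e in ESCAPES.findall(body))
        if body and escaped / len(body) > ESCAPE_RATIO:
            hits.append("mostly escaped characters")
        if len(hits) >= 2:
            flagged.append(hits)
    return flagged

def scan_tree(root):
    """Audit every .htm/.html file under root; return {relative path: findings}."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        found = audit_page(path.read_text(errors="replace"))
        if found:
            report[str(path.relative_to(root))] = found
    return report

# Constructed samples: a plain frames checker, and a benign paragraph hidden as
# %XX escapes and appended after </html>, the placement described in this thread.
FRAME_CHECK = ("<html><head><script>if (top == self) top.location = 'index.htm';"
               "</script></head><body>drills</body></html>")
HIDDEN = "".join("%%%02X" % ord(c) for c in "<p>constructed sample</p>" * 30)
APPENDED = ("<html><body>home</body></html>\n<script>document.write(unescape('"
            + HIDDEN + "'));</script>")

if __name__ == "__main__":
    print(audit_page(FRAME_CHECK), audit_page(APPENDED))
```

Run `scan_tree` against a local copy of the site downloaded over FTP; a flagged script is a prompt to inspect that file by hand, and a clean result does not prove that every file is clean.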

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Hi 365drills,

Exploit Prevention Lab's Link Scanner does not alert this site anymore:
http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://www.365drills.com/
Norton Safe Web does the same:

365drills.com
Summary
Norton Safe Web found no issues with this site.
•Computer Threats:    0
•Identity Threats:    0
•Annoyance factors:   0

Total threats on this site:    0

•Community Reviews:   0

The Norton rating is a result of Symantec's automated analysis system.
The opinions of our users are reflected separately in the community rating on the right.
General Info
Web Site Location     United Kingdom

Norton Safe Web has analyzed 365drills.com for safety and security problems.

365drills.com
Threat Report

Total threats found: 0

•Heuristic Viruses:    0
•Downloaders:    0
•Spyware:    0
•Security Risks:    0
•Hacking Tools:    0
•Trojans:    0
•Malicious Browser Changes:    0
•Drive-By Downloads:    0
•Malicious Downloads:    0
•Viruses:    0
•Suspicious Applications:    0
•Phishing Attacks:    0
•Backdoors:    0
•Remote Access Software:    0
•Information Stealers:    0
•Dialers:    0
•Worms:    0
•Adware:    0

polonus