Author Topic: HTML:Iframe-inf exploit  (Read 14014 times)

0 Members and 1 Guest are viewing this topic.

digitalnotepad

  • Guest
HTML:Iframe-inf exploit
« on: April 29, 2009, 01:08:10 PM »
Hi everyone, I'm new here.  Just read Avast news on the above exploits on legit websites.  Like to report the following website for Avast to look into.  Cheers.

site: hxxp://www.learncpp.com

possible exploit detected:
file: hxxp://feeds.feedburner.com/LearnCpp\{gzip}
Malware name: HTML:Iframe.inf
Malware type: Virus/Worm
« Last Edit: April 29, 2009, 07:57:04 PM by digitalnotepad »

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: HTML:Iframe-inf exploit
« Reply #1 on: April 29, 2009, 01:38:10 PM »
Hello and welcome to forum.

please note that it's better to write the link to infected sites in this format:   hXXp://www.virus-site.com/

Twitter: OmidFarhangEn - OS: Manjaro KDE

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: HTML:Iframe-inf exploit
« Reply #2 on: April 29, 2009, 05:55:48 PM »
Well it shouldn't be avast looking into it but the site owners, etc.

However, the learncpp.com loads OK for me and no alert, the detection is on the feedburner.com site. It is only when you click on the Entries RSS link that avast alerts having tried to load the hXXp://feeds.feedburner.com/LearnCpp page.

So it look like the feedburner.com site has been hacked as there has been a script inserted into that page right in the middle of a Sentence (see edited image to make it easier to see). This is a 1x1 sized iframe, suspicious.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

digitalnotepad

  • Guest
Re: HTML:Iframe-inf exploit
« Reply #3 on: April 29, 2009, 08:04:38 PM »
Hi all

Posted on this forum as the 'avast news' April 29, 2009 mentions:

"If avast! displays this warning, you should discontinue your attempt to connect to that particular website and either report the infection to the relevant party so that it can be removed, or post a message on the avast! forum in the section Viruses and Worms so that it can be investigated to determine whether the website is really infected. "

True, avast detected the exploit as soon as the site learncpp was accessed.  Not sure why others are not detecting it stright away.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: HTML:Iframe-inf exploit
« Reply #4 on: April 29, 2009, 08:40:05 PM »
Because avast basically is one of the few that even check and avast IMHO is the best, of all the ones reported in these forums that I have checked every one has proved to be a good detection.

avast is all over this latest fast growing exploit of injecting iframes or script (into legit sites) like a rash.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

shmo3

  • Guest
Re: HTML:Iframe-inf exploit
« Reply #5 on: April 29, 2009, 09:01:42 PM »
im not sure if this a iframe exploit..

avast! found it... i move to chest.. if someone can help me get a little more info about this thx..

hxxp://www.gamespy.com

file name: bg-tab-lft-0[1].gif

malware name: nutcracker family

malware type:virus/worm


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: HTML:Iframe-inf exploit
« Reply #6 on: April 29, 2009, 09:09:09 PM »
There is a topic on this one, which I have reported as a false positive.

Try a forum search for bg-tab-lft-0, you should find it.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

txbutsko

  • Guest
Re: HTML:Iframe-inf exploit
« Reply #7 on: April 29, 2009, 09:39:54 PM »
I am new to this site as well, and need to let someone know I got the warning about hacked websites when trying to access Southwest DING! Will someone be able to check hxxp://www.southwest.com?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: HTML:Iframe-inf exploit
« Reply #8 on: April 29, 2009, 10:54:46 PM »
Nothing (no avast alert) on the URL you gave is that full URL ?

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx or URL, see #### below) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe - Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

almac152

  • Guest
Re: HTML:Iframe-inf exploit
« Reply #9 on: July 04, 2009, 10:53:48 PM »
Iwant to report another website with the HTML:lframe-inf virus, www.slingo.com.. When attempting to download a number of different games I was told by Avast to disconnect..

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: HTML:Iframe-inf exploit
« Reply #10 on: July 04, 2009, 11:13:27 PM »
Hi almac152,

Please, make the link non-clickable by putting wXw.slingo.com

Apparently not functioning, but this might be it:
Level: 2) Url checked: (script source)
hxtp://ad.yieldmanager.com/+rm_url+
Blank page / could not connect
No ad codes identified
Malicious software includes 178 trojan(s), 171 exploit(s), 49 scripting exploit(s).

This site was hosted on 6 network(s) including AS14778 (INKTOMI), AS36752 (YAHOO), AS14777 (INKTOMI).

It seems that ad.yieldmanager.com during the last 90 days been redirecting to infect 362 sites, including e.g. thepiratebay.org/, servimg.com/, xinhxinh.com.vn/


polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: HTML:Iframe-inf exploit
« Reply #11 on: July 04, 2009, 11:28:28 PM »
Where you should really be reporting it is the webmaster as it looks like their site has been hacked, very common now. I have had a very quick rummage around but didn't find anything - Can you give the full path that avast is alerting on so we don't have to go looking, note the comments #### below.

####
Please 'modify' your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: HTML:Iframe-inf exploit
« Reply #12 on: July 04, 2009, 11:42:59 PM »

It seems that ad.yieldmanager.com during the last 90 days been redirecting to infect 362 sites, including e.g. thepiratebay.org/, servimg.com/, xinhxinh.com.vn/

ad.yieldmanager.com is blocked by hpHosts and MVPS HOSTS file.

Currently listening to
Hey You From The Album The Wall by Pink Floyd
http://4everfloyd.com
« Last Edit: July 04, 2009, 11:45:35 PM by YoKenny »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: HTML:Iframe-inf exploit
« Reply #13 on: July 04, 2009, 11:49:59 PM »
Hi readers of this thread,

Some general info on this parasite, you'll find here:
http://www.wiki-security.com/wiki/Parasite/adyieldmanagercom
Not a link you like to have on any webpage, I guess,

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!