Author Topic: Puzzled by trojan alert on friend's website  (Read 10558 times)


starrigger

  • Guest
Puzzled by trojan alert on friend's website
« on: September 24, 2009, 04:46:34 AM »
Hi.  This afternoon I googled a friend's website and as soon as I clicked the link, I got a popup window that looked like Avast (grey box, radiation symbol) saying that a Trojan horse had been detected on the site.  This seemed odd, as it's a simple html site.  The warning in the log said:

Application 1824  Sign of "HTML:Illiframe-B [Trj] has been found in "http://www.earthlink [dot] net/~haldeman/" file.

I canceled the request and closed the window.  

I tried later from a different computer (both run Avast Pro) and got the same result, but it happened on mouseover of the link--not even requiring clicking the link.  

Later still, I tried it again.  This time, the warning no longer occurred from a Google search page.  But when I did the same search on Bing, I clicked a link with the same URL, and got the warning popup--plus, in this case, a maroon screen saying:

Quote
Reported Attack Site!

   This web site at home.earthlink.net has been reported as an attack site and has been blocked based on your security preferences.
Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.

Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.

I clicked nothing, but closed the window.  

Why would the warning occur from Google, for a while, then stop?
Why would it occur from Bing, when it's not occurring on Google?
Why would I get a warning on mouseover (sometimes)?  
Might these be phishing links, and how could I tell?


I have no idea if the warning is legit, or what it indicates. I'm trying to find out for my friend if there might be a problem with his site.  But he's in the middle of a medical crisis, so I really just wonder what information I should pass on to someone who might be in a position to deal with it for him.

I'm running an Avast scan on my own computer right now, just to be on the safe side.  
« Last Edit: September 24, 2009, 05:27:51 AM by starrigger »

YoKenny

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #1 on: September 24, 2009, 10:11:07 AM »
Please read:
Every 3.6 seconds a website is infected 
http://forum.avast.com/index.php?topic=47096.0

Your friend's site has been hacked.

Your system will be safe as the infection has been prevented.

Maybe Earthlink.net can help but they probably will just delete the site.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Puzzled by trojan alert on friend's website
« Reply #2 on: September 24, 2009, 03:12:04 PM »
I tried to check this out but the URL you gave states the page isn't on the web site (see image), so perhaps they have taken the site down. Either that or the URL you gave or I typed in was wrong, check the URL in the image and confirm it is correct please?
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

starrigger

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #3 on: September 25, 2009, 05:50:36 AM »
Quote
I tried to check this out but the URL you gave states the page isn't on the web site (see image), so perhaps they have taken the site down. Either that or the URL you gave or I typed in was wrong, check the URL in the image and confirm it is correct please?

Dang.  I was trying to be careful, typing in the URL, and I got it wrong.  

It's hXXp://home.earthlink.net/~haldeman/

I just checked it again, and it still has the maroon sign saying it's a "reported attack site."  So I guess it has been hacked.  Just what he needs, in the middle of a medical crisis.

Thanks.  

But I'm still puzzled by the occasions on which I got the Avast warnings after simply mousing over the link to the site.  Does Avast actually do something to check sites before you click on them?

« Last Edit: September 26, 2009, 01:59:16 AM by starrigger »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Puzzled by trojan alert on friend's website
« Reply #4 on: September 25, 2009, 01:36:23 PM »
Quote
But I'm still puzzled by the occasions on which I got the Avast warnings after simply mousing over the link to the site.  Does Avast actually do something to check sites before you click on them?
Which is your browser? Any addon that could try to get information from the links on the page?
I couldn't scan the site with Dr. Web... scanning hangs?!
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Puzzled by trojan alert on friend's website
« Reply #5 on: September 25, 2009, 04:17:46 PM »
<snip>
Dang.  I was trying to be careful, typing in the URL, and I got it wrong. 

It's hXXp://home.earthlink.net/~haldeman/

I just checked it again, and it still has the maroon sign saying it's a "reported attack site."  So I guess it has been hacked.  Just what he needs, in the middle of a medical crisis.

Now I have the right URL, I can't even get close enough to check as Firefox blocks it on its safebrowsing checks, see image. Unfortunately there is no way I would use IE as my browser to check out a suspect site.

Please 'modify' your post change the URL from http to hXXp or www to wXw, as I did with the quoted text to break the link and avoid accidental exposure to suspect sites, thanks.

Quote
But I'm still puzzled by the occasions on which I got the Avast warnings after simply mousing over the link to the site.  Does Avast actually do something to check sites before you click on them?

avast doesn't pre-check as such, but your browser may be set to pre-fetch web pages in the background and when this happens then avast would appear to be pre-checking, but something is trying to load that page as avast is an on-access scanner.

starrigger

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #6 on: September 26, 2009, 02:07:40 AM »
Quote
Now I have the right URL, I can't even get close enough to check as Firefox blocks it on its safebrowsing checks, see image. Unfortunately there is no way I would use IE as my browser to check out a suspect site.

Please 'modify' your post change the URL from http to hXXp or www to wXw, as I did with the quoted text to break the link and avoid accidental exposure to suspect sites, thanks.

Oops--sorry.  Yes, I've broken it now.

I get the same warning notice, though the screen looks different. 


Quote
avast doesn't pre-check as such, but your browser may be set to pre-fetch web pages in the background and when this happens then avast would appear to be pre-checking, but something is trying to load that page as avast is an on-access scanner.

I'm using Firefox with McAfee SiteAdvisor.  Maybe it's SiteAdvisor that's doing the pre-fetch.  If not that, then I have no idea. 

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Puzzled by trojan alert on friend's website
« Reply #7 on: September 26, 2009, 02:54:40 AM »
OK, the screen being different is probably down to using different firefox themes, not important so long as the message is the same.

SiteAdvisor could be a contributing factor, personally I feel siteadvisor is a waste of space as its database is wildly out of date so none too accurate.

I have tried a different browser, Avant and I don't get either the firefox home.earthlink.net has been reported as an attack site (because it doesn't have that check), nor do I get an alert from avast, so perhaps they have cleaned it out, see image. Though that doesn't get round the firefox block.

I also checked out the URL using other tools, http://wepawet.iseclab.org/view.php?hash=2277e1cd96eb929b00b200e41bdb5d31&t=1253926037&type=js and http://www.google.com/safebrowsing/diagnostic?site=home.earthlink.net/~haldeman/

This is for home.earthlink.net in general and this is what is triggering the firefox alert I believe, http://www.google.com/safebrowsing/diagnostic?site=home.earthlink.net, so home.earthlink.net doesn't have a good rep.

Offline mathboyx215

  • Avast Evangelist
  • Poster
  • ***
  • Posts: 449
Re: Puzzled by trojan alert on friend's website
« Reply #8 on: September 26, 2009, 03:03:24 AM »
In firefox 3.5, there is a preference in the about:config called network.prefetch-next. It is enabled by default so that might be the reason why avast alerts you when you put your mouse over the link.
It is not possible to divide anything by zero
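
An added example, not part of any poster's message and not code from Firefox or avast: link prefetching acts on `<link rel="prefetch">` and `<link rel="next">` hints in a page, so this sketch lists the URLs a page asks the browser to fetch before any click, which are the requests an on-access web scanner would then inspect. The hosts, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# <link rel=...> values that link prefetching acts on.
PREFETCH_RELS = {"prefetch", "next"}

# Constructed sample: a search results page (all hosts are placeholders).
BASE_URL = "http://results.example/search?q=haldeman"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="prefetch" href="http://site-a.example/~user/">
<link rel="Next" href="/search?q=haldeman&amp;start=10">
<link rel="prefetch" href="ftp://site-c.example/file">
</head><body>
<a href="http://site-b.example/">an ordinary result link</a>
</body></html>
"""

class PrefetchHintParser(HTMLParser):
    """Collect (rel, absolute URL) for every prefetch hint in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.hints = []  # kept in document order

    def handle_starttag(self, tag, attrs):
        if tag != "link":  # plain <a> links are not prefetch hints
            return
        attr = {name: (value or "") for name, value in attrs}
        matched = sorted(set(attr.get("rel", "").lower().split()) & PREFETCH_RELS)
        href = attr.get("href", "").strip()
        if not matched or not href:
            return
        url = urljoin(self.base_url, href)  # resolve relative hrefs
        # Keep only http/https targets, the traffic a web scanner sees.
        if url.lower().startswith(("http://", "https://")):
            self.hints.append((matched[0], url))

def prefetch_targets(html, base_url):
    """Return the URLs this page would have the browser load unprompted."""
    parser = PrefetchHintParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.hints

if __name__ == "__main__":
    for rel, url in prefetch_targets(SAMPLE_HTML, BASE_URL):
        print(rel, url)
```

Setting `network.prefetch-next` to false in about:config stops Firefox from acting on these hints.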

starrigger

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #9 on: September 26, 2009, 03:22:53 AM »
Quote
OK, the screen being different is probably down to using different firefox themes, not important so long as the message is the same.

SiteAdvisor could be a contributing factor, personally I feel siteadvisor is a waste of space as its database is wildly out of date so none too accurate.

I have tried a different browser, Avant and I don't get either the firefox home.earthlink.net has been reported as an attack site (because it doesn't have that check), nor do I get an alert from avast, so perhaps they have cleaned it out, see image. Though that doesn't get round the firefox block.

I also checked out the URL using other tools, http://wepawet.iseclab.org/view.php?hash=2277e1cd96eb929b00b200e41bdb5d31&t=1253926037&type=js and http://www.google.com/safebrowsing/diagnostic?site=home.earthlink.net/~haldeman/

This is for home.earthlink.net in general and this is what is triggering the firefox alert I believe, http://www.google.com/safebrowsing/diagnostic?site=home.earthlink.net, so home.earthlink.net doesn't have a good rep.

Thanks for that.  I just temporarily unchecked "block reported attack sites" in Firefox and visited the site, and all seemed well.  (Then I restored the block in my options, and the Firefox warning reappeared.) 

So earthlink might be having problems, and now Joe's site is listed in whatever database Firefox draws on for the warnings.  (Well, actually, since Avast first gave the warning, there probably really was a problem on his site.  But since Avast no longer gives a warning, presumably it's been cleaned out.  Fair presumption?)  I wonder what has to be done to get that Firefox warning cleared. 

starrigger

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #10 on: September 26, 2009, 03:24:00 AM »
Quote
In firefox 3.5, there is a preference in the about:config called network.prefetch-next. It is enabled by default so that might be the reason why avast alerts you when you put your mouse over the link.

Okay, that makes sense.  (I guess.) 

YoKenny

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #11 on: September 26, 2009, 10:58:19 AM »
Maybe you need to run CCleaner to clean out the Temporary Internet Folder (TIF is what it is called in IE)
CCleaner v2.23.999 - Slim http://www.ccleaner.com/download/builds

McAfee SiteAdvisor is useless like DavidR says as it lists sites as good with known malware.

Joe Haldeman looks like an interesting person having taught at MIT and published several books.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89064
  • No support PMs thanks
Re: Puzzled by trojan alert on friend's website
« Reply #12 on: September 26, 2009, 02:42:08 PM »
<snip>
Thanks for that.  I just temporarily unchecked "block reported attack sites" in Firefox and visited the site, and all seemed well.  (Then I restored the block in my options, and the Firefox warning reappeared.) 

So earthlink might be having problems, and now Joe's site is listed in whatever database Firefox draws on for the warnings.  (Well, actually, since Avast first gave the warning, there probably really was a problem on his site.  But since Avast no longer gives a warning, presumably it's been cleaned out.  Fair presumption?)  I wonder what has to be done to get that Firefox warning cleared. 

You're welcome.

The problem with the firefox reported attack sites alert is, it is guilt by association as Joe's site being on the home.earthlink.net sub-domain and it is a cumulation of other such sites in the home. sub-domain.

So earthlink have to take action across the board so that their sites in that area are free from malware.

starrigger

  • Guest
Re: Puzzled by trojan alert on friend's website
« Reply #13 on: September 26, 2009, 08:01:33 PM »
Quote
Maybe you need to run CCleaner to clean out the Temporary Internet Folder (TIF is what it is called in IE)
CCleaner v2.23.999 - Slim http://www.ccleaner.com/download/builds

McAfee SiteAdvisor is useless like DavidR says as it lists sites as good with known malware.

Joe Haldeman looks like an interesting person having taught at MIT and published several books.

Is that different from clearing the cache? 

That's two votes against McAfee.  Maybe it's just another unnecessary resource drain. 

Joe Haldeman's actually a world-renowned SF writer (The Forever War and others), with numerous awards for his books.  He's also, unfortunately, in the hospital and completely unable to attend to any of this about his website right now.  I'm trying to gather information about it to pass on to his wife. 

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Puzzled by trojan alert on friend's website
« Reply #14 on: September 26, 2009, 08:08:25 PM »
Quote
Is that different from clearing the cache? 
CCleaner cleans more applications and system places than just the browser cache.

Quote
That's two votes against McAfee.  Maybe it's just another unnecessary resource drain. 
3 ;)