Author Topic: Question on False Alarm Hit..  (Read 4761 times)

merchelweb

  • Guest
Question on False Alarm Hit..
« on: October 26, 2009, 06:52:47 PM »
I have built a few sites and I received an email earlier today from a user of my site. He received an alert from his avast program saying that the page he was on contained a virus. He included a screen shot of this and this is something new to me. I have never used avast but it concerns me that he got this false alert from my site. The site is relatively new and very low traffic at the present time. I have searched my site code and I see no indications that it has been hacked. The only thing that I can think of is that he possibly received the error from the Google AdSense code. Has anyone seen this? And what would be some suggestions?

Regards,
Brad

Hermite15

  • Guest
Re: Question on False Alarm Hit..
« Reply #1 on: October 26, 2009, 06:56:19 PM »
Could you post the screen shot here? Just mask the web site name if you prefer; what's needed is just the type of infection that was detected... Yeah, a third-party site could be responsible too... but AdSense, I have doubts... I suppose that Google is checking the content of the ads and where they link to.
« Last Edit: October 26, 2009, 06:58:46 PM by Logos »

spg SCOTT

  • Guest
Re: Question on False Alarm Hit..
« Reply #2 on: October 26, 2009, 07:02:06 PM »
Welcome to the forums, merchelweb.

If you could post the link to the site that the user was alerted on, then someone here could take a look to see anything...
Just remember to deactivate the link (change http to hXXp or www to wXw) that way, people can't potentially infect themselves...

This kind of detection is very common these days, with many 'legitimate sites' becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

-Scott-

merchelweb

  • Guest
Re: Question on False Alarm Hit..
« Reply #3 on: October 26, 2009, 07:03:31 PM »
Below is the screenshot he sent me.


Hermite15

  • Guest
Re: Question on False Alarm Hit..
« Reply #4 on: October 26, 2009, 07:08:40 PM »
So that's your own site, right... The detection is about an iFrame (I'm not a specialist, others might bring you more details here...). iFrames are hidden pieces of script able, if programmed that way, to redirect to a bad site. You should check your server or ask your host to scan it for you.

spg SCOTT

  • Guest
Re: Question on False Alarm Hit..
« Reply #5 on: October 26, 2009, 07:12:32 PM »
Your site seems to have been hacked...

http://www.UnmaskParasites.com/security-report/?page=www.junkshed.com/index.php%3Fcityid%3D21

There are two hidden iframes pointing to hxxp://msnupdateserver.info...which according to Google is malicious...

I presume that you didn't put them there...



A post worth reading by DavidR:

Actually, cleaning the file is not going to resolve why you got hacked; it will only clean the file (well, avast doesn't clean the file, it just alerts to it; you have to find and strip out the injected code) and not the cause. You need to contact your host, see below.

-- HACKED SITES - This is commonly down to old content management software being vulnerable; see this example of a HOST's response to a hacked site.
Quote
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains.  We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any "default.aspx" or "default.cfm" pages as those are popular targets too.

2. Remove any "rogue" files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

3. Check all .htaccess files, as hackers like to load re-directs into them.

4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a "strong" password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server-side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.



Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.



-Scott-


EDIT: This is what avast! is alerting on, I have just tested it...
« Last Edit: October 26, 2009, 07:14:46 PM by spg SCOTT »
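
Steps 1 and 3 of the host's cleanup list quoted in Reply #5 (injected hidden iframes in index pages, redirects loaded into .htaccess) can be checked mechanically. The following is an added example, not code from any poster or from avast; the function names, `mysite.example` and the `bad.example` hosts are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TINY = {"0", "1", "0px", "1px"}          # sizes that make a frame invisible
HIDING_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Redirect* / RewriteRule lines whose target is an absolute URL
HTACCESS_RULE = re.compile(
    r"^[ \t]*(?:Redirect\w*|RewriteRule)\b.*?(https?://[^\s\"']+)", re.I | re.M)

def is_offsite(url, site_host):
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host != site_host and not host.endswith("." + site_host)

class IframeAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "").strip() for k, v in attrs}
        hidden = (a.get("width", "").lower() in TINY or a.get("height", "").lower() in TINY
                  or HIDING_CSS.search(a.get("style", "")) is not None)
        if hidden and is_offsite(a.get("src", ""), self.site_host):
            self.findings.append((self.getpos()[0], a["src"]))

def find_hidden_iframes(html, site_host):
    """Return (line, src) for every hidden iframe that loads from another host."""
    audit = IframeAudit(site_host)
    audit.feed(html)
    return audit.findings

def find_htaccess_redirects(text, site_host):
    """Return (line, url) for redirect directives that send visitors off-site."""
    return [(text.count("\n", 0, m.start(1)) + 1, m.group(1))
            for m in HTACCESS_RULE.finditer(text) if is_offsite(m.group(1), site_host)]

# Constructed sample inputs (not taken from the site discussed in the thread)
SAMPLE_PAGE = """<html><body>
<h1>Listings</h1>
<iframe src="/widgets/map.html" width="300" height="200"></iframe>
<iframe src="http://updates.bad.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="http://video.partner.example/embed/42" width="560" height="315"></iframe>
</body></html>"""
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} google\. [NC]
RewriteRule .* http://redirect.bad.example/go [R=302,L]
Redirect 301 /old https://www.mysite.example/new"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE, "mysite.example"))
    print(find_htaccess_redirects(SAMPLE_HTACCESS, "mysite.example"))
```

Visible third-party embeds and same-site redirects are deliberately not reported, so every hit is something the site owner should be able to explain; iframes written into the page by obfuscated JavaScript will not appear in static HTML and need a separate check.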

merchelweb

  • Guest
Re: Question on False Alarm Hit..
« Reply #6 on: October 26, 2009, 07:13:08 PM »
Yes, this is my site.. Going through the code line by line, I think I may have found it.

merchelweb

  • Guest
Re: Question on False Alarm Hit..
« Reply #7 on: October 26, 2009, 07:14:45 PM »
I have found the code. I appreciate your help with this. This is something that I haven't run into before..

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Question on False Alarm Hit..
« Reply #8 on: October 26, 2009, 07:37:39 PM »
Then you need to close the vulnerability or it could well be back again, check out the quoted text in Reply #5 as a start point.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

spg SCOTT

  • Guest
Re: Question on False Alarm Hit..
« Reply #9 on: October 26, 2009, 08:09:07 PM »
That was quick... ;D
The Unmaskparasites link in my last post now reports it as clean...

Good on you for reporting this, many site owners will just dismiss reports of this nature ::)
I hope you will also consider the other points mentioned...

-Scott-

Hermite15

  • Guest
Re: Question on False Alarm Hit..
« Reply #10 on: October 26, 2009, 08:15:09 PM »
Quote
many site owners will just dismiss reports of this nature
true, the number of them who just let go during months is amazing; nice reaction the OP had here  ;)