Website detected as infected by URL:Mal with version 6.0.1119

[Yanto.Chiang]

Dear All,

This morning when i try to browse and surfing with version 6.0.1119 for some IT magazine website, and then avast give me a notification that this website has infected by URL:Mal. But the weird things if we surfing with previous version such version 6.0.1000 or above, nothing happened with avast notifications.

Here's we attached the picture.

URL : hxxp://xxx.digicom.co.id

Please take a note, i put the thread in here since because of the detection capability for each avast's version.

I am not sure whether i have any mistaken when analysis this issues or not.

cheers,

[The_ChamP]

Getting same notification as u
dont know if it fp or not

[Cast]

Virus Total report
http://www.virustotal.com/url-scan/report.html?id=13219aee0cea50b1a5575d7f65d6d040-1304735711

Shows clean, but you never know

Also when i visited, i got the same notifcation about a threat.

[DavidR]

The problem is that the URL in the URL:Mal image doesn't match the site you were visiting, so somewhere on that page is an active link (or it was hacked) to what was blocked by the Network Shield.

Or it was something else possibly unrelated to this site as I don't get any avast alert when I checked it out. However, I have firefox and the RequestPolicy add-on which blocks cross site scripting as there is an active link to 7879.in (almost certainly malicious), image1 and it is this which is being alerted on. Without RequestPolicy I would have had the alert too and if I didn't have avast also would have been exposed to potential malware.

So this site would appear to have been hacked as there is a bunch of obfuscated script and an iframe tag after the closing HTML tag, a standards no, no and highly suspect. This is even more suspect as it is all on a single line (see image2), which I have broken to make it easier to see in the image.

As you can see from image3 avast alerts on the 7879.in site when accessed outside of the digicom.co.id site.

So essentially the detection is good and should have been in the viruses and worms topic as it is unrelated to the avast version only VPS.

@ Castayr
So the VT results are invalid for this blocking by the network shield.

[Ashish Singh]

Hi David I visited the same page but why not I was notified..?
I am using 1091 version database up to date..

[NON]

First time I accessed that page I had an Request Policy alert that there is a external link to 7879.in, like DavidR says.
However I reload that page Request Policy does not show any external link this time and I can't see any malicious scripts either.
So that script seems dynamically created only one time per one IP address.

[Pondus]

The link hxxp://xxx.digicom.co.id looks down

http://www.downforeveryoneorjustme.com/http://www.digicom.co.id


EDIT: and now it is up 

[DavidR]

Hi David I visited the same page but why not I was notified..?
I am using 1091 version database up to date..

I haven't the slightest idea as I know nothing about your settings.

In all honesty if you can't figure out why you weren't getting the alert (I know why I didn't in the initial page), should you have been visiting the pages in the first place. I certainly wouldn't go poking my nose into some of these sites with IE.

[DavidR]

First time I accessed that page I had an Request Policy alert that there is a external link to 7879.in, like DavidR says.
However I reload that page Request Policy does not show any external link this time and I can't see any malicious scripts either.
So that script seems dynamically created only one time per one IP address.

There is no way that could be a selective insertion as there would have to be other code to be selective.

The link hxxp://xxx.digicom.co.id looks down

http://www.downforeveryoneorjustme.com/http://www.digicom.co.id

EDIT: and now it is up 

I would have hoped it may have been down for cleaning, perhaps they did clean it, but the suspect obfuscated script is still there/back.

[NON]

There is no way that could be a selective insertion as there would have to be other code to be selective.

If that page itself is dynamically created selective insertion could be done.
But I tried using proxy to access it and got neither RP alert nor malicious script, so now I can't say this is IP selective...

I would have hoped it may have been down for cleaning, perhaps they did clean it, but the suspect obfuscated script is still there/back.

Isn't it something cache thing?

[DavidR]

Yes, but that dynamic creation has nothing to do with what IP you came from or are using, otherwise I wouldn't have got it for a second time, based on your assumption you only get served up to you once.

Pages that are created dynamically are normally because the page content changes and requires something like PHP which this site uses, is vulnerable to being hacked if is using an old version. The actual templates can be infected, but it would have to have some additional processing in that PHP to check the referrer or user IP to serve up a different template with the inserted code.

I don't believe it is a caching thing on my system, as I refreshed the Page (shift + refresh or shift + F5).

However now the index.php isn't bringing up this inserted script after the closing HTML tag (as I said a standards no, no and highly suspect) and no reference to 7879 in any of the page source code; so we will have to see if it has been cleaned.