Author Topic: Avast blocks malware?? (Read 5324 times)

Maccalusso · « **on:** July 03, 2010, 12:38:36 AM »

When I go to the site "Biblioteca Pleyades", Avast says it has blocked a malware threat.
OBJECT: http://ww.bibliotecapleyades.net/stmenu.js
INFECTION: HTML: lFrame-inf

After I'm in, there is no problem accessing any of the links.
I'm curious as to what might be causing this oddity.
Thanks for any help.

bibliotecapleyades.net

polonus · « **Reply #1 on:** July 03, 2010, 01:07:49 AM »

Hi Maccalusso,

Just look at the attached image, things there that should not be there and therefore are being detected,
a hidden iFrame to htxp://jjibuswjoxk.com/ld/gnh11 might be at the crux why it has been flagged,
Re: http://support.clean-mx.de/clean-mx/viruses?id=607901

polonus

Asyn · « **Reply #2 on:** July 03, 2010, 01:08:14 AM »

Report    2010-07-03 00:57:33 (GMT 1)
Website    bibliotecapleyades.net
Domain Hash    faf02b719de58c49619a77851467ddf1
IP Address    62.149.128.163 [SCAN]
IP Hostname    mxd2.aruba.it
IP Country    IT (Italy)
AS Number    31034
AS Name    ARUBA-ASN Aruba S.p.A. - Network
Detections    0 / 17 (0 %)
Status    CLEAN

Pondus · « **Reply #3 on:** July 03, 2010, 01:09:48 AM »

NoVirusThanks - CLEAN
http://scanner.novirusthanks.org/analysis/12cab28263afc069f8c630367c67fb4b/aW5kZXg=/

polonus · « **Reply #4 on:** July 03, 2010, 01:14:18 AM »

Hi Asyn and Pondus

All scanners give it clean, they are somehow mistaken, because there is an hidden iFramelink to a malware domain there as I demonstrated, whether it is a live link or not, it should not be there. The malware domain is not available at this moment or has been removed by authorities, but that does not mean that the site has not been hacked or been infested before!
The site has become malscript injected at some time, so not clean and is still vulnerable at the moment, again the avast shields worked perfectly well,
Maccalusso should thank avast for the detection,

polonus

Pondus · « **Reply #5 on:** July 03, 2010, 01:25:28 AM »

The link is dead http://downforeveryoneorjustme.com/http://jjibuswjoxk.com/ld/gnh11google.com

Maccalusso · « **Reply #6 on:** July 03, 2010, 07:19:42 AM »

Thanks for all the responses. I would tend to agree with polonus that there is still some sort of threat embedded into the site, perhaps due to the nature of the information posted there.
And yes, I am thankful that Avast works as advertised. I've only used the program for a few weeks since my BitDefender subscription expired but I've found it quite impressive, especially being that it's free. Cheers

Asyn · « **Reply #7 on:** July 03, 2010, 11:07:35 AM »

You're welcome..!
asyn

polonus · « **Reply #8 on:** July 03, 2010, 03:05:02 PM »

Hi Maccalusso,

Good for your users as reported by Pondus that the threat code does not have any payload anymore now because the site the code re-directed to was apparently taken down, but your website programs should be upgraded and patched so the injectors do not play the same trick with an hidden iFrame injection against your site once more. For what measures to take to cleanse and protect from hidden iFrame injections, read here:
http://www.diovo.com/2009/03/hidden-iframe-injection-attacks/

polonus

Author Topic: Avast blocks malware?? (Read 5324 times)

Maccalusso

Avast blocks malware??

polonus

Re: Avast blocks malware??

Asyn

Re: Avast blocks malware??

Pondus

Re: Avast blocks malware??

polonus

Re: Avast blocks malware??

Pondus

Re: Avast blocks malware??

Maccalusso

Re: Avast blocks malware??

Asyn

Re: Avast blocks malware??

polonus

Re: Avast blocks malware??