Author Topic: Avast gives a false positive in my site.  (Read 2851 times)


titodj

  • Guest
Avast gives a false positive in my site.
« on: July 18, 2010, 06:28:06 AM »
Hi,

My site, www.miespaciovirtual.com, was infected some months ago, the problem was solved long ago, but avast is still blocking my site. I am so worried because it is my professional site! What can I do to fix it? Thanks a lot :-)

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37190
« Last Edit: July 18, 2010, 12:04:09 PM by Pondus »

psw

  • Guest
Re: Avast gives a false positive in my site.
« Reply #2 on: July 18, 2010, 11:40:38 AM »
There is a hidden frame referencing something like dolphin.biz.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86832
  • No support PMs thanks
Re: Avast gives a false positive in my site.
« Reply #3 on: July 18, 2010, 04:56:44 PM »
Bad news, your site is still infected so you may have cleaned up before but there is still likely to be the vulnerability which allowed the site to be hacked in the first place. Unless you resolve this the site could continue to be reinfected.

Obviously the network shield blocks the site completely because of reports of detections, etc. Without the network shield the web shield alerts as the home page (and probably others) is still infected. avast is not alone in finding the home page suspect, http://www.virustotal.com/analisis/74eade022b3cba4bc9f437d6f5c60c58b5956b874a68c7073a77867ff1a6c035-1279464076 10/41 detections. Whilst this is a low number there aren't many AVs even looking for these hacks much less detect them.

There is an obfuscated script tag directly after the opening BODY tag (see image1) and this is most likely to be the problem, see image2 for the decoded script creating a hidden iframe tag.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33669
  • malware fighter
Re: Avast gives a false positive in my site.
« Reply #4 on: July 18, 2010, 05:42:55 PM »
Hi titodj,

A lot of scanners do not flag these hacks: hxtp://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.miespaciovirtual.com%2F&x=12&y=10
But Trendmicro has it: This URL is currently listed as malicious.
finjan detects it also as infected with  Troj/Badsrc-D Aliases * Trojan-Downloader.JS.Psyme.hz
Troj/Badsrc-D is a malicious script injected into compromised web pages,
for the purpose of loading content from a remote server when the web page is browsed.

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbadsrcd.html?_log_from=rss
php malcode: (iframe) d0lphin.biz/mx/in.php (infected with Trojan.Crypt)
mentioned here: http://www.malwaredomainlist.com/forums/index.php?topic=3190.90
suspicious here: http://wepawet.iseclab.org/view.php?hash=2dcc99a3c8bffe12543f2ea028cda0cb&t=1251461377&type=js
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit     
55a7f1b6b03d2a67ff84298c4b31f6e7  
http://anubis.iseclab.org/?action=result&task_id=174420a0055fd55d4a53f4d3493cc8e0e   
 
The attached malscript code is flagged by avast as HTML:Iframe-JF

polonus    
« Last Edit: July 18, 2010, 08:05:09 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
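
The pattern described in replies #3 and #4 (an obfuscated script directly after the opening BODY tag, and a hidden iframe) can be checked for in a page's own HTML. This is an added example, not code from any poster in this thread; the marker list, the names `scan` and `InjectionScanner`, and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Markers often present in obfuscated injected scripts (assumed list, not from the thread).
OBFUSCATION = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode|document\.write\s*\(", re.I)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class InjectionScanner(HTMLParser):
    """Records hidden iframes and a suspicious script that is the first element of BODY."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.first_in_body = False    # True from <body> until the next start tag
        self.in_first_script = False  # True while inside that first script, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "body":
            self.first_in_body = True
            return
        if tag == "iframe" and self._hidden(a):
            self.findings.append(("hidden-iframe", a.get("src", "")))
        # Only a script placed directly after <body> is inspected for obfuscation.
        self.in_first_script = self.first_in_body and tag == "script"
        self.first_in_body = False

    def handle_data(self, data):
        if self.in_first_script and OBFUSCATION.search(data):
            self.findings.append(("obfuscated-script-after-body", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_first_script = False

    @staticmethod
    def _hidden(a):
        tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
        return tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))

def scan(html):
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample pages; example.invalid is a placeholder, not the domain from the thread.
SAMPLE = ('<html><body><script>document.write(unescape("%3Cb%3E"))</script>'
          '<p>Welcome</p><iframe src="http://example.invalid/in.php" width="1" '
          'height="1" style="visibility:hidden"></iframe></body></html>')
CLEAN = ('<html><body><p>Hi</p><script>var x = 1;</script>'
         '<iframe src="/map" width="600"></iframe></body></html>')
```

An iframe that only exists after the script runs is not visible to a static check like this, which is why the script itself is flagged as well; run it against the files as stored on the server, not only the rendered page.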