Author Topic: Is my web site infected or is it a False Positive  (Read 7321 times)


Kingtosser

  • Guest
Is my web site infected or is it a False Positive
« on: August 11, 2010, 07:36:06 PM »
I called Godaddy.com today after receiving an avast! Warning that my site (I replaced the T's with X's):

hXXp://kingtoss.com

was infected with JS:Illredir-AQ [Trj]

Godaddy.com says that the site is not infected and that this is a false positive.  Is there a way to verify this?

Thanks in advance.

spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #1 on: August 11, 2010, 07:46:25 PM »
Hi Kingtosser, welcome to the forum :)

It looks like this is a genuine detection, there is an obfuscated script at the end of the page, outside of the html block that is causing avast! to alert.

http://www.UnmaskParasites.com/security-report/?page=kingtoss.com
http://www.virustotal.com/url-scan/report.html?id=d61870cf888d5bab31e18948463b233c-1281541188

http://www.virustotal.com/file-scan/report.html?id=9d136ddbaa17cee7810f064f2ca39849a05f91e03244d7d440a000f8ab56eaf0-1281548391

From the last link, you can see that it is not only avast! that detects this.

Apparently, GoDaddy need to look into their security departments or whatever they have for this... ::)

Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #2 on: August 11, 2010, 07:48:14 PM »
Thanks.  I have no idea what that is, but I will delete it and see if it clears up the problem.

spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #3 on: August 11, 2010, 07:57:04 PM »
You're welcome :)

Good luck.

Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #4 on: August 11, 2010, 08:00:20 PM »
My avast! software will not let me FTP the file down to be fixed.  I'll have to try to do it another way.

spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #5 on: August 11, 2010, 08:04:34 PM »
Do you have a backup copy that is clean?

Maybe you could re-upload it?

You could also try to get GoDaddy to help you remove that script?

Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #6 on: August 11, 2010, 08:23:25 PM »
I have a backup copy on a different computer.  I'll give that a shot.

I noticed that there is a "JS" folder on the web site that includes a lot of files with the same date as the page that has the infected script.  I didn't make any changes to the web site on that date.  I may delete that folder as well.

spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #7 on: August 11, 2010, 08:31:40 PM »
Do you have an example of the files in the JS folder? (remember hXXp ;))

If they shouldn't be there (or weren't put there by you as part of the site) then they are worth investigating

Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #8 on: August 11, 2010, 08:44:49 PM »
This is what the "js" folder contains:

hXXp://www.kingtoss.com/js/ajax-dynamic-content.js
hXXp://www.kingtoss.com/js/animatedcollapse.js
hXXp://www.kingtoss.com/js/ddaccordion.js
hXXp://www.kingtoss.com/js/dynamic.js
hXXp://www.kingtoss.com/js/jquery-1.2.2.pack.js
hXXp://www.kingtoss.com/js/jquery-1.2.3.js
hXXp://www.kingtoss.com/js/jquery-1.2.6.pack.js
hXXp://www.kingtoss.com/js/jquery.cycle.lite.js
hXXp://www.kingtoss.com/js/popup1.js



spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #9 on: August 11, 2010, 08:54:29 PM »
It would appear that, at minimum, they have been added to...It seems as though the same script is in the js files...

They look as though they may be used in the functioning of the site, so you will need to remove the script from all of the js files.

I would check all other pages on the site as well.
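The checks described in the replies above (script content sitting after the closing `</html>` tag, and the same line appended to several .js files) can be run over a local copy of the site. This is an added example, not part of the original posts; the file names in the sample site, the placeholder line and the 40-character threshold are constructed assumptions.

```python
import pathlib
import re
import tempfile
from collections import defaultdict

HTML_END = re.compile(r"</html\s*>", re.IGNORECASE)
MIN_TAIL_LEN = 40  # assumption: ignore short shared endings such as "})();"

def trailing_after_html(text):
    """Return whatever follows the last </html> tag ('' if nothing or no tag)."""
    matches = list(HTML_END.finditer(text))
    return text[matches[-1].end():].strip() if matches else ""

def scan_site(root):
    """Return (pages with a <script> after </html>, {last line: .js files sharing it})."""
    html_hits, tails = [], defaultdict(list)
    for path in sorted(pathlib.Path(root).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.suffix.lower() in (".html", ".htm", ".php"):
            if "<script" in trailing_after_html(text).lower():
                html_hits.append(rel)
        elif path.suffix.lower() == ".js":
            lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
            if lines and len(lines[-1]) >= MIN_TAIL_LEN:
                tails[lines[-1]].append(rel)
    shared = {tail: files for tail, files in tails.items() if len(files) > 1}
    return html_hits, shared

def build_sample_site(root):
    """Write a constructed five-file site; returns the harmless stand-in line."""
    marker = "/* constructed placeholder for the injected line, not real malware */"
    files = {
        "index.html": f"<html><body>home</body></html>\n<script>{marker}</script>\n",
        "about.html": "<html><body>about</body></html>\n",
        "js/popup1.js": f"function popup() {{}}\n{marker}\n",
        "js/dynamic.js": f"var d = 1;\n{marker}\n",
        "js/clean.js": "var ok = true;\n",
    }
    for rel, body in files.items():
        target = pathlib.Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return marker

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print(scan_site(site))
```

A shared last line is only a heuristic: files minified by the same tool can legitimately end alike, so each hit still needs to be compared against a known-clean backup.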



Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #10 on: August 11, 2010, 08:57:19 PM »
Will do.  I sincerely appreciate your help with this.

Kingtosser

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #11 on: August 12, 2010, 04:29:41 AM »
Just a follow up.  I had to get the developer of the web site to "scrub" the malicious script out of the web site.  Godaddy.com was less than helpful.  The Tech Support person with whom I spoke said there had been an incident (he originally used the word "outbreak" but immediately corrected himself and said it was contained quickly) where malicious code had been injected into some web sites Godaddy.com hosted.  He said he was 100% certain that my site was not affected, but could not give any reason for his conclusion.  In any event, the malicious script was present in the index.html file of every web site on my hosting account.  Some of those sites had not been updated in more than three years.  So I have no idea how the script may have been injected into my web sites.  But they appear to be gone now.  Thanks again for your assistance.

spg SCOTT

  • Guest
Re: Is my web site infected or is it a False Positive
« Reply #12 on: August 12, 2010, 02:04:52 PM »
Hi Kingtosser :)

You're welcome

I am glad that you have managed to sort it out, and it seems to have worked. I can now browse the site without alerts.

That is what is done when sites are hacked...more often than not, many people only notice the one page, and miss the others...so they inject the code into all pages they can...

I would be questioning someone at GoDaddy as to why this so-called 'Tech Support' person was 100% sure that your site wasn't infected when in fact he was 100% wrong.

Hopefully events like this will prove to some people that even legitimate sites, with no malicious intentions at all, can be hacked and be made malicious...overnight...

Kudos to you and the developer for investigating and your persistence :)

-Scott-

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: Is my web site infected or is it a False Positive
« Reply #13 on: August 12, 2010, 04:09:51 PM »
You only need to do a forum search on the viruses and worms sub forum for godaddy to see just how many infected/hacked sites were hosted at godaddy.

Whilst godaddy must have a huge number of hosted sites, what seems common in all such incidents, when reported, is their support staff's primary denial of a problem on their part at all. Even now they have admitted, after you gave proof, that there was an outbreak/incident, yet they still say they don't believe it affected your site.

If that were my host that I was paying good money for I would be looking for another host that provided better support.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Is my web site infected or is it a False Positive
« Reply #14 on: August 13, 2010, 08:01:02 PM »
Hi Kingtosser,

The site seems to be clean now: http://www.urlvoid.com/scan/kingtoss.com
The mentioned malscript has not been found there,

polonus