Author Topic: false positive ? (Read 5704 times)

newkid215 · « **on:** December 02, 2010, 05:34:23 PM »

Hello,
Would someone help to identify whether these two sites are actually virus or malware infected or it was false positive?

hxxp://www.preceptgroup.net/ (reported infected by JS:Illredir-CI [Trj])

hxxp://www.premierfitness.ca/overview (reported infected with HTML:iframe-inf)

I remember that seeing around ten detections of iframe.inf from known business sites. Is iframe.inf generates many false positive detections?

Some advice please,
Many thanks.

swarnava · « **Reply #1 on:** December 02, 2010, 05:52:52 PM »

working fine here..

spg SCOTT · « **Reply #2 on:** December 02, 2010, 06:08:42 PM »

Hi newkid215,

Please can you deactivate the links in your post(change http to hXXp) to prevent others potentially becoming infected.
EDIT: Thanks igor for doing this

1

Code: [Select]

hXXp://www.preceptgroup.net/menumachine/precept_drop_downs/menuspecs.js
This javascript file has been hacked, and a malicious site added at the end. It also tries to avoid detection by using port 8080, which obviously doesn't work. (capture.gif)

2

Code: [Select]

hXXp://www.premierfitness.ca/overview
avast! is alerting on a set of iframes that all have zero size (basically hidden). (capture2.gif)

I would say that both sites are infected.

Scott

@Swarnava/Heaven GOD

Based on what?
Why link the siteadvisor green tick?

Tenko · « **Reply #3 on:** December 02, 2010, 06:46:24 PM »

I have looked through some scanner and here are the results

hxxp://www.preceptgroup.net/
http://anubis.iseclab.org/?action=result&task_id=1b84b6df2610e7594ad1f904f131e44d5
http://wepawet.iseclab.org/view.php?hash=9fe00bfa583a62d4aa3e2cef244a5a61&t=1291310958&type=js
http://www.virustotal.com/url-scan/report.html?id=9fe00bfa583a62d4aa3e2cef244a5a61-1291307168

hxxp://www.premierfitness.ca/overview
http://anubis.iseclab.org/?action=result&task_id=1e08b3ef81fd08fa429940f01ff6cee76
http://wepawet.iseclab.org/view.php?hash=ceb50bdb70711aecbdaedbf3c1a8cecf&t=1291311637&type=js
http://www.virustotal.com/url-scan/report.html?id=ceb50bdb70711aecbdaedbf3c1a8cecf-1291308163

I hope this will help.

DavidR · « **Reply #4 on:** December 02, 2010, 06:49:47 PM »

Quote from: newkid215 on December 02, 2010, 05:34:23 PM

Hello,
Would someone help to identify whether these two sites are actually virus or malware infected or it was false positive?
hXXp://www.preceptgroup.net/ (reported infected by JS:Illredir-CI [Trj])
hXXp://www.premierfitness.ca/overview (reported infected with HTML:iframe-inf)

I remember that seeing around ten detections of iframe.inf from known business sites. Is iframe.inf generates many false positive detections?

On the contrary the avast web shield has been extremely accurate in its detections in regard to hacked sites it is IMHO the best, when you consider the slew of hidden iframes to dubious looking domain names, I would say this is a good detection.

spg SCOTT · « **Reply #5 on:** December 03, 2010, 01:28:16 PM »

@Tenko,

You have also posted live links to the sites in question, could you please deactivate them, like in DavidR's post.

Quote from: spg SCOTT on December 02, 2010, 06:08:42 PM

Please can you deactivate the links in your post(change http to hXXp) to prevent others potentially becomin infected.

Scott

Tenko · « **Reply #6 on:** December 03, 2010, 01:33:42 PM »

I will change it now SCOTT

newkid215 · « **Reply #7 on:** December 03, 2010, 04:03:33 PM »

Thank you guys for all the good advices.
Next time will only post hxxp link.

Thanks

DavidR · « **Reply #8 on:** December 03, 2010, 05:23:18 PM »

You're welcome, I trust that you have now found and dealt with the offending scripts and iframe tags.

Then you only have to deal with the exploit that allowed the site to be hacked.

swarnava · « **Reply #9 on:** December 03, 2010, 06:00:43 PM »

Quote from: spg SCOTT on December 02, 2010, 06:08:42 PM

Hi newkid215,

Please can you deactivate the links in your post(change http to hXXp) to prevent others potentially becomin infected.

1
Code: [Select]
hXXp://www.preceptgroup.net/menumachine/precept_drop_downs/menuspecs.js
This javascript file has been hacked, and a malicious site added at the end. It also tries to avoid detection by using port 8080, which obviously doesn't work. (capture.gif)

2
Code: [Select]
hXXp://www.premierfitness.ca/overview
avast! is alerting on a set of iframes that all have zero size (basically hidden). (capture2.gif)

I would say that both sites are infected.

Scott

@Swarnava/Heaven GOD

Based on what?
Why link the siteadvisor green tick?

i scan it specially with macafee & kaspersky..both are working fine

spg SCOTT · « **Reply #10 on:** December 03, 2010, 06:47:37 PM »

Shame they both miss the fact that they are infected...like I've shown above

http://www.virustotal.com/file-scan/report.html?id=581d5411a54d814899d592cddecfb13b61764c67375bc94253c75ee4367443e6-1291397841
http://www.virustotal.com/file-scan/report.html?id=1c56e74f32a5a05ca70647b5bc6cb1a473549c609d4a3ef4fddda6256f2f0a0e-1291397951

Author Topic: false positive ? (Read 5704 times)

newkid215

false positive ?

swarnava

Re: false positive ?

spg SCOTT

Re: false positive ?

Tenko

Re: false positive ?

DavidR

Re: false positive ?

spg SCOTT

Re: false positive ?

Tenko

Re: false positive ?

newkid215

Re: false positive ?

DavidR

Re: false positive ?

swarnava

Re: false positive ?

spg SCOTT

Re: false positive ?