Topic: Avast reporting my site infected, but its not?

NatalieB

  • Guest
Avast reporting my site infected, but its not?
« on: October 22, 2010, 12:36:00 AM »
Several people running Avast have visited my website in the past week and told me Avast tells them it has a Trojan.

My webhost did a database scan and can't find it, and both Google and Virus Total say it is clean.

What can I do?

http://www.virustotal.com/url-scan/report.html?id=2d44fa5feb47b5a3a44aa8a3a9323404-1287692997

http://www.google.com/safebrowsing/diagnostic?site=http://melbournedollmarket.net

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89667
  • No support PMs thanks
Re: Avast reporting my site infected, but its not?
« Reply #1 on: October 22, 2010, 01:13:25 AM »
Well, I have just visited the home page for the site using Firefox 3.6.11 and no alert from avast.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #2 on: October 22, 2010, 01:17:39 AM »
Hi David

Thanks for checking it.

This is the post I have put in a web development forum:

Hi everyone

I'm stuck in a big nightmare with one of the commercial websites I host.

Several website visitors in the past two weeks tell me that they get an alert that the website has a Trojan. One visitor says the website actually downloaded a trojan to her PC. Those that responded to requests for further information can only tell me that some of them run AVAST as their antivirus.

Quote
I use avast, and it said that the site had a trojan.

and

Quote
I actually did get the virus. It wasn't as soon as the page loaded, but when I clicked on one of the links there was a pop-up saying you have to download a new version of AVG to run something. The pop-up wouldn't close and I had to use the task manager to close IE. I can't remember which trojan it was, but PC-cillin removed it after a full scan and a restart.

The problem:

Google SafeBrowsing says the website is clean: http://www.google.com/safebrowsing/diagnostic?site=http://melbournedollmarket.net

Virus Total says the website is clean: http://www.virustotal.com/url-scan/report.html?id=2d44fa5feb47b5a3a44aa8a3a9323404-1287692997

My WebHost (mediatemple) have been kind enough to run a full site and database scan and tell me the website is clean.

I've visited the site myself through Proxify, and also via Safari, Opera and Firefox (browser of choice) and receive no such warnings.

I've visited via searching from Google, and again no warnings.

Does anyone have any idea how all this checking can fail to pick up a Trojan and how I might be able to do more scans on the website?

----

Now I have a bunch of people who posted a warning to a forum saying don't go to my site, it's infected.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: Avast reporting my site infected, but its not?
« Reply #3 on: October 22, 2010, 01:29:29 AM »
I'm currently receiving no alerts from your site, but I wonder why NorthCarolina Backpackers is trying to run scripts on the home page.
Google analytics is blocked (as always), the doll site allowed. No problems. A bit slow to load, though.
Windows 10,Windows Firewall,Firefox w/Adblock.

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #4 on: October 22, 2010, 02:36:04 AM »
Quote
I'm currently receiving no alerts from your site, but I wonder why NorthCarolina Backpackers is trying to run scripts on the home page.
Google analytics is blocked (as always), the doll site allowed. No problems. A bit slow to load, though.

I've bolded the part of your response that interests me - I don't understand? There should be no third party scripts.

Can you screen shot or give me more info?
Thank you so much!

Offline Tarq57

Re: Avast reporting my site infected, but its not?
« Reply #5 on: October 22, 2010, 02:54:22 AM »
I'd be happy to, but there is a database error; unable to establish an internet connection.

GoogleAnalytics isn't running scripts on your site?

I had more than one tab open when I was checking. It is possible that northcarolinabackpackers may have been scripting on a different site, so don't take that earlier post too seriously, yet. (Sorry, I've just thought of that.)

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #6 on: October 22, 2010, 03:00:45 AM »
I think my webhost is currently running some scans on the DBs again, as all my DBs on all the sites I host are down (there are 8 of them).

Nope, back up now!

Yes, GA is running on the site, at least Google says it is running fine.

Offline Tarq57

Re: Avast reporting my site infected, but its not?
« Reply #7 on: October 22, 2010, 03:02:19 AM »
Right, I've been able to check your site again, and while some other tabs are up.
These other tabs have a lot of scripting blocked. (News sites, travel sites...)

The information on scripts that are blocked is specific to the tab being viewed at the time.
So the backpackers site was specific to yours. But yours now opens without that item being blocked.

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #8 on: October 22, 2010, 03:13:43 AM »
Thanks Tarq.

I'm not really familiar with cleaning up problems like this; in my 12 years as a web designer, this year has been a massive problem for hacks and the like with my webhost.

I'm getting to the point where I think perhaps rebuilding the site from scratch, with a new database as well, might be the only answer, as no one can tell me why the site is getting malware warnings.

If anyone here does work it out, I'll be in your debt!

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #9 on: October 22, 2010, 03:44:20 AM »
A reader on the other forum I mentioned just supplied this:

Quote
I have AVAST free home edition, and yes, I get a trojan warning too:

Infected file:
http://melbournedollmarket.net/images/play.png

http://ce.northcarolinamountainsbackpacking.com/in.cgi?2|>{gzip}

22/10/2010 12:30:51 PM http://ce.northcarolinamountainsbackpacking.com/in.cgi?2|>{gzip} [L] HTML:RedirME-inf [Trj] (0)

Edit: funny, I remember reading an article a while ago about how you can compress JS and fit it into a png or something.

But, /images doesn't exist - there is no such directory or path.

Does this help to isolate the issue?

NatalieB

  • Guest
Re: Avast reporting my site infected, but its not?
« Reply #10 on: October 22, 2010, 05:02:51 AM »
Guys, are you getting the same problem here?

http://deluxe.flashsuperheroes.com/

That is the base theme for the website, and I want to make sure I didn't get whatever it is from there.

Ta.

Offline DavidR

Re: Avast reporting my site infected, but its not?
« Reply #11 on: October 22, 2010, 12:41:40 PM »
First - Please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

Your customer reports that the alert is on the hXXp://ce.northcarolinamountainsbackpacking.com/in.cgi?2 link, so that is out of your control; it is that site that is infected. But you have to find the script reference to hXXp://ce.northcarolinamountainsbackpacking.com/in.cgi?2 and remove it until you are sure that site has cleaned up its house (assuming that it is legit to have that link on your site).

The hXXp://melbournedollmarket.net/images/play.png file isn't found (so you get a custom 404 page, site under maintenance). Are there any references on your site to this file?
If so, check it, as it is possible that this file could be hacked to point to the ce.northcarolinamountainsbackpacking.com site.

It is possible for a hack to insert a file and references to it, and if this has happened it is an indication the site has been hacked. This is usually down to content management software being vulnerable and exploited. So if you are using Joomla, WordPress, PHP, etc. you need to ensure the version is up to date.

I have visited the hXXp://deluxe.flashsuperheroes.com/ page and no alerts, there is however no cross site link/script to the hXXp://ce.northcarolinamountainsbackpacking.com site.
« Last Edit: October 22, 2010, 12:45:06 PM by DavidR »
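
An added example, not part of the original thread or any poster's code: one way to carry out the check described in Reply #11, listing every resource reference in a page that points to a host other than the site's own or an allow-listed one. The `.example` host names, the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags and attributes that make a browser fetch another resource.
WATCHED_TAGS = {"script", "iframe", "frame", "img", "embed", "object", "link"}
URL_ATTRS = {"src", "href", "data"}

# Constructed sample page; hosts under .example are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/js/menu.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<img src="images/logo.png">
<script src="http://redirector.unknown-host.example/in.cgi?2"></script>
<iframe src="//frames.unknown-host.example/x" width="1" height="1"></iframe>
</body></html>"""


class RefCollector(HTMLParser):
    """Collect (line, tag, absolute_url) for every resource reference."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED_TAGS:
            return
        for name, value in attrs:
            if name in URL_ATTRS and value:
                # Resolve relative and protocol-relative URLs against the page URL.
                url = urljoin(self.base_url, value.strip())
                self.refs.append((self.getpos()[0], tag, url))


def unexpected_refs(html, base_url, allowed_hosts):
    """Return references whose host is neither the site's own nor allow-listed."""
    own = urlsplit(base_url).hostname
    ok = {own} | {h.lower() for h in allowed_hosts}
    collector = RefCollector(base_url)
    collector.feed(html)
    return [(line, tag, url) for line, tag, url in collector.refs
            if (urlsplit(url).hostname or own) not in ok]


if __name__ == "__main__":
    allowed = {"www.google-analytics.com"}
    for line, tag, url in unexpected_refs(SAMPLE_PAGE, "http://site.example/", allowed):
        print(f"line {line}: <{tag}> loads {url}")
```

Run it over the HTML the server actually sends as well as over the template files on disk, since a reference inserted through the database or at render time only shows up in the served output.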