Author Topic: What malware is supposed to be hosted at my site?  (Read 4077 times)

jipumarino

  • Guest
What malware is supposed to be hosted at my site?
« on: April 13, 2011, 10:08:26 PM »
Avast users are getting a warning when accessing hxtp://escaladenotas.cl
Is this a false positive? At one point I assumed it was the faulty virus database released on Monday, but I'm still getting this warning.

Thanks in advance.
« Last Edit: April 14, 2011, 08:27:12 AM by Milos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33902
  • malware fighter
Re: What malware is supposed to be hosted at my site?
« Reply #1 on: April 13, 2011, 10:36:20 PM »
Avast detects it as infected with URL:MAL, probably a cross-site scripting attack ... clicktale
See: htxp://jsunpack.jeek.org/dec/go?report=5de05ecce6aaa479e7ac7a3413b56bbf0c8f00b1
Go there only if you are security aware, sandboxed and with ample script protection...

polonus
« Last Edit: April 13, 2011, 10:42:49 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

spg SCOTT

  • Guest
Re: What malware is supposed to be hosted at my site?
« Reply #2 on: April 13, 2011, 11:05:29 PM »
I can't see anything that avast would directly alert to, i.e. the site seems to scan clean.

I can't quite fathom this one out... Ignoring the Network Shield, I don't get any alerts on the site, but trying to translate with Google causes an alert.
(This, however, could be related to the way Google Translate works, including the site within a frame... and if the site is blocked by the Network Shield, then that could cause an alert.)

That said, this clicktale seems interesting...
http://www.mywot.com/en/scorecard/s.clicktale.net

Either way, I'd say that this needs someone from the avast team to comment.

Scott

Domz

  • Guest
Re: What malware is supposed to be hosted at my site?
« Reply #3 on: April 13, 2011, 11:17:15 PM »
I see that in my Network Shield log all the time. It blocks Google Analytics.


Offline polonus

Re: What malware is supposed to be hosted at my site?
« Reply #4 on: April 13, 2011, 11:26:17 PM »


Think I have found it: it is this script on the site, "src= ... htxp://s.clicktale.net/WRb6.js",
similar to htxp://urls--clicktale--net.reachlocal.net/WRb6.js. So, like Google is blocking here:
hxtp://www.careerint.com/SearchVacancies/.../wrb6js.htm

When it is hxtp://www.google-analytics.com/ga.js it must be altered...

I hope I can get this confirmed,

@jipumarino  make the link htxp// until the site is cleansed...


polonus
« Last Edit: April 13, 2011, 11:39:26 PM by polonus »
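The diagnosis in the reply above comes down to finding which externally hosted include on the page the shield is reacting to. As an added example (not part of the original thread, and not avast's detection logic), this Python code lists the third-party script and iframe hosts in a page and separates the ones the site owner expects from the ones they do not; the sample HTML, the `site.example` and `unexpected.example` hosts and the allowlist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page, not the real site's HTML. The two script hosts are
# the ones named in the thread; site.example/unexpected.example are placeholders.
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="http://s.clicktale.net/WRb6.js"></script>
<script src="//www.google-analytics.com/ga.js"></script>
</head><body>
<iframe src="http://unexpected.example/in.php" width="1" height="1"></iframe>
</body></html>
"""

class IncludeCollector(HTMLParser):
    """Collects (tag, absolute URL) for every script/iframe that has a src."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:  # skips inline scripts and valueless src attributes
                self.includes.append((tag, urljoin(self.base_url, src.strip())))

def third_party_includes(html, base_url, expected_hosts):
    """Group off-site includes by host into 'expected' and 'unexpected',
    according to the owner's allowlist of third-party hosts."""
    own_host = urlsplit(base_url).hostname
    parser = IncludeCollector(base_url)
    parser.feed(html)
    report = {"expected": {}, "unexpected": {}}
    for tag, url in parser.includes:
        host = urlsplit(url).hostname
        if host is None or host == own_host:
            continue  # same-origin include, served by the site itself
        bucket = "expected" if host in expected_hosts else "unexpected"
        report[bucket].setdefault(host, []).append((tag, url))
    return report

if __name__ == "__main__":
    allow = {"www.google-analytics.com", "s.clicktale.net"}
    result = third_party_includes(SAMPLE_HTML, "http://site.example/", allow)
    for bucket, hosts in result.items():
        for host, items in hosts.items():
            print(bucket, host, items)
```

Anything reported under "unexpected" is an include the owner did not add themselves and is worth checking first when a shield flags the page.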

jipumarino

  • Guest
Re: What malware is supposed to be hosted at my site?
« Reply #5 on: April 14, 2011, 05:07:57 AM »
Hi, thank you all for your help.
I already disabled clicktale entirely, but I keep getting the same warning, so Analytics seems to be the one to blame. What can be so special about my Analytics setup?

Again, thanks for your help.

spg SCOTT

  • Guest
Re: What malware is supposed to be hosted at my site?
« Reply #6 on: April 14, 2011, 12:46:29 PM »
This is the network shield, so it would take avast to have a look, and determine whether it can be removed from the block list...
You can report it here:
http://www.avast.com/contact-form.php?loadStyles

Offline polonus

Re: What malware is supposed to be hosted at my site?
« Reply #7 on: April 14, 2011, 05:09:47 PM »
Hi jipumarino,

Looked into your site; the Sucuri scan is all green. But it seems there is another issue now &usg=AFQ etc. HTML:RedirME-inf[Trj] now found by the Webshield; it seems your site has been hacked and you have to cleanse and upgrade your webapps, see attached gif image.

polonus