Author Topic: HTML:RedirBA-inf [TRJ]  (Read 18537 times)


Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66761
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: HTML:RedirBA-inf [TRJ]
« Reply #15 on: September 19, 2011, 03:16:26 PM »
> Due to the fact that I have a different antivirus

I see.
So ask the one who reported it to you to provide the link.
As mine is in German and wouldn't help you much. ;)
Win 8.1 [x64] - Avast PremSec 20.8.2427.B#2 [UI.560] - CC 5.71 - EEK - FF ESR 68.12 [NS/AOS/uBO/PB] - TB 68.12 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline ady4um

  • Massive Poster
  • ****
  • Posts: 2667
Re: HTML:RedirBA-inf [TRJ]
« Reply #16 on: September 19, 2011, 03:25:38 PM »
@Magnum,

If you can concentrate on sending this to Avast as a possible FP as instructed in reply #3, you could gain some time (instead of passively waiting for someone from Avast Team to see and read this topic).

The "details" (at least for now) is not specifically for "you" (your site), so that's why it is not *that* important.

If it is indeed a FP, then Avast will solve this and your friend (and everyone else that has Avast) will be able to get to your site without problems, but for that to happen as promptly as it can, you should probably report this as suggested.
ADD/REMOVE PROGS -> avast -> CHANGE/REMOVE -> REPAIR & REBOOT

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #17 on: September 19, 2011, 03:44:35 PM »
> @Magnum,
>
> If you can concentrate on sending this to Avast as a possible FP as instructed in reply #3, you could gain some time (instead of passively waiting for someone from Avast Team to see and read this topic).
>
> The "details" (at least for now) is not specifically for "you" (your site), so that's why it is not *that* important.
>
> If it is indeed a FP, then Avast will solve this and your friend (and everyone else that has Avast) will be able to get to your site without problems, but for that to happen as promptly as it can, you should probably report this as suggested.

These requests have already been sent to the avast specialists.
This was done primarily.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83763
  • No support PMs thanks
Re: HTML:RedirBA-inf [TRJ]
« Reply #18 on: September 19, 2011, 04:26:53 PM »
There is a packed obfuscated script file being loaded {gzip} with the home page (image 1), is this meant to happen?

See image2 for an extract of the obfuscated file being loaded.

So I'm not sure this is a false positive, but it certainly needs investigation, I know you have said you reported it. But if you didn't use the link in Reply #3 I would use that as that seems to have a faster response.

If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (network shield and Web Shield), etc. A link to this topic might also help.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #19 on: September 19, 2011, 04:36:55 PM »
I still believe that this is a false alarm, because if we remove from the page code of the site:
<base href="http://www.magnum-blog.pp.ua/" />
and
<script type="text/javascript" src="http://www.magnum-blog.pp.ua/plugins/system/lknlightbox/lknlightbox.js"></script>

avast no longer sees the threat. So, what's so wrong with these two lines?

If you scan the file lknlightbox.js at the path above with avast, the virus is not there.
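
The two tags quoted in Reply #19 decide which script URLs a browser requests, so one way to check whether two addresses really serve the same files is to resolve every `<script src>` against `<base href>` and diff the results. This is an added example, not code from any post in the thread; the hosts `main.example` and `alt.example`, the path `/media/extra.js` and both sample pages are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptInventory(HTMLParser):
    """Record the first <base href> and every <script src> in a document."""
    def __init__(self):
        super().__init__()
        self.base, self.srcs = None, []

    def handle_starttag(self, tag, attrs):  # also called for <base ... />
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]           # browsers honour only the first
        elif tag == "script" and a.get("src"):
            self.srcs.append(a["src"])

def script_loads(html, page_url):
    """Absolute URLs of the external scripts this page makes a browser fetch."""
    inv = ScriptInventory()
    inv.feed(html)
    base = urljoin(page_url, inv.base) if inv.base else page_url
    return {urljoin(base, s) for s in inv.srcs}

def off_host(loads, page_url):
    """Scripts fetched from a host other than the one serving the page."""
    host = urlsplit(page_url).netloc
    return sorted(u for u in loads if urlsplit(u).netloc != host)

def compare(html_a, url_a, html_b, url_b):
    """Diff two copies of a page by script path and flag off-host loads."""
    a, b = script_loads(html_a, url_a), script_loads(html_b, url_b)
    pa, pb = {urlsplit(u).path for u in a}, {urlsplit(u).path for u in b}
    return {"only_a": sorted(pa - pb), "only_b": sorted(pb - pa),
            "off_host_a": off_host(a, url_a), "off_host_b": off_host(b, url_b)}

# Constructed sample pages (hypothetical hosts, not fetched from any real site).
MAIN_HTML = """<html><head>
<base href="http://main.example/" />
<script type="text/javascript" src="plugins/system/lknlightbox/lknlightbox.js"></script>
<script src="/media/extra.js"></script>
</head><body></body></html>"""
ALT_HTML = """<html><head>
<base href="http://main.example/" />
<script type="text/javascript" src="plugins/system/lknlightbox/lknlightbox.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(compare(MAIN_HTML, "http://main.example/", ALT_HTML, "http://alt.example/"))
```

In the constructed data the copy served from `alt.example` still pulls its script from `main.example` because of the hard-coded `<base href>`, and the main copy loads one script the other does not; either difference is enough for a scanner to treat the two addresses differently.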

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66761
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: HTML:RedirBA-inf [TRJ]
« Reply #20 on: September 19, 2011, 04:37:48 PM »
> There is a packed obfuscated script file being loaded {gzip} with the home page (image 1), is this meant to happen?
>
> See image2 for an extract of the obfuscated file being loaded.

Interesting, Sucuri says clean though...
Guess we need a reply from the virus lab here.

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #21 on: September 20, 2011, 10:42:34 AM »
I have already found the cause for which the antivirus complains about the site.
It just shocked me.
The site address is, for some unknown reason, in the antivirus blacklist.

How I checked it: simple.

The site has a service address; if you go through it, the antivirus is silent.

There has been no response to my request.

If interested, I can give the service address.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83763
  • No support PMs thanks
Re: HTML:RedirBA-inf [TRJ]
« Reply #22 on: September 20, 2011, 12:28:55 PM »
Well I don't know if giving out the service address on-line would be wise.

So I don't know what the difference is between the two addresses, as it obviously isn't loading this {gzip} file at the start or the web shield would be alerting. When there are sufficient web shield alerts, that feedback goes through the CommunityIQ feature and eventually the site would be added to the malicious sites list in the network shield.

So the question I asked before is still the same and remains unanswered:
There is a packed obfuscated script file being loaded {gzip} with the home page (image 1 in my last post), is this meant to happen?

Plus why this file isn't loaded in the service address.

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #23 on: September 20, 2011, 12:47:43 PM »
To be honest, I did not understand: which file?
In your picture, I saw only a vague set of characters.

Also, I checked the site on the local host. Avast sees nothing there, although the files have not changed!
I just scanned them and avast finds nothing there, too.

I am more than confident that there is no infected file is razed
« Last Edit: September 20, 2011, 12:55:27 PM by Magnum »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83763
  • No support PMs thanks
Re: HTML:RedirBA-inf [TRJ]
« Reply #24 on: September 20, 2011, 12:58:21 PM »
That set of vague characters is the contents of the compressed file that is being loaded (which was image2), the first image is showing that avast is alerting on that compressed file being loaded by the page the /|>{gzip} bit at the end of the URL. I don't know what that is, but there must be something calling a file to be loaded.

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #25 on: September 20, 2011, 01:07:30 PM »
But then the files should be loaded regardless of what the current address of the site is. The files are the same.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83763
  • No support PMs thanks
Re: HTML:RedirBA-inf [TRJ]
« Reply #26 on: September 20, 2011, 01:48:10 PM »
Obviously that isn't the case or you would have an alert like I did in image1 when I visited the main site home page again.

I don't know why that is.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 66761
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: HTML:RedirBA-inf [TRJ]
« Reply #27 on: September 20, 2011, 01:50:44 PM »
> Obviously that isn't the case or you would have an alert like I did in image1 when I visited the main site home page again.

He isn't using avast... ;)

Offline Magnum

  • Newbie
  • *
  • Posts: 19
Re: HTML:RedirBA-inf [TRJ]
« Reply #28 on: September 20, 2011, 01:56:45 PM »
So this is a false alarm.
For example, here is an alternative web address: http://www.magnum.zoxt.net/
And you'll see that there is no virus there!

And yes, I do not use anti-virus for which the level of false positives is very high, and at times it surpasses avast

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83763
  • No support PMs thanks
Re: HTML:RedirBA-inf [TRJ]
« Reply #29 on: September 20, 2011, 02:16:15 PM »
You can't compare two different sites, if the software at one is of a different version or one site has been hacked you are going to get different results.

I don't get an alert at this site but I do at the other, so there has to be a difference.