Author Topic: Website detected as infected by URL:Mal with version 6.0.1119  (Read 5457 times)


Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1369
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Dear All,

This morning, when I tried to browse an IT magazine website with version 6.0.1119, avast gave me a notification that this website has been infected by URL:Mal. But the weird thing is that if we surf with a previous version such as version 6.0.1000 or above, nothing happens with avast notifications.

Here we have attached the picture.

URL : hxxp://xxx.digicom.co.id

Please note, I put the thread here because of the detection capability of each avast version.

I am not sure whether I have made any mistake when analysing this issue or not.

cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GSG

Offline The_ChamP

  • Jr. Member
  • **
  • Posts: 69
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #1 on: May 07, 2011, 06:28:49 AM »
Getting the same notification as you.
Don't know if it is an FP or not.
RT - Avast 7 free beta , Windows backup
OD - Mbam ,  Hmp , Eek
7 x64 Ultimate Sp1 - 6gb Ram

Offline Cast

  • Sr. Member
  • ****
  • Posts: 302
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #2 on: May 07, 2011, 06:37:13 AM »
Virus Total report
http://www.virustotal.com/url-scan/report.html?id=13219aee0cea50b1a5575d7f65d6d040-1304735711

Shows clean, but you never know

Also, when I visited, I got the same notification about a threat.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85773
  • No support PMs thanks
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #3 on: May 07, 2011, 03:23:01 PM »
The problem is that the URL in the URL:Mal image doesn't match the site you were visiting, so somewhere on that page is an active link (or it was hacked) to what was blocked by the Network Shield.

Or it was something else possibly unrelated to this site, as I don't get any avast alert when I checked it out. However, I have Firefox and the RequestPolicy add-on, which blocks cross site scripting, as there is an active link to 7879.in (almost certainly malicious, see image1), and it is this which is being alerted on. Without RequestPolicy I would have had the alert too, and if I didn't have avast I would also have been exposed to potential malware.

So this site would appear to have been hacked, as there is a bunch of obfuscated script and an iframe tag after the closing HTML tag, a standards no-no and highly suspect. This is even more suspect as it is all on a single line (see image2), which I have broken to make it easier to see in the image.

As you can see from image3 avast alerts on the 7879.in site when accessed outside of the digicom.co.id site.

So essentially the detection is good and should have been in the viruses and worms topic, as it is unrelated to the avast version, only the VPS.

@ Castayr
So the VT results are invalid for this blocking by the network shield.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 21.8.2487 (build 21.8.6586.697) UI 1.0.666/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
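The check DavidR describes in Reply #3 (script and iframe markup placed after the closing HTML tag, on a single line, pointing at another host), written out as an added example that is not part of the thread. The function name, the sample pages and the `.example` host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

CLOSE_HTML = re.compile(r"</html\s*>", re.IGNORECASE)
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}


class _TailParser(HTMLParser):
    """Collects active tags (and their src, if any) in a markup fragment."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, src-or-None)

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.found.append((tag, dict(attrs).get("src")))


def audit_trailing_markup(page_url, html):
    """Report active content that follows the last </html> in saved source."""
    matches = list(CLOSE_HTML.finditer(html))
    tail = html[matches[-1].end():] if matches else ""
    parser = _TailParser()
    parser.feed(tail)
    parser.close()
    page_host = urlparse(page_url).hostname
    hosts = []
    for _tag, src in parser.found:
        host = urlparse(src).hostname if src else None
        if host and host != page_host and host not in hosts:
            hosts.append(host)  # off-site target referenced after </html>
    return {
        "trailing": bool(parser.found),
        "tags": [tag for tag, _ in parser.found],
        "external_hosts": hosts,
        # Everything appended on one line is the extra signal noted in the post.
        "single_line": bool(parser.found) and "\n" not in tail.strip(),
    }


# Constructed sample pages (not the real site's source).
CLEAN = "<html><body><p>IT magazine</p></body></html>\n"
INFECTED = (
    "<html><body><p>IT magazine</p></body></html>"
    "<script>/* obfuscated script elided */</script>"
    '<iframe src="http://injected.example/" width="1" height="1"></iframe>'
)
```

Run it over the page source as saved from each visit, since later replies in the thread report that the appended markup was not present on every load.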

Offline Ashish Singh

  • Poster
  • *
  • Posts: 437
  • Proud to be an Indian
    • Quick Heal
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #4 on: May 08, 2011, 07:31:40 AM »
Hi David, I visited the same page but why was I not notified..?
I am using 1091 version database up to date..
Windows 7 Ultimate(32 bit), avast! free (always latest released or beta), Intel Core2Duo, 2GB RAM, Outpost Firewall Pro 7.5,IE 9,TuneUp Utilities 2011,Diskeeper 2011

http://www.incredibleindia.org 

Caution! Online world is full of man made Aliens

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 4905
  • Whatever will be, will be.
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #5 on: May 08, 2011, 10:20:39 AM »
The first time I accessed that page I had a RequestPolicy alert that there is an external link to 7879.in, like DavidR says.
However, when I reload that page, RequestPolicy does not show any external link this time and I can't see any malicious scripts either.
So that script seems to be dynamically created only once per IP address.
Main: Win10 Pro 20H2 64bit / Core i5-7400 3.0GHz / 16GB RAM / Avast 21 Premium Beta(Icarus) / Comodo Firewall (testing again)
Mobile: Win10 Pro 20H2 64bit / Core i5-3340M 2.7GHz / 8GB RAM / Avast 21 Free / Windows Firewall Control

I explain Avast's settings here. Please take a look if you like.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37106
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #6 on: May 08, 2011, 12:15:48 PM »
The link hxxp://xxx.digicom.co.id looks down

http://www.downforeveryoneorjustme.com/http://www.digicom.co.id


EDIT: and now it is up  ???
« Last Edit: May 08, 2011, 12:17:37 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85773
  • No support PMs thanks
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #7 on: May 08, 2011, 02:32:04 PM »
Quote from: Ashish Singh
> Hi David, I visited the same page but why was I not notified..?
> I am using 1091 version database up to date..

I haven't the slightest idea as I know nothing about your settings.

In all honesty, if you can't figure out why you weren't getting the alert (I know why I didn't in the initial page), should you have been visiting the pages in the first place? I certainly wouldn't go poking my nose into some of these sites with IE.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85773
  • No support PMs thanks
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #8 on: May 08, 2011, 02:46:34 PM »
Quote from: NON
> The first time I accessed that page I had a RequestPolicy alert that there is an external link to 7879.in, like DavidR says.
> However, when I reload that page, RequestPolicy does not show any external link this time and I can't see any malicious scripts either.
> So that script seems to be dynamically created only once per IP address.

There is no way that could be a selective insertion as there would have to be other code to be selective.

Quote from: Pondus
> The link hxxp://xxx.digicom.co.id looks down
>
> http://www.downforeveryoneorjustme.com/http://www.digicom.co.id
>
> EDIT: and now it is up  ???

I would have hoped it may have been down for cleaning, perhaps they did clean it, but the suspect obfuscated script is still there/back.

Online NON

  • Japanese User
  • Avast Überevangelist
  • Ultra Poster
  • *****
  • Posts: 4905
  • Whatever will be, will be.
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #9 on: May 08, 2011, 04:01:09 PM »
Quote from: DavidR
> There is no way that could be a selective insertion as there would have to be other code to be selective.

If that page itself is dynamically created, selective insertion could be done.
But I tried using a proxy to access it and got neither an RP alert nor a malicious script, so now I can't say this is IP selective... :-X

Quote from: DavidR
> I would have hoped it may have been down for cleaning, perhaps they did clean it, but the suspect obfuscated script is still there/back.

Isn't it some cache thing?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 85773
  • No support PMs thanks
Re: Website detected as infected by URL:Mal with version 6.0.1119
« Reply #10 on: May 08, 2011, 04:38:53 PM »
Yes, but that dynamic creation has nothing to do with what IP you came from or are using, otherwise I wouldn't have got it for a second time, based on your assumption that it only gets served up to you once.

Pages are normally created dynamically because the page content changes, and that requires something like PHP, which this site uses and which is vulnerable to being hacked if it is using an old version. The actual templates can be infected, but it would have to have some additional processing in that PHP to check the referrer or user IP to serve up a different template with the inserted code.

I don't believe it is a caching thing on my system, as I refreshed the page (shift + refresh or shift + F5).

However, now the index.php isn't bringing up this inserted script after the closing HTML tag (as I said, a standards no-no and highly suspect) and there is no reference to 7879 in any of the page source code; so we will have to see if it has been cleaned.