Author Topic: National Censorship Institution  (Read 2775 times)

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
National Censorship Institution
« on: July 05, 2011, 05:18:48 AM »
Dear All,

Today we found that the website of one of Indonesia's institutions was infected by HTML:i-frame.

But according to the Google Safe Browsing summary and Unmask Parasites, this website is safe.

The link:
hxxp://www.google.com/safebrowsing/diagnostic?site=www.lsf.go.id

Which part of the source code has been infected?

« Last Edit: July 05, 2011, 05:24:06 AM by Yanto.Chiang »
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline Yanto.Chiang

Re: National Censorship Institution
« Reply #1 on: July 05, 2011, 09:22:43 AM »
But according to robtex.com, this website is hosted on a suspicious web server, AS45287 (VARNION).

Source:
hxxp://www.robtex.com/dns/lsf.go.id.html#records
hxxp://www.google.com/safebrowsing/diagnostic?site=www.lsf.go.id
hxxp://www.google.com/safebrowsing/diagnostic?site=AS:45287

But I still can't find where exactly the i-frame script is that triggered Avast antivirus.


spg SCOTT

  • Guest
Re: National Censorship Institution
« Reply #2 on: July 05, 2011, 01:18:47 PM »
Hi Yanto :)

A rather simple one to find here...

The iframe is located in the homepage, before the redirection takes place.

So before loading (being redirected to) film.php?module=home, the page serves an iframe, which is probably what is causing the alert.

Scott

EDIT: Just for info, that iframe in a text file, sent to VT:
http://www.virustotal.com/file-scan/report.html?id=b527e08976b88c70a0372d38ba4b426825b8877b492267fcda7c30e70840b702-1309864405
« Last Edit: July 05, 2011, 01:21:47 PM by spg SCOTT »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: National Censorship Institution
« Reply #3 on: July 05, 2011, 04:06:03 PM »
iFrame validation:

(Level: 0) Url checked:
-http://www.lsf.go.id/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lsf.go.id/config/validasi.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lsf.go.id/jscripts/clock.js
Zeroiframes detected on this site: 0
No ad codes identified HTML:iFrame-inf

Site starts to redirect immediately to: -http://www.lsf.go.id/film.php?module=home
Avast alerts HTML:Iframe-inf and disconnects...
The redirect site given in spg SCOTT's image has now been taken offline, see http://www.netirk.com/s/description2011.ru (it had PUA.PDF embedded malware and unknown google_malware and Riskware:W32/WindowsPack.A on it, now all dead...)
According to what I can see, the site is being cleansed now, but Avast still alerts,
correct me if I am wrong here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
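
The situation described in this thread, an iframe served in the homepage body before the redirect to film.php?module=home, as an added example that is not part of any post here: a Python check that inspects one raw response body rather than the page reached after redirection. The sample body, the host names and the meta-refresh redirect are assumptions; the thread does not show the actual markup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a homepage body that serves an iframe, then redirects.
# Host names and the meta-refresh mechanism are assumptions, not thread data.
SAMPLE_BODY = """<html><head>
<iframe src="http://injected.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<meta http-equiv="refresh" content="0; url=film.php?module=home">
</head><body></body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class PreRedirectScanner(HTMLParser):
    """Collects iframes and any meta-refresh target from one raw response body."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.iframes = []      # list of (src, reasons)
        self.redirect = None   # meta-refresh target, if any

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            dims = [a.get("width", ""), a.get("height", "")]
            if any(d.strip().rstrip("px") in ("0", "1") for d in dims):
                reasons.append("tiny")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden-style")
            host = urlparse(a.get("src", "")).hostname
            if host and host != self.page_host:
                reasons.append("off-site")
            self.iframes.append((a.get("src", ""), reasons))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            self.redirect = m.group(1).strip() if m else None


def scan_body(body, page_host):
    """Return iframes that look injected and whether they precede a redirect."""
    p = PreRedirectScanner(page_host)
    p.feed(body)
    suspicious = [(src, r) for src, r in p.iframes if r]
    return {"suspicious": suspicious, "redirect": p.redirect,
            "served_before_redirect": bool(suspicious and p.redirect)}
```

Feed it the body of the first response, fetched without following redirects; a checker that only examines the final page never sees markup served before the redirect.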

spg SCOTT

  • Guest
Re: National Censorship Institution
« Reply #4 on: July 05, 2011, 09:05:53 PM »
Something is still there... the iframe loads a page, which then loads another, which I think goes on...

1.gif is the iframe location
2.gif is the next page

Offline polonus

Re: National Censorship Institution
« Reply #5 on: July 05, 2011, 11:17:57 PM »
Hi spg SCOTT,

Thank you very much for that analysis; it is good that Avast keeps blocking it, and I hope Yanto.Chiang will inform the webmasters at that site that they still have some work to do.

polonus

Offline Yanto.Chiang

Re: National Censorship Institution
« Reply #6 on: July 06, 2011, 09:53:28 AM »
Hi Scott and Polonus,

Thank you both very much for your detailed information.

Let me inform the webmaster. Just as additional information, WOT has detected this website as a poor website.

Link: http://www.mywot.com/en/scorecard/www.lsf.go.id

cheers,