Author Topic: False positive with html:script-inf  (Read 3078 times)


YunShui

  • Guest
False positive with html:script-inf
« on: August 23, 2011, 04:42:49 PM »
Hi,
I own a site xxx and today I got it blocked by Avast. It says it is infected with html:script-inf, but using the Dr. Web online scanner the site appears to be clean.
The site is a WordPress site, it has not been hacked nor modified in the last weeks, and I'm using a security plugin to avoid any attack.

« Last Edit: August 23, 2011, 05:05:18 PM by YunShui »

Offline jsejtko

  • Avast team
  • Full Member
  • Posts: 171
    • ALWIL Software
Re: False positive with html:script-inf
« Reply #1 on: August 23, 2011, 04:47:35 PM »
Hello,

Your website is infected -> it contains an injected script tag that refers to superpuperdomain.com, which is a known malicious domain.

You will have to fix that and check how your server was hacked/infected.

Regards

Offline Pondus

  • Probably Bot
  • Posts: 37697
  • F-Secure user
Re: False positive with html:script-inf
« Reply #2 on: August 23, 2011, 04:53:53 PM »
See attached screenshot (click to enlarge)

Malware info: Malware entry: MW:JS:67473
http://sucuri.net/malware/malware-entry-mwjs67473
« Last Edit: August 23, 2011, 04:55:29 PM by Pondus »

spg SCOTT

  • Guest
Re: False positive with html:script-inf
« Reply #3 on: August 23, 2011, 04:57:31 PM »
Just to add:
(Mainly)
If the mods haven't done it yet, please can you modify the link, to prevent others potentially becoming infected (change http to hXXp). Thanks.


(Already Covered)
The script is located at the end of the page, and this seems to be a rather directed attack on WordPress sites. You are not the first.
Overall detection at VT:
http://www.virustotal.com/file-scan/report.html?id=3819afed8e3b325b75196977324f753dac173fba6cdfa1ba0c7cbe2cbc4a58c8-1314111077

Scott
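
An added example, not part of the original posts: a Python check a site owner could run over saved page output to list script tags that load from hosts outside an allowlist, recording whether each one sits after the closing body/html tag, as described for this injection. The allowlist, hostnames and sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: hosts this hypothetical site is expected to load scripts from.
ALLOWED_HOSTS = {"blog.example", "cdn.blog.example"}

# Constructed sample: a page with one script appended after </html>.
SAMPLE_PAGE = """<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="http://cdn.blog.example/theme.js"></script>
</head><body><p>Post</p></body></html>
<script src="http://injected.example/s.js"></script>
"""


class ScriptAudit(HTMLParser):
    """Collects external <script src> references whose host is not allowlisted."""

    def __init__(self, allowed_hosts):
        super().__init__(convert_charrefs=True)
        self.allowed = {h.lower() for h in allowed_hosts}
        self.body_closed = False  # set once </body> or </html> has been seen
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script, no remote reference to check
        # hostname is None for relative paths and is lowercased by urlsplit;
        # protocol-relative URLs ("//host/x.js") are resolved to their host.
        host = urlsplit(src.strip()).hostname
        if host and host not in self.allowed:
            line, _ = self.getpos()
            self.findings.append(
                {"line": line, "host": host, "after_body": self.body_closed})

    def handle_endtag(self, tag):
        if tag in ("body", "html"):
            self.body_closed = True


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings for script tags loading from unexpected hosts."""
    parser = ScriptAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE):
        print(finding)
```

A finding with `after_body` set is a strong hint that the tag was appended to a template or output file rather than emitted by the theme, so the file's modification time and the server access logs are the next things to check.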

YunShui

  • Guest
Re: False positive with html:script-inf
« Reply #4 on: August 23, 2011, 05:10:14 PM »
Thank you guys. Do you have any idea about how it can be attacked? I'm using a WordPress plugin that protects the site against XSS, CSRF, Base64_encode and SQL Injection and has htaccess protection.

Should I change my webhost or is it a WP vulnerability?


YunShui

  • Guest
Re: False positive with html:script-inf
« Reply #6 on: August 23, 2011, 05:52:30 PM »
Thank you again Scott.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 34034
  • malware fighter
Re: False positive with html:script-inf
« Reply #7 on: August 23, 2011, 07:40:44 PM »
Hi YunShui,

Site seems now cleansed, see: http://urlquery.net/report.php?id=1948

There is still a theme issue here: Wordpress theme: -http://bichi-web.com/wp-content/themes/bichi/
Wordpress internal path: -/home/bichiweb/public_html/wp-content/themes/bichi/index.php

Your website makes use of cookies without Platform for Privacy Preferences Project (www.w3.org/P3P/)
The website gives away that the content is being generated dynamically through the "X-Powered-By" HTTP Header. It is a better security policy to remove this header.
The website makes use of a tracking graphical.
The server gives away details of the server software version, this should be avoided, so hackers won't be any the wiser.

Spam Check and Safe browsing status green, Child safety rate a non critical 0.28 % hit.

Stay safe and secure online is the wish of,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!