avast blocking piriform forum

http://forum.piriform.com/

Sometimes I get an avast popup saying it is blocking a virus, sometimes not, but I always get:

Fatal error: require_once() [function.require]: Failed opening required ‘./initdata.php’ (include_path=‘.:/usr/local/php53/pear’) in /home/ccleaner/public_html/index.php on line 23

anybody else?

http://sitecheck.sucuri.net/results/forum.piriform.com/
http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v22
http://zulu.zscaler.com/submission/show/e1820da766e49e123ab35c26999edc76-1351838538

Thanks for the links. The first time I tried the zscaler.com link, it said forum.piriform.com is OK. The second time it said it is malicious. The sucuri.net link reports it as malicious.

forum.piriform.com is an old established forum. I don’t go there frequently so don’t know how long this problem has existed. Of course they could be infected but I doubt it. I suspect it’s just a bug in their code. I tried to email their webmaster but it was returned as undeliverable.

  1. You’re welcome.
  2. Good.
Of course they could be infected but I doubt it.
Of course not... avast must be wrong ;)

http://urlquery.net/report.php?id=77737

and the site seems to be down now

We have an article somewhere in here (can't find the link now) about infected websites hacked/found every 3,5 sec

They always say that… ::)

According to the following 2 testers, forum.piriform.com is up
http://www.isup.me/forum.piriform.com
http://host-tracker.com/check_res_ajx/11494891-0/

found it

Every 3.6 seconds a website is infected
http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/

Nothing is 100% secure…
and the more people that visit a site, the more interesting it is for the bad guys to infect, as they fish in the pond that has the most fish… bigger chance that someone takes the bait

See the urlQuery link I posted above… click the picture in the top right corner

Any site can get infected… Geeks to Go was hit about a year back, only Avast spotted it. The site was down for a day whilst they cleared the redirect malware

EDIT: A hack has been confirmed, cleaning it now

I’m not getting the avast block anymore (are you?), just
Fatal error: require_once() [function.require]: Failed opening required ‘./initdata.php’ (include_path=‘.:/usr/local/php53/pear’) in /home/ccleaner/public_html/index.php on line 41
So I think this is a case of a buggy website, not a virus. They’ve cut themselves off from the outer world by making their registration private and not providing a working email address to contact them. So they may still be unaware.

There is infection there… better not go there ::)

I can’t. Apparently nobody can because of the website coding bug. It’s not working. I doubt that it is a virus.

Neither Eset nor MBAM will allow you to go there, so methinks an infection is the best bet

Let's put it this way: why would piriform.com, a UK company, be connecting to a Russian IP address (rather than a plain language domain name)? At best that is obfuscation, at worst highly suspect.

http://en.wikipedia.org/wiki/Piriform_(company).

"Piriform is a privately owned software house based in the West End of London, UK"

Though server appears to be in Texas.

When this is in relation to an iframe, I get even more suspicious as it reeks of iframe injection. Look further and you will find that the 46.166.147.133 IP address is on the avast malicious sites list and WOT doesn’t like it either. I’m sure if you do any further analysis on the 46.166.147.133 IP you will no doubt find more, so it looks like an iframe injection attack on piriform.
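The reasoning in the post above (an iframe whose source is a bare IP address on another host suggests injection), as an added example that is not part of the original thread: a Python check a site owner could run over saved page HTML. It also flags frames hidden from the visitor, which goes beyond what the post mentions; the `audit` function, the hostnames and the sample page are constructed, and 203.0.113.5 is a documentation-range address.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeAudit(HTMLParser):
    """Collect cross-host iframes that use a raw IP source or are hidden."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlsplit(a.get("src", "")).hostname or "").lower()
        if not host or host == self.page_host:
            return  # relative or same-host frame: outside this check
        reasons = []
        try:
            ipaddress.ip_address(host)  # raises ValueError for a DNS name
            reasons.append("src host is a raw IP address")
        except ValueError:
            pass
        style = a.get("style", "").replace(" ", "").lower()
        if (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style):
            reasons.append("frame is hidden from the visitor")
        if reasons:
            self.findings.append((a["src"], reasons))


def audit(html, page_host):
    """Return (src, reasons) for every suspicious iframe in the HTML text."""
    parser = IframeAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page, not the HTML of any real site.
SAMPLE = """
<html><body>
<iframe src="http://forum.example.test/ads.html" width="300" height="250"></iframe>
<iframe src="https://video.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="http://203.0.113.5/in.php?a=1" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>
"""
```

Calling `audit(SAMPLE, "forum.example.test")` reports only the third frame, with both reasons attached.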

The forum.piriform.com website is back up now. I’ve been able to go there and login as usual, with no more avast blocks/warnings. It is still producing some errors but I believe that’s faulty coding or a server error. I believe the former virus block was probably a false positive from avast, but that’s just my impression. Possibly it was infected and they’ve fixed it already. I don’t know of any way to find out except - I’ve finally managed to send them the info via a support ticket.

yep! infected…

I sent a copy of infected HTML to Avira labs and even they confirmed it:

The file ‘Piriformforum_infection.html’ has been determined to be ‘MALWARE’. Our analysts named the threat JS/Redir.BF. The term “JS/” denotes a Java script virus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Why the insistence that it was a coding error… Three antimalware programmes call it infected along with several URL checkers?

Oops not fully cleaned

Me neither… Spoke too soon… went there once, got nothing from avast… second attempt and got a hit ;D
Scanned my chrome folder and temp files and didn't find anything… it looks like it comes clean once and a hit at the next attempt!