avast blocking piriform forum

Piriform’s various programs, including CCleaner, check for program updates when run by default. Could this somehow be leveraged to spread infections to the machines using their programs, short of the actual installer programs on Piriform’s site being infected? Right now, the discussion is only about their forum.

OK it looks like this:

HTML Redirector>>Redirects to Blackhole exploit!>>Infected!!

Looks like it was cleaned… then re-infected, and again cleaned now… The infected HTML was removed and a clean one looks to have been restored.

Scan of the new HTML: https://www.virustotal.com/file/6258da3cd6fb37ad51dab41fc576bf1ab14a66947b987b1c257a728bbf0a2726/analysis/1351871681/

If you have read my post above yours, do you really think this is a coding problem or a false positive? I don’t. Revisit the urlquery link given by Pondus in reply #4; that shows what is going on quite clearly. Look at the Intrusion Detection Systems entries and expand the two GET entries. At the very least it looks very strange.

Hi GopherJohn,

I do not think it is malicious intent on their side, but they “blundered” by not defining an absolute path - the file does not exist, and they have to go over their file logs.

“Virtual server path” is not distinguished from “filesystem path”, and then we get a PHP error: Fatal error: require_once() [functi…
but that is neither Apache nor PHP related. See whether this is just a programming error or malware related as described here:
http://labs.sucuri.net/db/malware/php-error-fatal-error.
They have to run "php -f /common/configs/config_templates.inc.php" there as a validity check for the PHP syntax.
People (webmasters, hoster admins, etc.) keep websites up, but are not very savvy at server security (hardening) or securing PHP etc.
@true indian, and then they were infected…

Not actually with Blackhole, because that was when the site had another IP, 46.166.147.133, and it is now at 50.28.75.78.
Check the ip against the IDS alert IP…
@DavidR → check this further down on the urlquery result page…
The PHP hick-up error could be due to the former iFrame injection, but I do not have their logs, so that is an assumption…
At least I think the site is still vulnerable…but they are not alone there ;D

polonus
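As an added illustration (not code from any poster in this thread, nor from avast or Piriform), here is the kind of check a site owner can run over their own pages to spot an injected redirector iframe like the one discussed above: it flags iframes whose src points off-site, to a bare IP address, or that are sized 1x1. The sample HTML, the forum.example.com host and the 203.0.113.7 address (a documentation-range address) are constructed for the example and are not the IPs mentioned in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample page: one legitimate same-site iframe and one injected,
# hidden 1x1 iframe pointing to a bare IP (hypothetical, documentation range).
SAMPLE_HTML = """
<html><body>
<h1>Forum</h1>
<iframe src="https://forum.example.com/embed/stats"></iframe>
<div style="display:none">
<iframe src="http://203.0.113.7/in.php?a=1" width="1" height="1" frameborder="0"></iframe>
</div>
</body></html>
"""

# Match each opening <iframe ...> tag, then pull key=value attributes from it.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
BARE_IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def find_suspicious_iframes(html, site_host):
    """Return [(src, [reasons...])] for iframes that look like injected redirectors.

    site_host is the hostname the page legitimately lives on; iframes that load
    from a different host, from a bare IP, or that are 0/1 pixel wide or high
    are reported. A legitimate same-site iframe produces no finding.
    """
    findings = []
    for tag in IFRAME_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""
        reasons = []
        if host and host != site_host:
            reasons.append("off-site host %s" % host)
        if BARE_IP_RE.fullmatch(host):
            reasons.append("bare IP address")
        if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
            reasons.append("tiny dimensions")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_sample():
    """Run the check over the constructed sample page."""
    return find_suspicious_iframes(SAMPLE_HTML, "forum.example.com")


if __name__ == "__main__":
    for src, reasons in scan_sample():
        print("suspicious iframe:", src, "->", ", ".join(reasons))
```

The check is deliberately narrow: a real sweep would also look at script tags, meta refresh and JavaScript location changes, and would compare the fetched page against a known-good copy, since an attacker who has write access to the server can hide a redirector in many more places than an iframe.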

I don’t know. It’s working OK for me now which is all I care about. I posted in their forum and referenced this thread, so at least they’re notified now.

In general I assume all avast blocks are false positives, which is usually the case in my experience. It’s only a warning of a possible infection. I don’t let my panties get tied up in a knot about it. :slight_smile:

@ polonus
Yes, the Russian IP of a site considered malicious by avast is basically the point I’m trying to make: this really had to have started out as a genuine infection (injected iframe). So it is a case of avast making a good detection on a site which would otherwise have been considered safe/good.

It just proves the rule that there is no such thing as a safe site (any more) as the volume of hacked sites marches on.

Not to mention the power of the web and network shields to protect avast users and a function that many antivirus tests are incapable of testing. True life scenarios, where avast isn’t reliant on the actual payload being detected by conventional on-demand scanning.

It is a correct detection… every scanner confirms it… it’s not an FP… avast just saved your ass!! ;D

You can believe that, but I am not convinced.

I trust Piriform (I use several of their free programs), and my question was more about these programs phoning home to check for updates and triggering a payload from Piriform’s servers somehow. I would guess that the server that hosts the install programs is much better protected and may not be compromised. The programs use port 80 during their update checks.

pirirform http://forum.piriform.com/index.php?showtopic=37118&hl=avast&fromsearch=1

Wilders http://www.wilderssecurity.com/showthread.php?t=335211

:o ::slight_smile:

yeah…most likely a Halloween trick ;D

@JohnnyBob,

Why can posters here not believe that there are loads and loads of websites where those who have to concern themselves with website security or server security of that particular website have zero knowledge or too little of these issues? If they knew what they were doing, we would not have issues with sites that are being attacked, hacked, injected, malvertised, misconfigured, laden with malicious iFrames, Java and JavaScript malcode etc. every minute of the day. Sites are open to vulnerabilities because website software has not been updated, servers give away full version numbers, hackable PHP and Perl are low-hanging fruit for malcreants on automation, and what more.
Seen from the range of infested, suspicious or vulnerable websites I have seen and analyzed through scanning over a couple of years at the virus and worms section, I feel obliged to look good and hard before I declare a website all clean and secure. I am not fearmongering here or spreading FUD; this is the sorry state of overall website security. Alas, these are the facts, and a threatening situation for visitors of many websites…

polonus

If you think every avast! block is a false positive then you should not be using it. I do not tolerate those who do not take for granted what they have. Some people do not have avast! and they would’ve got infected. You should be lucky that you’ve this antivirus.

~!Donovan