Avast Detecting Virus Scanned with google clean

Hi, I would like to know what ad.nce.name/in.cgi?2 is.
I am encountering it on one of my websites, http://noahsarkventure.com
I scanned my site with Safe Browsing by Google and it looks clean; tested with other virus scans, it looks clean.

I tried googling for ad.nce.name/in.cgi?2 but had no success.

Anubis report
http://anubis.iseclab.org/?action=result&task_id=1799e809f5187a104b92a88c385b844e8&format=html

Wepawet report - seems to be a redirect… scroll down to the bottom where it says redirect
http://wepawet.iseclab.org/view.php?hash=07238bbd4d30ab3ebd4e421c052c0bed&t=1316554292&type=js

Both redirect URLs listed seem to be dead

http://www.downforeveryoneorjustme.com/http://ad.nce.name/in.cgi?2
Note… this seems to respond: s23.ru.tf/dog.php

dog.php - 3/17
http://www.metascan-online.com/results.cgi?uid=16gra6u679kfhe4lk4bns9lq7qzpx9s3

Hi noahsarkventure & Pondus,

To noahsarkventure: break that link, like -http://noahsarkventure.com/; until it is taken out of the avast Netshield’s sinkhole, users clicking it may get a Netshield alert…

Here the URL is found to be clean: http://urlquery.net/report.php?id=3330 (no alerts)
and here: http://www.google.com/safebrowsing/diagnostic?site=noahsarkventure.com
(non-suspicious)
Vulnerability here at: WordPress internal path: -/home/noahsa7/public_html/wp-content/themes/u-design/index.php
-http:/ad.nce.name/in.cgi?2 blocked by avast Network Shield as URL:Mal
because redirects to Ransom LockEmAll -s23.ru.tf/dog.php
This is a compromised zombie website / Directs to Exploits, but I get a 404 not found trying to go there - server IP(s): 146 dot 185 dot 242 dot 8

polonus

Thanks for the input. Does it mean I have a dog.php file or redirect link s23.ru.tf/dog.php in my site?

Looks like that, yes…

I scanned my files looking for the keyword “s23.ru.tf/dog.php” using Agent Ransack and didn’t find any.
Checked index.php, no suspicious code found.

I am no expert on this… not sure if this helps?
But if you look in the Wepawet report and count 14 lines from the bottom up, they are listed just under the about:blank

I did look for such a URL but did not find any.

I can PM Scott so he can have a look, he is usually good at finding stuff on these websites

OK, done… but I don’t know when he will arrive :wink:

I don’t get any alerts on the site ???

Do you have a screenshot of the detection?

Also, that redirect listing is not there when I check the site on wepawet
http://wepawet.iseclab.org/view.php?hash=3c8a85bc90c9dba8fa52a0009ca68bb6&t=1316650152&type=js

I guess someone must have been making changes to the website since my wepawet scan ?

Hi Pondus,

I did a link check there and indeed dead links there
406 http://noahsarkventure.com/feed
406 http://noahsarkventure.com
406 http://noahsarkventure.com/blog
406 http://noahsarkventure.com/request-quote
406 http://noahsarkventure.com/portfolio
406 http://noahsarkventure.com/clients-testimonial
406 http://noahsarkventure.com/sitemap
error occurs in the final step - it typically indicates the programming of our systems or of the Web server which manages the site. Just see a renewed check performed, here are the results: http://urlquery.net/queued.php?id=3368
Bad stuff detection results:
Check took 7.08 seconds

(Level: 0) Url checked:
-http://noahsarkventure.com
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://noahsarkventure.com/wp-content/themes/u-design/scripts/dd_belatedpng_0.0.8a-min.js
Blank page / could not connect *
No ad codes identified

(Level: 1) Url checked: (script source)
-http://noahsarkventure.com/wp-includes/js/l10n.js?ver=20101110
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.google.com/jsapi
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
-http://www.google.com///:
Blank page / could not connect *
No ad codes identified

(Level: 2) Url checked: (script source)
-http://www.google.com/+b+
Blank page / could not connect *
No ad codes identified

(Level: 1) Url checked: (script source)
-http://noahsarkventure.com/wp-content/plugins/google-calendar-widget/date.js?ver=alpha-1
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://noahsarkventure.com/wp-content/plugins/google-calendar-widget/wiky.js?ver=1.0
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://noahsarkventure.com/wp-content/plugins/google-calendar-widget/ko-calendar.js
Zeroiframes detected on this site: 0
No ad codes identified

* may indicate bad links (or redirecting/footer script)

polonus

Hi noahsarkventure,

Well, the site seems secure, but still has these issues; site vulnerable to:

  • Oracle Java Web Start Plugin Command Line Argument Injection, CVE-2010-0886
  • Java Plugin LaunchJNLP DocBase, CVE-2010-3552

Furthermore one security issue, the site uses tracking graphics…
Spamcheck and safebrowsing secure, test here: http://www.java.com/en/download/help/testvm.xml

polonus