Ebay Login - False Positive???

When bringing up Ebay.com’s login screen, I get a notice from Avast that the connection with Ebay is aborted due to a redirecter - “JD” or something like that. However, I am still able to get into Ebay.

Follow up scans with MalwareBytes and Avast full scan show nothing. Is this a false positive?

I am using Firefox, Win7 64bit and this has never happened before. From searching the net, it seems this was a problem for some folks at one time, though.

Use Viruses and Worms forum section for False positive posts

as the info for this section says:

Avast Free/Pro/IS/Premier topics and issues, not viruses or false alarms here!

Screenshots of Avast messages are a big help, then we avoid the "… or something like that"

Not really comfortable to log in again, but the Avast abort connection warning is “JS Redirector -BKG”

JS Redirector -BKG
Meaning it contains JavaScript (JS) that redirects you to another site

The Avast message should also say exactly where it sees this … a screenshot says more than a thousand words :wink:

I tried Internet Explorer, a browser that I never use, and no problem.
I will post a screen shot.

Thank you for your kind help.

Here is the SS… also, please see below thread for discussion…thanks.

https://community.ebay.com/t5/Technical-Issues/JS-Redirector-BKD/td-p/27724701

Susceptible to man-in-the-middle attacks:

SSL expires soon
HTTP Strict Transport Security (HSTS) not enforced
HSTS header does not contain max-age
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Secure cookies not used

Vulnerable to cross-site attacks:

HttpOnly cookies not used
When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain type of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
EXPECTED:
[all set-cookie headers include ‘httponly’]
FOUND:
set-cookie (s): s HttpOnly;, set-cookie (dp1): dp1, set-cookie (ebay): ebay, set-cookie (nonsession): nonsession

Emails can be fraudulently sent: Lenient SPF filtering
Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should definitely not contain (+all) or (?all) mechanisms, as these allow any domain to send email posing as this domain. This record should preferably not use the (~all) mechanism either, as it only soft-fails mail from unauthorized senders and still allows the message to be delivered. Best practice is to use (-all).
EXPECTED:
contains -all
FOUND:
contains ~all

DNS is susceptible to man-in-the-middle attacks:

DNSSEC records prevent third parties from forging the records that guarantee a domain’s identity. DNSSEC should be configured for this domain.
EXPECTED:
true
FOUND:
false

Not all is resolving: https://urlquery.net/report/cb19788e-6e82-4cee-b17a-c348840f0aaf

Only CLEANMX comes up with a detection for PHISHING.

Detection for

All Malicious or Suspicious Elements of Submission
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
-signin.ebay.com/ws/$$d$$ benign
-(embed) -signin.ebay.com/ws/$$d$$
status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&_trksid=m570.l1524)saved 16879 bytes 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6
info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js
info: [script] -secureinclude.ebaystatic.com/js/e1057/us/v4_e10572us.js
info: [script] -secureinclude.ebaystatic.com/js/e1057/us/e10572us.js
info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
info: [img] -ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
info: [img] -ir.ebaystatic.com/cr/v/c1/66165_060618_BAU_VA_FLASH_COUPON_D150x30_R1.png
info: [script] -ir.ebaystatic.com/rs/v/qd3dhgal0203tnw1xo4kmgsjcmq.js
info: [img] -rover.ebay.com/roverimp/0/0/9?imp=1018649
file: 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6: 16879 bytes
/////////////////////
: [script] wXw.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
info: [script] -secureinclude.ebaystatic.com/js/v/in/roverlv.js
info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
info: [img] -ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
info: [img] -rover.ebay.com/roversync/?site=0&stg=1&mpt=1528302877907
info: [img] -c.paypal.com/v1/r/d/b/ns?s=EBAY_SIGNIN&js=0&r=1&f=d5f33c851630ab112eb6b596ff94caa8
info: [iframe] wXw.ebay.com/n.html?id=usllpic0&id=d5f33cd31630ab112eb03b20fffbb256&suppressFlash=true
info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js#SYS-ZAM_e1063_1_EUS
info: [script] -ir.ebaystatic.com/rs/v/dw5a31rmxmzjfazlcvx4wnwylmt.js
info: [embed] -signin.ebay.com/ws/$$d$$
info: [decodingLevel=0] found JavaScript
error: line:162: SyntaxError: missing ; before statement:
error: line:162: t.msg=msg;t.ajxUrl=msg.svcConfig.url;if(t.tkSp)t.tkSp.innerHTML=“<input type=“hidden” name=”“+t.tkP4S+”" value=“”+t.tkvalue+“”>“;},udtImgSrc:function(urlObj){var t=this,url=t.imUrl,p4S=t.tkP4S,value=t.tkvalue;if(urlObj){if(urlObj.url)t.imUrl=url=urlObj.ur
error: line:162: …^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: <script src=”-https:/www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js" t
error: line:3: …^
file: 56b5297e88f451e05e14a9687962420025555493: 176541 bytes
-www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js suspicious
[suspicious:5] (ipaddr:23.209.177.108) (script) -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&_trksid=m570.l1524)saved 205496 bytes 5ad5129f9cef2979443f55661271399ed7db90cb
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [img] -www.ebay.com/rdr/js/s/
info: [decodingLevel=0] found JavaScript
error: undefined function document.querySelectorAll
error: undefined variable s9F
info: DecodedGenericCLSID detected CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
info: DecodedMsg detected /info.ActiveXObject ShockwaveFlash.ShockwaveFlash
info: [decodingLevel=1] found JavaScript
info: file: saved -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js to (5ad5129f9cef2979443f55661271399ed7db90cb)
file: 5ad5129f9cef2979443f55661271399ed7db90cb: 205496 bytes
file: d897ae35cddc448eda57f3bc8898014a9c10fe74: 248 bytes
See sources in sinks in that code: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.ebay.com%2Frdr%2Fjs%2Fs%2Frrbundle-v1.0.2.js

polonus (volunteer website security analyst and website error-hunter)
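The scan output quoted in the post above reports three kinds of configuration findings: Set-Cookie headers without HttpOnly or Secure flags, a Strict-Transport-Security header that is missing or not preload-ready, and an SPF record ending in ~all instead of -all. As an added example, not from the thread or from the scanner that produced that output, here are the same checks written in Python and run over constructed sample data. The cookie names mirror the findings quoted above, but the values, the HSTS header strings and the SPF record are made up, and the one-year max-age threshold is the hstspreload.org submission requirement.

```python
"""Header and DNS policy checks of the kind reported in the scan output above.

Added example for this thread; the inputs below are constructed samples,
not headers or records captured from ebay.com.
"""
import re

# Constructed Set-Cookie headers; names echo the quoted findings, values are invented.
SAMPLE_COOKIES = [
    "s=abc123; Domain=.example.com; Path=/; HttpOnly",   # missing Secure
    "dp1=xyz; Path=/",                                  # missing both flags
    "sess=1; Path=/; Secure; HttpOnly",                 # correctly flagged
]

# One-year max-age is the preload-list requirement (assumption stated in the lead-in).
PRELOAD_MIN_MAX_AGE = 31536000


def cookie_findings(set_cookie_headers):
    """Return (cookie_name, missing_flags) for every cookie lacking HttpOnly or Secure."""
    findings = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        # Attribute names are case-insensitive; value-less flags like HttpOnly have no '='.
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


def hsts_findings(header_value):
    """Check a Strict-Transport-Security value against the preload requirements.

    Returns a list of problems; an empty list means the header is preload-ready.
    """
    if header_value is None:
        return ["HSTS not enforced"]
    directives = {}
    for raw in header_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition("=")
        directives[key.strip().lower()] = value.strip()
    problems = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append("max-age below one year (preload requires >= 31536000)")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains missing")
    if "preload" not in directives:
        problems.append("preload missing")
    return problems


def spf_findings(record):
    """Classify the terminating 'all' mechanism of an SPF TXT record."""
    if not record.lower().startswith("v=spf1"):
        return "not an SPF record"
    verdicts = {
        "+": "fail: +all lets any host send as this domain",
        "?": "fail: ?all is neutral and gives receivers nothing to act on",
        "~": "warn: ~all soft-fails unauthorized senders but mail is still delivered",
        "-": "ok: -all hard-fails unauthorized senders",
    }
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            # A bare 'all' has the implicit '+' qualifier.
            return verdicts[match.group(1) or "+"]
    return "warn: no 'all' mechanism, evaluation defaults to neutral"


def report(cookies, hsts_value, spf_record):
    """Aggregate the three checks into one dict, the shape a scanner would print."""
    return {
        "cookies": cookie_findings(cookies),
        "hsts": hsts_findings(hsts_value),
        "spf": spf_findings(spf_record),
    }


if __name__ == "__main__":
    # Constructed inputs reproducing the three findings quoted in the thread.
    for key, value in report(SAMPLE_COOKIES, None,
                             "v=spf1 include:_spf.example.com ~all").items():
        print(key, "->", value)
```

Point the three functions at real response headers and a real TXT lookup (for example via `urllib.request` and `dnspython`) and the same classification logic applies unchanged.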

Thank you once again… however, I am not an expert.

Please explain what this all of this means and what should I do?

4 Avast and MBytes scans come up zero, ADW Cleaner = same.

I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest… I deleted immediately. I am running a boot scan for safety's sake.

Also tried it on a second machine - Avast ids the threat as before.

Wonder what is going on? Hard to believe the Ebay login is infected and there is no word about it…

Howdy to you, The Sniggler,

Hopefully an avast team member will come to this thread and give the detection or FP the final verdict.

The detection for “Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold”
is a generic IDS detection, the code is running longer than expected max run-time,
and that is always somewhat alarming.

As you can see, it says in the unpacker javascript evaluation SUSPICIOUS,
so that does not mean malicious per se.

So bide your time until to-morrow as it is near a quarter past eleven in the evening here in old Europe.

EBay infested, would fill some news line on the security forums.
Hope, that is not so and that it is only a glitch in the code.

Have a nice day from here near Rotterdam some 20 kilometers from the North-Sea coast,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

P.S. In the meantime the analysts of such browser based issues, can read here for backgrounds:
https://www.aldeid.com/wiki/Category:Digital-Forensics/Browser-based-Malwares/JavaScript

Damian

I deleted immediately. i am running a boot scan for safety sake.
Why boot scan?

Boot scan does not give any better detection, it is the same engine and signatures that run. It is a tool meant to be used if you have problems removing an infection.

I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately.
So now you can't send it to avast lab for analysis ::) Why the rush to delete quarantined items?

Hi Pondus,

As I added there "Do not panic", everything is under control and soon it will be clear if it is code to be quarantined (and then inside the chest it cannot do any harm, like someone jailed) or it is indeed not the real McCoy and a false positive, and all can give a sigh of relief. ;D

We shall see what will be the final outcome soon,

polonus

Probably because avast suggests running a boot time scan after an alert.

I removed it to get it off my system… I have not had a virus in the past 15 years and thought removal was best.

I did the boot scan to be absolutely sure there was nothing on my PC. I always thought the boot scan was the most thorough. Thanks for your advice.

It is strange that Avast says that the connection to Ebay is aborted, but I can still log on. So the connection is not cut.

Also, I note that if I clear the notification in Avast the warning does not re-appear. However, if I reboot and then start over, then the warning will re-appear.

I wish I knew what is going on here… although others have faced this in the past, there is no other current discussion of this anywhere and I have been an Ebay user for many years with no problems. No clue as to what to do with my Ebay listing as I am afraid to log on.

Thanks again.

Many,many thanks for your kind words… from your icon, I thought Poland, perhaps.

FWIW, Avast notification says:

Moved rrbundle.flat.min[1].js to Viruschest infected with JS:redirector-BK [TRj]

Hello.

I have already found the file and submitted it here

rrbundle.flat.min[1].js

https://www.virustotal.com/#/file/580bcd36c4ffc5f66642b7823c5d547c71f1b4b48aab27dc8ee0e3ceb0b527be/detection

Avast detects as JS:Redirector-BKG [Trj]

Screenshots of the detection attached

Reported to Virus Lab ~

JS:Redirector-BKG [Trj] was already disabled yesterday, but I am strongly against using obfuscated scripts. Minified scripts are ok, but this specifically was bloated to avoid detection of redirection.

Hello:

I just got the same message from Avast that this threat was avoided. Here is the report:

Threat name: JS:Redirector-BMU [Trj]

URL: https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js

Process: C:\Program Files\Mozilla Firefox\firefox.exe

I tried it on a new computer with Avast and it turned up the same warning about this same Redirect.

Is this a false positive?

I was able to log on to ebay and conduct business as usual but I'm somewhat worried about this. I ran Malwarebytes, SuperAntiSpyware, and a number of other stand-alone scanners such as Vipre Rescue. Nothing. And Avast, other than this warning, showed nothing when I did the suggested scan included with the warning.

Someone please reply. I'm new here and never posted before. I noticed others on the internet reporting the exact same problem when signing in to ebay.

Thanks for any help. I love Avast.

This was an earlier analysis of that specific uri:
https://www.hybrid-analysis.com/sample/92f0cef3f180ee7c220e6aab82b0bb8c7a67904d4c4c6f02b5c13a6d18e634e1?environmentId=100
What HonzaZ meant was an anti-detection stealthiness: Creates a resource fork (ADS) file (often used to hide data). 1/67 reputation engines marked "-http://www.ebay.com" as malicious (1% detection rate)
source
External System
relevance
10/10
Various AV will return it as clean, but we see no best policies followed here :smiley:

polonus (volunteer website security analyst and website error-hunter)