False Positive JS:ScriptIP-inf

Hello,

hxxp://www.surfactif.fr/site_under_total.php

False positive, nothing detected with nod32, kaspersky and bitdefender.

Thank you.

Test it at VT (virustotal.com) and post the link here.

So you don’t think that this little obfuscated gzip file being loaded isn’t suspicious.

VT only has three detections avast and GData.
http://www.virustotal.com/file-scan/report.html?id=1c24ff93092f2f9b57f231f9c4fe58ed0dfccfd3d27b60371edfd230d7630307-1306514843

Usually, I would guess on FP with this dedection rate.
But since you posted the obfuscated gzip file… :-\

So this link is bad ?

I use nod32 on my main computer, so I have no problem with this link, but on some websites called autosurf (trafic generator on a website), you can see this link in a viewbar.

I use avast on a second computer, and I have some alert with this link.

I can’t say for sure, but it is most certainly suspicious. I’m always concerned when any level of obfuscation is used.

Avast (the company) answer me : “False positive will be fixed in next VPS update.”

So it seems to be okay, no worry about this link, it’s weird ::slight_smile:

Thanks for the update, weird is certainly right.

Hi DavidR,

There were some GET /favicon.ico HTTP/1.1 but could not connect,
According to this report the site is safe: htxp://urlquery.net/report.php?id=2763
See the warnings ar urlquery.net, only visit given link there if security aware and know what you are doing.
But when I analyze the site here: htxp://monkeywrench.de/result.html?id=3805338&displaykey=zd8821f3
avast webshield flags JS:ScriptPE-inf [Trj] there
As unmaked parasites is also flagging the site for 1 suspicious inline script found:
see attached gif image
Goes to a suspicious link, see: http://www.urlvoid.com/scan/cashinlink.com
banner-clicker

polonus

Yes I saw that one and another when I downloaded just the php file. But I suspect they may well have been affiliate/sponsored links.