false positive on neomag.co.uk

I just tried to connect to hxxp://www.neomag.co.uk and avast interrupted with the following notice
Sign of “HTML:Script-inf” has been found in “hxxp://www.neomag.co.uk/” file.
I know this is a false positive since I’ve accessed this site both this morning (UK time) and yesterday before I got the 090209 VPS update, and on other computers with other AV solutions, without problems (or infections).

Fix this before I get annoyed with having to go a roundabout route to access that site’s forums.

Edit: I broke the links just to be safe (for now)

There is a very small script to winzxm.com
That site is considered dangerous by some, http://www.mywot.com/en/scorecard/winzxm.com. I don’t know if that is what is causing the alert, but it is the only suspicious thing that I saw in a quick look.

This script tag appears within another TD tag, which is a bit of a no-no, so to my untrained eye it could be that this page has been hacked and this script inserted.

See image, I have broken the line down so it is easier to see.

So I don’t believe it is a false positive.

Has script pointing to blocked malicious site u.winzxm.com
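The check described in the posts above (an unexpected third-party script sitting inside a table cell), sketched as an added example that is not part of the original thread. The page markup, the `.example` hosts and the allowlist are constructed for illustration; `audit_scripts` and `ScriptCollector` are hypothetical names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Void elements never get an end tag, so they must not be pushed on the stack.
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}

class ScriptCollector(HTMLParser):
    """Record every <script src=...> together with its enclosing element."""
    def __init__(self):
        super().__init__()
        self.stack = []    # currently open elements
        self.scripts = []  # (src, parent tag) pairs

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                parent = self.stack[-1] if self.stack else None
                self.scripts.append((src.strip(), parent))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # tolerate unbalanced markup
            while self.stack.pop() != tag:
                pass

def host_allowed(host, trusted):
    return any(host == t or host.endswith("." + t) for t in trusted)

def audit_scripts(html, page_url, allowed_hosts):
    """Return scripts loaded from hosts that are neither first-party nor allowlisted."""
    page_host = urlsplit(page_url).hostname
    trusted = set(allowed_hosts) | ({page_host} if page_host else set())
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, parent in parser.scripts:
        host = urlsplit(urljoin(page_url, src)).hostname  # resolves /path and //host forms
        if host and not host_allowed(host, trusted):
            findings.append({"host": host, "src": src, "parent": parent})
    return findings

# Constructed sample page: one unknown script injected into a table cell.
SAMPLE = """<table><tr>
<td><img src="/logo.gif"><script src="http://u.injected.example/u.js"></script></td>
<td><script src="/js/menu.js"></script></td></tr></table>
<script src="//www.google-analytics.com/urchin.js"></script>
<script src="http://ads.partner.example/adx.js"></script>"""
```

Run against a saved copy of the page, the findings give a webmaster the exact `src` and enclosing tag to look for when cleaning up the template.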

Hi demonix00,

Here this site was flagged as well:
neomag.co.uk
Summary
•Computer Threats: 7
•Identity Threats: 0
•Annoyance factors: 0

Total threats on this site: 7

•Community Reviews: 0

The Norton rating is a result of Symantec’s automated analysis system.
The opinions of our users are reflected separately in the community rating on the right.
General Info
Web Site Location United Kingdom

Norton Safe Web has analyzed neomag.co.uk for safety and security problems. Below is a sample of the threats that were found.

neomag.co.uk
Threat Report

Total threats found: 7

Drive-By Downloads

Threats found: 7
Here is a complete list:
Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/about.asp

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/FAQ.asp?IntID=5

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/news.asp

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/article.asp?IntID=54

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/index.asp

Threat Name: Process Started
Process name: C:\DOCUME~1\user\LOCALS~1\Temp\GameeeEeee.pif
Location: hxxp://www.neomag.co.uk/subscribe.asp

But it seems they are cleaning up their act, because at the moment the site is unavailable because of maintenance. The normal link checkers like WOT, finjan, McAfee flag it all green.

These flag it as green also:

Congratulations! LinkScanner Online did not find any exploits.
Scanned:
Monday, February 09, 2009

Checking: hxxp://www.neomag.co.uk/
Engine version: 4.44.0.9170
File size: 10.75 KB

hxxp://www.neomag.co.uk/ - archive HTML

hxxp://www.neomag.co.uk//JavaScript.0 - Ok
hxxp://www.neomag.co.uk//JavaScript.1 - Ok
hxxp://www.neomag.co.uk//JavaScript.2 - Ok
hxxp://www.neomag.co.uk//JavaScript.3 - Ok
hxxp://www.neomag.co.uk//Script.4 - Ok
hxxp://www.neomag.co.uk//Script.5 - Ok
hxxp://www.neomag.co.uk/ - Ok

Checking: hxxp://u.winzxm.com/u.js (The one that kubecj pointed at)
File size: 83 bytes

hxxp://u.winzxm.com/u.js - Ok (The script kubecj mentioned, site not available for scanning by finjan,
and flagged red by WOT on four counts)

Checking: hxxp://www.the-gamer-hub.com/ads/adx.js
File size: 73 bytes

hxxp://www.the-gamer-hub.com/ads/adx.js - Ok

Checking: hxxp://kona.kontera.com/javascript/lib/KonaLibInline.js
File size: 41.40 KB

hxxp://kona.kontera.com/javascript/lib/KonaLibInline.js - Ok

Checking: hxxp://www.google-analytics.com/urchin.js
File size: 22.11 KB

hxxp://www.google-analytics.com/urchin.js - Ok

NetShield is no longer blocking when I went there. You should understand that vulnerable sites get hacked by malcreants all the time, even for shorter periods, also sites with a good reputation; not every webmaster is also a webserver security expert.

polonus


I just did a quick scan where Norton states that the site is downloading files and it didn’t find anything (plus I couldn’t find the file in question), so what happened must’ve started within the past few hours (either that or Adblock Plus has been getting its hands dirty). Also, the site is still available since I’m currently accessing their forums (they use vBulletin and none of their site elements run in that section), unless they’ve taken down their whole main site and left the forums running since that isn’t affected.

It just means that I’ll have to remember to bookmark the forums so I can bypass the main site for the time being.

Hi demonix00,

Looking for a solution and explaining what is going on is our mission here, and we are happy when you are, else report there to the webmaster or the hosting party for the site so they can clean up their act, or they already may be busy doing so. We are seeing that the number of website malware threats is increasing tremendously, and it is an ever-changing landscape now, with websites being infected just for a short while and then the malcreants or cybercriminals move on to the next victim for their malware injections. Real scanning is the only way of protection, and knowing the site is “normally safe” or has “a good reputation” would not help you much under these new circumstances. Yes, my friend, the WWW is becoming a risky place to be (as it always was in a sense), and a fundamental solution to these threats may be a long time off. For the time being be vigilant, surf safe and secure, is the wish and command of,

polonus aka Damian