False positive on redirect

A site that I do some work for uses a package called Sitebuilder to produce pages and this package–for unknown reasons–uses a js redirect in a .php file for accessing my scripts (in a subfolder).

Avast! identifies this simple redirect code as a virus. Worse still, if I replace the js redirect with a php redirect (Header(Location:…)), it drops the connection without any error message. I’ve looked at the code and, other than the mystery of why the package menu item doesn’t point to my subfolder directly, it is perfectly harmless.

Avast! is the problem here. If I turn Avast! web shield off, I get no errors at the site.

I can understand that Avast would want to (optionally) provide a warning in the event of a redirect but this apparent complete rejection of all simple redirects seems to be not a very sophisticated approach that kills quite reasonable web features.

Any solutions anyone?

A bit hard to speculate here without that site’s URL. I have no crystal ball here, so with a site address we could give you a possible indication of what is being flagged.

polonus

The site is http://www.deserttrailshiking.com. Click the menu item “Hiking” on the right; on that page the menu on the right will now show three submenu items at the bottom. Click any one of them (e.g. ‘Dynamic Hike Schedule’) and see if you get the same error message that I do.

If you now return to the “Hiking” page, you’ll see that the link for those submenu items points to something like “www.deserttrailshiking.com/page13.php”. That PHP file contains the simple js script that I was referring to. It is not a virus and should not be identified as such.

To answer your next questions:

Windows 8.1
Asus Ultrabook
Waterfox (latest)
Avast! AV Free version (latest)

I’ve done complete system scans with Malwarebytes, and Avast and AdwCleaner over the last 24 hours.

Appreciate any help you can provide.

Sucuri gives this site as vulnerable through outdated website software: Outdated cPanel - Found - Vulnerable Header: cPanel Security cPanel 11.42.1.16

Framework could not be detected here: http://guess.scritch.org/%2Bguess/?url=http%3A%2F%2Fwww.deserttrailshiking.com%2Fpage13.php I haven't been able to detect the framework (for the main site this was no problem as you will see below). If you know more, please let us know!

Please note that the CMS Detector does not follow “non-30x” redirects (e.g. javascript, meta-equiv redirection), so you might want to copy the exact url from your browser. Also, the CMS Detector may get confused by CMS-es that aren’t located in the root of the site (e.g. http://site.com/cms/).


So that sub-link has some error for Framework Parallels Plesk Sitebuilder 4.5.0 100%.
You should check that, and that might have led to the FP.
See: the site was attacked from http://www.deserttrailshiking.com/./ through to http://www.deserttrailshiking.com/././././././././././././././
Could have been a “binary of the bin command” attack to try and exploit and attack common holes in your web application.
This always could have been a valid reason for the false positive.
So whenever this is the case, update the software and file a FP report here: www.avast.com/contact-form.php

polonus

Let me be the first to concede that Sitebuilder would not be my weapon of choice for a CMS tool; it is also possible that the support staff at the site managed some kluge to overcome its shortcomings in order for us to get links to the additional features I designed for the site so there may not be some features that do not fit with the framework.

But let’s be clear: there has been no virus infection that I can detect. No other AV product registers a problem. Page13.php contains (in its entirety):

Redirect to

There is nothing suspicious here; the code points to the page that I actually want (instead of page13.php).

So back to my assertion: Avast! is giving a false positive for this–granted flawed–but innocent piece of code. I’ll use your link to report this but until then we’ll have to issue a notice at the site, warning Avast! users to nix web shield while they are using the site.

Thanks for your efforts.

Hi jobowo,

Thanks for bringing all this up, rather interesting to say the least. Remember I am not an avast! team member, just in here “for the good of my soul” and a bit of relevant knowledge. The avast! alert for htxp://www.deserttrailshiking.com/page13.php was JS:Redirector-BJF[Trj], but it is not being flagged here: https://www.virustotal.com/nl/url/4df766054531b43c54b624fa941c0a2e8c4d3f312cde7cb30089decfe750bceb/analysis/1405553133/
Just wait for the results of your reporting to avast!.
Two suspicious files reported here: http://quttera.com/detailed_report/www.deserttrailshiking.com

page30.php
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.

page17.php
Severity: Potentially Suspicious
Reason: Detected unconditional redirection to external web resource.
Details / Threat dump:
<meta http-equiv="Refresh" content="0; URL=htxp://www.santabarbara.com">

That’s all, nothing suspicious, serious or out of the ordinary when unconditional redirects were meant to be there.

polonus
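The thread turns on three ways a page can bounce a visitor (the JS location hop in page13.php, the PHP header() alternative from the first post, and the meta refresh the scanner report quotes) and on the scanner wording “unconditional redirection to external web resource”. The script below is an added example, not code from this thread, from avast!, Quttera or Sucuri: it pulls all three redirect styles out of a page’s source and asks the question such heuristics ask, whether the destination leaves the site. Host names and page contents are constructed stand-ins; the pattern names and the verdict strings are this example’s own.

```python
import re
from typing import List, NamedTuple
from urllib.parse import urlparse


class Redirect(NamedTuple):
    kind: str       # "meta-refresh", "javascript" or "php-header"
    target: str     # destination exactly as written in the source
    external: bool  # True when the destination host differs from the site's host


# <meta http-equiv="Refresh" content="0; URL=...">  (attribute order as in the thread)
META_REFRESH = re.compile(
    r'<meta\s+http-equiv\s*=\s*["\']?refresh["\']?\s+content\s*=\s*["\']\s*\d+\s*;\s*url\s*=\s*([^"\'>\s]+)',
    re.IGNORECASE,
)
# window.location = "...", location.href = "...", location.replace("..."), location.assign("...")
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*(?:=\s*|\.replace\(\s*|\.assign\(\s*)["\']([^"\']+)["\']'
)
# PHP: header("Location: ...")
PHP_HEADER = re.compile(r'header\s*\(\s*["\']\s*Location\s*:\s*([^"\']+?)\s*["\']', re.IGNORECASE)


def _normalize_host(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def is_external(target: str, site_host: str) -> bool:
    """A relative URL, or one on the same host (ignoring a 'www.' prefix), stays on the site."""
    host = urlparse(target).hostname
    if host is None:
        return False
    return _normalize_host(host) != _normalize_host(site_host)


def find_redirects(source: str, site_host: str) -> List[Redirect]:
    """Return every redirect found in the page source, tagged internal or external."""
    found: List[Redirect] = []
    for kind, pattern in (("meta-refresh", META_REFRESH),
                          ("javascript", JS_LOCATION),
                          ("php-header", PHP_HEADER)):
        for match in pattern.finditer(source):
            target = match.group(1).strip()
            found.append(Redirect(kind, target, is_external(target, site_host)))
    return found


def verdict(redirects: List[Redirect]) -> str:
    """Mimic the scanner wording: only a hop off-site earns the 'external' label."""
    if not redirects:
        return "no redirect"
    if any(r.external for r in redirects):
        return "unconditional redirect to external web resource"
    return "redirect within the same site"


SITE_HOST = "www.example.com"  # constructed; stands in for the site discussed in the thread

# Constructed stand-in for a page13.php-style stub: a JS hop to a subfolder on the same site.
PAGE_JS_INTERNAL = """<html><head>
<script type="text/javascript">window.location.href = "hikes/schedule.php";</script>
</head><body>Redirect to <a href="hikes/schedule.php">the hike schedule</a></body></html>"""

# Constructed stand-in for the meta-refresh pages in the scanner report: an off-site destination.
PAGE_META_EXTERNAL = """<html><head>
<meta http-equiv="Refresh" content="0; URL=http://www.example.org/">
</head><body></body></html>"""

# Constructed: the PHP header() alternative mentioned in the first post.
PAGE_PHP_INTERNAL = """<?php
header("Location: http://www.example.com/hikes/schedule.php");
exit;
?>"""

if __name__ == "__main__":
    for name, page in (("page13.php", PAGE_JS_INTERNAL),
                       ("page17.php", PAGE_META_EXTERNAL),
                       ("page13-alt.php", PAGE_PHP_INTERNAL)):
        hits = find_redirects(page, SITE_HOST)
        print(f"{name}: {verdict(hits)}")
        for hit in hits:
            print(f"  {hit.kind} -> {hit.target} (external={hit.external})")
```

Run against the constructed pages, the JS and PHP stubs come back as same-site redirects while the meta refresh is the only one that earns the “external” verdict; a scanner that flags every redirect regardless of destination is what the thread is complaining about. The patterns are deliberately literal (the meta tag must have http-equiv before content, and a redirect built from concatenated strings or inside a function is not recognised), which is also why real engines key on the exact script text rather than on the redirect idiom itself.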

Remember I am not an avast! team member, just in here “for the good of my soul”

…and mine! Impressive knowledge of resources! I think the fact that none of these sites are identifying any particular pages at DTH and certainly not the pages that Avast! is identifying as problem pages is dispelling any doubts that the problem is with Avast!

I went to report the problem at the link you provided, but when I went back to the site to reproduce the reported error, Avast! had suddenly stopped reporting a virus at those links, so I couldn’t complete the report at that point. However, I had set up the URL as an ‘exclusion’ in my copy of Avast!; it hadn’t worked before but may be working sporadically. Will try to remove the exclusion and see if I get the error reliably and will report it then.

But again, thanks for your efforts and considerable wisdom.
J.

Hi jobowo,
this exact script was used in a malware campaign since January this year and it redirected users to exploit kit landing pages.
Now it is not used anymore, so avast will not report this file after the next VPS update.
Thank you for notifying me about Sitebuilder. I am sorry for the trouble you had.

Tondah