False positive on website? Can anyone confirm/debunk?

Web Shield is blocking hXXp://www.brokenteeth.com/ due to an html:iframe-inf exploit.
It’s only done this since an update in the last day or two.

hXXp://wepawet.cs.ucsb.edu/view.php?hash=ccd83cefa517d399e49ca464afa40138&t=1272997527&type=js says benign, but I need to make sure. [if wepawet wasn’t alpha I’d be more confident :P]

TIA.

-SS

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.brokenteeth.com

Diagnostic page for tradbox.net
http://www.google.com/safebrowsing/diagnostic?site=tradbox.net
Malicious software includes 61 scripting exploit(s).

To me it looks like the site has been hacked and wepawet has got this one wrong, as it doesn’t even mention the iframe tag outside the closing HTML tag, a standards no-no and highly suspect, see image.

avast isn’t the only scanner to consider that page infected/suspect, etc. http://www.virustotal.com/analisis/ca12264c4e37ca5cb463472fcb37108d31a8713f09b6d96b3b7b5c76cb596fdf-1273009198

This iframe tries to go to a p o r n site with a poor reputation.

Not only that but avast considers that site malicious, as does firefox safe browsing (images2&3), so I would say wepawet is way off the mark.

Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
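The check described in the post above (an iframe placed after the closing HTML tag, or a hidden iframe loading from another host) can be automated. This is an added example, not part of the original thread; the sample page, its hosts and the names `IframeAudit`, `is_hidden` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (hosts are placeholders, not taken from the thread).
SAMPLE = """<html>
<body>
<p>Band news</p>
<iframe src="http://video.example.org/embed/1" width="480" height="270"></iframe>
</body>
</html>
<iframe src="http://injected.example/in.php" width="1" height="1" style="visibility: hidden"></iframe>
"""

def is_hidden(attrs):
    """True for 0/1-pixel frames or frames hidden through inline CSS."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(k, "").strip() in ("0", "1") for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class IframeAudit(HTMLParser):
    """Record every <iframe> and whether it appears after </html>."""
    def __init__(self):
        super().__init__()
        self.html_closed = False
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":  # tag names arrive lower-cased
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname or ""
        self.findings.append({"line": self.getpos()[0], "host": host,
                              "after_html_close": self.html_closed,
                              "hidden": is_hidden(a)})

def audit(html_text, site_host):
    """Flag iframes after </html>, or hidden ones loading from another host."""
    parser = IframeAudit()
    parser.feed(html_text)
    parser.close()
    for f in parser.findings:
        third_party = bool(f["host"]) and f["host"] != site_host
        f["suspicious"] = f["after_html_close"] or (f["hidden"] and third_party)
    return parser.findings
```

Run `audit()` over the raw response body rather than a browser-serialised DOM, since browsers move trailing elements back inside the body and the position signal is lost.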

Thanks for the confirmation.
I’ve let the webmaster know.

-SS

You’re welcome.

Hopefully they will quickly resolve it, not just removing the inserted iframe tag, but removing the vulnerability which was exploited for the tag to be inserted.

Hi malware fighters,

Not yet resolved: What is the current listing status for tradbox.net?

Site is listed as suspicious - visiting this web site may harm your computer.

Part of this site was listed for suspicious activity 1 time over the past 90 days.

What happened when this site was visited?

Of the 80 pages we tested on the site over the past 90 days, 0 page resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-05-04, and the last time suspicious content was found on this site was on 2010-05-04.

Malicious software includes 64 scripting exploits.

This site was hosted on 1 network(s) including AS14383 (VCS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, tradbox.net appeared to function as an intermediary for the infection of 2 sites including quickbeats.net/, tulsapage-ok.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 43 domains, including 3isoftwaresolutions.com/, quickbeats.net/, elyseskitchen.com/.

How did this happen?

In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message. Here:

* <IFrame> hidden link - htxp://tradbox.net/doxt/pWtI

polonus