False Positive question on web site.

Hello,

the following url is raising alarms in Avast but not other AV programs:

hxxp://www.phoenixexecutivenetwork.com/WebSiteFiles/Home.php

Is there a process I need to go through to verify this and submit for verification? i.e. how can I verify that this is indeed a trojan? or should I submit via a different method?

Thanks
Jim

I’m verifying it for you… wait…

Strange, page seems ok for me. I can’t find anything obvious on it.
Maybe an infected file is being linked there?

Generally, avast detection is accurate in these cases.
Wasn’t the site hacked in anyway?
Maybe you could contact its webmaster.

It hasn’t raised any alert on firefox 3.0.11, is this the exact page avast is alerting on?

When I open the page I get alerts… it is downloaded to the temporary internet files…
Here are the log-entries:

13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\EmphasizeText[1].css" file.

13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MenuBar[1].css" file.

13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MainContent[1].css" file.

possibly that helps…
I have the files in my chest now if someone needs them.

yours
onlysomeone

Looks like firefox doesn’t raise an alert, why that might be I don’t know, could this have something to do with the recent firefox update to 3.0.11 ???

I do get the same alerts in avant browser.

I have had the same in another topic, http://forum.avast.com/index.php?topic=46074.0 where I don’t get an alert in firefox but do in avant or IE.

Hi DavidR,

No alert there but this could be it

 EDITED link rel="icon" href="favicon.ico" type="image/x-icon" /^ 
^link rel="shortcut icon" href="favicon.ico" type="image/x-icon" /^  

XSS (Cross Site Scripting)

=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

Clear cut case here, avast should alert,

polonus

That really isn’t XSS as it is on the ‘same’ site, so I think the XSS rule in this case is wrong.

Hi DavidR,

You are tricked here because part of the cross-site script was wrapped "out of site/“sight”. That is why it is so difficult to detect, my friend. Read the online blogs on this devious malcode.
Not gonna argue here, but the final result is the same, form of terminology, redirect is not to the same domain. I googled the code sequence and I found the verdict that rolled out there, not gonna argue with Google nor with Snort rules there, be it whatever it should be termed.
For the strict it is malcode or exploitable, it should be cleansed.

polonus

I only have your edited script for reference, which is why I post images so there is no possibility of code being mistaken or having to be heavily edited so as not to see its intent.

The real problem as onlysomeone posted are the redirects in the .css files. I uploaded one of them (EmphasizeText.css) to VT and there were lots of hits.

Some nice examples here: http://rgaucher.info/pub/rgaucher.info-Aug-2008.log_scalp_Tue-16-Sep-2008.html

pol

Examples are not really going to help the OP or us to see what is on the site.

This image is what I posted in our other forum about this and it doesn’t show anything outside that is going to get wrapped or joined or appended, it is a relative link to the favicon.ico, that’s all.

The others to the .css files are what cause the alert by the standard shield as by default the web shield doesn’t scan text/css files. Now if we are starting to see infected .css files then perhaps we should be scanning them with the web shield. I believe from the other forum we are going to check if .css should be added to scanning by default.

So I guess we could add .css to the list for scanning inside the web shield or rather remove the exclusion.

Update, I have deleted the text/css exclusion and restarted the web shield and visited the site again and got three alerts one for each of the infected .css files. For me that is preferable to the file being downloaded into the browser cache and being detected by the standard shield.
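As an added example (not code from this thread or from avast), here is a small Python model of the text/css exclusion described above: a shield that skips responses by content type never sees a redirect spliced into a stylesheet, while the same shield with the exclusion removed flags it. The two stylesheets and the redirect URL are constructed samples, not the files from the site.

```python
import re

# Constructed samples (not the thread's actual files): a clean stylesheet and
# one with an HTML/JavaScript redirect spliced into the stylesheet text.
CLEAN_CSS = """body { font-family: Arial, sans-serif; }
.emphasize { font-weight: bold; color: #c00; }
"""
INJECTED_CSS = """body { font-family: Arial, sans-serif; }
</style><script>document.location='http://redirect.example.invalid/';</script><style>
.emphasize { font-weight: bold; color: #c00; }
"""

# Tokens that have no business inside a stylesheet; any hit is worth a look.
SCRIPT_MARKERS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "iframe_tag": re.compile(r"<\s*iframe\b", re.I),
    "location_redirect": re.compile(r"\b(?:document|window|top)\.location\b", re.I),
    "eval_call": re.compile(r"\beval\s*\(", re.I),
    "unescape_call": re.compile(r"\bunescape\s*\(", re.I),
}

def css_findings(text):
    """Return [(line_no, marker_name)] for script-like tokens found in CSS text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pat in SCRIPT_MARKERS.items():
            if pat.search(line):
                hits.append((lineno, name))
    return hits

def shield_verdict(content_type, body, excluded_types):
    """Model a web shield: content types in excluded_types pass through unscanned.
    Returns ('skipped', []), ('clean', []) or ('alert', hits)."""
    if content_type.split(";")[0].strip().lower() in excluded_types:
        return "skipped", []
    hits = css_findings(body)
    return ("alert", hits) if hits else ("clean", [])

DEFAULT_EXCLUSIONS = {"text/css"}   # the default exclusion the thread describes
HARDENED_EXCLUSIONS = set()         # text/css exclusion removed

if __name__ == "__main__":
    for name, css in (("clean", CLEAN_CSS), ("injected", INJECTED_CSS)):
        for label, excl in (("default", DEFAULT_EXCLUSIONS), ("hardened", HARDENED_EXCLUSIONS)):
            print(name, label, shield_verdict("text/css; charset=utf-8", css, excl))
```

With the default exclusion the injected stylesheet is reported as skipped and only gets caught later when the cached file is scanned; with the exclusion removed it is flagged at download time.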

So to clarify, is this site infected, a false positive, or a matter of loose coding? Should I contact the author of the site or is there a way for me to view the site correctly (given it’s not infected)?

Jim

The site ‘is infected,’ well those .css files listed in Reply #4 and the image I posted in Reply #11 above.

As I said I uploaded one of them to virustotal and there were multiple hits confirming the file I sent was infected.

In its infected state you can’t really use the site (without disabling avast, not advised) as avast would continually alert where these files are used.