I am getting a virus alert when I go to my provider’s web page to check my web mail. I don’t know if it is a false positive or not because avast is the only program picking it up. It is the HTML:Iframe-inf message. Can someone help? It is www.gvtc.com, and if it is a virus then I need to call and let them know. Thanks.
Hmm… Maybe they found out about it. This is the only source code left for that site:
Which, if you know html code, you’ll see that nothing is there but a blank page.
They might have been hacked, or they might be rebuilding due to a recent attack I suppose.
Hi scythe944,
Did a server query and this is what I got back: blank page - index_default.page
Initiating server query …
Looking up IP address for domain: wXw.gvtc.com
The IP address for the domain is: 216.177.160.25
Connecting to the server on standard HTTP port: 80
[Connected] Requesting the server’s default page.
The server returned the following response headers:
HTTP/1.1 200 OK
Date: Tue, 19 May 2009 19:55:41 GMT
Server: Apache/2.0.52 (Red Hat)
X-Powered-By: PHP/4.3.9
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
Query complete,
polonus
You are right. I re-checked and now the site is blank. I called them and let them know about my avast warning and what the forum had said, and the call center said they were sending the report up. Thanks a bunch for the help. When it comes back up, I’ll try it again.
Gvtc is back up, but I am getting the virus detected alarm again. It says it is HTML:Iframe-inf virus detected. Is it a false positive? Thanks.
It isn’t blank right now and it is alerting.
It looks like the site has been hacked; there is a hidden iframe tag after a closing table tag. See image: I have broken the line it was on to make it easier to see.
This tries to connect to another site which is a known malicious site; both avast’s network shield would block that and Firefox safe browsing also detects this site as an attack site.
It is no false positive.
David, thanks a lot. If I give you an email address to our help desk, can you forward the gifs to them? They are not coming out in my email to my provider’s help desk. Thanks again.
Sorry I’m just an avast user like you.
Well, you can copy them: right click and select save as (change the name to something like pic1.gif and pic2.gif) and then embed the images in the email. If that is the problem you can’t embed them, try attaching them to the email.
You could just as easily send them a link to this topic.
Hi jlh,
You should report this yourself to their web admin and/or webmaster or via their abuse mail address.
This is what was found there, using the Bad Stuff Detektor:
Check took 22.22 seconds
(Level: 0) Url checked:
hxtp://www.gvtc.com
Zeroiframes detected on this site: 1
No ad codes identified
(Level: 1) Url checked: (iframe source) (The one that DavidR reported rightly!) *
hxtp://crazeyt.com/?click=35e710c
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://www.gvtc.com//spryassets/sprymenubar.js
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://www.gvtc.com/inc/contentslider.js
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified
The iframe source is the malcode flagged, none of the common link scanners alerted this obviously, which is making the avast capability to flag this remarkably accurate.
*Malicious software includes 5 trojan(s), 3 scripting exploit(s), 2 exploit(s).
This site was hosted on 66 network(s) including AS8708 (RDSNET), AS41571 (TELESON), AS25133 (MCLAUT).
It looks like crazeyt.com was an intermediary to infect sites.
Was there malware hosted?
This malicious software has infected 5 domains, e.g. tomex.kom.pl/, loan-lenders.org/, bellaquinceanera.com/.
polonus
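The kind of check reported above (a zero-size or hidden iframe whose source is on another host) can be scripted by a site owner against their own pages. This is an added example, not part of the original thread and not the Bad Stuff Detektor's code; the function names, URLs and sample markup are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Inline styles that hide a frame or shrink it to 0/1 pixels.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with px)."""
    return value is not None and re.fullmatch(r"\s*[01]\s*(px)?\s*", value, re.I) is not None

class IframeAudit(HTMLParser):
    """Collects iframes that are both hidden and served from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = urljoin(self.page_url, a.get("src") or "")
        host = urlparse(src).hostname
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden-style")
        if reasons and host is not None and host != self.page_host:
            self.findings.append(
                {"src": src, "line": self.getpos()[0], "reasons": reasons})

def find_hidden_external_iframes(html, page_url):
    audit = IframeAudit(page_url)
    audit.feed(html)
    audit.close()
    return audit.findings

# Constructed sample page: one injected frame, one same-site frame, one visible embed.
SAMPLE = """<html><body>
<table><tr><td>Webmail login</td></tr></table>
<iframe src="http://bad.example/?click=0000" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="/inc/banner.html" width="0" height="0"></iframe>
<iframe src="http://video.example/embed/1" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_external_iframes(SAMPLE, "http://www.example.com/"):
        print(f)
```

This only inspects static markup; a frame written into the page by script at load time needs a rendered-DOM check or file-integrity monitoring on the server.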
Thanks to all of you. I finally described the part in the script (don’t know why they could not see the gifs, mine were fine), and they deleted the script. One of the help guys was familiar with avast and said it had alerted and that’s when they started taking me seriously. I went to the site and no alert, so hopefully it is solved. Avast is the only one of my programs that alerted, so I must congratulate them on having a good product.
Well no alerts here either, though they will also have to do some investigation as to how they were hacked or it will happen again.
Hi DavidR,
Yep, they will have to upgrade and patch their software. Very likely PHP allowed enough maneuverability for the hackers from crazeyt. They will have to go over their logfiles and harden it.
Not a lot of users of av know that malware and viruses are two different entities. Malware is malcode that can attack any OS and software, viruses are OS specific. This is important knowledge for folks that wanna protect a website from infestations, an occasional scan here: http://www.blacklistdoctor.com/bld/diagnose.php
won’t harm them either. We have to add here that none of the specific exploit scanners, except the Bad Stuff Link Checker, a user initiative online, like Exploit Prevention Labs Link Checker, unmask parasites scanner, DrWeb’s av link checker, or any of the real time scanners like finjan alerted this malcode, that we could identify so that the site could be cleansed, avast shield detection deserves the laurels here, bravo, well done avast!!
polonus
I hope our info helps those guys get their site fixed…