False positive?

Hello,
Would someone help to identify whether these two sites are actually virus or malware infected, or whether it was a false positive?

hxxp://www.preceptgroup.net/ (reported infected by JS:Illredir-CI [Trj])

hxxp://www.premierfitness.ca/overview (reported infected with HTML:iframe-inf)

I remember seeing around ten detections of iframe.inf from known business sites. Does iframe.inf generate many false positive detections?

Some advice please,
Many thanks. :)

working fine here…
http://www.siteadvisor.com/images/green-xbg2.gif

Hi newkid215,

Please can you deactivate the links in your post (change http to hXXp) to prevent others potentially becoming infected.
EDIT: Thanks igor for doing this :)

1

hXXp://www.preceptgroup.net/menumachine/precept_drop_downs/menuspecs.js

This javascript file has been hacked, and a malicious site added at the end. It also tries to avoid detection by using port 8080, which obviously doesn’t work. (capture.gif)

2

hXXp://www.premierfitness.ca/overview

avast! is alerting on a set of iframes that all have zero size (basically hidden). (capture2.gif)

I would say that both sites are infected.

Scott
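A site owner's check for the two things described in this post, as an added example that is not part of the original thread: it lists iframes with zero width or height (or hidden by inline style) and URLs in a script file that name port 8080. The sample markup, the `.example` hosts and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ZERO = re.compile(r"^\s*0+(\.0+)?\s*(px|%|em|pt)?\s*$", re.I)
HIDING_STYLE = re.compile(
    r"(?:^|;)\s*(?:(?:width|height)\s*:\s*0+(?:\.0+)?(?:px|%|em|pt)?"
    r"|display\s*:\s*none|visibility\s*:\s*hidden)\s*(?:;|$)", re.I)
URL = re.compile(r"https?://[^\s\"'<>)\\]+", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects (line, src, reason) for iframes a visitor cannot see."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        why = [f"{d}=0" for d in ("width", "height") if ZERO.match(a.get(d, ""))]
        if HIDING_STYLE.search(a.get("style", "")):
            why.append("hidden by style")
        if why:
            self.findings.append((self.getpos()[0], a.get("src", ""), ", ".join(why)))

def scan_html(text):
    finder = HiddenIframeFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def urls_on_port(script_text, port=8080):
    """URLs in a script file that name the given explicit port."""
    hits = []
    for m in URL.finditer(script_text):
        try:
            if urlsplit(m.group(0)).port == port:
                hits.append(m.group(0))
        except ValueError:  # unparsable port: skip this match
            continue
    return hits

# Constructed samples; the *.example hosts are placeholders.
SAMPLE_HTML = """<html><body>
<iframe src="http://video.example/embed" width="560" height="315"></iframe>
<iframe src="http://hidden.example/in.php" width="0" height="0"></iframe>
<iframe src="http://hidden2.example/x" style="visibility:hidden"></iframe>
</body></html>"""
SAMPLE_JS = 'var menu = {};\nvar u = "http://injected.example:8080/index.php";'
```

A hit is a lead to review rather than a verdict, since some legitimate widgets and analytics also use zero-size iframes; compare each `src` against the hosts the site deliberately embeds.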

@Swarnava/Heaven GOD

Based on what?
Why link the siteadvisor green tick?

I have looked through some scanners and here are the results

hxxp://www.preceptgroup.net/
http://anubis.iseclab.org/?action=result&task_id=1b84b6df2610e7594ad1f904f131e44d5
http://wepawet.iseclab.org/view.php?hash=9fe00bfa583a62d4aa3e2cef244a5a61&t=1291310958&type=js
http://www.virustotal.com/url-scan/report.html?id=9fe00bfa583a62d4aa3e2cef244a5a61-1291307168

hxxp://www.premierfitness.ca/overview
http://anubis.iseclab.org/?action=result&task_id=1e08b3ef81fd08fa429940f01ff6cee76
http://wepawet.iseclab.org/view.php?hash=ceb50bdb70711aecbdaedbf3c1a8cecf&t=1291311637&type=js
http://www.virustotal.com/url-scan/report.html?id=ceb50bdb70711aecbdaedbf3c1a8cecf-1291308163

I hope this will help.

On the contrary, the avast web shield has been extremely accurate in its detections in regard to hacked sites; it is IMHO the best. When you consider the slew of hidden iframes to dubious looking domain names, I would say this is a good detection.

@Tenko,

You have also posted live links to the sites in question, could you please deactivate them, like in DavidR’s post.

Scott

I will change it now SCOTT

Thank you guys for all the good advice.
Next time I will only post hxxp links.

Thanks

You’re welcome, I trust that you have now found and dealt with the offending scripts and iframe tags.

Then you only have to deal with the exploit that allowed the site to be hacked.

I scanned it specially with McAfee & Kaspersky… both are working fine :)

Shame they both miss the fact that they are infected… like I’ve shown above ::)

http://www.virustotal.com/file-scan/report.html?id=581d5411a54d814899d592cddecfb13b61764c67375bc94253c75ee4367443e6-1291397841
http://www.virustotal.com/file-scan/report.html?id=1c56e74f32a5a05ca70647b5bc6cb1a473549c609d4a3ef4fddda6256f2f0a0e-1291397951