false positive??

Hi to all,
I’m trying to access this website:
(www).informatikserver.at
and avast is always warning me of a JS:HideMe-I (tr) infection on this site. Did anyone come across this? The site normally is clean, an Austrian website with information about computing and school.

Thank you, fl

Please modify the link so it is unclickable; we don't want unsuspecting users clicking on malicious links. Thank you.

Our forum member craigb is right, and here you see why: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.informatikserver.at%2F
and http://urlquery.net/report.php?id=5060516
/media/jui/js/jquery.min.js
Quttera scan result:
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string

[['=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26async=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%260=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%260=%26=%26']] 

of length 551 which may point to obfuscation or shellcode. (ad malvertiser malcode - vulnerable through bad Joomla configuration)

File size[byte]: 93637
File type: ASCII
MD5: 24BD97B1DE158C4F1A162336EECA4AA6
Scan duration[sec]: 78.746000

polonus

P.S. Also see my posting for similar issue here: http://forum.avast.com/index.php?topic=116107.0

D
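
The "Too low entropy detected in string" finding in the scan report above can be illustrated with a Shannon-entropy check over the string literals of a script. This is an added example, not part of the original thread and not Quttera's code; the function names, the thresholds and the sample source are assumptions constructed for illustration.

```javascript
// Added example, not Quttera's implementation: flag long string literals
// whose Shannon entropy is low. Names and thresholds are assumptions.

// Shannon entropy in bits per character.
function shannonEntropy(s) {
  const chars = Array.from(s);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / chars.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Extract single- and double-quoted literals; enough for triage, but it
// ignores template literals and can be confused by quotes inside comments.
function extractStringLiterals(src) {
  const re = /'((?:\\.|[^'\\\n])*)'|"((?:\\.|[^"\\\n])*)"/g;
  return Array.from(src.matchAll(re), (m) => (m[1] !== undefined ? m[1] : m[2]));
}

// Report literals of at least minLength characters at or below maxEntropy.
function flagLowEntropy(src, { minLength = 100, maxEntropy = 2.5 } = {}) {
  return extractStringLiterals(src)
    .filter((s) => s.length >= minLength)
    .map((s) => ({ length: s.length, entropy: shannonEntropy(s), preview: s.slice(0, 24) }))
    .filter((f) => f.entropy <= maxEntropy);
}

// Constructed sample input, modelled on the repetitive string in the report.
const repetitive = '=%26'.repeat(130) + 'async' + '=%260'.repeat(5);
const natural =
  'jQuery is a fast, small and feature-rich JavaScript library that makes ' +
  'HTML document traversal, event handling and animation simpler across ' +
  'browsers, and sites usually ship it as one minified file.';
const sampleSource =
  "var a = [['" + repetitive + "']];\nvar b = \"" + natural + '";\n';

const findings = flagLowEntropy(sampleSource);
for (const f of findings) {
  console.log(`length=${f.length} entropy=${f.entropy.toFixed(2)} preview=${f.preview}`);
}
```

Low entropy on its own only marks a string as unusually repetitive; padding and lookup tables trip the same check, so a hit is a reason to read the surrounding code rather than a verdict.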

Hi and thank you for your hints. I have changed the URL in my first post.

I have tried to inform the site owner about the problem, but there has not been any reaction yet.

fl

and avast is always warning me of a JS:HideMe-I (tr) infection on this site.

Website Malware – SPAM Injections – HideMe – KickeMe
blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html

HideMeBetter – SPAM injection Variant
blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html

ahh, mhhm, and now? what does that mean?

fl

Info about what avast detects … JS:HideMe-I (tr)

By the way, this JavaScript malware is two times in there. :) (Screenshots)

Hi Pondus,

Make this link non-click-through as avast! Web Shield blocks PHP:Backdoor-BG[Trj] there
http://blog.sucuri.net/2012/11/website-malware-spam-injections-hideme-kickeme.html

Damian

Hello,
Avast complains about using certain extensions (such as “sharethis”), which use bad practice (hidden links). Either disable them, or delete the code that hides the links (function dnnViewState() { var a=0,m,v,t,z,x=new Array('9091968376'…)

More info can be found here: http://forum.joomla.org/viewtopic.php?t=795946

Milos