False Positives on Adserver

hxtp://ads.cigarweekly.com/www/delivery/afr.php?zoneid=1_target=_blank is being reported as an infected/malware URL.
I don't know why; I scan it with VirusTotal and it comes up clean.

Please tell me how to get this unblocked, or what's causing the detection, because it seems that even people not using Avast are being blocked from this URL. This is a private advertising server that I run that does NOT serve 'open' ads, only the ones we publish for our advertisers.

If you look at the last part, it states target=blank… hence a blank page will be displayed.

Nope.
Target=_blank is HTML speak for "open this in a new window".

Well I just get a blank page… Nothing else

Avast seems to be blocking based on this, which for some reason is not written to the logs or anything, but I can see it on the popup when I highlight the text…
http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=620
But that scans clean at VirusTotal too.
https://www.virustotal.com/en/url/2b108d92abd38dc7f19f7c359f66a919ffa6992613eccdc3e9ec52bde43840ad/analysis/1371310357/

Now, that I get an alert on… It would be worthwhile looking in depth at that JS script.

Well, that can be done here: http://jsunpack.jeek.org/?report=b226d4d4301a7821a45bb94edd48735caab9b728
(visit with script blocking active and in a VM)
The location line in the header above has redirected the request to: htxp://ads.cigarweekly.com/www/admin/index.php
(conditional redirect)
Content after the </html> tag should be considered suspicious. Line 93 has been cleansed?
This should not be online: htxp://ads.cigarweekly.com/www/admin/index.php, because of a PHP exploit via iFrame…
Vulnerabilities for the PHP version used: http://www.cvedetails.com/version/136532/PHP-PHP-5.3.17.html
see: http://www.cvedetails.com/cve/CVE-2013-1635/
PHP does not validate the configuration directive soap.wsdl_cache_dir
before writing SOAP wsdl cache files to the filesystem. Thus an
attacker is able to write remote wsdl files to arbitrary locations
(CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl
files which allows an attacker to read arbitrary files. If a web
application unserializes user-supplied data and tries to execute
any method of it, an attacker can send serialized SoapClient
object initialized in non-wsdl mode which will make PHP to parse
automatically remote XML-document specified in the location option
parameter (CVE-2013-1643).

Users should update to the 5.3.22 version, which
is not vulnerable to these issues.

polonus

Polonus, thanks for that;
The server is running PHP:
PHP Version: 5.3.17
Web Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
WebServer to PHP interface: cgi-fcgi

The software running is OpenX, and I really need that to stay running until I can find a replacement!

This server is only running ads that I post, so how can it be vulnerable? Avast is scanning and warning on a 'possibility' rather than a factual infection…

Also, using JSUNPACK returns:

www.googlecodehosting.net/openx/js/functions.js?cp=620 benign
[nothing detected] www.googlecodehosting.net/openx/js/functions.js?cp=620
     status: (referer=http:/ads.cigarweekly.com/www/delivery/afr.php?zoneid=1_target=_blank )saved 2 bytes ebbffb7d7ea5362a22bfa1bab0bfdeb1617cd610
     info: [0] no JavaScript
     file: ebbffb7d7ea5362a22bfa1bab0bfdeb1617cd610: 2 bytes

Server software updated, but still getting this report, and worse!

None of the members have reported any issues with malware to me, except to say that they are now getting these warnings before entering the site!

HELP! THIS IS A FALSE POSITIVE!

Hello,
post a screenshot of avast!'s alert window, please.

Milos

Here it is.

http://www.mybrainhost.com/temp/avast-malicious-url.jpg

Hello,
point the mouse pointer at the line with the URL to see the whole URL, please.

Milos

This was the detected URL:
htxp://wxw.googlecodehosting.net/openx/js/zone_functions.js?cp=620

I discovered that, while it was not impacting my ad server, this was indeed suspect code that was inserted somehow into my data.
I’ve now removed it.

This code does not appear to be malicious unless you are using OpenX a certain way. Fortunately I was not doing what would be bad. My customers are safe, but please be advised!

I can't find the original evidence right now, but it smells bad; probably a fake ad server. Is there any evidence it's legit?

Registered on May 31st, uses a stolen keyword (google), registered through freedns.ws, hosted in Romania.

Yes, and it is not only kubecj that thinks so: http://scanurl.net/?u=www.googlecodehosting.net%2Fopenx%2Fjs%2Fzone_functions.js%3Fcp%3D620&uesb=Check+This+URL#results
IDS alert here: http://urlquery.net/report.php?id=3179221
21 trojans reported there lately: https://www.google.com/safebrowsing/diagnostic?site=googlecodehosting.net
Site is blacklisted… alerted malloc zone code

polonus

Yes, it does seem that the googlecodehosting script was somehow injected into one of my ad-zones.
Software has been upgraded and updated (including the PHP on the server itself), and now it’s been re-submitted for review to Google to have the malware alerts removed.
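A quick way to check what a zone actually serves, as an added example that is not part of this thread, of Avast, or of OpenX: take the HTML that afr.php returns for a zone (here a constructed sample stands in for it) and flag the three things polonus's jsunpack analysis and kubecj's domain notes point at: script or iframe sources on hosts you don't control, hosts that borrow a brand word such as "google" without being one of that brand's real domains, and anything that appears after the closing </html> tag. The allow-list of hosts, the brand/domain lists and both sample pages are assumptions; the only real identifier used is the googlecodehosting.net host named in the thread.

```python
"""Flag injected content in the HTML an OpenX zone (afr.php) serves.

Added example; not code from the thread or from OpenX. Host lists and
sample pages are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts this ad server is expected to load scripts/frames from.
# Assumption: the operator maintains this; the host is the one the thread names.
ALLOWED_HOSTS = {"ads.cigarweekly.com"}

# Brand words that look-alike domains borrow, and the real registrable
# domains that legitimately carry them (assumed lists, extend as needed).
BRAND_WORDS = ("google", "openx", "avast")
BRAND_DOMAINS = {"google.com", "googleapis.com", "googlesyndication.com",
                 "googletagservices.com", "openx.org", "avast.com"}

# <script ... src=...> and <iframe ... src=...> in either quoting style.
SRC_RE = re.compile(
    r'<(script|iframe)\b[^>]*?\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)
HTML_CLOSE_RE = re.compile(r"</html\s*>", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation; fine for .com/.net/.org."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(host: str) -> bool:
    """True when the host carries a brand word but is not that brand's domain."""
    dom = registrable_domain(host)
    return any(word in dom for word in BRAND_WORDS) and dom not in BRAND_DOMAINS


def external_sources(html: str):
    """(tag, url, host) for every script/iframe src that leaves our hosts."""
    found = []
    for tag, url in SRC_RE.findall(html):
        host = urlparse(url).netloc.lower()   # relative src -> no host
        if host and host not in ALLOWED_HOSTS:
            found.append((tag.lower(), url, host))
    return found


def trailing_content(html: str) -> str:
    """Non-whitespace content after the last </html>; a clean page has none."""
    matches = list(HTML_CLOSE_RE.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():].strip()


def scan_zone_html(html: str) -> dict:
    """Run all three checks and return the findings."""
    ext = external_sources(html)
    return {
        "external_sources": ext,
        "lookalike_hosts": sorted({h for _, _, h in ext if is_lookalike(h)}),
        "trailing_content": trailing_content(html),
    }


# Constructed sample: a banner zone with a script appended after </html>.
INJECTED_ZONE_HTML = """<html><head><title>Advertisement</title></head>
<body>
<a href="http://www.advertiser.example/" target="_blank">
<img src="/www/images/banner.gif" width="468" height="60" alt=""></a>
<script type='text/javascript' src='/www/delivery/ajs.php?zoneid=1'></script>
</body></html>
<script type="text/javascript" src="http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=620"></script>
"""

# Constructed sample: same zone, only our own delivery script, nothing trailing.
CLEAN_ZONE_HTML = """<html><body>
<a href="http://www.advertiser.example/" target="_blank">
<img src="/www/images/banner.gif" alt=""></a>
<script src="https://ads.cigarweekly.com/www/delivery/ajs.php?zoneid=1"></script>
</body></html>
"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_ZONE_HTML), ("clean", CLEAN_ZONE_HTML)):
        print(name, scan_zone_html(page))
```

The `is_lookalike` check is deliberately simple: "www.google.com" reduces to google.com and passes, while www.googlecodehosting.net reduces to googlecodehosting.net and is flagged. For production use, swap the two-label heuristic for a public-suffix list, and run the scan against the live afr.php output of every zone, since an injection stored in the zone's prepend/append data only shows up in what the server actually emits.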