system
1
hxtp://ads.cigarweekly.com/www/delivery/afr.php?zoneid=1_target=_blank is being reported as infected/malware URL
I don’t know why - I scan it with VirusTotal and it comes up clean
Please tell me how to get this unblocked, or what’s causing the detection, because it seems that even people not using Avast are being blocked from this URL - this is a private advertising server that I run that does NOT serve ‘open’ ads, only the ones we publish for our advertisers.
If you look at the last part it states target=blank… hence a blank page will be displayed
system
3
Nope.
Target=_blank is HTML speak for “open this in a new window”
Well I just get a blank page… Nothing else
system
5
avast seems to be blocking based on this - which for some reason is not written to the logs or anything, but I can see it on the popup when I highlight the text…
http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=620
But that scans clean at VirusTotal too.
https://www.virustotal.com/en/url/2b108d92abd38dc7f19f7c359f66a919ffa6992613eccdc3e9ec52bde43840ad/analysis/1371310357/
Now that I get an alert on… It would be worthwhile looking in depth at that js script
Well that can be done here: http://jsunpack.jeek.org/?report=b226d4d4301a7821a45bb94edd48735caab9b728
(visit with script blocking active and in a VM)
The location line in the header above has redirected the request to: htxp://ads.cigarweekly.com/www/admin/index.php
(conditional redirect)
Content after the </html> tag should be considered suspicious. line 93 has been cleansed?
This should not be online: htxp://ads.cigarweekly.com/www/admin/index.php because of PHP exploit via iFrame…
Vulnerabilities for the PHP version used: http://www.cvedetails.com/version/136532/PHP-PHP-5.3.17.html
see: http://www.cvedetails.com/cve/CVE-2013-1635/
PHP does not validate the configuration directive soap.wsdl_cache_dir before writing SOAP wsdl cache files to the filesystem. Thus an attacker is able to write remote wsdl files to arbitrary locations (CVE-2013-1635).

PHP allows the use of external entities while parsing SOAP wsdl files which allows an attacker to read arbitrary files. If a web application unserializes user-supplied data and tries to execute any method of it, an attacker can send a serialized SoapClient object initialized in non-wsdl mode which will make PHP automatically parse the remote XML document specified in the location option parameter (CVE-2013-1643).

Users should update to the 5.3.22 version, which is not vulnerable to these issues.
polonus
system
8
Polonus - thanks for that;
The server is running PHP:
PHP Version: 5.3.17
Web Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
WebServer to PHP interface: cgi-fcgi
The software running is OpenX = and I really need that to stay running until I can find a replacement!
This server is only running ads that I post - so how can it be vulnerable? Avast is scanning and warning on a ‘possibility’ rather than a factual infection…
Also, using the JSUNPACK returns:
www.googlecodehosting.net/openx/js/functions.js?cp=620 benign
[nothing detected] www.googlecodehosting.net/openx/js/functions.js?cp=620
status: (referer=http:/ads.cigarweekly.com/www/delivery/afr.php?zoneid=1_target=_blank )saved 2 bytes ebbffb7d7ea5362a22bfa1bab0bfdeb1617cd610
info: [0] no JavaScript
file: ebbffb7d7ea5362a22bfa1bab0bfdeb1617cd610: 2 bytes
system
9
Server software updated – but still getting this report, and worse!
None of the members have reported any issues with malware to me, except to say that they are now getting these warnings before entering the site!
HELP! THIS IS A FALSE POSITIVE!
Milos
10
Hello,
post screenshot of avast!'s alert window, please.
Milos
system
11
Milos
12
Hello,
point mouse pointer on the line with URL to see the whole URL, please.
Milos
system
13
This was the detected URL:
htxp://wxw.googlecodehosting.net/openx/js/zone_functions.js?cp=620
I discovered that, while it was not impacting my ad-server, this was indeed suspect code that was inserted somehow into my data.
I’ve now removed it.
This code does not appear to be malicious unless you are using OpenX a certain way. Fortunately I was not doing what would be bad. My customers are safe, but please be advised!
system
14
I can’t find original evidence right now, but it smells badly, probably fake AD server. Is there any evidence it’s legit?
Registered on May 31st, uses a stolen keyword (google), registered through freedns.ws, hosted in Romania.
system
16
Yes, it does seem that the googlecodehosting was somehow injected into one of my ad-zones.
Software has been upgraded and updated (including the PHP on the server itself), and now it’s been re-submitted for review to Google to have the malware alerts removed.
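The two signals the thread turned on are an externally hosted script tag injected into an OpenX zone (the googlecodehosting.net loader) and content appearing after the closing </html> tag of the zone response. The following is an added example, not code from the thread or from OpenX, of how an operator could check a saved copy of what the ad server returns for both signals before a scanner does. The allowlist of hosts, the SAMPLE_HTML string and the audit_ad_response function name are all assumptions made for the example; the sample is a constructed stand-in for a zone response, not a real capture.

```python
# Added example: audit a saved ad-server response for injected external
# scripts and for trailing content after </html>. Not OpenX code.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _SrcCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag.

    Script bodies are treated as CDATA by HTMLParser, so tags that only
    appear inside a document.write('...') string are not collected;
    the trailing-content check below still catches that pattern.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def _host_allowed(host, allowed_hosts):
    """True if host is one of allowed_hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed_hosts)


def audit_ad_response(html, allowed_hosts):
    """Return findings for one ad-server response.

    external_scripts: src URLs whose host is not in allowed_hosts
                      (relative src values are treated as same-origin).
    trailing_after_html: text found after the closing </html> tag, or None.
    """
    collector = _SrcCollector()
    collector.feed(html)

    external = []
    for src in collector.srcs:
        host = urlsplit(src).hostname  # None for relative paths
        if host and not _host_allowed(host.lower(), allowed_hosts):
            external.append(src)

    trailing = None
    closing = re.search(r"</html\s*>", html, re.IGNORECASE)
    if closing:
        tail = html[closing.end():].strip()
        if tail:
            trailing = tail

    return {"external_scripts": external, "trailing_after_html": trailing}


# Constructed sample of what a tampered zone response might look like
# (assumption for the example, not a capture from the thread).
SAMPLE_HTML = """<html><head><title>zone</title></head>
<body>
<script type="text/javascript" src="/www/delivery/spcjs.php?id=1"></script>
<script type="text/javascript" src="http://www.googlecodehosting.net/openx/js/zone_functions.js?cp=620"></script>
<img src="/www/images/banner1.gif" alt="">
</body></html>
<script>document.write('<iframe src="//example.invalid/x" width=1 height=1>');</script>
"""

# Hosts the operator expects to see scripts loaded from (assumed for the example).
ALLOWED_HOSTS = {"ads.cigarweekly.com"}

if __name__ == "__main__":
    for key, value in audit_ad_response(SAMPLE_HTML, ALLOWED_HOSTS).items():
        print(key, "->", value)
```

Run it against the HTML that a zone tag actually returns (for example, saved with a command-line fetch from a machine outside the ad network) rather than the templates stored in the database; the thread shows the injected reference only surfaced in what was served. An empty external_scripts list and trailing_after_html of None is the expected clean result; anything else names exactly what to look at in the zone or banner data.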