I just sent the following message to the contact addy of the Grand Canyon Skywalk. Does anyone else get the warning I mention?
When I visit any page at hxxp://www.grandcanyonskywalk.com, my anti-virus program, Avast, gives me a pop-up with the following warning:
Network Shield: Blocked access to malicious site 78.110.175.21:1421/cp/?O
The line appears 10 times in the pop-up with the 4 digit number near the end being one number higher for each line. If the number near the end of the last line is 1430, for example, the number in the first line in the next pop-up when I go to another page is 1431.
Apparently, there is something really wrong with your site.
The site ‘is’ infected, there is a block of obfuscated code at the bottom of the page, just before the closing Body tag. It is trying to look like a counter but there is no need for a counter to hide what it is doing in this way.
This script is different from all the other scripts on the page, being mostly on a single very long line (I have broken that down to make it easier to see in my image), so I believe that the site has been hacked. I would guess that this code has been inserted into most pages on the site, certainly the ones you tried, so their webmaster has some work on their hands.
The 4 digit number at the end of the IP after the : (colon) is the port number it is trying to use.
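As an added example, not code from the thread, the site or avast, here is a small Python heuristic scanner for the pattern described in the post above: an inline script on a single very long line, using obfuscation helpers, referencing a raw public IP:port, and placed as the last script before the closing body tag. The HTML page it scans is constructed for the example (the %41 run is a harmless placeholder for obfuscated content); the IP and port are the ones quoted in the thread's alert.

```python
"""Heuristic scan for an injected, obfuscated single-line <script> placed
just before </body> that references a raw IP:port.
Added example; not code from the forum, the site or avast."""
import re
import ipaddress

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
# Helpers that ordinary page scripts rarely need but packed/obfuscated
# injections lean on heavily.
OBFUSCATION_MARKERS = ("unescape(", "eval(", "fromCharCode", "document.write(")

# Constructed sample page (hypothetical). The last script stands in for the
# injected "counter": one very long line, unescape(), and the IP:port quoted
# in the thread's alert. The %41 run is a harmless placeholder.
SAMPLE_HTML = (
    "<html><head><title>sample</title>\n"
    "<script src=\"/js/menu.js\"></script>\n"
    "<script>\nfunction init() {\n  document.title = 'ready';\n}\n</script>\n"
    "</head><body>\n<h1>Welcome</h1>\n"
    "<script>\ninit();\n</script>\n"  # ordinary inline script, nothing odd
    "<!-- counter -->\n"
    "<script>var _c='" + "%41" * 90 + "';document.write(unescape(_c));"
    "var _u='http://78.110.175.21:1421/cp/';</script>\n"
    "</body></html>\n"
)


def is_public_ip(text):
    """True for a routable IPv4/IPv6 address; False for private, loopback,
    link-local, multicast, reserved or unparsable input."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved)


def find_suspicious_scripts(html, tail_bytes=2000, long_line=300, min_signals=2):
    """Return inline scripts showing at least `min_signals` independent signs
    of injection: a single very long line, obfuscation markers, a raw public
    IP:port, and placement as the last script before </body>."""
    body_close = html.lower().rfind("</body>")
    scripts = list(SCRIPT_RE.finditer(html))
    last_before_body = None
    if body_close != -1:
        last_before_body = next((s for s in reversed(scripts) if s.end() <= body_close), None)
    findings = []
    for m in scripts:
        code = m.group(1).strip()
        if not code:  # external src only, nothing inline to judge
            continue
        reasons = []
        lines = code.splitlines()
        if len(lines) <= 2 and max(len(ln) for ln in lines) >= long_line:
            reasons.append("single very long line")
        markers = [k for k in OBFUSCATION_MARKERS if k in code]
        if markers:
            reasons.append("obfuscation markers: " + ", ".join(markers))
        for ip, port in IP_PORT_RE.findall(code):
            if is_public_ip(ip):
                reasons.append(f"raw public IP:port {ip}:{port}")
        if m is last_before_body and body_close - m.end() <= tail_bytes:
            reasons.append("positioned just before </body>")
        # One signal alone is common in legitimate pages; require a combination.
        if len(reasons) >= min_signals:
            findings.append({"offset": m.start(), "reasons": reasons, "snippet": code[:60]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_scripts(SAMPLE_HTML):
        print(f"offset {f['offset']}: {f['snippet']!r}")
        for r in f["reasons"]:
            print("  -", r)
```

Run against a saved copy of a page (for instance the file the web shield wrote to scan), this flags only the trailing injected block; the ordinary inline scripts each show at most one signal and are left alone. The signal threshold and the line-length cutoff are assumptions chosen for this example and should be tuned to the site being checked.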
Sorry, no special tool, just a working knowledge of how avast works in creating temporary files to scan content (for the alert) and using a text editor to view that temporary file. I won’t go into any more detail as a) I don’t know your experience level or what back-up and recovery strategy you have in place, should it all go pear shaped and b) this is a public forum so other ‘curious’ users might well try the same and get into trouble.
Firefox, running under DropMyRights, with NoScript, the network shield, web shield and a good firewall are the start point but most importantly a means of recovering for any possible disaster (drive imaging software), so as you can see this isn’t just for the ‘curious’ (it killed the cat) but for those prepared for any eventuality and they would from the above general information be able to work out how to do it.
@ kubecj
My detection on testing was on the web shield, redirector-d, see image
I checked it here:
Exploit Prevention Lab LinkScanner
There was 1 threat found.
Stop DANGEROUS: LinkScanner Online has found
[link to known exploit site (type 610)]
Detail: Exploit: Link To Known Exploit Site
This page contains a link to a known exploit site. This link may or may not be active. It may or may not require you to click it to be infected. Some pages with such links automatically download the malicious code without any action on your part. Because of this we automatically block access to such pages.
Risk Category: Exploit
Description: XPL’s Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends not visiting this web site regardless if your computer has been patched for the vulnerability.
Scanned:
Tuesday, February 24, 2009
Our Advice:
This page contains at least one exploit. You should not click on this link without appropriate anti-exploit protection on your PC,
All other link scanners failed on this one, even Norton Safe Web’s…
I rarely check the other link scanners as they simply aren’t up to this task; whilst the Exploit Prevention Lab LinkScanner picked up this one, it misses lots too.
Yes, I believe he did, as you reported it as the network shield blocking rather than the web shield blocking, as in my image showing it being detected by the web shield. So did you get an alert the same as the image I posted?
Well I didn’t get any network shield alert as the web shield stops the iframe tag from attempting to go/going to the site. This could be because a) you don’t have the latest version of the VPS, which you didn’t mention, b) the web shield isn’t scanning the content (disabled, OS doesn’t support transparent proxy, or unsupported browser), c) the web shield has been tweaked/customised and as such doesn’t function correctly.
What is your Operating System ?
What is your Browser ?
Have you made any changes to the web shield default settings ?
Check and see if the web shield is actually scanning content, by left clicking on the avast ‘a’ icon, click the Details… >> button. Now select the Web Shield provider and you should see some stats, Last scanned: and Scanned total: these should be constantly updated as you browse different sites, are they ?
Do you use a proxy to connect to the internet (usually ISP or web accelerator, etc.) ?
You shouldn’t see the first image as that was created by me from the code of the page, but you should have seen the second if you had the latest VPS version and the web shield was working correctly.
OK with IE7 and the latest VPS you accessed the site and got what effectively is the standard shield alert. Did you not retry it with Opera ?
You haven’t confirmed if the web shield is in fact scanning http content, did you not check those fields I suggested ?
You didn’t answer the question about do you use any proxy to connect to the internet ?
Now the problem with some browsers is that when the web shield alerts, the only option given is abort connection, so that even though avast aborts the connection the browser completes the download. That is how the html page got into the browser cache, but still, if you didn’t get the web shield alert there is something wrong, and that is why the questions I asked are very important to trying to resolve the problem.
I retried it in Opera and got the same warning seen in the clipboard01 screenshot I posted.
I looked through your other posts, but I’m missing something. What fields are you referring to? In Web Shield, nothing shows in Last Scanned, though something does show in that line in Standard Shield. Does that mean that the Web Shield isn’t scanning http content?
I don’t know if I’m using a proxy or not. I know nothing about proxies other than that they exist.
That certainly means that the web shield isn’t scanning http traffic on port 80. See image for the fields that indicate if content is being scanned.
Why it isn’t scanning is the question. Check the Internet Explorer, Tools, Internet Options, Connections tab, Settings… button. If you were using a proxy this is where it would be indicated. Then if nothing is there, there is no requirement by your ISP to use a proxy; the other possibility is if you use any other software which uses a proxy, web accelerator, etc. I can’t help you find that as there are too many of them; you have to know what is running on your system, as I don’t know that.
Other possibilities are remnants of another AV or security application/firewall.
Have you (or did you have) another AV installed in this system? If so, what was it and how did you get rid of it?
What other security based software do you have that might have an impact ?
What is your firewall ?
You could try to manually set the browsers to use the web shield proxy (the IE settings are for IE6 I believe, you would have to find the IE7 equivalent):
The directions for IE7 are apparently the same for IE7. Nothing was different and WebShield immediately scanned anything I went to. When I tried grandcanyonskywalk.com, the only difference was that the only option in the trojan warning box was “abort connection” and after selecting that, the page’s opening flash continued normally. When I tried it with Opera after following your instructions, I got the exact same results I did in IE7.
Overall, much thanx for your help! I really do appreciate it!
That is correct, the only option on the web shield alert is abort connection, which just drops that item’s connection and not your internet connection. So you would have to close that page’s tab, as nothing is going to load since that connection was dropped.