Has this site been hacked? (HTML:Iframe-inf)

When I try to go to hXXp://forum.burninthespotlight.com, Avast says it has detected and blocked a threat - HTML:Iframe-inf. Sometimes the page manages to continue loading and I get a further URL:Mal warning.

I scanned it with a number of online scanners and they return suspicious:

http://www.UnmaskParasites.com/security-report/?page=forum.burninthespotlight.com

http://www.virustotal.com/file-scan/report.html?id=d0a65eb3f0d905fe6060aaa3a1bacb5cc240a43ce6bb43379f6262738935571b-1282153524 (this is when I click on View downloaded file analysis, at first it says it’s clean: http://www.virustotal.com/url-scan/report.html?id=4588e095deb40e0596c99120133e1219-1282146320)

http://www.novirusthanks.org/services/scan-websites-for-iframes/ iFrames found

So is this a real threat or a false positive? Thanks in advance!

Generally avast is very hot on these detections. This site on opening loads a packed javascript file and it is in that (unreadable for humans) file that avast alerts.

Whilst there are very few detections, very few AVs are actually looking for this or capable of detecting it.

My VT results have a different MD5 so it looks like there are different versions of this packed javascript file, but the same number of detections…
http://www.virustotal.com/file-scan/report.html?id=a365e828418a69305b60bae69c6100811dc1ec468f126fc0d6d5951aceab0379-1282155917

Hi neo24 and DavidR,

While investigating the site I got a similar warning as I describe here: http://forum.avast.com/index.php?topic=46089.0;prev_next=next e.g.: Sign of “JS:ScriptPE-inf [Trj]” has been found in “C:\Users\Polonus\App Data\Roaming\Flock\Profiles\67^^zqs.default\sessionstore-1.js”

polonus

Now that I have checked my webshield report log, it seems I have also gotten a few of these warnings:

hxxp://tererariymgmail.phpnet.us/index.php?s=a31ae2b0ec52e0ebcb546983ef61997b|>{gzip} [L] JS:Downloader-AAY [Trj] (0)

^that’s the site the iFrame refers to, right?

Should I contact the webmaster?

Hi neo24,

Yes, you could contact them, referring to this thread.
Here I checked the iFrames there for you:
Check took 7.61 seconds

(Level: 0) Url checked:
htxp://forum.burninthespotlight.com
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 1) Url checked: (iframe source) This is the iFrame re-direct we talk about
This URL is currently listed as malicious by Trend-Micro,
with the gif image I give this decoded done with GreyMagic…
Suspicious is

<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">

htxp://tererariymgmail.phpnet.us/index.php?s=a31ae2b0ec52e0ebcb546983ef61997b
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://yui.yahooapis.com/2.7.0/build/yuiloader-dom-event/yuiloader-dom-event.js?v=401
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://yui.yahooapis.com/2.7.0/build/connection/connection-min.js?v=401
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://forum.burninthespotlight.com/clientscript/vbulletin-core.js?v=401
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://forum.burninthespotlight.com/clientscript/vbulletin_md5.js?v=401
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://forum.burninthespotlight.com/clientscript/vbulletin_read_marker.js?v=401
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified

polonus