HTML:iframe-inf on hxxp://www.sonstraal.org.za/

Hi,

I am the service provider for hxxp://www.sonstraal.org.za

Recently a client of mine got the iframe-inf infection message in avast! (in .jpg files).
Friends of mine have tried to access the site with Norton Security and McAfee and have not found these problems.

Could someone please comment?

Regards,
Adri

What was the exact URL of the reported image?

Sorry, the exact URL is http://www.sonstraal.org.za

I understood the page URL - but I mean the address of the particular JPG file (that it reported as infected).
I don’t get any warning when I open the main page.

http://www.sonstraal.org.za/images/headerphoto_leraars.jpg

  • Program: Already up to date
    (current version 4.8.1335)
  • Vps: Already up to date
    (current version 090322-0)

The above image is displayed when going to http://www.sonstraal.org.za/blog

I don’t get the messages with http://www.sonstraal.org.za now, but I did get them earlier today on three different workstations - I am sure that nothing has changed on the main page.

I’ve tried it with the actual db and found nothing. Was it fixed by someone?

I get the following error (see attached file)

This is very strange, we see nothing (tried multiple times, multiple persons).

Can you leave the avast window open and navigate to your temporary directory? There will be an avast4 directory, and inside it there should be some file, presumably unp*.*. Copy it somewhere, and dismiss the dialog. The offending HTML should be visible in that file.

What is your browser? I assume MSIE. Does this happen when browsing using Firefox/Opera/Chrome?

Firstly: THANK YOU for your involvement.

I did see an iframe added to the end of the .js-file:
hXXp://%75%73%2E%6C%75%72%65%6E%6A%69%61%2E%6F%72%67/us.html

I have access to the source, and it isn’t in the source. Do you know what is putting it there? Should I scan my PC?

Regards,
Adri

Yep, link to site with malware scripts.

Can you please first try it from another browser/another machine if the iframe is there?

I have tried it on a (virtual) Windows 2000 PC with a clean Avast! installation, and it doesn’t give the iframe-error, but when I updated to the latest signature it did.

Well,

Now we know it isn’t a false positive. Some questions:

Have you got another computer in your local area network? Are you getting the same warning on it?
Are you getting the same warning while accessing other websites?
Is this website located in your local area network?
Who is your internet provider? Do you know someone else who has the same provider as you? Could you ask him to access that URL with avast installed on his machine? Does he get the warning?

Thanks for answers.

PS: Oops. I missed it - you are the service (internet) provider?

The same warnings were given on three other PCs running avast! Norton Internet Security and McAfee didn’t give the warnings. The warnings were given of .jpg, .js and .css files being infected.

On the site, b2evolution blogging software is used. I downloaded a copy, installed it on my own PC and tested it with avast!, but it didn’t find any infection.

I am not the developer of the website, but should I do something similar to that which is recommended at http://fieldsmarshall.com/htmliframe-inf-wordpress-infection/ ?

Kind Regards,
Adri

I’m not sure. Because if it were on the server, we should see it, but we don’t.

Either you are looking at a different copy (internet vs. intranet), or something between you and the site is adding the iframe.

Can you use some download manager or downloading tool (wget, curl) to get the script? Is the iframe still in it? If so, change the network from which you are currently running and try again to download the script to see if the iframe is there. You must first isolate the place where it gets added.

I have FTP access to the source of http://www.sonstraal.org.za/blog, and the iframe (at the end) isn’t in the source, so it must be added by something on the server or on the workstation - but it shows the same warnings on more than one computer, so it must be on the server? Is there any third-party (non-avast!) product/method to confirm infection?

I don’t know your setup; I’d try a completely different computer on a completely different network first.

Now, when I go to http://www.sonstraal.org.za/leraars.php#johann I get the warning in the attachment - how can a JPG file be infected?

I just followed that link and did not get a virus warning!

yours
onlysomeone

These scripts usually attach themselves to every file. And we specifically check the tails of media files, to see if the infection took place.

Onlysomeone does not see the infection either; it looks like it’s either on your network or on your computers.
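The isolation step discussed in the thread (fetch the served file, compare it with the FTP source copy, and inspect the file tail), as an added example that is not part of any post. All function names and sample bytes are constructed, and the injected host is a placeholder.

```python
import re
from urllib.parse import unquote

JPEG_EOI = b"\xff\xd9"  # JPEG end-of-image marker; image data should end here
IFRAME_RE = re.compile(rb"<iframe[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def jpeg_trailer(data):
    """Return the bytes that follow the last end-of-image marker."""
    end = data.rfind(JPEG_EOI)
    return data[end + 2:] if end != -1 else b""

def iframe_targets(blob):
    """Percent-decode each iframe src found in blob and defang the scheme."""
    urls = []
    for m in IFRAME_RE.finditer(blob):
        url = unquote(m.group(1).decode("latin-1"))
        urls.append(re.sub(r"^http", "hxxp", url, flags=re.I))
    return urls

def check(name, served, source=None):
    """Compare a served file with its source copy (if any) and report its tail."""
    tail = b""
    if source is not None and served.startswith(source):
        tail = served[len(source):]      # bytes appended after the source content
    elif name.lower().endswith((".jpg", ".jpeg")):
        tail = jpeg_trailer(served)      # no source copy: use the JPEG structure
    return {
        "file": name,
        "differs_from_source": source is not None and served != source,
        "extra_bytes": len(tail),
        "iframes": iframe_targets(tail),
    }

# Constructed sample data: a tiny script, a minimal JPEG-like blob, and an
# injected tail whose host is percent-encoded (decodes to example.invalid).
SRC_JS = b"function menu() { return 1; }\n"
SRC_JPG = b"\xff\xd8" + b"\x00" * 16 + JPEG_EOI
INJECT = (b'<iframe src="http://%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64'
          b'/x.html" width=1 height=1></iframe>')

if __name__ == "__main__":
    print(check("menu.js", SRC_JS + INJECT, source=SRC_JS))
    print(check("header.jpg", SRC_JPG + INJECT))
    print(check("header.jpg", SRC_JPG, source=SRC_JPG))
```

Running the same check on copies fetched from different networks shows whether the tail is added on the server or somewhere between the server and the workstation.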