HTML: Script-inf

Hi all, looking for some help. I'm getting a notice of an HTML: script-inf infection when trying to access this site:

hxxp://sonsofanarchyforever.com/forum/index.php

The virus scan at work doesn’t pick it up, and people seem to be browsing the site with no problem, so is this just a problem with avast? Are my settings too sensitive? Any help would be very much appreciated.

Thank You!!

Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Maybe you could contact its webmaster.

Please edit the links to make them non-live (change http to hxxp, for instance, or add spaces in the URL).

Check here how to clean and make a website secure.

Thanks Tech, I contacted the webmaster, had to turn off my avast to get onto the site and contact them. Guess I’ll wait for an answer ???

I wouldn’t do that… I mean disable avast…
Check if your system is really clean.

VirusTotal - unp192864113.tmp - 4/41
http://www.virustotal.com/analisis/787d0b075ed28499e83047f4fbacdf6cfe35f9788e3e320375125b6575b16c27-1275117470

VirusTotal - unp122401198.tmp - 4/41
http://www.virustotal.com/analisis/d3481a1ea83e2c5d9d4ea473ea7b247d0de793c057a91c38a37fdc3f6aeb9542-1275117497

Pondus, those were temporary files of avast… Are they related?

They are when captured from the detection.

Hi

Report for this site: Norton Safe Web gives it as clean: sonsofanarchyforever.com/forum/index.php
Web server details
Scan for: htxp://sonsofanarchyforever.com/forum/index.php
Hostname: sonsofanarchyforever.com
IP Address: 97.74.215.38 (p3nlh199.shr.prod.phx3.secureserver.net)
Date: 29-05-2010 06:51

Running on: Apache

Remote Javascript included: htxp://holasionweb.com/oo.php

Local or adserver Javascript included: ./styles/prosilver_sesons/template/styleswitcher.js

Local or adserver Javascript included: ./styles/prosilver_sesons/template/forum_fn.js

Local or adserver Javascript included: ./styles/prosilver_sesons/theme/jquery-1.3.2.js

Local or adserver Javascript included: ./styles/prosilver_sesons/theme/images/loader.gif

holasionweb is suspicious and maybe malicious: the last time suspicious content was found on this site was on 2010-05-20.

Malicious software includes 109 scripting exploit(s), 1 trojan(s).

This site was hosted on 3 network(s) including AS50108 (KALUGANET), AS16276 (OVH), AS2588 (LATNETSERVISS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, holasionweb.com appeared to function as an intermediary for the infection of 3 site(s) including ffl.org/, cosmicbooknews.com/, 365dailynews.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 35 domain(s), including moomha.com/, venciclopedia.com/, pattonwebz.com/.

WOT flags it as a malware distribution site: http://www.mywot.com/en/scorecard/holasionweb.com

Malware there: http://tintation.com/2010/05/13/remove-holasionweb-com-virus-malware/

IFrame check:
No zeroiframes detected!
Check took 5.51 seconds

(Level: 0) Url checked:
htxp://sonsofanarchyforever.com/forum/index.php
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://sonsofanarchyforever.com/forum/./styles/prosilver_sesons/template/styleswitcher.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://sonsofanarchyforever.com/forum/./styles/prosilver_sesons/template/forum_fn.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://sonsofanarchyforever.com/forum/./styles/prosilver_sesons/theme/jquery-1.3.2.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://holasionweb.com/oo.php
Blank page / could not connect
No ad codes identified

Could mean removed or a malicious redirect: http://www.simplemachines.org/community/index.php?topic=381265.0

polonus
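The scan report above lists every script the page includes and singles out the one loaded from a different host. As an added example (not part of the thread or of any scanner used in it), the following Python code performs that classification on a page's HTML; the hostnames `forum.example`, `cdn.example` and `injected.example`, the sample HTML and the `classify_scripts` helper are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: one local script, one allow-listed CDN script, one unknown host.
SAMPLE_URL = "http://www.forum.example/forum/index.php"
SAMPLE_HTML = """<html><head>
<script src="./styles/prosilver_sesons/template/forum_fn.js"></script>
<script src="//cdn.example/jquery-1.3.2.js"></script>
<script>var inline = 1;</script>
</head><body>
<SCRIPT SRC="http://injected.example/oo.php"></SCRIPT>
</body></html>"""

class _ScriptCollector(HTMLParser):
    """Collects <script src> values and the first <base href>, which changes URL resolution."""
    def __init__(self):
        super().__init__()
        self.base = None
        self.sources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # the parser already lower-cases tag and attribute names
        if tag == "base" and attrs.get("href") and self.base is None:
            self.base = attrs["href"]
        elif tag == "script" and attrs.get("src"):
            self.sources.append(attrs["src"].strip())

def _host(url):
    # Compare hosts case-insensitively and treat "www.x" and "x" as the same site.
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify_scripts(page_url, html, trusted_hosts=()):
    """Return [(absolute_url, verdict)] where verdict is local, trusted or remote."""
    collector = _ScriptCollector()
    collector.feed(html)
    base = urljoin(page_url, collector.base) if collector.base else page_url
    own, trusted = _host(page_url), {h.lower() for h in trusted_hosts}
    results = []
    for src in collector.sources:
        absolute = urljoin(base, src)  # resolves "./x", "//host/x" and absolute URLs
        host = _host(absolute)
        verdict = "local" if host == own else "trusted" if host in trusted else "remote"
        results.append((absolute, verdict))
    return results

if __name__ == "__main__":
    for url, verdict in classify_scripts(SAMPLE_URL, SAMPLE_HTML, {"cdn.example"}):
        print(f"{verdict:8} {url}")
```

A `remote` verdict only means the script comes from a host that is neither the site's own nor on the allow-list; it still has to be checked against what the site's templates are supposed to load.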

Thanks again everyone. The webmaster tells me they scanned the site and there is nothing wrong; everyone seems to be posting normally, except me. Oh well.

Thanks again for all your help.