HTML Script Infection - False Positive?

I’ve encountered issues with my tumblr blog today. When I try to access some blogs, I get this notification:

http://i46.tinypic.com/md1ocy.jpg

In another topic on here ( http://forum.avast.com/index.php?topic=7779.15 ) I saw someone posted with the same problem and I’ve checked the status of my blog on the sites given there and it said it was clean, but there was no solution offered.

I was wondering if someone could help me out with this, I would appreciate it greatly?

I checked with a few of my friends, and those who use Avast faced the same problems, with only certain blogs, not all, just like me, while those who use other anti-virus programs did not have any difficulties accessing the page, so I am inclined to believe it’s avast that is doing this and I would like to have it fixed if possible.

I tried updating everything - but it was already up to date and I don’t know what else to do anymore. Anyway, thank you in advance. :slight_smile:

Oh, and the URL to the problematic blog is: http://st-vladimir-academy.tumblr.com/

Well, the conventional scanners, Sucuri and URLVoid, don’t find anything. But there is something suspect going on with a compressed script file (the {gzip} bit at the end of the Object name; see the image extract of the content of the loaded file). Only avast (and QData, which uses avast as one of its two scanners) detects anything in that file, but that in itself isn’t unusual, and it could still be a good detection, https://www.virustotal.com/file/1cc323296ea499423b47017209511944c150f26b83684b1fa47df0ee8014e8f0/analysis/1345225148/.

The URLQuery check does find something which is a little out of the ordinary, http://urlquery.net/report.php?id=135742. If you look at the URLVoid information, there are an enormous number of sites on that IP address and a very high number of them are considered suspect/infected, http://www.urlvoid.com/scan/st-vladimir-academy.tumblr.com/.

Now I don’t know if those conventional scanners are able to detect that being loaded much less scan it.

I have no idea how tumblr works, e.g. what control software is used or whether that is vulnerable in a way that allows this compressed file to be loaded when the site loads.

Hah yeah, I have no clue about any of this or how to fix anything :expressionless:

All I can suggest is that you contact tumblr support and ask about a compressed file being loaded on the blog.

Whilst you can use the on-line contact form, http://www.avast.com/contact-form.php?loadStyles, for: Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media) issues.

  • If you are reporting an FP, then another input field opens: click the Browse button and navigate to the file, or enter the web URL for the site you wish to submit for web shield review, etc. A link to this topic also wouldn’t hurt.

Though in the past these kinds of detections have had a high accuracy rate.

EDIT
That said, check this other topic with a very similar problem, http://forum.avast.com/index.php?topic=103346.0, and it appears that his site was hacked.

EDIT2
Also see https://badwarebusters.org/main/itemview/26412; it is about a number of tumblr sites being hacked because of the utilities they use.

Further analysis

Anubis Analysis Report
[#############################################################################]
Analysis Report for hXXp://st-vladimir-academy.tumblr.com
[#############################################################################]

Summary:
- Changes security settings of Internet Explorer:
    This system alteration could seriously affect safety surfing the World
    Wide Web.

- Performs File Modification and Destruction:
    The executable modifies and destructs files which are not temporary.

- Performs Registry Activities:
    The executable creates and/or modifies registry entries.

Information from the other topic that might help you:

Hi DavidR,

Remote File Inclusion (RFI) is the best ever technique to hack websites, and more than 60% of websites on the internet using PHP are vulnerable to this attack.
An Unknown_html_RFI_shell attack has been reported for that IP, 50.97.143.30, but apparently the malware has been closed. The longest time a domain on this IP had that malcode was for a total of 11 hrs.

polonus

Yes, no doubt that is another IP for tumblr, but the one that st-vladimir-academy.tumblr.com/ is on is 50.97.151.201 (according to URLVoid; looking deeper into that URLVoid report, there are many sites on that IP considered suspect).
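The quoted post above mentions Remote File Inclusion against PHP sites. As an added example that is not part of this thread or of any of the tools named in it, the block below shows the two things a site owner can do about that class of bug: spot RFI/LFI probes in an access log, and select include templates in a way that cannot be steered to a URL or an outside path. The log lines and the template directory are constructed for the demo, the function names are hypothetical, and Python stands in for the PHP `include()` logic the post refers to.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse, parse_qs

# Constructed Apache-style access log lines (not from the forum thread). The
# second and third carry the shapes a probe against an unchecked include()
# usually takes: a URL in the parameter, or '..' segments to walk out of the
# include directory.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Aug/2012:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [17/Aug/2012:10:01:07 +0000] "GET /index.php?page=http://198.51.100.7/inc.txt? HTTP/1.1" 200 4096',
    '203.0.113.9 - - [17/Aug/2012:10:01:09 +0000] "GET /index.php?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1203',
    '203.0.113.5 - - [17/Aug/2012:10:01:11 +0000] "GET /index.php?page=about HTTP/1.1" 200 498',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "php", "data"}


def classify_include_value(value):
    """Classify a parameter value as an unchecked include() would treat it.

    'remote'    -> a URL or stream wrapper; with allow_url_include this pulls
                   foreign code into the process (RFI)
    'traversal' -> absolute path, '..' segments or a NUL byte escaping the
                   include directory (LFI)
    'local'     -> a bare page name, the only shape a template selector should accept
    """
    if urlparse(value).scheme.lower() in REMOTE_SCHEMES:
        return "remote"
    if value.startswith(("/", "\\")) or ".." in Path(value).parts or "\x00" in value:
        return "traversal"
    return "local"


def scan_access_log(lines):
    """Return (client_ip, param, value, kind) for every non-local parameter value."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        # parse_qs percent-decodes, so ..%2F.. is seen the way PHP would see it
        for param, values in parse_qs(urlparse(target).query).items():
            for value in values:
                kind = classify_include_value(value)
                if kind != "local":
                    findings.append((ip, param, value, kind))
    return findings


# Constructed template directory standing in for the application's include/ folder.
TEMPLATE_DIR = Path(tempfile.mkdtemp(prefix="rfi_demo_")).resolve()
(TEMPLATE_DIR / "home.tpl").write_text("<h1>Home</h1>")
(TEMPLATE_DIR / "about.tpl").write_text("<h1>About</h1>")
ALLOWED_PAGES = {"home", "about"}


def resolve_template(page):
    """Hardened selector: allowlist the name, then confine the resolved path.

    Returns the template body, or None when the request is rejected. The path
    check is redundant with the allowlist and is kept as defence in depth, so
    a future edit that loosens the allowlist still cannot reach outside files.
    """
    if page not in ALLOWED_PAGES:
        return None
    candidate = (TEMPLATE_DIR / f"{page}.tpl").resolve()
    if candidate.parent != TEMPLATE_DIR:
        return None
    return candidate.read_text()


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious include parameter:", finding)
    print(resolve_template("home"))                 # template body
    print(resolve_template("../../etc/passwd"))     # None: rejected
```

Run it as a script to see the two probe lines flagged while the ordinary `page=home` and `page=about` requests pass silently; `resolve_template` never builds a path from the raw request value, which is the property that makes both the URL and the traversal case impossible regardless of `allow_url_include`.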