iFrame Trojan questions

A couple of days ago I was getting some Trojan warnings on a few of my company’s sites, all via iFrames.

I don’t believe this is a real malware problem, but rather more likely another one of Facebook’s feature additions that the AV simply didn’t know about yet, and blocked. Today, I can’t get the pop up to appear at all on any of the sites so I believe the definition updates cleared up what was most likely just misinformation.

The problem is, I have been pushing the company to allow me to start redesigning and updating their sites, and they have been dragging their feet. Their current designer is, quite frankly, doing a lousy job. And I used this “trojan” alert to light a fire under management’s behinds to get them more seriously thinking of putting me on the job.

What bothers me is that I may have raised a false alarm over these Trojans. At the very least, whether or not they were or are a real problem, I want to get to the bottom of what they really were. I want to be able to report to management “This is what it was…” not, “Well, it could have been this, or that, I’m not sure what it really was…”

I feel like a noobie asking this, but where can I dig up the logs on what was reported by Avast three days ago? I can’t remember the Trojan name the pop-up showed, and it isn’t showing up at all anymore visiting the sites.

The other designer, I hear, doesn’t want the job anymore anyway, but even so I don’t want to take over and have the first issue I raised make me sound like a total idiot.

Does Avast keep any logs of the pop-up alerts? It’s too late to “view last pop-up.” I can see it in the GUI graph under Real Time Shields, but I need the exact warning message I got at the time.

EDIT: Sorry, I should have added this:

OS: Windows XP SP3
Warnings showed up for all browsers (you name it, I have it installed).

Do you have a URL we can test? Post it non-clickable: http as hxxp or www as wxw.

I do. The following page contains links to all their sites. Friday, four out of five of them produced the warnings, but not every time they were loaded. I had to refresh them occasionally to produce the pop-ups. Today though, I’m not getting any warnings at all, which leads me to believe the definition updates corrected a probable false positive.

The top three and the last link produced the warnings on Friday. I didn’t get any on the other two.

This link is clickable, but not one of the pages that caused the warning. It just lists the six sites we own.

streamingradioguide.com/licensee-list.php?showall=on&licensee=GREAT+EASTERN+RADIO%2C+LLC

EDIT: I made it un-clickable anyway, but the links on that page, of course, are clickable so…

Report 2011-07-11 17:08:00 (GMT 1)
Website streamingradioguide.com
Domain Hash 5feec427b0cc07ec48287d51eab97002
IP Address 75.102.13.242 [SCAN]
IP Hostname unknown.ord.scnet.net
IP Country US (United States)
AS Number 23352
AS Name SERVERCENTRAL - Server Central Network
Detections 0 / 23 (0 %)
Status CLEAN

Thanks Asyn, but that isn’t the site that posed the problem. It was the sites through the top three links, and the bottom link on that page. The sites owned by Great Eastern. streamingradioguide isn’t our site.

OK, which site should we test/check then?

Site seems offline now,

polonus

@Asyn: It was the top three and the bottom links on the page I posted.

Actually guys, I wasn’t really looking for anyone to test the sites. I was looking for whether there was a log Avast keeps that I could check for the message I got. As it turns out, I just checked the links again myself, and did finally get the pop-up alert again.

The pertinent information was this:

object: http: [break this link!] //www.sitename.com/css.php?t=nouveau

Infection: JS:IFrame-BU[trj]

That’s what I wanted. That information so I can do some research on exactly what it really is. I do know it’s an iFrame injection, but not yet sure if it’s really malicious or not. It doesn’t always show up, as I said. There are Facebook apps loaded on those pages, but there are also some others too, so I’m not sure yet where it’s coming from.

If they decide to have me work on these sites, it won’t matter in the end anyway, because I plan to wipe them all and start from scratch, so whatever infections may or may not be there, they will be NUKED once I get hold of the sites.

Thanks anyway.

If you do know anything about that infection though, please do share. I’m still very curious as to what it is, and would like to be able to report to my people with more than just, “Uh… I don’t know, but I don’t think it’s good.” :wink:

ATM, I get: Domain does not exist or is inaccessible.
So, I can’t investigate further.

yepp
http://www.downforeveryoneorjustme.com/www.sitename.com/css.php?t=nouveau

Guys, this page right here:

http://streamingradioguide.com/licensee-list.php?showall=on&licensee=GREAT+EASTERN+RADIO%2C+LLC

has SIX links on the left side of the grid.

The top three and the bottom out of those six displayed warnings.

It is possible the sites are not accessible internationally. I don’t know. They are local radio stations, but they do stream over the net as well, but that’s through a different domain service.

As I said above, I don’t necessarily need anyone to visit the sites, or test the sites themselves. I just need some information about the reported infection:

JS:IFrame-BU[trj]

If there is any information. There may not be. Google search on it turns up JS:IFrame-KU[trj], but not JS:IFrame-BU[trj], so I haven’t yet found any good information about what it is exactly.

If you don’t know what it is, that’s fine. If you can’t load the sites, it’s no big deal.

I can’t get to streamingradioguide.com at all with firefox (and won’t poke my nose into suspect sites with IE), even though it is meant to be up. I keep getting - The connection to the server was reset while the page was loading.

Personally I wouldn’t even bother googling the JS:IFrame-BU[trj], as the information, even if returned, isn’t going to help. The iframe injection is the hacked/injected script tag being blocked. So the remote location could change for different sites (still the same JS:IFrame-BU[trj]), and the payload at that remote site is also likely to be variable.

Effectively all the JS:IFrame-BU[trj] is telling you is that the site appears to have been hacked with an injected iframe tag.

This is the file that contains the information on the webshield detections, C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\WebShield.txt (XP) or C:\ProgramData\AVAST Software\Avast\report\WebShield.txt (Vista, Win7). These folders may be hidden so you will have to change the options in windows explorer.
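The point above, that the detection simply means an iframe tag was injected into the page and that the remote location varies, suggests a defender-side check: look at the site’s own HTML for iframes that point off-site and are concealed (tiny, hidden or positioned off-screen), which distinguishes them from a visible third-party widget such as a Facebook box. This is an added example, not code from the thread or from Avast; the host names and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sample page, constructed for this example: a visible Facebook-style widget
# (legitimate off-site iframe) beside a concealed injected one whose path
# mirrors the css.php?t=nouveau object reported in the thread.
SAMPLE_HTML = """<html><body>
<iframe src="http://www.facebook.com/plugins/likebox.php" width="292" height="258"></iframe>
<p>station news</p>
<iframe src="http://bad.example/css.php?t=nouveau" width="1" height="1"
        style="visibility:hidden;position:absolute;left:-9999px"></iframe>
</body></html>"""


class IframeAudit(HTMLParser):
    """Collect every <iframe> on a page and note traits that make it look injected."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host   # the site's own host; anything else is off-site
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        reasons = []
        host = urlparse(a.get("src", "")).hostname
        if host and host != self.site_host:
            reasons.append("off-site")
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if "left:-" in style or "top:-" in style:
            reasons.append("off-screen")
        # getpos() gives the line where this tag starts, handy for locating the injection
        self.frames.append({"line": self.getpos()[0], "src": a.get("src", ""), "reasons": reasons})


def suspicious_iframes(html, site_host):
    """Return iframes that are both off-site and concealed.
    A visible third-party widget is off-site but not concealed, so it is not returned."""
    parser = IframeAudit(site_host)
    parser.feed(html)
    concealment = {"tiny", "hidden", "off-screen"}
    return [f for f in parser.frames
            if "off-site" in f["reasons"] and concealment & set(f["reasons"])]
```

Run it over every HTML or PHP template the site serves (not just the home page), since an injection only has to sit in one included file to be blocked on every page.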

Thanks DavidR, those file locations are what I was looking for. I always have hidden files and extensions turned on. I don’t like OSes hiding anything from me.

I’ll take a look there.

Actually, when I Googled the file name in quotes, I found only three site results. On two of them the webmasters clearly don’t understand what the infection is, or that it isn’t coming from their own sites: they have searched their own sites for it and haven’t found it (of course! What did they really expect to find? It’s coming through an iFrame, so it’s obviously a cross-site attack), yet they are sadly telling their users not to worry about it. :slight_smile:

Anywho, as I stated above, if I am given the task, I’ve already planned to nuke the entire site contents and databases, starting from scratch.

I do plan to use some iFrames in the new setup, but not before checking into whether a separate script I will be installing to keep spammers and hackers out will also help with XSS injections. I’ll have to speak with the developer of the script about that. I would not be surprised if the script doesn’t help at all with it, in which case I will insist on the iFrames not being used at all.

Thanks again.

You’re welcome.