Infection: HTML:Script-inf

Hello,

We recently built out a website for www.painless processing.com and just got a Malware Blocked message popup.

The site was built and uploaded about a week ago. Is there an error within the code that triggered an automatic reaction from avast? If it was hacked, any and all details are appreciated.

Thanks,

William

  1. http://www.virustotal.com/url-scan/report.html?id=11a222a35e8369660c3a803fc338b1b6-1285684762

  2. http://online.us.drweb.com/cache/?i=db5658f0017acbffc0732900250b51fc

  3. https://anubis.iseclab.org/?action=result&task_id=190d706b788dcf34449c0631b447476e2&format=html

May be a false alarm…, wait for what analysts say.

Hi William, welcome to the forum.

Unfortunately, the page contains a script tag to a malicious site, outside of the html block. This shouldn’t be there.
The script is in the image below, click to expand. (It is right at the end of the code for the page.)

See:

http://www.UnmaskParasites.com/security-report/?page=www.painlessprocessing.com

http://www.virustotal.com/file-scan/report.html?id=c72cdc9554e7738be8db51d677ae4aab7ca9bb0a79442e31cf18b8ee345db634-1285692367

http://www.virustotal.com/url-scan/report.html?id=29438f8e2075a3313154cc1ae5ec9bb5-1285685209

Scott

EDIT: image…
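The check described in the post above (a script tag sitting after the closing html tag, at the very end of the page source), as an added example that is not part of the original thread. The sample page, the host names and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a normal page with one script appended after </html>.
SAMPLE = """<html>
<head><title>Home</title>
<script src="/js/site.js"></script>
</head>
<body><p>Welcome</p></body>
</html>
<script src="http://injected.example/js.php"></script>
"""


class TrailingScriptFinder(HTMLParser):
    """Collect <script> tags that appear after the closing </html> tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.html_closed = False
        self.findings = []  # list of (line, src or None)

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        # HTMLParser reports tags in document order and lowercases names.
        if tag == "script" and self.html_closed:
            line, _ = self.getpos()
            self.findings.append((line, dict(attrs).get("src")))


def scan_page(markup, own_hosts):
    """Return one dict per trailing script; 'external' means src is off-site."""
    finder = TrailingScriptFinder()
    finder.feed(markup)
    finder.close()
    results = []
    for line, src in finder.findings:
        host = urlparse(src).hostname if src else None
        results.append({"line": line, "src": src, "host": host,
                        "external": host is not None and host not in own_hosts})
    return results


if __name__ == "__main__":
    for hit in scan_page(SAMPLE, {"www.example.org"}):
        print("script after </html> at line", hit["line"], "->", hit["src"])
```

Run it over every served file after each upload and compare against a known-good copy; a hit means the file on the server was modified, so the cause still has to be found.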

Hi spg SCOTT,

Good analysis: http://www.urlvoid.com/scan/addonrock.ru
Malicious software includes 82 exploits, 26 trojans,

pol

Hey guys,

Thanks for your speedy replies.

Should I just remove it from the original source code and that’s it?

How can I avoid this from happening again?

Thanks,

Will

Removal of the inserted script isn’t the end of the job. Unless you find the reason for the exploit, it is likely to be back.

  • This is commonly down to old content management software being vulnerable, PHP, Joomla, Wordpress, SQL, etc. etc.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Hi William,

Also welcome to these forums here. Mind what DavidR says: update all the website software to get rid of vulnerabilities that could lead to re-infection. DavidR is right there,

polonus

Infection Details
URL: http://zaycev.net/|{gzip}
Process: C:\Program Files (x86)\Mozilla Firefox\f…
Infection: HTML:Script-inf
Maybe this site is clear of viruses?

First… you are posting in a topic that is 2 years old

and the URL you posted: http://sitecheck.sucuri.net/results/zaycev.net

Suricata and Snort filters also alarm on it: http://urlquery.net/report.php?id=149674

Hi Pondus,

And then there was this topic on the Russian subforum: http://forum.avast.com/index.php?topic=103683.0

polonus