Infection on site or local? JS:Iframe-ALO [Trj]

Hello guys,

When I go to the website of a friend of mine (http://ontwerpjeleven.nl/) I get the following notification from Avast Premier:

URL hxxp://ontwerpjeleven.nl/-webkit-gradientlinear, 0% 100%, 0% 0%, fromrgb252, 252, 252, torgb221, 221, 221|{gzip}
Infectie JS:Iframe-ALO [Trj]

I contacted server management (we both use the same server) and they told me the infection must be local (on my laptop), because they could not find an infection on the website.

I did a full virus scan with Avast, but it didn’t find anything. I also did a full malware scan with Malwarebytes and all it found was 3 PUPs. I deleted all unnecessary add-ons in Chrome but it did not help, I still get the Avast message when I visit the website.

If there is an infection on my laptop I can’t find it. The strange thing is that I only get the above message on the website of my friend. Can anybody shed some light on this situation?

Kind regards,
Tim (from the Netherlands)

Seems to be something in that website's files that Avast doesn't like.

http://zulu.zscaler.com/submission/show/c87d636d3c1f02d42d4ccb5e0e0b95a5-1415367067

Thank you Pondus!

http://sitecheck.sucuri.net/results/ontwerpjeleven.nl/

http://urlquery.net/report.php?id=1415457353543

Your site has an exploit kit on it…

Could it be this is being flagged? line 220: < h2 class="sectionheader"> Main Sidebar< /h2> < div class="sidebarwidget"> < div class="textwidget"> < if​rame src="wXw.youtube.com/embed/ZdC6AF3758M?rel=0;vq=hd720;showinfo=0;modestbranding=1;" width="280" height="220" frameborder="0" allowfullscreen="allowfullscreen"> < / if​rame >
This is webpoisoning and adblock hacking: http://blog.kotowicz.net/2012/03/chrome-addons-hacking-bye-bye-adblock.html
Look for exploitable document.location.protocol in the code source
There is also a 404 in htxp://ontwerpjeleven.nl/404-error/ htxp://ontwerpjeleven.nl/levensgebied-veranderen/
Analyze here: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fontwerpjeleven.nl&useragent=Fetch+useragent&accept_encoding=
This link is secure :smiley: → htxp://ontwerpjeleven.nl/wp-admin/admin-ajax.php

polonus

When you scan the VT detected uri it redirects: htxp://ontwerpjeleven.nl/omdenken/-webkit-gradientlinear%2C%200%25%20100%25%2C%200%25%200%25%2C%20fromrgb252%2C%20252%2C%20252%2C%20torgb221%2C%20221%2C%20221 redirects to htxp://ontwerpjeleven.nl/404-error/
VT also flags this: htxp://ontwerpjeleven.nl/wp-content/plugins/akismet/_inc/form.js
See: http://jsunpack.jeek.org/?report=45a7bca46d9f8e46af465c9dad8968061703814d
undefined variable js.parentNode
error: line:1: SyntaxError: missing ; before statement:
error: line:1: var js.parentNode = 1;
error: line:1: …^ SEO Spam issues - htxp://downloads.securityfocus.com/vulnerabilities/exploits/23965.html

Exploitable code: an attacker could exploit something like <? echo 'escape("' .$_GET['AttackerString']. '");' ?> by simply bypassing the javascript function: &AttackerString="); alert("xss in which case the html output would be: escape(""); alert("xss");
Quote info credits go to: Information Security's Nicolai (document.location.protocol XSS vulnerable?).

polonus
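As an added example (not code from this thread or from the site discussed): the PHP echo pattern polonus quotes, rebuilt as a small JavaScript render function beside a hardened version, plus a check that tells the two apart. Function names and the check are assumptions for this illustration.

```javascript
// Added example, not from the thread: the quoted pattern
// <? echo 'escape("' .$_GET['AttackerString']. '");' ?>
// rebuilt as a render function, beside a hardened form.

// Vulnerable: the request value is concatenated straight into a JS string
// literal, so a value containing a double quote ends the literal early.
function renderUnsafe(attackerString) {
  return 'escape("' + attackerString + '");';
}

// Hardened: serialise the value as a JSON string literal (quotes and
// backslashes escaped), then also escape characters that could still close
// a <script> block or break a line inside the literal.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(attackerString) {
  return 'escape(' + jsStringLiteral(attackerString) + ');';
}

// Check used by this example (hypothetical helper): the rendered output must be
// exactly one escape(...) call whose argument is a single well-formed
// double-quoted string literal, i.e. the input never left the literal.
const ONE_CALL = /^escape\("(?:[^"\\\n]|\\.)*"\);$/;
function argumentStaysInsideLiteral(js) {
  return ONE_CALL.test(js);
}

// Constructed input: the value from the thread as it arrives after
// query-string decoding (&AttackerString="); alert("xss).
const PAYLOAD = '"); alert("xss';

// renderUnsafe(PAYLOAD) yields  escape(""); alert("xss");   -> check fails
// renderSafe(PAYLOAD)   yields  escape("\"); alert(\"xss"); -> check passes
```

The same check applied to a value containing </script> shows why the extra `<`/`>` escaping matters: the safe output never contains a literal closing tag.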

Thanks for the info guys! :slight_smile:

This goes way above my head, so I will ask server management to look at it.

Have a great day!