is johnquiggin.com infected?

Hello

Intermittently I get the network scanner telling me it has blocked johnquiggin.com, and I have a record in my log file (sample below)

13.06.2009 07:49:29 Network Shield: blocked access to malicious site dns://johnquiggin.com [ C:\Windows\system32\svchost.exe ]

Is there a virus on the website (if so, I will email the owner) or is it something happening on my PC?

Regards

huh - and this is new

my copy of avast was a little old (just the program! I keep the db up to date…) so I updated, restarted and now I get

13.06.2009 08:36:15 Network Shield: blocked access to malicious site www.johnquiggin.com/ [ C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe ( 3556 ) ]

So I assume the reference to svchost (see above) was because it was that piece of software doing a DNS lookup, yes?

The only thing I still don’t see is a reason from avast explaining why it is blocking the website, which I thought it did. It would be handy info to pass along to the site’s owner.

I too got the alert trying to visit. I paused the network shield to investigate further (not advisable), and the site is down at the moment, so I guess they are trying to clean house; see image.

When they do eventually get cleaned out, it will take a little time to be removed from the malicious software list.

If you click a link in your browser, your browser would be the parent of the DNS call; if you initiated it from outside your browser, svchost is normally the parent for the DNS request.

Because it is on the malicious site list, avast is able to check its list before the DNS request gets through.

Thanks for your time, I appreciate it - and hopefully they are scrubbing things down as we, uh, type.

Hi DavidR,

The site in question (and Klen, in the thread please change www to wXw to make the link non-clickable, for the curious of heart) was apparently compromised through their version of WordPress. For checking for WordPress vulnerabilities or exploits: http://ocaoimh.ie/exploit-scanner/

http://www.blacklistdoctor.com/bld/diagnose.php?URL=wXw.johnquiggin.com/&scan_id=14805 gives it as clean now,

polonus
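The two Network Shield lines quoted earlier in the thread carry everything the owner would need (time, blocked target, the process that triggered the lookup), and the thread's own convention for sharing such links is to defang them (hxtp, wXw). The following is an added example, not code from the thread or from avast: a small parser for that log format, a classification of the parent process along the lines DavidR gives (a browser process means a link or page was opened; svchost.exe means the DNS lookup came from outside the browser), and a defang routine for producing a report that is safe to paste. The log layout is inferred from the two quoted lines, the browser executable list is an assumption, and the sample input is constructed from those two lines.

```python
"""Parse avast Network Shield 'blocked access' lines and defang the URLs for reporting.

Added example for this thread (not avast's code). The line layout is inferred from the
two log lines quoted in the thread; the browser/svchost distinction follows the
explanation given there.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two Network Shield lines quoted in the thread.
SAMPLE_LOG = r"""
13.06.2009 07:49:29 Network Shield: blocked access to malicious site dns://johnquiggin.com [ C:\Windows\system32\svchost.exe ]
13.06.2009 08:36:15 Network Shield: blocked access to malicious site www.johnquiggin.com/ [ C:\Program Files\Mozilla Firefox 3.5 Beta 4\firefox.exe ( 3556 ) ]
"""

# Assumed layout: <date> <time> Network Shield: blocked access to malicious site <target> [ <process path> ( <pid> ) ]
# The "( pid )" part is optional: the svchost line above has none.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Network Shield: blocked access to malicious site (?P<target>\S+) "
    r"\[ (?P<process>.+?)(?: \( (?P<pid>\d+) \))? \]$"
)

# Hypothetical list of browser executables; extend it for your own machine.
BROWSERS = {"firefox.exe", "iexplore.exe", "opera.exe", "chrome.exe", "safari.exe"}


def classify_origin(process_name: str) -> str:
    """Browser process: the user opened a link or page. svchost.exe: the DNS lookup
    came from outside the browser (the DNS client service is the parent). Anything
    else is reported as unknown rather than guessed."""
    name = process_name.lower()
    if name in BROWSERS:
        return "browser"
    if name == "svchost.exe":
        return "outside-browser"
    return "unknown"


@dataclass
class BlockEvent:
    timestamp: str
    target: str
    process_path: str
    pid: Optional[int]

    @property
    def process_name(self) -> str:
        # ntpath handles the Windows path regardless of the host OS.
        return ntpath.basename(self.process_path).lower()

    @property
    def origin(self) -> str:
        return classify_origin(self.process_name)


def parse_line(line: str) -> Optional[BlockEvent]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pid = int(m.group("pid")) if m.group("pid") else None
    return BlockEvent(f"{m.group('date')} {m.group('time')}",
                      m.group("target"), m.group("process"), pid)


def parse_log(text: str) -> List[BlockEvent]:
    """Keep only lines that match the Network Shield 'blocked access' format."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def defang(target: str) -> str:
    """Make a URL non-clickable the way the thread does: http -> hxtp, www. -> wXw.
    Targets without a scheme or www prefix (e.g. dns://host) are left unchanged."""
    out = re.sub(r"^http(s?)://", r"hxtp\1://", target, flags=re.IGNORECASE)
    out = re.sub(r"^(hxtps?://)?www\.", r"\1wXw.", out, flags=re.IGNORECASE)
    return out


def report(events: List[BlockEvent]) -> List[str]:
    """Lines safe to paste into a forum post or an e-mail to the site owner."""
    lines = []
    for ev in events:
        pid = f" (pid {ev.pid})" if ev.pid is not None else ""
        lines.append(f"{ev.timestamp} {defang(ev.target)} via {ev.process_name}{pid} [{ev.origin}]")
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Feed it the whole avast log rather than the two sample lines to see how often the block fires and from which process; a run of svchost.exe entries with no browser activity is what the original poster saw, and it points at a background lookup (prefetching, a cached page reload, an add-on) rather than at the website having changed.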

If the site is still down I would imagine it isn’t scanning infected content.

OK, the site is back up but reporting server issues, and with the network shield paused the web shield alerts three times, all of it related to packed and encrypted content on the home page, and twice relating to the favicon.ico file, also packed; see images.

So it looks like Blacklist Doctor can't cope with packed, encrypted content.

Though VT only has GData and avast detecting on the temp file scanned by avast: http://www.virustotal.com/analisis/644c810cfae0504c30ab1496d3cba989b255e270f1d72d8ed3f8768ecade812c-1244854192.

So this may require more analysis by avast.

Update:

I have sent the home page off for further analysis, though these detections have tended to be very accurate.

Hi malware fighters,

The site is still being blocked by the shield:

link - hxtp://johnquiggin.com/wp-content/themes/inove/js/base.js
link - hxtp://johnquiggin.com/wp-content/themes/inove/js/menu.js
link - hxtp://johnquiggin.com/wp-includes/js/swfobject.js?ver=2.1
John Quiggin - hxtp://johnquiggin.com/

polonus

Hi malware fighters,

While I tried to make the above links non-clickable I got the following alert:
Sign of "JS:ScriptPE-inf [Trj]" has been found in "C:\Documents and Settings\Polonus\Application Data\Mozilla\Firefox\Profiles\67^^zqs.default\sessionstore-1.js" file.
I cleansed that out and removed the session and cache to get rid of it, so even remotely linking to the site can wreak havoc. One can also make a test profile for Firefox: go to Start - Run and enter firefox.exe p. Also, a new profile can be made as Default.user.

polonus