js:Iframe-AC [Trj]

For the past week or so every time I go to visit my message board I get the following avast message.

http://i303.photobucket.com/albums/nn122/gabrielawilson/Untitled-1-2.jpg

I have multiple message boards using the same host, yet this is the only one it appears on.

Given that this is in the admin area of your site I doubt we can actually investigate it from outside.

Check your PHP templates, as that is a common way for pages to get infected/hacked, and ensure that you have the latest version running on your host/board software.

Thanks, I will post in their support forum and see what they say.

Object: -http://www.find-how.com/web-stats/admin/setup.php

Well, seems I got access to it.
Jotti 14/20 http://virusscan.jotti.org/en/scanresult/7b6370aa4d13848b54063cc571ed5a891a3527c7
Metascan 13/18 http://www.metascan-online.com/results.cgi?uid=r73ofee5cohes6zazzok3kos084hc4aw

Sucuri also say infected… see attached screenshot (click to enlarge)
Sucuri malware info: http://sucuri.net/malware/malware-entry-mwjs444

[b]Description[/b]: This encoded JavaScript loads malware (the fake AV)

Malware found here

-http://www.find-how.com/web-stats/admin/setup.php
-http://www.find-how.com/web-stats/admin/setup.php/404testpage4525d2fdc
-http://www.find-how.com/Top-Categories.html
-http://www.find-how.com/web-stats/admin/setup.php/find-relationship.com
-http://www.find-how.com

I got help over at Jcink support. Removed a piece of code. They say sometimes you can get a false report. Anyway, after removing the code, I no longer get avast freaking out on me. Thank you.

Sucuri and VirusTotal are still reporting infected… you should give them a link to this topic.

This is not a false positive…

Scanning the 5 URLs that Sucuri reports with malware will all give the same 23/42 infected score at VT:
http://www.virustotal.com/file-scan/report.html?id=1bfe0caa320d36853072fbc64df46f5c44bfcbd37c53e25afc3e234acf78be87-1321569153
http://www.virustotal.com/file-scan/report.html?id=92dbdbe20658088a0f2270e1aa85bcc226881258eb03679e246a882aebd91df5-1321569032
http://www.virustotal.com/file-scan/report.html?id=052d01a5a2559e73e73e9dd146555e84cb26e0b9c13a7e2ae6038740308bb83d-1321569004
http://www.virustotal.com/file-scan/report.html?id=92dbdbe20658088a0f2270e1aa85bcc226881258eb03679e246a882aebd91df5-1321568968
http://www.virustotal.com/file-scan/report.html?id=92dbdbe20658088a0f2270e1aa85bcc226881258eb03679e246a882aebd91df5-1321568937

URLQUERY - Detected Blackhole exploit kit v1.1 HTTP GET request
http://urlquery.net/report.php?id=8874

Wepawet
http://wepawet.iseclab.org/view.php?hash=63f318e3d67ddd30a043d836757f52a0&t=1321569904&type=js

Hi Pondus,

I also get avast webshield alerts for JS:ScriptSH-if[Trj] for a.o. -http://www.find-how.com/web-stats/admin/setup.php
And avast is not alone here: http://siteinspector.comodo.com/public/reports/639219 (details: dangerous script found by av engine on that page)
DrWeb URL scanner gives -http://www.find-how.com/web-stats/admin/setup.php/Script.0 infected with JS.IFrame.143

polonus

So how is it after removing the code I no longer get the avast warning?

Sucuri say it is still there…

You may try here: http://sitecheck.sucuri.net/scanner/

I got a clean bill of health from Sucuri Site Check.

Strange… and what URL did you give to the Sucuri scanner?

Hi Pondus,

Going through the code there I see: (iframe) from -www.find-how.com/web-stats/xx.php to
-http://www.bidvertiser.com and further down a window open to -http://agrino.org/st397/

Here you have the iFrame check:

(Level: 0) Url checked:
-http://www.find-how.com/rwebstatistics.js given clean OK
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
-http://www.find-how.com/web-stats/xx.php given clean OK
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
-http://www.find-how.com/web-stats/xxx.php given clean OK
Zeroiframes detected on this site: 0
No ad codes identified

So the malware is in -http://www.find-how.com/web-stats/admin/setup.php
-http://www.find-how.com/web-stats/admin/ip.php/Script.0
Here is the block report from AVG: http://forums.avg.com/us-en/avg-forums?sec=thread&act=show&id=181540

polonus
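An added example, not code from the thread or from any of the scanners quoted in it: a small offline iframe-chain checker in the spirit of the (Level: 0) / (Level: 1) check above. It walks iframe sources depth-first, reports the iframe count per hop, flags cross-origin frames and inline window.open redirects, and records dead hops; the pages and hostnames are constructed samples standing in for a live fetch.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Constructed sample pages standing in for a live fetch; all hostnames are invented.
PAGES = {
    "http://counter.example/stats.html":
        '<iframe src="/web-stats/xx.php"></iframe><iframe src="/web-stats/xxx.php"></iframe>',
    "http://counter.example/web-stats/xx.php": '<iframe src="http://ads.example/show"></iframe>',
    "http://counter.example/web-stats/xxx.php": '<script>window.open("http://redirect.example/st/");</script>',
    "http://ads.example/show": "<p>ad</p>",
}
WINDOW_OPEN = re.compile(r"window\.open\(\s*['\"]([^'\"]+)['\"]")  # inline redirect pattern

class IframeParser(HTMLParser):
    """Collects iframe src attributes and inline script text from one document."""
    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "iframe" and src:
            self.iframes.append(src)
        self._in_script = tag == "script"
    def handle_endtag(self, tag):
        self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)

def check(url, fetch=PAGES.get, level=0, seen=None, findings=None):
    """Depth-first walk of iframe sources; returns (level, url, note) tuples."""
    seen, findings = (set(), []) if seen is None else (seen, findings)
    if url in seen:                        # guard against iframe loops
        return findings
    seen.add(url)
    html = fetch(url)
    if html is None:                       # dead hop: record it and stop descending
        findings.append((level, url, "unreachable"))
        return findings
    parser = IframeParser()
    parser.feed(html)
    for m in WINDOW_OPEN.finditer("".join(parser.scripts)):
        findings.append((level, url, "window.open -> " + m.group(1)))
    findings.append((level, url, f"{len(parser.iframes)} iframe(s)"))
    for src in parser.iframes:
        child = urljoin(url, src)
        if urlparse(child).netloc != urlparse(url).netloc:
            findings.append((level + 1, child, "cross-origin iframe"))
        check(child, fetch, level + 1, seen, findings)
    return findings
```

Pass a real HTTP fetcher as `fetch` to run it against a live page; a cross-origin iframe at depth 2 or a window.open to a third host is what deserves a closer look.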

OK… got some more info from the OP.

The URL from the avast warning… is not the URL in question here…
This is the one: -http://skinsandmore.b1.jcink.com, so I guess there must have been a redirect to the one that shows in the avast warning.

This comes up clean at Sucuri / VirusTotal.

urlQuery:
http://urlquery.net/report.php?id=8980

Wepawet:
http://wepawet.iseclab.org/view.php?hash=68213ce54b0e4b0d62118832f046da70&t=1321651123&type=js

Hi Pondus,

What we have here is visitor counter malware.
Malcreants use, among others, the following techniques to deter and confuse analysis: obfuscation and/or the hiding of code and scripts; insertion of useless junk code; compression and encryption methods, also for data (use of packers); malware checksum and protection routines to prevent tampering and patching of malcreations; and malware that reacts differently when analysis tools are found (different reactions to VMs, monitoring and debugging tools when met by certain malcode).

Again, that is why binary analyzers should be overhauled from time to time, as Anubis did recently.

polonus