When I try to look at the following web page: hXtp://lanke.historielag.org/
I get this message from AVAST :
Infection: JS:Iframe-CSU [Trj]
But only on my PC running AVAST. Not on my PC running McAfee.
And the administrator of the website insists there is nothing wrong at the web server.
So could this be a false warning ???
Norton: http://safeweb.norton.com/report/show?url=lanke.historielag.org
Sucuri: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Flanke.historielag.org%2F
Virustotal: https://www.virustotal.com/en/url/def2bd0ea6652830334f9ad642dda580b754dfdd53f4f43d601dce3012075279/analysis/1376409774/
Comodo: http://app.webinspector.com/public/reports/16323454
URLQuery: http://urlquery.net/report.php?id=4532857
Looks clean. You can report a false positive here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply.
Yes - it sure looks clean!
So - how do I stop AVAST from blocking me from looking at the site ??
And thanks for your reply with all the reports !
If you want you can report it to Avast, because many other Avast users are having this issue too, I think.
Attaching a screenshot of the avast warning popup would give info about what exactly avast sees.
Hi Steven Winderlich,
avast! Web Shield flags and blocks access to JS:iframe-CSU[Trj]
Why would you lift the Web Shield for a valid detection? Besides, the Joomla version for this site is outdated.
Until avast! whitelists that domain for shield detection or unblocks I would not treat it as FP.
Alive malware on same IP: http://support.clean-mx.de/clean-mx/viruses.php?ip=81.21.75.87&sort=first%20desc
See: http://zulu.zscaler.com/submission/show/537f7f26cc2c45f4920f654dbb78bec3-1376420758
→ A/V detection: Security Risk 100/100% malicious
See: http://quttera.com/detailed_report/lanke.historielag.org
What one could do is file a FP report to avast here: http://www.avast.com/contact-form.php
then it is up to avast team members to react…
polonus
Let's see what happens with the URL.
From the urlquery link you posted, there are 6 websites on the same IP, all with IDS alerts, and one has a malicious iframe detection.
The first one is a porn site that has 10 IDS alerts…
If this has anything to do with the avast alert, I do not know…
Hi Pondus,
You are probably right, but there is more to it, also regarding which issue avast is alerting on; see further down in my posting *
That is just why I posted these same-IP results.
But also consider this http://quttera.com/detailed_report/lanke.historielag.org
and then
List of external links: 15
htxp://joomla.org
htxp://vywuwix.com/count11.php ** flagged by avast webshield as infected with JS:ScriptPE-inf[Trj] webhpsource search malcode
htxp://fonts.googleapis.com/css?family
htxp://www.rsjoomla.com
htxp://www.facebook.com/stjordalmuseum
htxp://upload.wikimedia.org/wikipedia/commons/8/87/bekkekvern_%c3%85sa_ringerike.jpg
hxtp://c.statcounter.com/6606717/0/68a31387/0/
hxtp://software.albonico.ch/
htxp://www.w3.org/1999/xhtml
htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
htxp://www.w3.org/2005/atom
htxp://www.rsjoomla.com/joomla-extensions/joomla-gallery.html
htxp://www.joomspirit.com
htxp://statcounter.com/joomla/
htxp://www.statcounter.com/counter/counter.js
List of iframes: 1
Hi all,
I can confirm malicious.
Furthering the research done by Polonus, htxp://vywuwix.com/count11.php is a newly registered domain and is surely not safe due to the history of malicious count.php.
@Steven Winderlich Based on your urlQuery report, the 1st level site returned a 404. That would seem suspicious, no?
Also See: http://www.urlvoid.com/scan/vywuwix.com/
~!Donovan
Thanks for confirming this, !Donovan. Sometimes website scanners just do not go deep enough to come up with this.
Zscaler was right in the analysis, but thanks to one of the reports of Quttera’s scan and checking on those external links this could be established.
The historic iFrame malware entry dates back to 2012 and is a variant of a known type: http://labs.sucuri.net/?malware&entry=2012-06-05
And again there is another scanner to confirm the status: “infected”
DrWeb’s url scanner: giving a JSTAG infection with JS.IFrame.462 (by Blackhole malcreants):
Checking:htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js
File size:70.48 KB
File MD5:10092eee563dec2dca82b77d2cf5a1ae
htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js - archive JS-HTML
htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js/JSTag_1[aded][6c01] - Ok
htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js/JSTag_2[d2f4][46fa] - Ok
htxp://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js - Ok
Checking:htxp://lanke.historielag.org//media/system/js/caption.js
File size:1963 bytes
File MD5:38ba23053bea8a521cd624b6ad88e475
htxp://lanke.historielag.org//media/system/js/caption.js - Ok
Checking:htxp://lanke.historielag.org//templates/pure_white/lib/js/moomenuv.js
File size:4964 bytes
File MD5:0890e9f73dd752ac180d04173c061899
hxtp://lanke.historielag.org//templates/pure_white/lib/js/moomenuv.js - Ok
Checking:htxp://lanke.historielag.org//media/system/js/mootools.js
File size:72.69 KB
File MD5:f6490edc31bf9c25ba507f41ce614def
htxp://lanke.historielag.org//media/system/js/mootools.js - Ok
Checking:htxp://lanke.historielag.org//templates/pure_white/lib/js/tooltips.js
File size:310 bytes
File MD5:7376a0ee3a38fbee84a33d690fe9d236
htxp://lanke.historielag.org//templates/pure_white/lib/js/tooltips.js - archive JS-HTML
htxp://lanke.historielag.org//templates/pure_white/lib/js/tooltips.js/JSFile_1[0][136] - Ok
htxp://lanke.historielag.org//templates/pure_white/lib/js/tooltips.js - Ok
Checking:htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.nivo.slider.js
File size:6503 bytes
File MD5:34f13466e069c37e59845a0257b38f57
htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.nivo.slider.js - archive JS-HTML
htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.nivo.slider.js/JSFile_1[0][1967] - Ok
htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.nivo.slider.js - Ok
Checking:htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.noconflict.js
File size:81 bytes
File MD5:5acebfebdced7e7dc4a937989533549a
htxp://lanke.historielag.org//modules/mod_ariimageslider/mod_ariimageslider/js/jquery.noconflict.js - Ok
Checking:htxp://www.statcounter.com/counter/counter.js
File size:9028 bytes
File MD5:389f1acf246618ba207b9122dfbc57a8
htxp://www.statcounter.com/counter/counter.js - Ok
Checking:htxp://lanke.historielag.org/
Engine version:7.0.5.6250
Total virus-finding records:4380605
File size:15.08 KB
File MD5:7225edc8484edbbe97a8104f340b76e9
htxp://lanke.historielag.org/ - archive JS-HTML
htxp://lanke.historielag.org//JSTAG_1[780][ae] - Ok
htxp://lanke.historielag.org//JSTAG_2[de4][521] infected with JS.IFrame.462
htxp://lanke.historielag.org//JSTAG_3[3993][61] - Ok
pol
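The detections above (JS:Iframe-CSU, JS.IFrame.462, HTML/Framer) all come down to an injected iframe that a site owner can check for directly. The following is an added example, not code from this thread or from any of the scanners named in it: it parses an HTML document and flags iframes that are hidden or sized to 0/1 pixels, or that load content from a host other than the site's own. The sample page and the host `injected.example` are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page: one ordinary off-site embed plus one hidden
# 1x1 iframe of the kind the scanners in the thread report.
SAMPLE_HTML = """<html><head><title>Lanke historielag</title></head><body>
<div id="content">Velkommen</div>
<iframe src="http://www.facebook.com/plugins/likebox.php" width="300" height="200"></iframe>
<iframe src="http://injected.example/count11.php" width="1" height="1" style="display:none"></iframe>
</body></html>"""

HIDDEN_SIZE = re.compile(r"(width|height):0*[01]px")


class IframeAuditor(HTMLParser):
    """Collects (src, reasons) for every iframe that looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        reasons = []
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.site_host:
            reasons.append(f"off-site src {host}")
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        for dim in ("width", "height"):          # 0 or 1 pixel attributes
            if a.get(dim, "").strip().rstrip("px") in ("0", "1"):
                reasons.append(f"{dim}={a[dim]}")
        if HIDDEN_SIZE.search(style):
            reasons.append("zero/one-pixel size in style")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html, site_host):
    """Return all flagged iframes; a finding with more than one reason
    (off-site AND hidden) is the classic injected-iframe pattern."""
    p = IframeAuditor(site_host)
    p.feed(html)
    return p.findings


def high_confidence(findings):
    return [f for f in findings if len(f[1]) > 1]
```

A single off-site reason alone (the social plugin here) is normal and only merits review; the hidden off-site frame is the one to treat as an infection.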
The url in question also gets one detection by Scumware at urlvoid.com.
Searching Scumware on the IP address gives this. From 2010 to 2013 there are 24 malware detections listed.
But search the IP here and see the result: http://www.scumware.org/search.scumware
2013-08-13 17:30:15 htxp://lanke.historielag.org/ 8E135A1BF7888D3AE5E4EAEE9D2B036B 81.21.75.87 GB HTML/Framer
I removed the rest because of all the live links… too much to edit.
To the posters in this thread,
Quite some interesting survey we have made here.
Think we can sum it all up now.
Until the website is cleansed of this or the alerted malware is dead,
this site is found to be infected and is rightly blocked by the avast! Web Shield.
Pondus & !Donovan, thank you both for your assistance, confirmations and additional info.
polonus
Ah … so now I have to convince the administrator of the site that they have a problem … not an easy task …
Thank you all for helping me !
Hi Jan
We can probably safely say that that IP address has a bad history and is very suspicious. ???
Hi jan_setnan,
A link to this thread will certainly help your case.
But the hoster also has serious issues to be addressed.
Blacklisted URLs: 40
Hosts…
…malicious URLs? Yes
…badware? Yes
…exploit servers? Yes
…Current Events? Yes
…spam activity? Yes
Site security needs to be hardened. Excessive header exposure, System Details:
Running on: Apache/1.3.41
System info: (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7e-p1 (vuln. to Exploit Blackhat SEO (type 1703).)
Powered by: PHP/5.2.10
Web application version:
Joomla Version 1.5.18 - 1.5.26 for: -http://lanke.historielag.org//media/system/js/caption.js
Joomla Version 1.5.18 to 1.5.26 for: -http://lanke.historielag.org//language/en-GB/en-GB.ini
This info should not be spread by response headers globally and so also ready for attackers to base their attacks on…
http cookie warning (XSS attacks) and
clickjacking vulnerability.
polonus
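The header findings above (Server and X-Powered-By versions, a cookie warning, clickjacking) can be checked against a site's own responses before and after hardening. This is an added example and not the scanner output or anyone's code from this thread; the two header sets are constructed, modelled on what polonus lists, and the check covers only those four points.

```python
import re

# Constructed "before" headers, modelled on the disclosures listed in the thread.
EXPOSED_HEADERS = {
    "Server": "Apache/1.3.41 (Unix) mod_ssl/2.8.31 OpenSSL/0.9.7e-p1",
    "X-Powered-By": "PHP/5.2.10",
    "Set-Cookie": "sessionid=abc123; path=/",
    "Content-Type": "text/html",
}

# Constructed "after" headers: ServerTokens Prod and expose_php=Off style output,
# X-Frame-Options added, cookie marked HttpOnly.
HARDENED_HEADERS = {
    "Server": "Apache",
    "X-Frame-Options": "SAMEORIGIN",
    "Set-Cookie": "sessionid=abc123; path=/; HttpOnly",
    "Content-Type": "text/html",
}

VERSION = re.compile(r"/\d+(\.\d+)+")   # "Apache/1.3.41", "PHP/5.2.10", ...


def audit_headers(headers):
    """Return a list of hygiene issues found in one response's headers.
    Assumes a single Set-Cookie header for simplicity."""
    h = {k.lower(): v for k, v in headers.items()}
    issues = []
    for name in ("server", "x-powered-by"):
        if name in h and VERSION.search(h[name]):
            issues.append(f"{name} discloses a software version: {h[name]}")
    csp = h.get("content-security-policy", "").lower()
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        issues.append("no X-Frame-Options or CSP frame-ancestors (clickjacking)")
    cookie = h.get("set-cookie", "")
    if cookie:
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "httponly" not in flags:
            issues.append("Set-Cookie without HttpOnly (cookie readable by script)")
    return issues


if __name__ == "__main__":
    for label, hdrs in (("exposed", EXPOSED_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_headers(hdrs) or "no issues")
```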
… and that AVAST is better than McAfee
and better than a lot of others also especially with avast! Shields ;D
polonus
And with that being said, please change the http:// in your original post to hXtp:// to avoid accidental clicks.
Thanks,
~!Donovan
Done