JS:Redirector-BYE [Trj] or false alarm?

Hi all,
if I try to open the following web page, Avast alerts that the page is infected by JS:Redirector-BYE [Trj].

http://mykeretasewa.com/

The page owner told me that the page is clean. Could this be a false alarm?
I use Avast for Mac!

Thanks

Only Quttera flags this site: https://www.virustotal.com/en/url/095d8421579ce7cde297292ef703218982ef21589dc61f252713678420057d56/analysis/1456503545/

But it says clean on their site: http://quttera.com/detailed_report/mykeretasewa.com

Interesting, now they find something, then they do not.
Certainly there is suspicious code and vulnerable code there. Let us have a look.

There are two suspicious JavaScript codes flagged: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmykeretasewa.com%2Fjs%2Fjquery-1.11.0.min.js
The second one is this: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmykeretasewa.com%2Fjs%2Fjquery.placeholder.js
These scripts are particularly vulnerable to “overflow” attacks.
Trouble starts with embedding and it does not allow you to use arbitrary scripts (class addition),
a way around it is to use this CodePen → http://blog.codepen.io/documentation/features/oembed/
Info credits go to Chris Coyier.
So the vulnerability is not with the jQuery library used.

This was also found to be suspicious: -http://mykeretasewa.com/js/jquery-1.11.0.min.js on 02/26/2016 at 16:41 GMT
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fmykeretasewa.com%2Fjs%2Fjquery-1.11.0.min.js
could land you at banner adware!

polonus (volunteer website security analyst and website error-hunter)

html scan
https://www.virustotal.com/nb/file/0a7b869e253c6f0959fe79a73c6fcc6cbe9a0667e5b94c106914c74646674feb/analysis/1456505774/

Could be Avast is on the right track with this detection, or, without others also flagging, it appears it is a false positive find.
For the moment I just say “suspicious” as Zulu Zscaler does, not malicious per se. If it really produces banner malware it is malcode.

polonus

Tries to set cookies and load external resources from hxxp://sedeli.com/00580107061300.cgi - is this intentional?

Hi HonzaZ,

Whenever this is intentional, then we might have caught a PHISH ;D
See for that host’s IP: https://www.virustotal.com/en/ip-address/184.168.221.34/information/
(generic detection for JS/Phish).

polonus