Hi there everyone, yesterday I got stuck with this one; AvastFree started warning me about my site with that Trojan popup.
I made a reverse DNS lookup, and other sites of my webhosting provider also had that, so I think it’s something in the hosting. But is it real or just a false positive? I scanned my URL ( XXX.fuajedrez.com ) with the sites some guys mentioned before, so here are the results, and I look forward to hearing from you about this issue I’m having:
UrlVoid results (URL analysis tool: result):
Avira: Clean site
BitDefender: Clean site
Firefox: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
Malc0de Database: Clean site
MalwareDomainList: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site
TrendMicro: Unrated site
Websense ThreatSeeker: Unrated site
Wepawet: Unrated site
Normalized URL: http://www.fuajedrez.com/
URL MD5: 86b01c4eee9c223b7c2d27499eae704d
Content-Type: text/html
0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is goodware. 0 VT Community user(s) with a total of 0 reputation credit(s) say(s) this sample is malware.
File name: index.html
Submission date: 2011-05-15 12:55:18 (UTC)
Current status: finished
Result: 3/41 (7.3%)
Thank you Scott.
I don’t get the warning only for this file; take a look at the report of the Web Shield. It seems like every file is infected, when I know those weren’t (at least on my computer, before uploading them):
No, they are not! Where is that code at? How do I clean the site?
Edit: Is it possible that all the sites of my hosting provider were “injected” with this?
Reverse Whois: "FUA" owns about 3 other domains
Email Search: is associated with about 557 domains
Registrar History: 1 registrar NS History: 7 changes on 5 unique name servers over 5 years.
IP History: 8 changes on 6 unique name servers over 5 years.
Whois History: 33 records have been archived since 2007-11-03 .
Reverse IP: 129 other sites hosted on this server.
Registration Service Provided By: INETSUR Network Solutions
Reverse IP Lookup Results—130 domains hosted on IP address 74.53.249.242
Web Site:
acuarelistasuruguayos.com
alejandrokeller.com
talleressolidarios.org
AND 127 other domains…
Try to open one of those to check if you see the same suspicious code you mentioned above.
I made a search on the index.html but I can’t find those codes and links you are showing me.
Where did you find them? Can I clean it somehow? Do you have a clue how this could happen? Thank you.
That is the contents of the whole page...
Scripts and LOADS of links for torrents/keygens and the like...
It is the other items that are on the page that have been compromised, I got 10 alerts (image1) basically on the stuff in the image on Reply #2.
They all have identical content, two very long (rows) strings of obfuscated script (image2) and loading various dubious keygen and software sales sites, etc. etc.
I have broken down the two lines to make it easier to see what that content is, image3.
Where did you get all those *.tmp files? I don’t understand how to proceed to clean the stuff… I downloaded the infected images and CSS Avast reported, but when I open, for example, the CSS I don’t find anything wrong inside. I also opened the *.js files and nothing’s wrong with them (I just downloaded the original ones to replace the bad ones, but I get the same story)… Do I miss something? Thanks.
Avast creates these temp files from the content coming down on the HTTP stream so it can scan them in its localhost proxy (it doesn’t use the original file names); if they are clean they are passed on to the browser cache and displayed on the browser page. I just harvest them to be able to look inside.
They are essentially what you showed in your image, just renamed in the avast localhost proxy.
I don’t know if you use any form of content management software, as that, if out of date, could be vulnerable to exploit, injecting the code into pages/files.
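As an added example (not code from this thread or from Avast), here is a small Python check for the kind of injected content described above: inline script blocks with very long obfuscated lines, run over a downloaded copy of the site’s files. The line-length threshold, the obfuscation markers and the two sample pages are constructed assumptions, not values taken from the affected site.

```python
import re
from pathlib import Path

# Constructed samples: a normal page, and the same page with a long obfuscated loader appended
CLEAN_PAGE = """<html><head><title>Club</title>
<script src="/js/menu.js"></script>
<script>
function toggle(id) { document.getElementById(id).style.display = 'block'; }
</script></head><body><p>Hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>", "<script>eval(unescape('" + "%3c%61" * 120 + "'))</script></body>")

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Calls hand-written page scripts rarely need but injected loaders typically use (assumption)
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
MAX_LINE_LEN = 500  # assumption: a single inline script line longer than this deserves a look


def suspicious_scripts(html):
    """Return (reasons, preview) for each inline script body that looks injected."""
    findings = []
    for match in SCRIPT_RE.finditer(html):
        body = match.group(1).strip()
        if not body:  # <script src=...> with no inline body: nothing to inspect here
            continue
        reasons = []
        longest = max(len(line) for line in body.splitlines())
        if longest > MAX_LINE_LEN:
            reasons.append(f"line of {longest} chars")
        hits = [m for m in OBFUSCATION_MARKERS if m in body]
        if hits:
            reasons.append("uses " + "/".join(hits))
        if reasons:
            findings.append(("; ".join(reasons), body[:60]))
    return findings


def scan_site(root):
    """Walk a downloaded copy of the site and map each flagged file to its findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in {".html", ".htm", ".php", ".tpl"}:
            continue
        found = suspicious_scripts(path.read_text(errors="replace"))
        if found:
            report[str(path)] = found
    return report


if __name__ == "__main__":
    import sys
    for file, found in scan_site(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for reasons, preview in found:
            print(f"{file}: {reasons}: {preview!r}...")
```

A page that reads clean on disk but triggers the shield when served (as reported earlier in the thread) points at code being added at serve time rather than in the file, so compare what the scanner finds on disk with what the browser actually receives.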