I’m new to this site and have a question for you based on other threads I have read.
There is this web site that sells beer paraphernalia that I’ve ordered from in the past. When I checked it out last week to buy some new stuff, Avast 4.8 Home popped up with a virus warning about JS:ScriptIP-inf [trj]. Is that the iframe infection that I’ve read about on here? Any chance my system was infected? The weird thing is the warning will pop up even when I Google the company’s name (Global Beer). I asked some other people to check it out and they didn’t report a similar problem, which makes me nervous that it’s my system.
Usually websites like that are frequent targets of iframes and JS:scripts, and avast is accurate in those detections. Wait for an evangelist. It is very unlikely it’s a FP though.
Some websites use tag but link a malicious javascript (.js) file. Most probably XSS attack. Well can you give us the link for which you got the alert made non-clickable, like for instance:
hxtp://www.mymaliciouslink.org or wxw.mymaliciouslink.org
Then we can give you a clue what is wrong there or you can inform the webmaster of the site. If user input is possible on the site, then a hacker could have had too much access there as well.
If avast alerted, it also prevented you from being directed to the real malcode downloads, so it has more than likely saved your glorious b…d here.
Probably the code [modified by me for security reasons] that gives problems is here on that site,
but the following code can also be exploited with an image exploit, if the website input allows enough maneuverability for a hacker to insert this!
^script language="JavaScript" type="text/javascript"^
^!--
// Hit counter code for Webstat.net
var data = '&r=' + escape(document.referrer)
+ '&n=' + escape(navigator.userAgent)
+ '&p=' + escape(navigator.userAgent)
+ '&g=' + escape(document.location.href);
if (navigator.userAgent.substring(0,1)>'3')
data = data + '&sd=' + screen.colorDepth
+ '&sw=' + escape(screen.width+'x'+screen.height);
document.write('^i[b]mg alt[/b]="Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0" src="hxtp://www.webstat.net/basic/counter.php?i=21095' + data + '">');
// --^...........
/script
I had a quick look and I can’t see anything obvious, so it has to be something else.
Edit: if I remember rightly webstat.net is on the network shield’s malicious software list. I just tested wXX.webstat.net and the network shield blocks it, so it looks like that is the issue here, the access to webstat.net.
Yes if this webstat.net entry was placed there by the owner/webmaster, as a counter then there are many other stats counters, etc. that don’t come with this history.
It could of course be fake posing as a web counter, as who knows a web counter that doesn’t (“Website Counter” width=“0” height=“0” border=“0” hspace=“0” '+'vspace=“0”) display anything ???
Well a site can get hacked and can be cleansed again, and can get hacked anew, some malware downloads are downloading secure and insecure items randomly to evade detection. The world wide web is like an ever changing ocean and so are the malcode streams in this ocean, but lately there is a lot of bad malcode weather out there, well I put this a bit poetically, but the reality is harsh enough, and you will certainly understand what I mean to say.
Incorrect, it is the fact that the file is missing which is causing the error 404 page to be displayed and triggers the alert as it appears to be that which is infected and not the favicon.ico file.
I don’t know what your friend’s avast settings are or if there are other factors in the mix, so I can’t say. What I can say is that along with yourself we in this topic have all had alerts.
Your other friends that don’t have avast installed will be blissfully unaware that this fast spreading type of attack is going on as very few AVs even check for it and avast is IMHO the top of the pack.
I was wondering about the present status of this issue on www.globalbeer.com? I received their newsletter today and tried to access the website and got an Avast! warning about JS:ScriptIP-inf [Trj]. I aborted the site access, but am curious if this is a real potential concern or a FP…
I have visited it again and I can see nothing obvious, so it looks like it is the same as reported in Reply #5, the hit counter script that accesses Webstat.net, a site that is blocked by the network shield.
I have submitted it again for analysis, but I doubt anything will change unless the issue is with the blocked webstat.net.
I’m running Avast 4.8 and recently I started getting a warning for the JS:ScriptIP-inf [Trj] virus when I try to access www.techbargains.com. Could an Evangelist check this for me and/or notify the website of the trojan? Thanks
avast is usually very good on these detections and all the ones I have checked I have found to be correct, unfortunately I can’t check this one because of the obfuscated/packed script that is being detected. I haven’t got the tools to unpack/de-obfuscate it, Evangelists for the most part are just forum members/avast users like yourself.
Just because it is an alert on a legit site doesn’t mean it isn’t infected. Legit sites are very prone to hacking.
www.mindpulse.com/users/lizardlady is considered a trojan too. A subfolder of this site isn’t though? What gives? I just went on the above mentioned sites and they seem to be clean.
Well it is somewhat difficult to check as the page is no longer available, possibly taken down to get cleaned.
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks. Even though in this case the page isn’t there it is best not to post direct links to suspect sites.
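Added example, not part of any post in this thread: a small Node.js check that ties together two points raised above, the zero-size "Website Counter" image loaded from another host and the request to post suspect links in broken (hXXp / wXw) form. The function names, the sample markup, `shop.example` and `counter.example.net` are all constructed for illustration.

```javascript
// Added example. Hosts, markup and the page host below are constructed samples.

// Break a link so nobody opens it by accident (the thread's hXXp / wXw style).
function defang(url) {
  return url.replace(/^http/i, 'hXXp').replace(/(^|:\/\/)www\./i, '$1wXw.');
}

// Restore the broken forms used in the thread (hxtp, hXXp, wxw, wXw).
function refang(url) {
  return url.replace(/^h[xt]{2}p/i, 'http').replace(/(^|:\/\/)wxw\./i, '$1www.');
}

// Collect the double-quoted attributes of one tag, keyed by lowercase name.
function attrs(tag) {
  const out = {};
  for (const m of tag.matchAll(/([a-z-]+)\s*=\s*"([^"]*)"/gi)) {
    out[m[1].toLowerCase()] = m[2];
  }
  return out;
}

// Report <img> tags that render at most 1x1 pixel and load from another host.
function hiddenRemoteImages(html, pageHost) {
  const findings = [];
  for (const tag of html.match(/<img\b[^>]*>/gi) || []) {
    const a = attrs(tag);
    const hidden = parseInt(a.width, 10) <= 1 && parseInt(a.height, 10) <= 1;
    if (!hidden || !a.src) continue;
    let url;
    try {
      url = new URL(refang(a.src), 'http://' + pageHost);
    } catch (e) {
      continue; // unparsable src: nothing to report
    }
    if (url.hostname !== pageHost) {
      findings.push({ host: url.hostname, url: defang(url.href) });
    }
  }
  return findings;
}

// Constructed sample page: a visible logo, a hidden counter, a visible banner.
const SAMPLE = [
  '<img src="/images/logo.png" width="120" height="60" alt="logo">',
  '<img alt="Website Counter" width="0" height="0" border="0" src="hxtp://counter.example.net/basic/counter.php?i=1">',
  '<img src="hxtp://cdn.example.org/banner.gif" width="468" height="60">',
].join('\n');
console.log(hiddenRemoteImages(SAMPLE, 'shop.example'));
```

A hit only says the page pulls an invisible image from a third-party host; whether that host is a legitimate counter or a blocked one still has to be checked separately.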