JS:ScriptIP-inf [Trj] on a legit site?

Hello,

I’m new to this site and have a question for you based on other threads I have read.

There is this web site that sells beer paraphernalia that I’ve ordered from in the past. When I checked it out last week to buy some new stuff, Avast 4.8 Home popped up with a virus warning about JS:ScriptIP-inf [trj]. Is that the iframe infection that I’ve read about on here? Any chance my system was infected? The weird thing is the warning will pop up even when I Google the company’s name (Global Beer). I asked some other people to check it out and they didn’t report a similar problem, which makes me nervous that it’s my system.

Thanks

Usually websites like that are frequent targets of iframes and JS:scripts, and avast is accurate in those detections. Wait for an Evangelist. It is very unlikely it's a FP though.

Hi raskyred,

Some websites use tag but link a malicious javascript (.js) file. Most probably XSS attack. Well can you give us the link for which you got the alert made non-clickable, like for instance:
hxtp://www.mymaliciouslink.org or wxw.mymaliciouslink.org
Then we can give you a clue what is wrong there or you can inform the webmaster of the site. Is there user input on the site possible, then there a hacker could have had too much access as well.
If avast alerted it also prevented that you were directed to the real malcode downloads, so it has more than likely saved your glorious b…d here,

polonus

hXXp://www.globalbeer.com/

Thanks

There is an obfuscated/suspicious javascript on the site.

Checking: hxxp://www.globalbeer.com/Scripts/AC_RunActiveContent.js
File size: 3233 bytes
File MD5: db8f4e6949c0fc0fc9cadf85d02e099a

hxxp://www.globalbeer.com/Scripts/AC_RunActiveContent.js - Ok

Hi raskyred,

Yes that code is there but it does not link anywhere, now:
The requested URL /scripts/ac_runactivecontent.js was not found on this server.


^/script^
^script src="Scripts/AC_RunActiveContent.js" type="text/javascript"^^/script^ 

Probably the code [modified by me for security reasons] that gives problems is here on that site,
but the following code can also be exploited with an image exploit, if the website input allows enough maneuverability for a hacker to insert this!

^script language="JavaScript" type="text/javascript"^
^!--
  // Hit counter code for Webstat.net
  var data = '&r=' + escape(document.referrer)
	+ '&n=' + escape(navigator.userAgent)
	+ '&p=' + escape(navigator.userAgent)
	+ '&g=' + escape(document.location.href);
  if (navigator.userAgent.substring(0,1)>'3')
    data = data + '&sd=' + screen.colorDepth 
	+ '&sw=' + escape(screen.width+'x'+screen.height);
  document.write('^i[b]mg alt[/b]="Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0" src="hxtp://www.webstat.net/basic/counter.php?i=21095' + data + '">');
// --^...........
/script

polonus

The script exists and I have downloaded it; if you tag it on to the end of the URL posted, it works, as the src= is a relative address.

Virustotal finds nothing wrong with that script, http://www.virustotal.com/analisis/8445af97896e3f29377863e3d68d4176, so it has to be something else, there is also a swf in the AC_RunActiveContent.js file.

I had a quick look and I can't see anything obvious, so it has to be something else.

Edit: if I remember rightly, webstat.net is on the network shield's malicious software list. I just tested wXX.webstat.net and the network shield blocks it, so it looks like that is the issue here, the access to webstat.net.

Hi DavidR,

Using webstat.net_code on a website is putting one at risk,
so that could well be at the core of the problems in this case.

The last time malicious content was found on that site (webstat.net that is), was 2009-05-17.
Malicious software includes 121 scripting exploit(s).

This site was hosted on 1 network(s) including AS21844 (THEPLANET)
This software has infected 59 domains, e.g. lts.ru/, saibabaofindia.com/, homepage.eircom.net/~ranunculaceae/,

Here is another example where malcoders abused webstat counter code:

http://malwaredatabase.net/blog/index.php/2008/09/04/antivirus-2009-brought-to-you-by-motigo/

polonus

Yes if this webstat.net entry was placed there by the owner/webmaster, as a counter then there are many other stats counters, etc. that don’t come with this history.

It could of course be fake, posing as a web counter, as who knows of a web counter that doesn’t (“Website Counter” width=“0” height=“0” border=“0” hspace=“0” '+'vspace=“0”) display anything ???
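The check discussed in the posts above (a page pulling a zero-size image from a third-party host that a blocklist flags) can be scripted by a site owner. This is an added example, not part of any post in the thread; the sample page is constructed from the snippets quoted here, the blocklist is a constructed one-entry set, and the same-site test is a simplification.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed sample page, modelled on the snippets quoted in this thread.
SAMPLE_PAGE = r'''
<script src="Scripts/AC_RunActiveContent.js" type="text/javascript"></script>
<script type="text/javascript">
  var data = '&r=' + escape(document.referrer);
  document.write('<img alt="Website Counter" width="0" height="0" border="0" '
    + 'src="hxtp://www.webstat.net/basic/counter.php?i=21095' + data + '">');
</script>
<img src="/images/logo.gif" width="200" height="80">
'''

# src= values are matched anywhere, including inside document.write() strings.
SRC_RE = re.compile(r'''\bsrc\s*=\s*["']([^"'\s>]+)''', re.I)
ZERO_W = re.compile(r'''\bwidth\s*=\s*["']?0(?![\d.%])''', re.I)
ZERO_H = re.compile(r'''\bheight\s*=\s*["']?0(?![\d.%])''', re.I)

def refang(url):
    """Undo forum-style defanging (hxxp/hxtp, wXw.) so the URL can be parsed."""
    url = re.sub(r'^h(?:xx|xt)p(s?)://', r'http\1://', url, flags=re.I)
    return re.sub(r'^((?:https?://)?)wxw\.', r'\1www.', url, flags=re.I)

def strip_www(host):
    return host[4:] if host.startswith('www.') else host

def audit(html, page_url, blocklist=()):
    """Return one finding per src= that resolves to a third-party host."""
    page = refang(page_url)
    base = strip_www(urlparse(page).hostname)
    findings = []
    for m in SRC_RE.finditer(html):
        # Relative addresses resolve against the page, as noted in the thread.
        host = urlparse(urljoin(page, refang(m.group(1)))).hostname or ''
        if not host or host == base or host.endswith('.' + base):
            continue  # first-party (simplified same-site check)
        start = max(html.rfind('<', 0, m.start()), 0)
        end = html.find('>', m.end())
        tag = html[start:end if end != -1 else len(html)]
        findings.append({
            'host': host,
            'hidden': bool(ZERO_W.search(tag) and ZERO_H.search(tag)),
            'blocklisted': strip_www(host) in blocklist,
        })
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE_PAGE, 'hxxp://www.globalbeer.com/', {'webstat.net'}):
        print(f)
```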

So is there no threat since the file is missing?

I find it odd that a few of my friends tried visiting the site (with Avast installed) and didn’t receive a warning like mine.

Thanks for all your help.

Hi raskyred,

Well a site can get hacked and can be cleansed again, and can get hacked anew, some malware downloads are downloading secure and insecure items randomly to evade detection. The world wide web is like an ever changing ocean and so are the malcode streams in this ocean, but lately there is a lot of bad malcode weather out there, well I put this a bit poetically, but the reality is harsh enough, and you will certainly understand what I mean to say

polonus

You’re welcome.

Incorrect, it is the fact that the file is missing which is causing the error 404 page to be displayed and triggers the alert as it appears to be that which is infected and not the favicon.ico file.

I don’t know what your friends’ avast settings are or if there are other factors in the mix, so I can’t say. What I can say is that along with yourself we in this topic have all had alerts.

Your other friends that don’t have avast installed will be blissfully unaware that this fast spreading type of attack is going on as very few AVs even check for it and avast is IMHO the top of the pack.

I was wondering about the present status of this issue on www.globalbeer.com? I received their newsletter today and tried to access the website and got an Avast! warning about JS:ScriptIP-inf [Trj]. I aborted the site access, but am curious if this is a real potential concern or a FP…


The website is still infected with webstat.net as I have just tested it.


I have visited it again and I can see nothing obvious, so it looks like it is the same as reported in Reply #5, the hit counter script that accesses Webstat.net a site that is blocked by the network shield.

I have submitted it again for analysis, but I doubt anything will change unless if the issue is with the blocked webstat.net.

Hi All,

I’m running Avast 4.8 and recently I started getting a warning for the JS:ScriptIP-inf [Trj] virus when I try to access www.techbargains.com. Could an Evangelist check this for me and/or notify the website of the trojan? Thanks

Ming

avast is usually very good on these detections and all the ones I have checked I have found to be correct. Unfortunately I can’t check this one because of the obfuscated/packed script that is being detected. I haven’t got the tools to unpack/de-obfuscate it; Evangelists for the most part are just forum members/avast users like yourself.

Just because it is an alert on a legit site doesn’t mean it isn’t infected. Legit sites are very prone to hacking.

– Every 3.6 seconds a website is infected http://forum.avast.com/index.php?topic=47096.msg396648#msg396648.

www.mindpulse.com/users/lizardlady is considered a trojan too. A subfolder of this site isn’t though? What gives? I just went on the above mentioned sites and they seem to be clean.

Well it is somewhat difficult to check as the page is no longer available, possibly taken down to get cleaned.

  • Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks. Even though in this case the page isn’t there it is best not to post direct links to suspect sites.

I just got the JS:ScriptIP-inf [Trj] message on the Giveawayoftheday site. This site has never been a problem before.