National Censorship Institution

Dear All,

Today we found that the website of one of Indonesia's institutions was infected by HTML:i-frame.

But according to the Google Safe Browsing summary and Unmask Parasites, this website is safe.

The link :
hxxp://www.google.com/safebrowsing/diagnostic?site=www.lsf.go.id

Which part of the source code has been infected?


http://img7.imageshack.us/img7/3595/lembagasensorfilmwebsit.jpg

But according to robtex.com, this website is hosted on a suspicious web server, AS45287 (VARNION).

source :
hxxp://www.robtex.com/dns/lsf.go.id.html#records
hxxp://www.google.com/safebrowsing/diagnostic?site=www.lsf.go.id
hxxp://www.google.com/safebrowsing/diagnostic?site=AS:45287

But I still can’t find where exactly the i-frame script that triggered avast antivirus is.

Hi Yanto :)

A rather simple one to find here…

The iframe is located in the homepage, before the redirection takes place.

So before loading (being redirected to) film.php?module=home, the page serves an iframe; that is probably what is causing the alert.

Scott

EDIT: Just for info, that iframe in a text file, sent to VT:
http://www.virustotal.com/file-scan/report.html?id=b527e08976b88c70a0372d38ba4b426825b8877b492267fcda7c30e70840b702-1309864405
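
The check described in the post above, as an added example that is not part of the thread: parse the raw homepage body (the response served before the redirect to film.php?module=home) and flag iframes that are both hidden and off-site. The sample page, the host names, the meta-refresh form of the redirect and the `audit` helper are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a homepage that redirects at once but first serves a hidden iframe.
SAMPLE_HOMEPAGE = """<html><head>
<script src="/jscripts/clock.js"></script>
</head><body>
<iframe src="http://redirector.example.invalid/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="/banner.html" width="468" height="60"></iframe>
<meta http-equiv="refresh" content="0; url=film.php?module=home">
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeAudit(HTMLParser):
    """Collect every iframe and any meta-refresh target in a raw HTML response."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []      # one dict per iframe seen
        self.redirect = None    # meta-refresh target, if present
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            host = urlparse(a.get("src", "")).hostname
            # 0 or 1 pixel in either dimension is effectively invisible
            tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                       for d in ("width", "height"))
            self.findings.append({
                "src": a.get("src", ""),
                "line": self.getpos()[0],
                "hidden": tiny or bool(HIDDEN_STYLE.search(a.get("style", ""))),
                "off_site": host is not None and host != self.page_host,
            })
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content", ""), re.I)
            self.redirect = m.group(1) if m else None

def audit(html, page_host):
    """Return (hidden off-site iframes, redirect target) for one raw page body."""
    p = IframeAudit(page_host)
    p.feed(html)
    p.close()
    return [f for f in p.findings if f["hidden"] and f["off_site"]], p.redirect

if __name__ == "__main__":
    hits, target = audit(SAMPLE_HOMEPAGE, "www.example.org")
    print(hits, "-> page then redirects to", target)
```

Run it against the body saved without following redirects; a browser or scanner that only inspects the final page never sees the first response.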

iFrame validation:

(Level: 0) Url checked:
-http://www.lsf.go.id/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lsf.go.id/config/validasi.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
-http://www.lsf.go.id/jscripts/clock.js
Zeroiframes detected on this site: 0
No ad codes identified HTML:iFrame-inf

Site starts to redirect immediately to: -http://www.lsf.go.id/film.php?module=home
Avast alerts HTML:Iframe-inf and disconnects…
The redirect site that was given in spg SCOTT’s image has now been taken offline, see http://www.netirk.com/s/description2011.ru (it had PUA.PDF embedded malware and unknown google_malware and Riskware:W32/WindowsPack.A on it, now all dead…)
According to what I can see, the site is being cleansed now, but avast still alerts,
correct me if I am wrong here,

polonus

Something is still there… the iframe loads a page, which then loads another, which I think goes on…

1.gif is the iframe location
2.gif is the next page

Hi spg SCOTT,

Thank you very much for that analysis, so good avast keeps blocking it, and I hope Yanto.Chiang will inform the webmasters at that site that they still have some work to do…

polonus

Hi Scott and Polonus,

Thank you both very much for your detailed information,

Let me inform the webmaster. Just for additional information, WOT has detected this website as a poor website.

Link : http://www.mywot.com/en/scorecard/www.lsf.go.id

cheers,