[Resolved] HTML:Script-inf

Hi All,

I’m the webmaster for hxxp://www.lingerieshopping.be and for a few days Avast has been reporting it as a suspect URL with HTML:Script-inf.
The logfile says :

24/11/2010 10:41:44 hXXp://www.lingerieshopping.be/images/search.jpg [L] HTML:Script-inf (0)
24/11/2010 10:41:46 hXXp://www.lingerieshopping.be/favicon.ico [L] HTML:Script-inf (0)
24/11/2010 10:41:49 hXXp://www.lingerieshopping.be/favicon.ico [L] HTML:Script-inf (0)

Other AV-software and Google don’t mention any problems.
The funny part is that those two images ‘search.jpg’ and ‘favicon.ico’ are not in the website.

Anyone have any other ideas? Thanks in advance.

Have you submitted your website and these images to Virus Total (VT) http://www.virustotal.com/?

You may also want to try Unmask Parasites: http://www.unmaskparasites.com/security-report/?page=servepics.com and Anubis: http://anubis.iseclab.org/?action=home.

Are you saying that these images do not belong to your website?

Could you please change your 3 links from http to hXXp so they are non-linkable for now? Thank you.

Hi there,

I’ve done the checks on the 3 sites you proposed and all reports are clean.
Concerning the images. They aren’t part of the website and they aren’t on the webserver either !

False-positive ?

Kind regards

Question: How did these images get there?

You can send files to virus@avast.com in a password-protected zip file with a mail subject: undetected sample – password: infected.

You may also add a link to this topic in the mail.

Hi,

This is not a false positive. Your website has been infected with the Kroxxu botnet. Your 404 error message currently contains a redirection to one of the Kroxxu web zombies (please look at the attached image). You should remove the injected script tag and change all the passwords used for FTP access, as these have been stolen.

Regards
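
Editor's added example, not part of the thread or any poster's code: a request for a file that does not exist (such as the reported favicon.ico) returns the site's 404 page, so a script tag injected into that page is what gets flagged. The check below lists external script hosts referenced by an error-page body; the hostnames, sample bodies and the function name `offsite_scripts` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def offsite_scripts(site_domain, url, status, body):
    """Return hosts of external scripts referenced by an error-page body.

    site_domain is the site's registered domain; scripts served from it or
    from one of its subdomains are treated as the site's own.
    """
    if status < 400:          # only error pages are audited here
        return []
    collector = ScriptSrcCollector()
    collector.feed(body)
    hosts = []
    for src in collector.srcs:
        host = urlparse(urljoin(url, src)).hostname or ""
        own = host == site_domain or host.endswith("." + site_domain)
        if host and not own:
            hosts.append(host)
    return hosts


# Constructed sample bodies (not taken from the thread).
CLEAN_404 = "<html><body><h1>Not Found</h1><script src='/js/site.js'></script></body></html>"
INJECTED_404 = CLEAN_404.replace("</body>", "<script src='http://zombie.example/x.js'></script></body>")

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_404), ("injected", INJECTED_404)):
        url = "http://www.shop.example/favicon.ico"
        print(name, offsite_scripts("shop.example", url, 404, body))
```

Inline scripts without a `src` attribute are not covered by this check; comparing the served error page against a known-good copy of the template catches those.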

Hello jsejtko,

You were right.
Problem fixed :slight_smile:

Many thanks !

When I clicked on Unmask Parasites link I got this

http://3.bp.blogspot.com/_Zjv3kvRUqYA/TO1sxnLTDuI/AAAAAAAAAD4/Nw2nrSD8f0U/s1600/ScreenHunter_01+Nov.+24+11.50+-+Unmask+Parasites.gif

Report 2010-11-24 21:22:43 (GMT 1)
Website lingerieshopping.be
Domain Hash 45e1073cb0b9588b48faa04188cad9c7
IP Address 83.137.144.25 [SCAN]
IP Hostname terrahosting.duocast.net
IP Country NL (Netherlands)
AS Number 31477
AS Name DUOCAST-AS Duocast B.V.
Detections 0 / 17 (0 %)
Status CLEAN

@nesivos : you need to fill in the URL that you want to test. The page you see is a default-testpage for ‘servepics.com’.

Greetz

@ jsejtko, Thank you for your feedback. :wink:

@ drwebbe,

Please feel free to continue with your posts if you have any further questions.

When you feel that your issue is resolved/fixed, please go back to the first open post in this topic, click the modify button in that Post and change the title/subject, add [Resolved] to the beginning of the title so this thread can be closed.

Feel free to come back any time you need help, to learn something new, or just to ask questions. We are here 24/7 for your convenience. Thank you for allowing us to assist you.

That is what I kind of thought but I didn’t want to take a chance without a confirmation.

Can’t be too careful. :slight_smile:

I just checked it on a clean site and that is what the website check returned.

Now, I will bookmark the website.

Thanks :slight_smile: :slight_smile: