Trojan Horse, or "false positive"?

Hello there,

I’ve been trying to enter a furniture website here in the UK, but I keep receiving a message from Avast telling me there is a Trojan horse file attached to the shopping cart, thus I always have to abort the connection.

Website address: wXw.riversidefurniture.co.uk

I’ve telephoned the company and they admit that someone had hacked into their computer recently. However, they think their computer is now clean and that my anti-virus software is over-reacting. They use Norton to protect their computer, which says it all. I’ve recently uninstalled Norton and switched to Avast Professional due to a number of issues experienced with Norton.

Anyway, whenever I try to enter the furniture site, Avast continues to warn of a Trojan horse.

I’ve now contacted technical support at Avast and await their response, as I’m wondering if this is a ‘false positive’?

If anyone here is brave enough to visit the aforementioned site, I’d be interested to know if Avast sends you the same Trojan horse warning.

yes I checked that page - its css - its www home page

  • looks messy to me - but no malware as far as I can see - wait for second opinion

I will check shopping cart

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.riversidefurniture.co.uk

Wepawet
http://wepawet.iseclab.org/view.php?hash=c75b9bc82841381355327fb64b4aa37a&t=1270999328&type=js

Anubis
http://anubis.iseclab.org/?action=result&task_id=1c873c1275cdca424a955d944e8c3346d

Yes, I also got a virus alert while opening http://riversidefurniture.co.uk/shoppingcart/

trojan horse virus

The whole point of asking the original poster to modify the link is to avoid accidental exposure to an infected site.

Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

No virus (or trojan) alert while opening hxxp://riversidefurniture.co.uk/shoppingcart/.

I guess Opera is blocking the malware before avast! 5 can detect it. :slight_smile: 8)

problem most likely very messy html

script outside main body of page - that is, google tracker script (see screenshot)

they need to talk to or change their webmaster (pardon my impudence)

  • in fact page is worse than this, I’ve edited it for easier reading - there was a ton of blank space amongst this lot (very untidy)
    [s]
    okay I edited again with Picture Manager so I think you have to download screenshot now
  • sorry I loaded Office 2003 today - I’ll see what I can do with Faststone as page is good example of incorrect html[/s]

The index page of the shopping cart has been hacked and is still not clean.

See image 1, this script is hanging around isolated from other code on the page, so it is hidden from casual checks.

See image 2, where it shows the intent to run a javascript file on googie-anaiytics.net, note the i where the l would be in the legit google-analytics url. So it is trying to appear legit, see http://www.google.com/support/forum/p/Google+Analytics/thread?tid=3d83e46dc03910ad&hl=en

This script is in two places in that page, the second about 50 blank lines below the closing HTML tag (and once again way out to the right of the screen to try and hide), a standards no-no and highly suspect.

The company needs to get cleaning again.
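One way a site owner could check a page for what the post above describes (a script tag below the closing HTML tag, pushed far out to the right, pointing at a lookalike of the analytics host), as an added example that is not part of the original thread. The allow-list, the 200-column threshold, the edit-distance cutoff of 2 and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = ("google-analytics.com",)  # assumption: hosts the site really uses

def edit_distance(a, b):
    prev = list(range(len(b) + 1))  # Levenshtein distance, one row at a time
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(host):
    labels = host.lower().split(".")
    if len(labels) < 2 or ".".join(labels[-2:]) in TRUSTED:
        return None  # no domain at all, or a genuinely trusted one
    for good in TRUSTED:  # compare the label before the TLD (simplification)
        if edit_distance(labels[-2], good.split(".")[0]) <= 2:
            return good  # the trusted domain this host imitates
    return None

class ScriptAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.html_closed, self.findings = False, []
    def handle_endtag(self, tag):
        self.html_closed = self.html_closed or tag == "html"
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        line, col = self.getpos()  # position of the "<" that opens the tag
        host = urlparse(dict(attrs).get("src") or "").hostname or ""
        fake = lookalike_of(host)
        reasons = (["after </html>"] if self.html_closed else []) \
            + (["indented off-screen"] if col > 200 else []) \
            + (["lookalike of " + fake] if fake else [])
        if reasons:
            self.findings.append({"line": line, "host": host, "reasons": reasons})

def audit(html):
    parser = ScriptAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: one genuine tag, two injected ones as described above.
BAD = " " * 300 + '<script src="http://www.googie-anaiytics.net/ga.js"></script>\n'
SAMPLE = ('<html><head>\n<script src="http://www.google-analytics.com/ga.js"></script>\n'
          "</head><body>\n" + BAD + "</body></html>\n" + "\n" * 50 + BAD)
```

Calling `audit(SAMPLE)` reports the two injected tags and leaves the genuine google-analytics.com tag alone; the host comparison only looks at the label before the TLD, so it does not handle suffixes such as co.uk.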

Thanks David - I guess just waiting to be hacked again anytime now - I’ll edit my post

No problem, they fooled the people supposed to be the web master/designer who reportedly said it was clean also ;D

David, is that script still active like that, or have they just made a mess of cleaning it up?
oh yes I see the analysis - interesting

Thanks everyone for confirming that the site is still infected. It’s a great pity as I need to buy some particular pieces of furniture for my own business (their prices are lower than average), but the owner doesn’t want to hear that he needs a professional to come in and tidy up his computer and website. Ah well, if he can’t be persuaded, I will have to shop elsewhere.

What baffles me is how on earth he’s getting any customers at all with that dire Trojan horse warning - or is Avast the only anti-virus software picking up the problem on the furniture site? When my son uninstalled Norton from my computer and installed Avast (because the computer was running at a snail’s pace), he discovered a number of viruses had slipped by Norton.

When my son uninstalled Norton from my computer and installed Avast (because the computer was running at a snail's pace), he discovered a number of viruses had slipped by Norton.
No security program has 100% detection. Here you can see one that slipped past avast and Norton http://forum.avast.com/index.php?topic=58394.0 But avast is very good at detecting infected websites

Recommended to use with avast www.malwarebytes.org

These are the novirusthanks scan results
http://scanner.novirusthanks.org/analysis/e03f3b7767710bfd9b53c4d22d18677c/c2hvcHBpbmdjYXJ0/

polonus

Yes it is still active as the script tag is intact and would run, attempting to run a javascript file on googie-anaiytics.net, which avast also has on its malicious sites list, image1.

Perhaps you want to point them to this topic, though that really shouldn’t be your responsibility. You have already gone further than most would do by reporting it to them.

Unfortunately many AVs aren’t even looking for this problem (hacked sites, inserted scripts, etc.) much less detect them. So many visitors will be blissfully unaware that they are at risk by visiting the site. The script at googie-anaiytics.net could change at any time so the potential payload isn’t something that can be determined.

However, one piece of good news, it looks like the googie-anaiytics.net site has been taken down, so at the moment although the inserted script is active, the site at the end is down, again that is subject to change and shouldn’t be relied on.

Hi DavidR,

This is a cross site scripting attack used for ecommerce, read about the security issue here:
http://forums.oscommerce.com/topic/286360-security-issue/
index.html hacked through PHP,
good write-up here: http://www.whitefirdesign.com/resources/query-google-malware.html

polonus

Yes but it doesn’t make any difference how it was set, the owner thinks his site is clean.

Until they accept they have a problem I guess they aren’t going to address the cause if they don’t accept the symptom. Only then will they seek help.

Avast catches HTML:IFrame-DB[Trj] in the Shopping Cart of this website and fortunately it was caught by Avast! But I am already browsing with Sandboxie so that already reduces the chance for infection.

Strange, my 7 64bit computer gets a virus warning from hxxp://riversidefurniture.co.uk/shoppingcart/, but not my XP sp3 box. ???

The only difference is the firewalls and on my XP I have Zemana (Zemana won’t install on 64bit).