Today, my tumblr blog suddenly got blocked by avast on my computer with a malware threat in the firefox.exe process. It says the threat level is high and the status marks it as HTML:Script-inf. The blog’s URL shows up with an extra “|<{gzip}” script for some reason. I’ve run the website through online virus/malware checks and it doesn’t register as a threat.
Could anyone help me figure this out? The url is deadened at tumblr.
Yes, there appears to be a compressed file loaded when the page opens. There might well be a legitimate reason for it (if you know what that might be), but it is also suspect and could be an indication of a site hack.
Do you have any idea what I could do to unblock the site? And is it just on my computer, or is access to the blog being restricted by avast for everyone? I currently have access to my blog (I’m logged in) but I don’t see anything suspicious in the script I have access to. Other people can access the site fine. urlquery doesn’t report anything suspicious (http://urlquery.net/report.php?id=135737), so I’m really clueless what to do about this. Please help?
Firefox: blocked by avast. Oh wait, now I get “connection was reset”.
IE: cannot open
Safebrowser (Chrome): opens a cadaver room (B/W photos, “Fuck, guys help! Anyone having problems accessing my tumblr?”).
Yeah, I get the same responses: on Firefox “connection was reset”, and IE won’t load it. Gah, I really have no idea how to fix this! I changed my password in case there was a hacker, and the theme in case there was a hidden script somewhere, but I still can’t access the blog.
Anubis analysis:
[#############################################################################]
Analysis Report for hXXp://deadened.tumblr.com/
[#############################################################################]
Summary:
- Changes security settings of Internet Explorer:
This system alteration could seriously affect safety surfing the World
Wide Web.
- Performs File Modification and Destruction:
The executable modifies and destructs files which are not temporary.
- Performs Registry Activities:
The executable creates and/or modifies registry entries.
And much more that I really don’t know how to interpret.
EDIT: And now Safebrowser says
Not found. We couldn’t find the page you were looking for.
Feel free to contact support if there’s anything we can help you find.
Email Support
Seems the page has been taken offline, tumblr support would probably know why.
Ha, you changed the address just before I tried to reopen it with Safebrowser (see reply #6)
I changed the url and can suddenly access it again. Seems it was a hack of some kind operating from my url, damn it. Thank you guys for trying to figure it out with me.
You’re welcome. In the past, these kinds of detections by the web shield have had a high accuracy rate, even when other scanners aren’t able to find anything.
You say you changed the url and have access again; how did you do that? The other guy in the topic I referenced might benefit from this.
Yes, I never lost access to my account log-in, so I went to the settings of my blog and changed the url name. With the new url in place, my blog was displayed on Firefox and IE with no problems. As a precaution, I also got rid of my counter code, which might have triggered the whole thing; it was the only third-party script running on the blog at the time, so that might have been the domain that was hacked.
The instances of unknown_html_RFI_shell malcode were closed on that tumblr IP, 50.97.143.30. The longest time before being closed was 11 hrs.
Remote File Inclusion is a method of hacking websites and getting the admin rights of the server by inserting a remote file, usually called a SHELL (a shell is a graphical-user-interface file which is used for browsing the remote files and running your own code on the web servers), into a website, whose inclusion allows the hackers to execute the server-side commands as the currently logged-on user and have access to all the server files. With these rights we can continue to use local exploits to escalate our privileges and get control over the whole server.
Note: Remote File Inclusion (RFI) is the best ever technique to hack websites, and more than 60% of websites on the internet using PHP are vulnerable to this attack.
Quote taken from an article by suraj bhosale on his blog: http://computerexperts4u.blogspot.nl/2011/03/hacking-website-by-remote-file.html
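To make the quoted description of RFI concrete from the defender’s side, here is an added illustration (not code from this thread, from tumblr, or from the quoted article) of the PHP pattern that makes a site vulnerable and of a hardened replacement. It assumes a hypothetical page router of the form index.php?page=about and a pages/ directory holding the templates; the constant and function names are invented for the example.

```php
<?php
// Added example, not code from the thread or the quoted article.
// Assumed layout: index.php?page=<name> includes a template from ./pages/.

// --- VULNERABLE PATTERN (the thing RFI abuses) ---
// Untrusted input reaches include(). With the php.ini directive
// allow_url_include=On, the "page" value can be a remote URL and PHP will
// fetch that file and execute it with the web server's rights; even with it
// off, this is still a local file inclusion / path traversal bug.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- HARDENED PATTERN ---
// 1. User input never forms a path: a fixed allowlist maps names to files.
// 2. The resolved file is canonicalised and checked to lie under PAGE_DIR.
// 3. Anything else gets a 404 instead of a guess.
const PAGE_DIR = __DIR__ . '/pages';
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

function resolve_page(string $name): ?string
{
    if (!isset(PAGES[$name])) {
        return null;                                  // unknown name: reject
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$name]);
    // realpath() returns false for a missing file; the prefix check is
    // defence in depth (e.g. against a symlink planted inside pages/).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(string $name): void
{
    $path = resolve_page($name);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Entry point: default to the home page when no name is supplied.
render_page_hardened($_GET['page'] ?? 'home');
```

Two server-side settings belong with this fix: keep the real php.ini directives allow_url_include=Off (its default) and, unless remote fetching is genuinely needed, allow_url_fopen=Off, so that include() cannot load a URL at all even if a path bug slips through. The allowlist is what removes the bug; the ini settings and the realpath prefix check only limit the damage when something is missed.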