URL false positive?

Hello,

The link:

hxxp://concursosnobrasil.com.br/concurso-publico/unirio

is being detected as JS:Blacole-CY [Expl]

However, everything seems to be OK when checking with Sucuri:

http://sitecheck.sucuri.net/results/concursosnobrasil.com.br/concurso-publico/unirio

Maybe it's a false positive?

Thanks for your time!

Elminster

Hello,
I don’t see any detection. Post the screenshot of avast!'s alert window, please.

Milos

No IDS alerts here either: http://urlquery.net/report.php?id=202892

polonus

There is if you run the short URL http://urlquery.net/report.php?id=202896

No detection on VT:
https://www.virustotal.com/file/306192ee2e2346113f5927fc65d086083bc0b018be64f2f97d1f03430f151f55/analysis/1353497581/
https://www.virustotal.com/file/f259197bb9656432106f7a505c80739cb2141f97713210bf0e873680f6d0eada/analysis/1353497605/

Hi Pondus,

That alert is for another IP, 173.194.69.156; the site mitigated to another IP without these IDS alerts.

polonus

Hello!

Thanks for your reply.

Actually, it didn't happen on my computer (so I can't make a screenshot), but on a computer that is reporting to my avast account.

The full information displayed is:

20.11.2012 13:05 WebShield http://concursosnobrasil.com.br/concurso-publico/unirio/|>{gzip} JS:Blacole-CY [Expl]

Maybe it was a false positive yesterday that was fixed today?
Or the site was indeed infected, but has been fixed by now?

Thanks for your time!

Elminster

No, nothing was fixed on our side, the detection is still in VPS.

Milos

Hello!

So probably the site was infected when the mom of my wife visited it, and some hours later, when I was checking it, the site owners had already fixed it.

Thanks for your time!

Elminster

Hello!

The site seems to be infected again.
Now, avast alerted again just now on this same exploit, but on the laptop (the first time was on a PC).
Now the person tried to access from the laptop and it got the alert.

I rescanned with sucuri.net and now it says that it is infected:

http://sitecheck.sucuri.net/results/concursosnobrasil.com.br/concurso-publico/unirio

Thanks!

Elminster

Now the HTML is detected:
https://www.virustotal.com/file/05b997d2ffa23c1bd341b0e3c9238986db69bee0faf14b73f10f77e82030f3e6/analysis/1353516203/

Malware entry: MW:EXPLOITKIT:BLACKHOLE1
http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1?v22