Hello,
Web-shield is screaming if I go to a certain page at the SecuriTeam web-site… ???
What can I do about it? First of all is this the right place to report it? I’m very much confused ??? ???
Hi playwin2,
There is a good chance that this is a good detection.
This kind of detection is very common these days, with many ‘legitimate sites’ becoming hacked to distribute malware:
Every 3.6 seconds a website is infected
You can post the link here, to let someone check, BUT please modify it to de-activate it
For example, change http to hXXP, similar to this: hXXp://www.somesite.com
-Scott-
Hello Scott,
thanks for reply.
here is the link : (DO NOT CLICK, MIGHT BE REAL) hXXp://www.securiteam.com/exploits/6X00E2AN5M.html
Well, most of the pages they list, seem to be okay, but this one, as said, seems to be infected. But with the nature of their site, it may be that the page contains the code in plaintext form or something (my guess…I could be completely wrong though) .
I have emailed them to ask, and also reported it to avast!
12/7/2009 3:54:11 PM 1260201251 SYSTEM 1404 Sign of "JS:ShellCode-A [Expl]" has been found in "hXXp://www.securiteam.com/exploits/6X00E2AN5M.html" file.
-Scott-
I don’t know, but I believe it might be that some dumb ass posted the exploit script on the page and didn’t break it up in any way to avoid it being detected or post the script as an image. As in my image example of the partial script.
The web shield just sees this as it does any live script as the page is essentially just a text file, so it isn’t to know that this may just be an example of the exploit script.
Whilst there are other script tags in the page source I don’t think they are what avast is alerting on, given it is a specific exploit signature:
Sign of “JS:ShellCode-A [Expl]” has been found in “hXXp://wXw.securiteam.com/exploits/6X00E2AN5M.html” file.
hmm! I haven’t thought about that! very good point DavidR
You’re welcome.
I missed your first comment if this is the right place to report it, short answer is no. The slightly longer answer, there is a forum “viruses and worms” which deals with all detections/alerts like this, etc.
Hi guys,
I am Noam Rathaus from SecuriTeam and I noticed your post in regard to our article:
http://www.securiteam.com/exploits/6X00E2AN5M.html
There is no malware, or harm, to come from that site.
The code that Avast is screaming about doesn’t work and would require quite a few changes to make it work on our site - it has been HTML escaped and JS “disabled”.
Avast, unfortunately, doesn’t care about that and sides with detection of benign rather than “miss”, so it screams murder on our site where in fact there is nothing to scream about.
Hope this clears up things.
If you have any other questions, contact me at noamr[a]beyondsecurity.com or at support[a]beyondsecurity.com
Hello thanks for the information.
@davidR
I’ve now bookmarked the “viruses and worms” forum. Thanks.
Hi rathaus,
Whilst I agree with the fact that it is benign, I hope you can see the point of view of the user.
As has been said, it exists as is, in the source code, so avast! will alert to it. It may have been de-activated, by whatever means, but I think that avast! still catches on what is left…
My question to you is, would it not be better to post that whole script as an image in future?
I can see two advantages:
-Scott-
Basically, we’re not doing full html parse.
Pros: Speed
Cons: Minor inaccuracies when somebody has the bright idea of putting that stuff unmodified on the web.
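
The trade-off described in the last post, as an added example that is not part of the thread and is not avast!'s engine: a raw substring scan flags an HTML-escaped listing the same way it flags a live script, while a parse that tracks script context does not. `SIGNATURE`, the sample pages and all function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed, harmless marker standing in for a real signature pattern (assumption).
SIGNATURE = "EXAMPLE_SIG_TOKEN("

def raw_scan(page: str) -> bool:
    """Fast path: substring match on the page as served, with no HTML parsing."""
    return SIGNATURE in page

class _ScriptContextScanner(HTMLParser):
    """Slow path: record a hit only where a browser would execute the text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        # Inline event handlers (onclick, onload, ...) are executable too.
        for name, value in attrs:
            if name.startswith("on") and value and SIGNATURE in value:
                self.hits.append(f"{tag}@{name}")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Escaped listings arrive here as plain text outside any <script>.
        if self.in_script and SIGNATURE in data:
            self.hits.append("script")

def context_scan(page: str) -> list:
    """Return the executable contexts in which the signature appears."""
    scanner = _ScriptContextScanner()
    scanner.feed(page)
    scanner.close()
    return scanner.hits

# Constructed sample pages.
ESCAPED_ARTICLE = "<pre>&lt;script&gt;EXAMPLE_SIG_TOKEN(1)&lt;/script&gt;</pre>"
LIVE_SCRIPT = "<html><body><script>EXAMPLE_SIG_TOKEN(1)</script></body></html>"
LIVE_HANDLER = '<a href="#" onclick="EXAMPLE_SIG_TOKEN(1)">x</a>'

if __name__ == "__main__":
    for name, page in [("escaped", ESCAPED_ARTICLE), ("script", LIVE_SCRIPT),
                       ("handler", LIVE_HANDLER)]:
        print(name, raw_scan(page), context_scan(page))
```

The escaped article is the false-positive case from the thread: the raw scan alerts, the context-aware scan returns no hits.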