Website false alarm

Avast (version 5.0.507, bases 100421-1) false alarm on _http://tapochek.net iframe.
Yes, this site has an iframe, but it is not malware.
PS: it would be nice to add a button “report false positives” for webshield as for fileshield.

Site is down, I’m unable to verify it.
OTOH, if there is an iframe to blocked site, we won’t remove it from the block nor stop detecting such iframe as the site is still potentially dangerous.

How do other antiviruses work? No signal of danger on this site but security is provided?

Hello,

not a false alarm → please remove iframe tag that points to:

media-plans.ru
  • this works as “malware domain rotator” (redirects to various malware domains).

Regards

where did you find that?

media-plans.ru
I downloaded the home page of this site and found nothing. For example, the drweb report: http://online.us.drweb.com/cache/?i=e8ef655fb6734e1a98ed4266031545ea is in Russian, but it says it's OK.

Hello,

Iframe tag with the malicious url is located near the end of html code, just search for the string “media-plans”. Following report shows what I am talking about:

http://www.unmaskparasites.com/security-report/?page=http%3A//tapochek.net

(first issue → hidden iframe → it is the iframe we detect).

And again, we see from our logs that this url states as malware domain rotator.

Best Regards

Hi baton,

The script that jsejtko is referring to is at the bottom of the page, a little before the closing html tags.

As a side note, please can you deactivate the link by replacing http with hXXp to prevent others potentially becoming infected, thanks :slight_smile:

-Scott-

EDIT: Oops…oh well at least the image could help somewhat… UnmaskParasites is such a useful tool, first thing I go to :slight_smile:

Yep, Baton,

Make the site url non-clickable by putting in htxp or WxW. Two issues there -malicious:

Erm, Pol?

Live link to the site causing alerts?

Thanks for the _http://www.unmaskparasites.com link.
Now I see that iframe; I don't know why I didn't see it the first time.

yeah LOL ;D Polonus, deactivate media… the link is live in your post ( the one where you were asking the OP to deactivate his link :smiley: )

Hi Logos & spgSCOTT,

You’re right, corrected, so two suspicious: hidden iFrame > Malicious software includes 1 exploit.
This site was hosted on 1 network(s) including AS39561 (AGAVA).

Then what is this? Threat report:
Total number of threats is 1: Drive-by download

Name of threat: MSIE ADODB.Stream Object File Installation Weakness, re: http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=50031

Location: htxp://hcvendor.com/pack/i.php?user=admin
This site in Moldova was infected through our media-plans.ru

polonus
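
Added example, not part of the original thread: a site owner's check for the kind of hidden third-party iframe discussed above, reporting the line it sits on and printing its URL in the hXXp form the posters ask for. The "hidden" heuristics (0/1-pixel size, `display:none`, `visibility:hidden`), the sample HTML and all host names are constructed assumptions, not Avast's or UnmaskParasites' detection logic.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics for "hidden": invisible style or 0/1-pixel dimensions.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)

def defang(url):
    """Make a URL non-clickable before posting it (http -> hXXp)."""
    return re.sub(r"^http", "hXXp", url, flags=re.I)

class IframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname
        # Skip relative and same-site frames; only third-party hosts matter here.
        if not host or host == self.page_host or host.endswith("." + self.page_host):
            return
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1")
                   for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.findings.append({"host": host, "src": defang(a["src"]),
                              "hidden": hidden, "line": self.getpos()[0]})

def hidden_external_iframes(html, page_host):
    finder = IframeFinder(page_host)
    finder.feed(html)
    return [f for f in finder.findings if f["hidden"]]

# Constructed sample page: the injected frame sits near the end of the HTML.
SAMPLE = """<html><body>
<h1>Forum</h1>
<iframe src="/banner.html" width="468" height="60"></iframe>
<iframe src="http://video.example.org/embed/1" width="560" height="315"></iframe>
<p>footer</p>
<iframe src="http://rotator.example.net/in.php" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in hidden_external_iframes(SAMPLE, "site.example"):
        print(f"line {f['line']}: hidden iframe to {f['host']} ({f['src']})")
```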