www.isestorino.it FP?

avast is flagging the hXXp://www.isestorino.it webpage… I have attached a screenshot of the avast-alert…

can someone (polonus) check out the webpage and see if there actually is anything malicious there…

the avast-alert said something about “gzip” and “PHP” but i couldn’t tell what it was flagging…

I ran several scans and the site is clean.
This is a false positive by the webshield.

You can upload files and report cases to avast here: http://www.avast.com/contact-form.php (change the subject to suit your case)

you can also use mail

send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected

or you can send files from avast chest
How to use the chest: http://www.avast.com/faq.php?article=AVKB21

Hello,
in the attached image you can see why avast! detects it.

Milos

thanks milos…

where is the malicious code located on the webpage?

what did you use to find the malicious code?

The whole green part in comments. I used notepad++ :wink:

Milos

and only detected by avast
https://www.virustotal.com/nb/file/b8202073e97cea103f649fb7f284625a6f9e825fa404582050100c2657b841e5/analysis/1380644165/

milos, i see it, now… the very last line when looking at the webpage’s “page source”…

thanks :slight_smile:

Hi redwolfe_98,

Next to what Milos is reporting there (php.index hack via PHP script text) there is also a code hiccup here:
wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js benign
[nothing detected] (script) wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js
status: (referer=wXw.isestorino.it/)saved 14813 bytes 3b0c8a1aca2c185dc659f659a832369fef9fbffa
info: [iframe] wXw.isestorino.it/view/js/lib/
info: [img] wXw.isestorino.it/view/js/lib/
info: [decodingLevel=0] found JavaScript
suspicious:

Furthermore, too excessive header info is given to the world and attackers:

Web server details
Scan for: http://wXw.isestorino.it
Hostname: wXw.isestorino.it
IP address: 2.113.128.142

System Details:
Running on: Apache/2.2.16
System info: (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.2 mod_jk/1.2.30
Powered by: PHP/5.3.2

Web application details:
Google Analytics installed: UA-931122-11
They just have to look up exploits/vuln to attack your site.

Then consider this: https://www.virustotal.com/en/ip-address/2.113.128.142/information/
as the IP is shared by 49 domains: http://sameid.net/ip/2.113.128.142/ (greater risk on a general IP ban that way)
The message has already reached users here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=156185
Detection of this backdoor reported here: http://v.virscan.org/PHP:Agent-PU%20[Trj].html

polonus

According to the latest report I get, the script outside the HTML is not malicious as such; the detection should therefore be reconsidered.
Thanks Pondus for this evaluation report. We will see what will be the definite position on this by the avast analysts…

polonus

Thanks to all

The manager of the CMS has taken steps to remove the fouling of the page that gave problems.

John Rossati