avast is flagging the hXXp://www.isestorino.it webpage… i have attached a screenshot of the avast-alert…
can someone (polonus) check out the webpage and see if there actually is anything malicious there…
the avast-alert said something about “gzip” and “PHP” but i couldn’t tell what it was flagging…
Eddy
2
I ran several scans and the site is clean.
This is a false positive by the webshield.
Pondus
3
You can upload files and report cases to avast here: http://www.avast.com/contact-form.php (change subject to suit your case)
you can also use mail
send to virus@avast.com in a password protected zip file
mail subject: False Positive / undetected sample (select subject according to your case)
zip password: infected
or you can send files from avast chest
how to use the chest. http://www.avast.com/faq.php?article=AVKB21
Milos
4
Hello,
in the attached image you can see why avast! detects it.
Milos
thanks milos…
where is the malicious code located on the webpage?
what did you use to find the malicious code?
Milos
6
The whole green part in comments. I used notepad++ 
Milos
Pondus
7
milos, i see it, now… the very last line when looking at the webpage’s “page source”…
thanks 
Hi redwolfe_98,
Next to what Milos is reporting there (php.index hack via PHP script text) there is also a code hiccup here:
wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js benign
[nothing detected] (script) wXw.isestorino.it/view/js/lib/jquery.fancybox-1.2.1.js
status: (referer=wXw.isestorino.it/)saved 14813 bytes 3b0c8a1aca2c185dc659f659a832369fef9fbffa
info: [iframe] wXw.isestorino.it/view/js/lib/
info: [img] wXw.isestorino.it/view/js/lib/
info: [decodingLevel=0] found JavaScript
suspicious:
Furthermore, excessive header info is given to the world and attackers:
Web server details
Scan for: http://wXw.isestorino.it
Hostname: wXw.isestorino.it
IP address: 2.113.128.142
System Details:
Running on: Apache/2.2.16
System info: (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.2 mod_jk/1.2.30
Powered by: PHP/5.3.2
Web application details:
Google Analytics installed: UA-931122-11
They just have to look up exploits/vuln to attack your site.
Then consider this: https://www.virustotal.com/en/ip-address/2.113.128.142/information/
as the IP is shared by 49 domains: http://sameid.net/ip/2.113.128.142/ (greater risk on a general IP ban that way)
The message has already reached users here: http://forum.avira.com/wbb/index.php?page=Thread&threadID=156185
Detection of this backdoor reported here: http://v.virscan.org/PHP:Agent-PU%20[Trj].html
polonus
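An added example, not part of the thread or of any poster's message: a Python check that lists the product and version tokens disclosed by the header values quoted in the scan output above and names the standard Apache httpd and PHP settings that suppress them. Mapping those values to the `Server` and `X-Powered-By` response headers is an assumption, and `audit_headers` is a hypothetical name.

```python
import re

# Values as quoted in the scan output in the post above. Joining them into
# these two response headers is an assumption made for this example.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.16 (Win32) mod_ssl/2.2.16 OpenSSL/0.9.8o PHP/5.3.2 mod_jk/1.2.30",
    "X-Powered-By": "PHP/5.3.2",
}

# Standard settings that stop each header from advertising versions.
REMEDIATION = {
    "server": "httpd.conf: ServerTokens Prod and ServerSignature Off",
    "x-powered-by": "php.ini: expose_php = Off",
}

PRODUCT = re.compile(r"([A-Za-z][\w.\-]*)/(\d[\w.\-]*)")  # e.g. OpenSSL/0.9.8o
PLATFORM = re.compile(r"\(([^)]*)\)")                      # e.g. (Win32)


def audit_headers(headers):
    """Return one finding per header that leaks product versions or platform."""
    findings = []
    for name, value in headers.items():
        key = name.lower()
        if key not in REMEDIATION:
            continue  # only the two banner headers are inspected here
        products = PRODUCT.findall(value)
        platform = PLATFORM.findall(value)
        if products or platform:
            findings.append({
                "header": name,
                "products": products,
                "platform": platform,
                "fix": REMEDIATION[key],
            })
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        leaked = ", ".join(f"{p} {v}" for p, v in finding["products"])
        print(f"{finding['header']}: discloses {leaked} {finding['platform']}")
        print(f"  fix -> {finding['fix']}")
```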
polonus
10
According to the latest report I got, the script outside the HTML is not malicious as such; detection should therefore be reconsidered.
Thanks Pondus for this evaluation report. We will see what will be the definite position on this by the avast analysts…
polonus
system
11
Thanks to all
The manager of the CMS has taken steps to remove the fouling of the page that gave problems.
John Rossati