Reporting A False-Positive Website

[loyukfai]

Greetings.

There's a website (hxxp://www.cm2g.org) which I believe has been marked as a false positive by ESET. Tried using http://kb.eset.com/esetkb/index?page=content&id=SOLN141 and also wrote to them (samples at eset.com) a few days before, but no response thus far.

What do you think I could do to get ESET's attention?

Thanks in advance.

Note: urlvoid.com and AVG says the site is clean. But NOD32 says there is a JS/Kryptik.BN trojan

Snipped: URL obfuscated to prevent infection when clicking on it unwittingly.

[dmaasland]

Are you sure it's clean? There's a very suspicious, obfuscated piece of JavaScript at the bottom of the HTML, and it does some weird active X things..

[loyukfai]

No. Other than the fact that urlvold.com and AVG say so.

Do you have a better idea to make sure of it...?

Cheers.

P.S. Just tried http://www.virustotal.com/ and http://siteinspector.comodo.com/, no suspicious things reported.

[dmaasland]

Well i'm pretty sure that code isn't doing anything to help the site. I'd contact the site's admin.

[SweX]

Check this out: -http://vscan.urlvoid.com/analysis/84f1eb67e4de67183ec1325d8ed08589/Y20yZy1vcmc=/

[SweX]

Quote:

Originally Posted by loyukfai

P.S. Just tried http://www.virustotal.com/ and http://siteinspector.comodo.com/, no suspicious things reported.

I suggest you try VT again.

Make a search on Virustotal with this MD5: 84f1eb67e4de67183ec1325d8ed08589

And you will see this result 25/44!
So I really doubt that this is an FP!

[loyukfai]

Ahhh.... Thanks for the heads-up, I'll contact the site admin about it...

But how come it showed up clean before...? Did I do something wrong...?

[SweX]

Quote:

Originally Posted by loyukfai

Ahhh.... Thanks for the heads-up, I'll contact the site admin about it...

Quote:

But how come it showed up clean before...? Did I do something wrong...?

Not sure. Idk how you did it though

[loyukfai]

The site admin told me he re-uploaded the index page, which doesn't have that obfuscated piece of code, but NOD32 is still giving me the prompt.

Could it be a transparent proxy? Or the webserver itself was compromised?

It's strange that the prompt only shows up on the index page, for the rest it seems to be fine. Maybe it's because the rest have .php suffix?

Cheers.

[J_L]

Quote:

Originally Posted by SweX

Check this out: -http://vscan.urlvoid.com/analysis/84f1eb67e4de67183ec1325d8ed08589/Y20yZy1vcmc=/

Never knew that was separate. Why didn't they integrate the 2 services?

[loyukfai]

@J_L: What 2 services are you talking about...?

BTW, used Bing IP search to look for other hosts on the same server, but they seem to be fine, can I rule out compromised server as a possibility...?

Cheers.

[dmaasland]

Quote:

Originally Posted by loyukfai

The site admin told me he re-uploaded the index page, which doesn't have that obfuscated piece of code, but NOD32 is still giving me the prompt.

Could it be a transparent proxy? Or the webserver itself was compromised?

It's strange that the prompt only shows up on the index page, for the rest it seems to be fine. Maybe it's because the rest have .php suffix?

Cheers.

Not sure what he did, but the JS is still there. It sounds like someone has access to the server, or someone is able to use something like XSS to modify files.

[SweX]

FYI. Here's an IP Scan: -http://www.ipvoid.com/scan/64.29.151.221

Detections: 3/26
Status: Dangerous

[J_L]

Quote:

Originally Posted by loyukfai

@J_L: What 2 services are you talking about...?

That and urlvoid.com of course.

[loyukfai]

Oh you meant urlvoid.com and virus.urlvoid.com?

P.S. Got rid of the virus at last, it's in the webpage.