Reporting A False-Positive Website

Discussion in 'Other ESET Home Products' started by loyukfai, Sep 26, 2011.

Thread Status:
Not open for further replies.
  1. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
    Greetings.

    There's a website (hxxp://www.cm2g.org) which I believe has been marked as a false positive by ESET. I tried using http://kb.eset.com/esetkb/index?page=content&id=SOLN141 and also wrote to them (samples at eset.com) a few days ago, but have had no response thus far.

    What do you think I could do to get ESET's attention?

    Thanks in advance.

    Note: urlvoid.com and AVG say the site is clean. But NOD32 says there is a JS/Kryptik.BN trojan.

    Snipped: URL obfuscated to prevent infection when clicking on it unwittingly.
     
    Last edited by a moderator: Sep 27, 2011
  2. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Are you sure it's clean? There's a very suspicious, obfuscated piece of JavaScript at the bottom of the HTML, and it does some weird ActiveX things.
     

  3. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
  4. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Well, I'm pretty sure that code isn't doing anything to help the site. I'd contact the site's admin.
     
  5. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Check this out: -http://vscan.urlvoid.com/analysis/84f1eb67e4de67183ec1325d8ed08589/Y20yZy1vcmc=/
     
  6. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    I suggest you try VT again. :blink:

    Make a search on Virustotal with this MD5: 84f1eb67e4de67183ec1325d8ed08589

    And you will see this result 25/44!
    So I really doubt that this is an FP!
     
    Last edited: Sep 27, 2011
  7. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
    Ahhh.... Thanks for the heads-up, I'll contact the site admin about it...

    But how come it showed up clean before...? Did I do something wrong...?
     
    Last edited: Sep 28, 2011
  8. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    :thumb:

    Not sure. Idk how you did it though ;)
     
  9. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
    The site admin told me he re-uploaded the index page, which doesn't have that obfuscated piece of code, but NOD32 is still giving me the prompt.

    Could it be a transparent proxy? Or was the web server itself compromised?

    It's strange that the prompt only shows up on the index page; the rest seems to be fine. Maybe it's because the rest have a .php suffix?

    Cheers.
     
  10. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    Never knew that was separate. Why didn't they integrate the 2 services?
     
  11. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
    @J_L: What 2 services are you talking about...?

    BTW, I used Bing's IP search to look for other hosts on the same server, but they seem to be fine. Can I rule out a compromised server as a possibility...?

    Cheers.
     
  12. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Not sure what he did, but the JS is still there. It sounds like someone has access to the server, or someone is able to use something like XSS to modify files.
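    One way to check the situation described above (the admin re-uploads a clean index page, yet the page the server hands out still carries the script), as an added example that is not from anyone in this thread: compare the HTML the server actually returns with the admin's clean copy and report script blocks that exist only in the served version. The two HTML samples and the marker list are constructed for illustration; in practice the served copy would come from an HTTP fetch of the live site.

```python
"""Diff the served index page against the clean on-disk copy and flag
script blocks that were not part of the clean page. Samples below are
constructed; nothing here is taken from the real site in the thread."""
import re
from typing import List, Tuple

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)

# Assumed marker list: strings that often appear in injected, obfuscated
# loaders (the ActiveX use is what a reader noticed at the bottom of the HTML).
SUSPICIOUS = ("ActiveXObject", "eval(", "unescape(", "fromCharCode", "document.write(")


def script_blocks(page: str) -> List[str]:
    """Bodies of all inline <script> blocks, whitespace-normalised."""
    return [" ".join(m.group(1).split()) for m in SCRIPT_RE.finditer(page)]


def injected_scripts(clean: str, served: str) -> List[str]:
    """Script blocks present in the served page but absent from the clean copy."""
    known = set(script_blocks(clean))
    return [s for s in script_blocks(served) if s not in known]


def suspicious_markers(script: str) -> List[str]:
    """Which of the assumed obfuscation/ActiveX markers a script body contains."""
    return [m for m in SUSPICIOUS if m in script]


def audit(clean: str, served: str) -> List[Tuple[str, List[str]]]:
    """(script body, markers found) for every injected block; markers may be empty."""
    return [(s, suspicious_markers(s)) for s in injected_scripts(clean, served)]


# Constructed samples: the clean index the admin uploaded, and a served copy
# with an extra script appended just before </html>.
CLEAN_INDEX = (
    "<html><head><title>Example</title>\n"
    "<script>var ver = 1;</script></head><body>Hello</body></html>"
)
SERVED_INDEX = CLEAN_INDEX.replace("</html>", "") + (
    '<script>var o=new ActiveXObject("X");eval(unescape("%41"))</script></html>'
)

if __name__ == "__main__":
    for script, markers in audit(CLEAN_INDEX, SERVED_INDEX):
        print("injected script:", script, "| markers:", markers)
```

    If the served copy still shows an injected block after a clean re-upload, the difference is being introduced somewhere between the file on disk and the client, which is the question the posts above are circling.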
     
  13. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    FYI. Here's an IP Scan: -http://www.ipvoid.com/scan/64.29.151.221

    Detections: 3/26
    Status: Dangerous
     
    Last edited: Oct 2, 2011
  14. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    That and urlvoid.com of course.
     
  15. loyukfai

    loyukfai Registered Member

    Joined:
    May 10, 2008
    Posts:
    105
    Oh you meant urlvoid.com and virus.urlvoid.com?

    P.S. Got rid of the virus at last; it's in the webpage.
     