Avast is blocking our website

ericzz:
I know it is the table_tooltip.js file that triggers this, but that file does not contain anything like "newportalse.com" or "var _0x4de4=["x64x20x35x28x29x7B...". We have no idea how to change the code to avoid that. Any hints? Thanks.

We do have obfuscated code for code safety purposes, but I am surprised if that is considered a virus.

Eric



--- Quote from: Asyn on October 25, 2012, 08:06:40 PM ---
--- Quote from: ericzz on October 25, 2012, 07:51:09 PM ---
I checked http://labs.sucuri.net/db/malware/malware-entry-mwjs2368 and found it is very strange. Our javascript code does not include anything like "newportalse.com" and the sample code like "var _0x4de4=["x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63x28x22x33x22x29..."

I am very confused and do not know what to do. Could you please give me more help on this? Thanks!

--- End quote ---

Sucuri found it here: hxxp://www.schoolandhousing.com//js_pack/table_tooltip.js?sensor=1351186869601

--- End quote ---

Pondus:
Norman lab


--- Quote ---
There is no malicious activity found. Wepawet also says it is clean now. There is no redirect link or any other malicious content found.

table_tooltip.js: Not Detected
--- End quote ---

polonus:
Quttera gives another result: http://www.quttera.com/detailed_report/www.schoolandhousing.com
Potentially Suspicious
Details:    Detected procedure that is commonly used in suspicious activity.
Reason 1.:    Too low entropy detected in string '<tr><td><span style='text-decoration:underline;cursor:hand;cursor:pointer;' onclick='openNewWindow(\' of length 22951 which may points to obfuscation or shellcode.
2. Potentially Suspicious
Details:    Detected hidden reference to external web resource.
Reason:    Detected generation of hidden DOM element [iframe],

polonus
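
The Quttera report quoted above flags a long string literal on its entropy. As an added illustration (not part of the thread, and not Quttera's or avast's actual logic), the code below measures the Shannon entropy of long string literals in a script; the function names and the `MIN_LENGTH` and `LOW_BITS` thresholds are assumptions.

```javascript
// Added example: per-literal Shannon entropy check for a script file.
// MIN_LENGTH and LOW_BITS are assumed values, not any vendor's thresholds.
const MIN_LENGTH = 1000; // ignore short literals
const LOW_BITS = 3.0;    // bits per character below which a literal is flagged

// Shannon entropy in bits per character over the string's own characters.
function shannonEntropy(s) {
  const counts = new Map();
  for (let i = 0; i < s.length; i++) {
    counts.set(s[i], (counts.get(s[i]) || 0) + 1);
  }
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Minimal scanner for '...' and "..." literals. Escapes are skipped, not
// decoded; comments, regex and template literals are not handled.
function stringLiterals(source) {
  const out = [];
  for (let i = 0; i < source.length; i++) {
    const quote = source[i];
    if (quote !== '"' && quote !== "'") continue;
    let body = '';
    let j = i + 1;
    for (; j < source.length && source[j] !== quote; j++) {
      if (source[j] === '\\' && j + 1 < source.length) j++; // keep escaped char
      body += source[j];
    }
    out.push(body);
    i = j; // resume after the closing quote
  }
  return out;
}

// Report long literals whose entropy falls below the assumed threshold.
function flagLowEntropy(source) {
  return stringLiterals(source)
    .filter((s) => s.length >= MIN_LENGTH)
    .map((s) => ({ length: s.length, bits: shannonEntropy(s), preview: s.slice(0, 40) }))
    .filter((r) => r.bits < LOW_BITS);
}

// Constructed sample: one long, repetitive markup literal and one short one.
const SAMPLE = "var rows='" + '<tr><td>x</td></tr>'.repeat(200) + "';var msg=\"Loading data\";";
console.log(flagLowEntropy(SAMPLE));
```

On the constructed sample, only the 3800-character markup literal is reported, at about 2.67 bits per character.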

ericzz:
Hi polonus,

Thanks for your help. We fixed some code and now it is clean on http://sitecheck.sucuri.net/results/schoolandhousing.com. However, our customer is still reporting an avast alert. Now you mentioned another link, http://www.quttera.com/detailed_report/www.schoolandhousing.com.

I have a few questions, please help us.

1) Does avast use both sucuri and quttera to verify the code cleanliness? Are any other websites used? The problem is that even if we fix one, we do not know how many other verification websites avast is using and if we can pass the others.

2) In the quttera link, there are two types of warnings: The first one is "Detected abnormal use of [iframe] elements. Treat it as suspicious.". What does that mean? What is considered an abnormal use of iframe?

The second is "Too low entropy detected in string '<tr><td><span style='text-decoration:underline;cursor:hand;cursor:pointer;' onclick='openNewWindow(\' of length 22951 which may points to obfuscation or shellcode.". We guess this is because we remove all newline characters in javascript for code safety purposes. Any hints on this one?

Thanks,

Eric

DavidR:
Avast uses its own functions to determine if a site is infected, etc. It is just that we avast users use other tools to visit suspect sites to investigate.
