Avast WEBforum

Other => Viruses and worms => Topic started by: shinewatch on December 30, 2012, 06:54:42 AM

Title: avast is blocking my website, and not responding to emails
Post by: shinewatch on December 30, 2012, 06:54:42 AM
my website is wxw.shinewatch.com and avast is not responding to my emails on why it was blocked.
network shield seems to block it, scanned for viruses but found none.
Title: Re: avast is blocking my website, and not responding to emails
Post by: mikaelrask on December 30, 2012, 09:39:34 AM
hey and welcome to the forum, please make the link non-clickable by changing it to something like wxw or something else, so other users don't go and click on it,

http://zulu.zscaler.com/submission/show/57351e836c681a8eec6ebff784cccf8a-1350297660

according to the scan above there is something suspicious about the link.
Title: Re: avast is blocking my website, and not responding to emails
Post by: Pondus on December 30, 2012, 12:19:44 PM
if you think it is wrong, you can report it here   http://www.avast.com/contact-form.php?
Title: Re: avast is blocking my website, and not responding to emails
Post by: DavidR on December 30, 2012, 01:02:44 PM
There are off site connections to stallionw.com (your webdeveloper ?), which redirects to stallioni.com so I don't know if that might have something to do with it or not.

When using the contact form link given, ask for a Network Shield review; giving a link to this topic might help.

Nothing found at http://sitecheck.sucuri.net/results/www.shinewatch.com/ or http://www.urlvoid.com/scan/shinewatch.com/ or http://urlquery.net/report.php?id=556243. But WOT (Web Of Trust) doesn't like the site reputation-wise.
Title: Re: avast is blocking my website, and not responding to emails
Post by: polonus on December 30, 2012, 01:30:13 PM
There are some minor issues. Question first: //** Is your rel canonical tag pointing to another domain? 
Code anomalies -
1. Code hiccup: line:168: SyntaxError: unterminated string literal:
          error: line:168:                     for(var i=0;i<s><a rel="+ i +" href="">'+ (i+1) +'</a>') *
          error: line:168: ......................................................................................^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Transitional/EN" "http:/wXw.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
          error: line:3: ...............^
2. I get a Firekeeper triggered alert for *: === Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;) to be used as a cloud attack

=== Request URL ===
////broken by me/////+for%28var+i%3D0%3Bi%3Cs%3E%3Ca+rel%3D%22%2B+i+%2B%22+href%3D%22%22%3E%27%2B+%28i%2B1%29+%2B%27%3C%2Fa%3E%27%29&ie=utf-8&oe=utf-8&aq=t
furthermore:

3. info: [img] wXw.shinewatch.com/includes/templates/pro/jscript/includes/templates/pro/images/blog.png
     info: [decodingLevel=0] found JavaScript [obfuscated)
     suspicious:

polonus
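
How the rule quoted in the post above evaluates against the posted request URL, as an added example that is not part of the original thread and not Firekeeper's own code. Assumptions: the host `search.example` is a placeholder for the part of the URL the poster broke, every `url_content` option must match, and matching is done case-insensitively on the raw, still-encoded URL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Rule as posted in the thread (the two reference: options are left out).
RULE = ('alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; '
        'msg:"Suspicious looking GET request containing %3C, %3E, and %22. '
        'Suspiciously HTML-like.";)')

# Query string as posted; scheme, host and path are a constructed placeholder
# because the poster deliberately broke the start of the URL.
REQUEST_URL = (
    "http://search.example/search?q="
    "+for%28var+i%3D0%3Bi%3Cs%3E%3Ca+rel%3D%22%2B+i+%2B%22+href%3D%22%22%3E"
    "%27%2B+%28i%2B1%29+%2B%27%3C%2Fa%3E%27%29&ie=utf-8&oe=utf-8&aq=t"
)

def parse_rule(rule):
    """Return (url_content patterns, msg text) from a rule string."""
    patterns = re.findall(r'url_content:"([^"]*)"', rule)
    msg = re.search(r'msg:"([^"]*)"', rule)
    return patterns, (msg.group(1) if msg else "")

def rule_matches(rule, url):
    """True only if every url_content pattern occurs in the raw URL.
    AND semantics and case-insensitivity are assumptions of this sketch."""
    patterns, _ = parse_rule(rule)
    raw = url.upper()
    return bool(patterns) and all(p.upper() in raw for p in patterns)

def decoded_param(url, name="q"):
    """Percent-decode one query parameter to see what actually tripped the rule."""
    values = parse_qs(urlsplit(url).query).get(name, [""])
    return values[0].strip()

if __name__ == "__main__":
    patterns, msg = parse_rule(RULE)
    print("patterns:", patterns)
    if rule_matches(RULE, REQUEST_URL):
        print("ALERT:", msg)
        print("decoded q:", decoded_param(REQUEST_URL))
```

The decoded `q` value is the same text as line 168 in the error output above, so the alert fires on the page's own malformed script fragment ending up in a GET request.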
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on December 30, 2012, 07:01:11 PM
Quote
if you think it is wrong, you can report it here   http://www.avast.com/contact-form.php?

reported a number of times, but they did not get back to me
Title: Re: avast is blocking my website, and not responding to emails
Post by: Pondus on December 30, 2012, 07:06:40 PM
Quote
if you think it is wrong, you can report it here   http://www.avast.com/contact-form.php?

reported a number of times, but they did not get back to me

they usually don't...
is the website still blocked?
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on December 30, 2012, 07:12:41 PM
Quote
There are some minor issues. Question first: //** Is your rel canonical tag pointing to another domain? 
Code anomalies -
1. Code hiccup: line:168: SyntaxError: unterminated string literal:
          error: line:168:                     for(var i=0;i<s><a rel="+ i +" href="">'+ (i+1) +'</a>') *
          error: line:168: ......................................................................................^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Transitional/EN" "http:/wXw.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
          error: line:3: ...............^
2. I get a Firekeeper triggered alert for *: === Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;) to be used as a cloud attack

=== Request URL ===
////broken by me/////+for%28var+i%3D0%3Bi%3Cs%3E%3Ca+rel%3D%22%2B+i+%2B%22+href%3D%22%22%3E%27%2B+%28i%2B1%29+%2B%27%3C%2Fa%3E%27%29&ie=utf-8&oe=utf-8&aq=t
furthermore:

3. info: [img] wXw.shinewatch.com/includes/templates/pro/jscript/includes/templates/pro/images/blog.png
     info: [decodingLevel=0] found JavaScript [obfuscated)
     suspicious:

polonus

yes currently is pointing to other domain because it is in the midst of editing..
but when i hosted it on another server it had the same problems as well. how do i solve this?
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on December 30, 2012, 07:13:52 PM
Quote
if you think it is wrong, you can report it here   http://www.avast.com/contact-form.php?

reported a number of times, but they did not get back to me
they usually don't...
is the website still blocked?

yes it is still blocked at the moment.. error 103
Title: Re: avast is blocking my website, and not responding to emails
Post by: Pondus on December 30, 2012, 07:18:25 PM
Quote
yes it is still blocked at the moment.. error 103
that does not sound like an avast warning...

is there an avast warning pop up when you go to the site?
if so take a screen shot of it and attach here
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on December 30, 2012, 07:23:16 PM
Quote
yes it is still blocked at the moment.. error 103
that does not sound like an avast warning...

is there an avast warning pop up when you go to the site?
if so take a screen shot of it and attach here

there is no avast warning pop up, but i can see it is blocked in the network shield in my avast. when i turn the network and web shield on, i cannot access the website; i have to turn off these shields to access my website
Title: Re: avast is blocking my website, and not responding to emails
Post by: polonus on December 30, 2012, 08:04:23 PM
A domain at the same IP had S/Meta.A.1 malware that is now dead: htxp://www.penguinguru.org/wp-content/themes/pixeled/yahoolinksus.html
known as a foxnews dot com, a known PHISH. This might have had a role in the blocking...
But I think it is because of this: Application: shopping cart program by Zen Cart®, htxp://www.zen-cart.com eCommerce is open to attack!
Cross site script exploit authentication bypass.... in combination with WordPress; see redirects mentioned below...
Avast Webshield flags the site and a gzip file there is flagged by the Network shield, but does not flag this site: http://www.shinewatches.com/&oe=utf-8&hl=en&spell=1 which domain is for sale now.
What is the relation between this domain and yours? Is there a historic link?
All point now here: http://stallionw.com/shinewatch/includes/templates/cambridge_pro/jscript/jscript_jquery_1-4-4.js etc.
with a redirect - You are now being directed to wXw.stallioni.com -> http://wepawet.iseclab.org/view.php?hash=90b4b924d4444cf35df02ea672c5fef5&t=1356893435&type=js originating here: http://stallioni.com/portfolio-types/oscommerce (same IP as had the S/Meta.A.1 malware) on this Malaysian site.
You probably also have nameserver issues on: ns33 dot domaincontrol dot com. They should be as listed in your account!

polonus
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on January 04, 2013, 03:53:58 PM
i have uploaded this to my server, unfortunately it is still blocked...
Title: Re: avast is blocking my website, and not responding to emails
Post by: shinewatch on January 04, 2013, 04:47:58 PM
in fact i deleted all the files and put up only a single text, and it was also blocked. i am sure it's only the domain name that is blocked by avast
Title: Re: avast is blocking my website, and not responding to emails
Post by: DavidR on January 04, 2013, 06:49:10 PM
If the avast alert is MAL:URL then that means that either the domain name or IP address is on the malicious sites list. This can happen for a number of reasons: previous domain/s on this IP address which were infected, or previous alerts on the site, which after time would escalate and be included in the malicious sites list.

If the site has had this suspect code removed, etc. then you should follow up on the request for site review, based on the information in Reply #2 & 3 above. So it will take a little time to review but if successful the site should be removed from the list relatively quickly after that.

I think the important thing in requesting site review is to give the link to this topic; not only does it give much more information than can be included in the report, it also gives them something to respond to (which has happened on occasion before).