Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: another532 on August 16, 2013, 01:00:04 AM

Title: Why is this site being blocked by Avast?
Post by: another532 on August 16, 2013, 01:00:04 AM
Hi, I would like to get some info on this.

Avast free is blocking microelectronicash dot com but doesn't provide any details about why.

Scanned the URL with a lot of tools and only Avast report it as malicious.

Thanks in advance.
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 16, 2013, 01:20:21 AM
Whoa! 

Caution:  visiting the site will give 13 consecutive network shield blocks.  Do not attempt to visit.

Are you sure?  Because Googling gives a site out of country here and in Spanish? maybe? 

http://zulu.zscaler.com/submission/show/f5a6460ab0cb8547ea919d4b96342134-1376608308
http://urlquery.net/report.php?id=4580428
http://www.urlvoid.com/scan/microelectronicash.com/  Note that MyWOT is unrated for this site.
http://sitecheck.sucuri.net/results/www.microelectronicash.com

Wouldn't be the first time avast! has detected and blocked new emerging malware at a website, nor will it be the last.

Are you the site's owner?

See attached:
Title: Re: Why is this site being blocked by Avast?
Post by: Pondus on August 16, 2013, 01:39:32 AM
if you click details on that popup.... do you then see the full url?

Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 16, 2013, 01:47:29 AM
yea, ends in (site name) .../CSS/lightbox.css.  That's the malicious agent being flagged.  What the other 12 were, do not know atm.

[EDIT:]  Oops, assumed show last popup would show same as attached above, but no...

New attached below:
Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 16, 2013, 02:01:42 AM
Hi, I don't get any related URL, I'm not the site owner either.
Title: Re: Why is this site being blocked by Avast?
Post by: Pondus on August 16, 2013, 02:05:12 AM
if you think this is wrong.....

You can report a possible FP here: http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply

Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 16, 2013, 02:37:40 AM
That's the point, how can I know if it's for real or a false positive when there is no information at all?
I was expecting someone from avast to explain it.
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 16, 2013, 02:40:53 AM
Contacted another forum member here who is very good at investigating such anomalies as this.
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 16, 2013, 02:57:45 AM
A little more info from avast! user account: 

Attached below:
Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 16, 2013, 04:49:49 AM
Can images even contain malware?
Title: Re: Why is this site being blocked by Avast?
Post by: !Donovan on August 16, 2013, 05:47:48 AM
Can images even contain malware?

Yes.

~!Donovan
Title: Re: Why is this site being blocked by Avast?
Post by: kubecj on August 16, 2013, 09:23:53 AM
The whole server got blocked because Darkleech infection was detected. Please contact your host and ask them to resolve this situation - there must be some vulnerability (usually CPanel or Plesk) which lets bad guys upload a malicious httpd server or httpd server module.
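One defender-side check that follows from the post above is to audit which modules the httpd process is configured to load. The script below is an added example and is not code from the thread or from any participant; the module allowlist, the expected module directory and the sample httpd.conf excerpt are all constructed assumptions (a real audit would take the allowlist from the distribution's package manifest and compare file hashes as well).

```python
"""Audit Apache LoadModule directives for modules that are not on an allowlist
or are loaded from outside the expected modules directory.

Added example, not from the Avast thread. ALLOWED_MODULES,
EXPECTED_MODULE_DIRS and SAMPLE_CONFIG are constructed for illustration.
"""
import posixpath
import re

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed allowlist: the module names this particular host is expected to load.
ALLOWED_MODULES = {
    "ssl_module",
    "rewrite_module",
    "php5_module",
    "auth_passthrough_module",
    "bwlimited_module",
}

# Assumption: modules live in the package-managed directory; ServerRoot/modules
# is commonly a symlink to it, so both spellings are accepted.
EXPECTED_MODULE_DIRS = ("/usr/lib/apache2/modules", "/etc/apache2/modules")

# Constructed httpd.conf excerpt with two suspicious entries at the end.
SAMPLE_CONFIG = """# constructed httpd.conf excerpt
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module /usr/lib/apache2/modules/libphp5.so
LoadModule example_rogue_module /usr/lib/apache2/modules/mod_example_rogue.so
LoadModule helper_module /tmp/.x/mod_helper.so
"""


def parse_loadmodules(config_text, server_root="/etc/apache2"):
    """Return (module_name, absolute_path) for every LoadModule directive."""
    found = []
    for line in config_text.splitlines():
        m = LOADMODULE_RE.match(line)
        if not m:
            continue
        name, path = m.group(1), m.group(2)
        if not path.startswith("/"):
            # Apache resolves relative module paths against ServerRoot.
            path = posixpath.join(server_root, path)
        found.append((name, posixpath.normpath(path)))
    return found


def audit_loadmodules(config_text, allowed=ALLOWED_MODULES,
                      module_dirs=EXPECTED_MODULE_DIRS, server_root="/etc/apache2"):
    """Return a list of (finding, module_name, path) tuples for review."""
    findings = []
    for name, path in parse_loadmodules(config_text, server_root):
        if name not in allowed:
            findings.append(("unexpected-module", name, path))
        if posixpath.dirname(path) not in module_dirs:
            findings.append(("module-outside-dir", name, path))
    return findings


if __name__ == "__main__":
    for finding in audit_loadmodules(SAMPLE_CONFIG):
        print("%-20s %-24s %s" % finding)
```

Run against a live host, the config text would come from the server's own httpd.conf (and any Include'd files), and every unexpected module should be cross-checked against the package manager's file list before being trusted.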
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 16, 2013, 09:56:11 AM
Well, here is more info thanks to kubecj above:  http://www.informationweek.com/security/attacks/darkleech-apache-attacks-intensify/240153922

Walked right into it, too!  *sigh*   Failure to install security updates when they come out is what it is.  You can look to sys admins for that timely lapse.
Title: Re: Why is this site being blocked by Avast?
Post by: polonus on August 16, 2013, 10:14:08 AM
Excessive header information:
HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Fri, 16 Aug 2013 07:50:56 GMT
Pragma: no-cache
Location: /index.php?secc=contacto
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=12c718f0d171a39f0fa0c6deb26300d0; path=/
X-Powered-By: PHP/5.2.17
3 security warnings here: https://asafaweb.com/Scan?Url=www.microelectronicash.com
Previous compromise of domain on same IP via /.sys?getexe=v2webserver.exe or /.sys?getexe=v2prx.exe  or /.sys?getexe=ms.26.exe
reported here: http://www.malwaredomainlist.com/forums/index.php?topic=3190.2615
see: http://exploitsdownload.com/search/dork%20sql%20injection%202013/90

Flagged
Code:
  </div>
    <div class="coldos">
      <div class="modulo">
      <a href="index.php?keyword=PELTIER&secc=catalogo"> 
          <div id="imghome03">
          </div>
IP 1 appearance(s) in spam e-mail or spam post url

Code:
<embed width="340" height="50" src="images/banner-logos.swf" quality="high"
pluginspage="htxp://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash"
type="application/x-shockwave-flash">
</embed>
source of malcode ? catalog/view/javascript/DD_belatedPNG_0.0.8a-min.js

polonus
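The header block quoted above leaks a lot of version information and sets a session cookie without protective attributes. The script below is an added example, not code from the thread or from polonus, that parses such a response and reports the issues a defender would flag; the sample input is the header block from the post, and the list of hardening headers it expects is an assumption (it is not a reproduction of what asafaweb checks).

```python
"""Audit an HTTP response header block for information disclosure and weak
cookie settings.

Added example, not from the Avast thread. SAMPLE_RESPONSE is the header block
quoted in the thread; EXPECTED_HARDENING is an assumed list of headers a
hardened server would send.
"""
import re

SAMPLE_RESPONSE = """HTTP/1.1 302 Moved Temporarily
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: close
Date: Fri, 16 Aug 2013 07:50:56 GMT
Pragma: no-cache
Location: /index.php?secc=contacto
Server: Apache/2.2.25 (Unix) mod_ssl/2.2.25 OpenSSL/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Content-Length: 0
Content-Type: text/html
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: PHPSESSID=12c718f0d171a39f0fa0c6deb26300d0; path=/
X-Powered-By: PHP/5.2.17
"""

# Matches "product/1.2.3" style tokens, with an optional suffix such as "-fips".
VERSION_RE = re.compile(r"[A-Za-z_\-]+/\d+(?:\.\d+)+(?:-[A-Za-z0-9]+)?")

# Assumption: headers a hardened deployment is expected to send.
EXPECTED_HARDENING = ("X-Frame-Options", "X-Content-Type-Options", "Content-Security-Policy")


def parse_response(raw):
    """Split a raw response into (status_line, [(lowercased_name, value), ...])."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def disclosed_components(raw):
    """Software/version tokens revealed by Server and X-Powered-By."""
    _, headers = parse_response(raw)
    components = []
    for name, value in headers:
        if name in ("server", "x-powered-by"):
            components.extend(m.group(0) for m in VERSION_RE.finditer(value))
    return components


def audit_headers(raw):
    """Return a sorted list of finding identifiers for the response."""
    _, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "server" and VERSION_RE.search(value):
            findings.append("server-version-disclosure")
        elif name == "x-powered-by" and VERSION_RE.search(value):
            findings.append("x-powered-by-version-disclosure")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "httponly" not in attrs:
                findings.append("cookie-missing-httponly:" + cookie_name)
            if "secure" not in attrs:
                findings.append("cookie-missing-secure:" + cookie_name)
    present = {name for name, _ in headers}
    for header in EXPECTED_HARDENING:
        if header.lower() not in present:
            findings.append("missing-header:" + header.lower())
    return sorted(findings)


if __name__ == "__main__":
    print("Disclosed components:", ", ".join(disclosed_components(SAMPLE_RESPONSE)))
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(" -", finding)
```

Version disclosure does not by itself mean the host is compromised, but it tells anyone who looks exactly which Apache, OpenSSL and PHP builds to check against known advisories, which is why ServerTokens Prod and expose_php = Off are standard hardening steps; the missing HttpOnly flag on PHPSESSID matters on a site that is already serving injected content.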
Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 16, 2013, 09:10:35 PM
Thank you.
Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 17, 2013, 05:21:16 AM
Guys, I know this is not related but by chance, does someone know how to freeze a VMware VM in a way that it deletes any changes after reboot?
I really need to browse this site for ordering some electronics.
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 17, 2013, 09:27:48 AM
Should be a way, but with this sort of thing, who knows what else is infected over there?  Willing to, for example, risk a financial transaction where it is set up to possibly clean you out?  Reason I say that, is because the sys admin(s) running the infected server no longer control it; the bad guys do.  Hence the malware that is present.

Your call.

It's called a hacked site.
Title: Re: Why is this site being blocked by Avast?
Post by: another532 on August 17, 2013, 09:33:11 AM
Yeah I know but there is no online payment, I just need to access their catalog.
Title: Re: Why is this site being blocked by Avast?
Post by: mchain on August 17, 2013, 09:40:11 AM
It's possible sys admins have no idea there is a problem because the root infection is DarkLeech.  Care to notify them (best by phone)?  Should be a phone listing somewhere.

There are always alternative sites, btw.