Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: Matthew_Wai on April 26, 2014, 01:58:36 PM

Title: Why is the website harmful?
Post by: Matthew_Wai on April 26, 2014, 01:58:36 PM
http://60.210.11.231/
The Web Shield deems it harmful, do you know what it is?
Title: Re: Why is the website harmful?
Post by: essexboy on April 26, 2014, 02:05:37 PM
http://myip.ms/view/ip_addresses/1020398336/60.210.11.0_60.210.11.255

http://cnc-noc.net/mail/login.action

Not sure
Title: Re: Why is the website harmful?
Post by: Pondus on April 26, 2014, 02:08:44 PM
https://www.virustotal.com/en/url/6cb04a97832f2a70ab34451991168078dd7e6ae747d4e369f98dd8485c917bb5/analysis/1398513971/

IP is blacklisted by dev.null.dk and spamsources.fabel.dk

Seems to be an empty site now... click picture. http://www.urlquery.net/report.php?id=1398514275777



Title: Re: Why is the website harmful?
Post by: Matthew_Wai on April 26, 2014, 02:20:04 PM
http://60.210.11.231/lvs/banner_1.jpg  quoted from the Web Shield report
Perhaps this file exists.
Title: Re: Why is the website harmful?
Post by: Pondus on April 26, 2014, 02:23:03 PM
It does... pic of a nice girl. ;) http://www.urlquery.net/report.php?id=1398515062630



Title: Re: Why is the website harmful?
Post by: Matthew_Wai on April 26, 2014, 02:24:41 PM
But it is not a banner at all!
Title: Re: Why is the website harmful?
Post by: Pondus on April 26, 2014, 02:27:42 PM
Quote: "But it is not a banner at all!"
?
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on April 26, 2014, 02:31:59 PM
It is an advertisement for express delivery of documents, the words are in Chinese.
Do you think it is false positive?
Title: Re: Why is the website harmful?
Post by: Pondus on April 26, 2014, 02:41:50 PM
See my first post... from the IP ban blacklist, it seems it may have to do with spam.

Title: Re: Why is the website harmful?
Post by: Matthew_Wai on April 26, 2014, 02:44:40 PM
What do you think will happen if I visit the URL after disabling the Web Shield?
Title: Re: Why is the website harmful?
Post by: Pondus on April 26, 2014, 02:55:01 PM
Quote: "What do you think will happen if I visit the URL after disabling the Web Shield?"
Nada, I guess... and the pic file is clean according to VT... 5 month old scan.
But don't come back complaining if I am wrong.



https://www.virustotal.com/en/url/7426cdaf3b4e6b40da0504bb800af974cf7918f233c256d5f6d0eb6177de85d1/analysis/

https://www.virustotal.com/en/file/2bb3608eab1a013999a13b80e704606bc7793b56669354380989b66232ac5aa1/analysis/1385649338/


Title: Re: Why is the website harmful?
Post by: polonus on April 26, 2014, 03:35:32 PM
See all threats here: http://threatstop.com/checkip -> 23 minutes ago threats MODIFIED ITAR, ITAR, CHINA threat level 1.
See: Up(nil):      APNIC   CN      60.210.11.231    to 60.210.11.231   60.210.11.231   
See: http://toolbar.netcraft.com/site_report?url=60.210.11.231%2Flvs%2Fbanner_1.jpg  (Risk rate 10 out of 10 RED)
htxp://60.210.11.231/file/MDAwMDAwMDGSJcByiJiZn3rq0LglSSlmpMcl_EJPHghyPvUhjxW-2w../209c2a443f46eb26807ff78378f7ad8d17d786cd/10958773-vxd-UG&  -> https://www.virustotal.com/nl/url/486f4c473bf280bd41c5cc62f02f4272e424f7c7211f583249061b3fe93e2668/analysis/1398518686/
url after redirect: htxp://60.210.11.231/lvs/redirect.html?kne=&d=0823C937 (flagged by avast! Webshield as URL:Mal).
-> http://urlquery.net/report.php?id=1398515062630
Trying to redirect to: htxp://www.dbank.com/ping.php?js=all?v=1.26.23"%3B -> htxp://www.dbank.com/ping.php?js=base
Emsisoft is the only one to flag next to avast! shield.

pol

P.S. Everybody should be aware of the banner abuse by Zeus: http://www.gfi.com/blog/beware-malware-banner/
link article author = Mohammed Ali  (actually old info from 2011, then new but now still actual)

D
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 07, 2014, 01:35:45 PM
After disabling "Block malware URLs" I could download and save the banner on http://60.210.11.231/lvs/banner_1.jpg
It read "NO THREAT FOUND" after manual scanning.
The URL might have been blacklisted mistakenly.
Title: Re: Why is the website harmful?
Post by: HonzaZ on May 07, 2014, 01:54:51 PM
Hi,
This IP was blocked 21. June 2013, 11:38 because of this file we spotted:
hxxp://60.210.11.231/file/mdawmdawmdhmzntt3gw_6vm8w34pwr1wsbqbat_3thhkqpgcslagnq../ba97b7fbf4ab948d7ceb62df1626d016fbc97/%e9%97%ae%e9%97%ae%e5%ad%a6%e5%a0%82%e8%87%aa%e5%8a%a8%e7%ad%94%e9%a2%98%e5%99%a8beta%203.85.rar?key=aaabqfhcyxi8vv6i&p=&a=4022865-af11
I hope the infection has been cleared already, so I am unblocking the IP now;-).
Honza
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 07, 2014, 01:58:39 PM
Do you mean avast will block a whole site just because a single file is infected?
Title: Re: Why is the website harmful?
Post by: bob3160 on May 08, 2014, 02:22:00 AM
Quote: "Do you mean avast will block a whole site just because a single file is infected?"
I certainly hope so. I know I don't want to wind up with the infected file on my system. :)
I personally can't think of any site that is so important that I need to visit it if it contains infections of any kind.
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 06:28:12 AM
Quote: "wind up with the infected file"
Do you mean "wind up the computer with the infected file"?
Title: Re: Why is the website harmful?
Post by: polonus on May 08, 2014, 10:50:04 AM
Hi Matthew_Wai,

One file on a site means an infested site that could then infest users that come to visit that site. Do we want to infest visitors of our site? No, we do not. So we have to cleanse the files first, yes, even when there is one infested file, and then the site can become unblocked and visitors can come again to the site.
Is that so hard to imagine?    是這樣的,很難想像?

polonus
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 11:04:34 AM
Hi polonus,

It is not hard to imagine zero tolerance when it comes to infection.
But I can't imagine why you could write Chinese characters. Are you Chinese?
Title: Re: Why is the website harmful?
Post by: Eddy on May 08, 2014, 11:29:46 AM
Psstt, there are online translators. ;D
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 11:36:20 AM
But machine translation sucks.
Title: Re: Why is the website harmful?
Post by: Pondus on May 08, 2014, 11:40:44 AM
Quote: "Do you mean avast will block a whole site just because a single file is infected?"
If the infected file is part of the website html, yes of course.


Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 11:43:29 AM
Do you mean the infected file exists on all pages of the site?
Title: Re: Why is the website harmful?
Post by: Pondus on May 08, 2014, 11:50:17 AM
see reply nr #13

Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 11:52:15 AM
Sorry, which one is #13? I saw no number.
Title: Re: Why is the website harmful?
Post by: Pondus on May 08, 2014, 11:54:27 AM
Every post has a number... the one you just posted:

Quote
Re: Why is the website harmful?
« Reply #24 on: Today at 11:52:15 »

Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 12:04:44 PM
Sorry for having overlooked the post number.

The infected file was
hxxp://60.210.11.231/file/mdawmdawmdhmzntt3gw_6vm8w34pwr1wsbqbat_3thhkqpgcslagnq../ba97b7fbf4ab948d7ceb62df1626d016fbc97/%e9%97%ae%e9%97%ae%e5%ad%a6%e5%a0%82%e8%87%aa%e5%8a%a8%e7%ad%94%e9%a2%98%e5%99%a8beta%203.85.rar?key=aaabqfhcyxi8vv6i&p=&a=4022865-af11

This file was not part of http://60.210.11.231/lvs/banner_1.jpg which was a safe file but blocked, why?

Title: Re: Why is the website harmful?
Post by: Pondus on May 08, 2014, 12:10:18 PM
start reading this topic from the beginning again.....





Title: Re: Why is the website harmful?
Post by: Eddy on May 08, 2014, 12:23:48 PM
Not the .jpg is blocked, but the entire website.
The reason for it is that there is that .rar file.
It redirects to dbank, which is not trustworthy.

http://urlquery.net/report.php?id=1399544492415
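
The host-versus-file distinction that HonzaZ and Eddy describe, as an added example that is not part of any forum post and is not Avast's code: one reported archive recorded at host scope blocks the clean banner too, while URL scope would not. The `Blocklist` class, the scope names and the archive path are constructed for illustration; the thread does not say how Web Shield stores its entries.

```python
from urllib.parse import urlsplit

# Constructed sample URLs: host and banner path come from the thread, the
# archive path is a placeholder standing in for the reported .rar file.
ARCHIVE = "hxxp://60.210.11.231/file/PLACEHOLDER/sample.rar?key=PLACEHOLDER"
BANNER = "http://60.210.11.231/lvs/banner_1.jpg"

def refang(url):
    """Restore a defanged scheme (hxxp, htxp) so the URL can be parsed."""
    scheme, sep, rest = url.partition("://")
    return scheme.lower().replace("hxxp", "http").replace("htxp", "http") + sep + rest

def keys(url):
    """Return (host key, exact-URL key); the query string is ignored."""
    parts = urlsplit(refang(url))
    return parts.hostname, (parts.hostname, parts.path)

class Blocklist:
    """Hypothetical reputation store, not Avast's implementation."""
    def __init__(self):
        self.entries = {}  # key -> reason

    def report(self, bad_url, reason, scope):
        host_key, url_key = keys(bad_url)
        self.entries[host_key if scope == "host" else url_key] = reason

    def verdict(self, url):
        for key in keys(url):
            if key in self.entries:
                return ("block", self.entries[key])
        return ("allow", None)

    def unblock_host(self, host):
        # Drop the host entry and any per-URL entries on that host.
        self.entries = {k: v for k, v in self.entries.items()
                        if k != host and not (isinstance(k, tuple) and k[0] == host)}

def compare():
    """Verdict for the clean banner under each scope, then after unblocking."""
    by_host, by_url = Blocklist(), Blocklist()
    by_host.report(ARCHIVE, "infected archive seen on host", "host")
    by_url.report(ARCHIVE, "infected archive seen on host", "url")
    before = (by_host.verdict(BANNER)[0], by_url.verdict(BANNER)[0])
    by_host.unblock_host("60.210.11.231")
    return before, by_host.verdict(BANNER)[0], by_url.verdict(ARCHIVE)[0]

if __name__ == "__main__":
    print(compare())
```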
Title: Re: Why is the website harmful?
Post by: bob3160 on May 08, 2014, 02:54:47 PM
We seem to be going around in a circle.
Question asked and answered.
Title: Re: Why is the website harmful?
Post by: polonus on May 08, 2014, 03:21:05 PM
Hi bob3160,

Doesn't the victim really understand this explanation from the example that one rotten apple can ruin a whole can of apple sauce, or is he just pretending he does not understand how this works? By the way, that IP was abused on 2008-01-04 through CASE: C-1375 - Spambots/zombies within CIDR (info APEWS dot ORG).

polonus
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 08, 2014, 03:30:57 PM
No users fell victim to the website being blocked. Perhaps the website owner is the victim.
I posted this topic just out of curiosity.
I don't think anyone is pretending here, there is no need and no fun.
Not all newbies can fully understand how a piece of complicated software works.
Title: Re: Why is the website harmful?
Post by: Matthew_Wai on May 09, 2014, 05:02:13 AM
Quote: "We seem to be going around in a circle. Question asked and answered."
We seem to be discovering new questions while receiving answers.
Questions being asked and answered is normal on any forums.