Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on October 20, 2016, 03:46:10 PM

Title: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 03:46:10 PM
Hi,

I have a website builder tool at www.sitepx.com. After the new Avast update, all users using Avast can't access any site on my platform.

We are trying to figure out what the problem is, but we just can't understand the following errors:

HTML:Script-inf on object:
http://adm.sitepx.com/login|{gzip}

I know what HTML:Script is, that http call returns 200 on a machine without Avast.

Another error:
URL:Mal on object:
http://119.syscall.ws/img/119/guiavila-cases-5573.jpg

And the same case here, that http call returns 200.

We can't find any problem or virus in several tools, like:
virustotal.com, multirbl.valli.org, pcthreatskiller.com, zulu.zscaler.com and others.

Can anybody help me?
Thanks!
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Eddy on October 20, 2016, 03:49:12 PM
There was a problem with the detection of things, but they have been solved in the latest update.
Make sure you have the latest update and check if avast still is flagging the site.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 03:58:47 PM
We have two machines with this error; on both we updated the virus definitions.

The problem may be with my domain, syscall.ws. It looks like Avast started blocking this domain.
And the domain and IP are not blacklisted, so what am I missing?
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Eddy on October 20, 2016, 04:07:47 PM
I've just checked and avast is not blocking or flagging www.sitepx.com
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 04:10:58 PM
Ok, and what about the domain http://syscall.ws and its subdomains (*.syscall.ws)?

All images on the site builder are served from this domain, like this image:

http://119.syscall.ws/img/119/guiavila-cases-5573.jpg

If I try to access that image on a machine with Avast, I get the error URL:Mal.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Eddy on October 20, 2016, 04:18:19 PM
Flagged as a phishing site.
https://www.virustotal.com/en/url/2ea84c0308e5f480b101c6be70dfba27fe3d745f1fdb0c2d0e826ff1cad041cf/analysis/1476972547/
http://www.siteadvisor.com/sites/syscall.ws

There is also a detection from Sucuri:
https://sitecheck.sucuri.net/results/syscall.ws

Malicious (or at least suspicious):
https://quttera.com/detailed_report/syscall.ws

Insecure library used:
http://retire.insecurity.today/#!/scan/83e8f94692db0c58de3d325b7b05304b9079d94d0f6509c4a04571147bb594bc

cc-staging.net is on the same IP.
Are you familiar with that domain?
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 04:56:30 PM
We don't know this domain: cc-staging.net

All images are served from syscall.ws, which is behind a load balancer on AWS; for that reason we don't control the IPs.

We fixed a redirect: when syscall.ws was accessed on path "/", it was redirecting to AWS, where there were 2 malicious files.
It's not happening anymore.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 09:04:51 PM
Hi,

I managed to remove the domain syscall.ws from all sites.

Now I get another error: when I try to log in on http://adm.sitepx.com I get:

JS:ScriptIP-inf[Trj]
Object: http://adm.sitepx.com/core

All my customers are complaining, they can't edit their sites.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Eddy on October 20, 2016, 09:13:28 PM
No alerts with the latest updates installed when I try to access the site.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Rednose on October 20, 2016, 09:18:14 PM
No problems except for http://adm.sitepx.com/core

Greetz, Red.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 20, 2016, 09:22:06 PM
I think the problem is when the user accesses with his credentials; I made a single sign-on (it's a test account for testing purposes).

Please try accessing this URL:

http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4

Here we always get the error:
JS:ScriptIP-inf[Trj]
Object: http://adm.sitepx.com/core
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: HonzaZ on October 21, 2016, 09:35:03 AM
Code:
wget "http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4"
--2016-10-21 09:31:52--  http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Resolving adm.sitepx.com... 52.203.64.224, 52.204.166.252
Connecting to adm.sitepx.com|52.203.64.224|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /core/#sys/_inc_site-menu,id:NDcyZGUx [following]
--2016-10-21 09:31:52--  http://adm.sitepx.com/core/
Reusing existing connection to adm.sitepx.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2016-10-21 09:31:53 (199 MB/s) - `index.html' saved [9703]

The file I am getting still contains reference to syscall[.]ws.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 21, 2016, 01:17:08 PM
True,

There was a reference in a JavaScript variable, but not anymore:

$ wget "http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4"
--2016-10-21 09:15:57--  http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Resolving adm.sitepx.com (adm.sitepx.com)... 52.204.166.252, 52.203.64.224
Connecting to adm.sitepx.com (adm.sitepx.com)|52.204.166.252|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /core/#sys/_inc_site-menu,id:NDcyZGUx [following]
--2016-10-21 09:15:58--  http://adm.sitepx.com/core/
Reusing existing connection to adm.sitepx.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4’

TmpnJTNEXy5weC5fTWpFMUxqT     [ <=>                                 ]   9,43K  --.-KB/s    in 0s     

2016-10-21 09:15:59 (37,9 MB/s) - ‘TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4’ saved [9657]

$ cat TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4 | grep syscall.ws
$
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: HonzaZ on October 21, 2016, 01:32:38 PM
What I mean is if you get "JS:ScriptIP-inf [Trj]" detection, it means there is a blocked URL in a JS. No mention of a blocked URL -> no Avast popup. :)
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: polonus on October 21, 2016, 01:53:23 PM
The "URL:Mal" on object link you gave is also listed at Sucuri as blacklisted by McAfee. On an IP blacklist?
Could there be JFIF dd header malware - a trojan of sorts maybe?

Also an AmazonS3 SSL certificate is listed here: https://www.threatminer.org/ssls.php?q=thawte%20sha256%20ssl%20ca&t=16
while it is creating an internal server error.

I only find this GradeSaver image residing there:
Quote
DOMAIN##119 dot syscall dot ws   AmazonS3   Fri, 21 Oct 2016 11:45:31 GMT   2   80   52.4.30.251   1            0
FOLDER##/   200   0   0   0   0   0
FILE##_index_defaultpage.html   0         0      0      1   1   0   0   0   -1   0   0   0   0   0   1   
FOLDER##/img/   200   0   0   0   0   0
FILE##_index_defaultpage.html   0         0      0      1   1   0   0   0   -1   0   0   0   0   0   1   
FOLDER##/img/119/   200   0   0   0   0   0
FILE##_index_defaultpage.html   339   application/xml      301      429      1   0   0   1   1   -1   429   0   0   0   0   1   
FILE##guiavila-cases-5573.jpg   451   image/jpg      200   Thu, 10 Oct 2013 03:35:11 GMT   0      0   0   0   1   0   -1   0   0   0   0   0   0   

polonus
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: REDACTED on October 21, 2016, 03:16:12 PM
Thanks!

Now everything is OK, I just removed all references to syscall.ws.
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: kioanni on April 30, 2022, 12:37:12 AM
Hi, lately I receive this message from Avast every time I log in to my Yahoo mail account:

the threat was shielded

we safely declined the connection to
el.tripsandtricks.com
because he was infected with
HTML:Script-inf [Susp]

how can I fix that?

Thank you!
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: Asyn on May 01, 2022, 12:08:43 PM
-> https://sitecheck.sucuri.net/results/el.tripsandtricks.com
Title: Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
Post by: r@vast on May 02, 2022, 12:34:10 PM
Quote
Hi, lately I receive this message from Avast every time I log in to my Yahoo mail account:

the threat was shielded

we safely declined the connection to
el.tripsandtricks.com
because he was infected with
HTML:Script-inf [Susp]

how can I fix that?

Thank you!

Hi,
Please report it via https://www.avast.com/false-positive-file-form.php