Avast WEBforum
Other => Viruses and worms => Topic started by: bachviet 23 on June 05, 2023, 09:51:22 AM
-
The Avast software is saying that our URL https://vneid.gov.vn/favicon.ico is blocked because of URL in Blacklist.
This has caused huge concerns among our customers. Can we understand what happened here and what had triggered the false positive?
Thank you in advance for clarification.
Kind regards
Bachviet
Support ID: 6797230ec213/2023-06-05T03:10:07.469Z
Popup: https://postimg.cc/21FRpDL4
-
The normal website address is not infested; what is flagged is that favicon.ico,
which may contain malicious PHP code.
The requested URL was rejected. Please consult with your administrator.
Your support ID is: 7248055357218949195
Wait for a final verdict from the Avast team, as such are their definitions.
polonus
-
The normal website address is not infested; what is flagged is that favicon.ico,
which may contain malicious PHP code.
<snip quote>
polonus
This used to be a very common/old way to infect, as the favicon.ico is ordinarily run and loaded (to display the site icon) into the browser tab.
-
DavidR is right, read here:
https://blog.sucuri.net/2022/09/how-are-favicon-ico-files-used-in-website-malware.html
But Sucuri as such does not flag this.
I scan this there:
{
  "ip": "-51.83.59.99",
  "ports": [
    22,
    80,
    443,
    500
  ],
  "cpes": [
    "cpe:/a:igor_sysoev:nginx",
    "cpe:/a:openbsd:openssh:7.4"
  ],
  "hostnames": [
    "wXw.sampleresponse.fr"
  ],
  "tags": [
    "vpn"
  ],
  "vulns": [
    "CVE-2017-15906"
  ]
}
Vulnerability involved, see: https://nvd.nist.gov/vuln/detail/CVE-2017-15906
polonus
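-
Added example, not part of any post in this thread and not Avast's or Sucuri's detection logic: a site owner's check of a favicon.ico for the issue discussed above, PHP code sitting in a file that should only hold icon images. The function names, the marker list and the sample bytes are constructed assumptions, and the image-format test is a heuristic.

```python
import struct

# Heuristic byte patterns (assumed list) that have no place in an icon file.
PHP_MARKERS = (b"<?php", b"<?=", b"eval(", b"base64_decode(")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def inspect_favicon(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    lowered = data.lower()
    findings = [f"php-marker:{m.decode()}" for m in PHP_MARKERS if m in lowered]
    # ICONDIR header: reserved (0), type (1 = icon), number of images.
    if len(data) < 6:
        return findings + ["not-ico:too-short"]
    reserved, ico_type, count = struct.unpack_from("<HHH", data, 0)
    if reserved != 0 or ico_type != 1 or count == 0:
        return findings + ["not-ico:bad-header"]
    end_of_images = 6 + 16 * count          # directory ends here
    if len(data) < end_of_images:
        return findings + ["not-ico:truncated-directory"]
    for i in range(count):
        # ICONDIRENTRY is 16 bytes; the last 8 are image size and file offset.
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        if size == 0 or offset + size > len(data):
            findings.append(f"entry{i}:out-of-bounds")
            continue
        image = data[offset:offset + size]
        # Icon images are PNG or a BMP body starting with a 40-byte DIB header.
        is_bmp = len(image) >= 4 and struct.unpack_from("<I", image)[0] == 40
        if not (image.startswith(PNG_MAGIC) or is_bmp):
            findings.append(f"entry{i}:unknown-image-format")
        end_of_images = max(end_of_images, offset + size)
    if end_of_images < len(data):
        # Bytes after the last declared image are where appended code would sit.
        findings.append(f"trailing-bytes:{len(data) - end_of_images}")
    return findings

def build_ico(image: bytes) -> bytes:
    """Build a one-image .ico around `image` (constructed test input)."""
    entry = struct.pack("<BBBBHHII", 16, 16, 0, 0, 1, 32, len(image), 22)
    return struct.pack("<HHH", 0, 1, 1) + entry + image

# Constructed samples: a clean icon, one with text appended, one that is no icon.
CLEAN = build_ico(PNG_MAGIC + b"\x00" * 32)
APPENDED = CLEAN + b"<?php /* constructed placeholder */ ?>"
FAKE = b"<?php /* constructed placeholder, no icon data */ ?>"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("appended", APPENDED), ("fake", FAKE)):
        print(name, inspect_favicon(blob))
```

Run it against the file as stored on the web server rather than only the copy a browser receives, since a server that executes the file as PHP will not return its source.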