Avast WEBforum
Other => Viruses and worms => Topic started by: drugshater on January 31, 2012, 03:53:12 PM
-
Hello dear Avast Support team,
I checked my website today and my Avast firewall blocked it with reason URL:Mal.
I checked all files, including logs; the server is under control and I don't have any viruses on any pages. I checked the site with many online checkers and all scans show that the site is clear of any malware. So I think it was blocked by mistake. Please help: how can I unblock it from your lists?
Website url: hxtp://bestporntube.ru
I am using a liveinternet.ru counter to count my visitors, and I read that the liveinternet.ru service is a suspicious script and is also blocked by Avast. Maybe the problem is here? But it's only a counter... not a virus..
I carefully watch for safety on the server; my site had no viruses, no malware, no suspicious scripts. Please tell me how to remove my site from your blocklist.
Already sent ticket with web-form here: http://www.avast.com/contact-form.php?loadStyles
Thanks for your time and for Avast product!
Yours, Igor.
-
TrendMicro doesn't like it either, VirusTotal site check. (https://www.virustotal.com/url/f4f6907d71f2895c6b77731e85b10f51568d6111b2befa871ffa9034733dc31a/analysis/1328023744/).
Same for TrendMicro on another scan site http://www.urlvoid.com/scan/bestporntube.ru (http://www.urlvoid.com/scan/bestporntube.ru).
Though Sucuri finds nothing.
Normally a report made using the form is investigated quickly and corrected as required.
EDIT, liveinternet.ru also gets hits, http://www.urlvoid.com/scan/liveinternet.ru (http://www.urlvoid.com/scan/liveinternet.ru)
-
well......pornsites are suspicious ;D
-
Pondus,
Agree, these kinds of sites always pose an additional risk, attracting miscreants
to add malicious code, especially to perform tracking/click fraud, etc.
Who is going to complain?
Well, I think it is the link to -http://www.liveinternet.ru/click
and on that link the following javascript code is suspicious:
-www.liveinternet.ru/ReActive/js/global/lib/lici.js suspicious
[suspicious:2] (ipaddr:88.212.196.87) (script) -www.liveinternet.ru/ReActive/js/global/lib/lici.js
status: (referer=-www.liveinternet.ru/click)saved 14363 bytes f86c1307ab3dff55cc6d14b520970d2d3c87e2bb
info: [decodingLevel=0] found JavaScript
suspicious: click is infected with JS/Redir.FU :
http://vscan.urlvoid.com/analysis/cbd7e81c6670c720207ec566d41d66b5/Y2xpY2s=/
-http://counter.yadro.ru/hit;li_face?q;r;s1024*768*24;uhttp%3A//-www.liveinternet.ru/;hen;0.75505052332
polonus
-
Hello guys, and thanks for your help. I still didn't receive any answer from the Avast support team by email for my ticket..
So I just need to remove the liveinternet.ru counter code to get unlisted?
I am in shock, because most Russian webmasters are using this counter and statistics for counting visitors, etc.. Really, millions of websites are using it, and they will all be blocked by Avast?
Don't you think that's absurd? I am sure that the counter code is not malicious; liveinternet.ru has been working for more than 10 years and no one among webmasters or Russian antivirus vendors like AVP has complained of malicious code..
-
Hello,
this was a false positive. It will be fixed in the next virus definition update.
Best regards
Alena Varkockova
-
Hello dear Alena, thank you for fast answer! Waiting for next virus definition update.
-
Hi drugshater,
The flag on the counter code was just a "possibly suspicious" from a jsunpack check on that particular site's code. It does not mean anything is out of order; I just mentioned it as an issue to check up on, as we do not take anything for granted. Got word from DrWeb that the counter code is OK,
polonus
-
I have the same issue while browsing http://mixsms.com: an error message appears again and again. However, when I browsed the same site on another computer with NORTON SECURITY, I didn't get any error.
Please guide how to fix it?
-
First, when posting links to suspect sites please 'modify' your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
I have been able to connect to that site without alert using avast and firefox 16.0.2 - You will have to be more specific on the alert, either full text of alert window or attach a screenshot of the alert window.
-
Hello, my site www.lombardi.com.ar has also been listed by avast in error. Please let us know how to fix it asap.
Thanks
-
Hi,
I unblocked the domain.
-
Please unblock DuxburyNews.com.
Thanks!
-
Please unblock www.telos.de and www.telos.info
There are no harmful things there. We have tested it with a bunch of software packages.
Thank you
-
Sites are opening without a problem for me.
-
Avast sees that there is something else loading with the page, the /|>{gzip} bit at the end of the URL in my attached image. The same alert is occurring at both links that you gave.
Having seen this type of alert before, the indication is that it is loading a compressed script file. Is there anything like that loading intentionally at your site?
-
Address could be redirecting to banner malcode?
Issues with telos dot de.
OpenSSH 5.5p1 Debian 6+squeeze7 (protocol 2.0) PHP/5.3.3-7+squeeze1
PHP vulnerable to arbitrary PHP code execution.
Site risk status 1 red out of 10: http://toolbar.netcraft.com/site_report?url=http://satellit.telos.de
For wxw.telos.de -> Overview
Cookies not flagged as "HttpOnly" may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the "HttpOnly" flag is missing it is due to oversight rather than by design.
Result
It looks like 2 cookies are being set without the "HttpOnly" flag being set (name : value):
PHPSESSID : mk16r3l8l278mpqh8oc7uhjul0
nf_wp_session : 69eb2731a4e2578d600b0d0f57a9bb46%7C%7C1444863977%7C%7C1444863917
This is what is flagged: Requested URL: -http://www.telos.de/ | Response URL: -http://www.telos.de/ | Page title: telos Systementwicklung GmbH | telos | HTTP status code: 200 (OK) | Response size: 31,367 bytes (gzip'd) | Duration: 1,625 ms Clickjacking...
polonus
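The scanner output quoted above flags two cookies set without HttpOnly. As an added example (not code from Avast, from the scanner, or from the site in question), the script below parses Set-Cookie headers and reports the missing flags a reviewer would look for; the three sample headers are constructed to mirror the two cookie names quoted in the post plus one correctly flagged cookie, and the cookie values and expiry are made up.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite flags.

Added example for this thread, not code from Avast or from the scanner
quoted in the post. The sample headers are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CookieReport:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def audit_cookie(set_cookie: str) -> CookieReport:
    # RFC 6265: the first segment is name=value, the rest are attributes
    # separated by ';'. Attribute names are case-insensitive; HttpOnly and
    # Secure are bare flags, so presence of the key is what matters.
    segments = [s.strip() for s in set_cookie.split(";") if s.strip()]
    name = segments[0].split("=", 1)[0].strip()
    attrs = {}
    for seg in segments[1:]:
        key, _, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip()
    report = CookieReport(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite") or None,
    )
    if not report.httponly:
        report.findings.append("no HttpOnly: readable via document.cookie, so an XSS can exfiltrate it")
    if not report.secure:
        report.findings.append("no Secure: the browser will also send it over plain http://")
    if report.samesite is None:
        report.findings.append("no SameSite: relying on the browser default instead of an explicit policy")
    elif report.samesite.lower() == "none" and not report.secure:
        report.findings.append("SameSite=None without Secure: Chromium-based browsers drop the cookie")
    return report


def audit_response(headers: List[str]) -> List[CookieReport]:
    """Run audit_cookie over every Set-Cookie header of one response."""
    return [audit_cookie(h) for h in headers]


# Constructed sample headers, modelled on the cookie names quoted in the post.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=mk16r3l8l278mpqh8oc7uhjul0; path=/",
    "nf_wp_session=69eb2731%7C%7C1444863977; expires=Wed, 14-Oct-2015 23:06:17 GMT; path=/",
    "cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# For a PHP site like the one discussed, the session cookie flags come from
# php.ini (or ini_set) rather than application code:
#   session.cookie_httponly = 1
#   session.cookie_secure   = 1
#   session.cookie_samesite = "Lax"   (PHP >= 7.3)
# Plugin-set cookies such as nf_wp_session need the flags passed to setcookie().

if __name__ == "__main__":
    for r in audit_response(SAMPLE_SET_COOKIE):
        status = "ok" if not r.findings else "; ".join(r.findings)
        print(f"{r.name}: {status}")
```

Feed it the Set-Cookie headers from a real response (for example the ones `curl -sI` prints) and fix the PHP directives first; the PHPSESSID cookie is the one an XSS would go after.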
-
Hi,
Avast was complaining about including link to zero-creatives.de, which we blocked since February 2012. I am now unblocking zero-creatives.de, so you should not see any warnings on telos.de or telos.info domains.
Thanks for reporting!
-
Confirmed no alerts on those domains now.
-
Dear Avast,
It seems one of our websites is blocked by mistake by Avast Antivirus.
The website url is http://kidsingreece.com.
Some Avast users reported that http://merinannies.com is blacklisted as well, but my latest version of avast antivirus marks it as safe.
Please remove them both from your blacklists.
Thank you in advance.
Best regards,
Yannis
-
IP history https://www.virustotal.com/en/ip-address/85.25.207.150/information/
IP history https://www.virustotal.com/en/ip-address/104.28.25.36/information/
scroll down to support ticket and report it https://support.avast.com/support/home
-
The IP is blacklisted :
http://urlquery.net/report.php?id=1449683723199
http://urlquery.net/report.php?id=1449683724523
http://zulu.zscaler.com/submission/show/413f0b69cc91b558b8793d1dbaeff673-1449683557
http://multirbl.valli.org/lookup/85.25.207.150.html
-
We reanalyzed the kidsingreece.com website in VirusTotal. It says it's absolutely safe. You can see the results here:
https://www.virustotal.com/en/url/3e6d387821a2fc7a86e78f1a537e74a160b902552290f62183a69143a618a90e/analysis/1449685491/
The other website runs through Cloudflare, and its IP is from Cloudflare.
-
Your website may not have actual malware being spread, there are insecurities like jQuery libraries that should be retired asap:
-http://kidsingreece.com
Detected libraries:
swfobject - 2.2 : -http://kidsingreece.com/components/com_imageshow/assets/js/swfobject.js
jquery - 1.4.2 : (active1) -http://kidsingreece.com/templates/gk_the_real_design/js/jquery-1.4.2.min.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.7.2 : -http://kidsingreece.com/templates/gk_the_real_design/js/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery-ui-dialog - 1.8.23 : -http://kidsingreece.com/templates/gk_the_real_design/js/jquery-ui.min.js
Info: Severity: medium
http://bugs.jqueryui.com/ticket/6016
jquery-ui-autocomplete - 1.8.23 : http://kidsingreece.com/templates/gk_the_real_design/js/jquery-ui.min.js
jquery-ui-dialog - 1.8.4 : http://kidsingreece.com/templates/gk_the_real_design/js/jquery-ui-1.8.4.custom.min.js
jquery-ui-autocomplete - 1.8.4 : http://kidsingreece.com/templates/gk_the_real_design/js/jquery-ui-1.8.4.custom.min.js
(active) - the library was also found to be active by running code
3 vulnerable libraries detected
Check SPF record
WARNING: Domain doesn't have SPF record. SPF (Sender Policy Framework) record is designed to prevent e-mail SPAM. Typical SPF record would be:
v=spf1 a mx ~all or v=spf1 a mx include:_spf.google.com ~all if you are using Google Apps.
When a website is blocked, it is because it shares the same IP with malware-spreading domains on that IP: https://www.virustotal.com/nl/ip-address/85.25.207.150/information/
This is the most likely scenario. Ask for an exclusion via https://www.avast.com/nl-nl/contact-form.php
Remember unblocking can only be performed by an Avast Team Member, and we here are not, we are just volunteers with relevant knowledge,
polonus (volunteer website security analyst and website error-hunter)
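The library list above comes from a retire.js-style scan: the version is read from the script filename (jquery-1.4.2.min.js) or, when the filename carries none (jquery.min.js), from the banner comment inside the file, and then compared against the first fixed version for each known issue. The block below is an added example that reproduces that logic for the two jQuery references cited in the post only (CVE-2011-4969, fixed in jQuery 1.6.3, and jQuery ticket 11290, fixed in 1.9.0); it is not retire.js, not its database, and not the scanner used above. It also adds the SPF classification the same post recommends. The HTML, file banners and TXT records are constructed, modelled on the paths quoted above.

```python
"""Retire.js-style check for outdated jQuery builds plus an SPF sanity check.

Added example for this thread; not retire.js, not Avast code. Sample HTML,
script bodies and TXT records are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, int, int]

# (library, first fixed version, reference). Only the two issues cited in the
# post are encoded; a real scan would use the retire.js repository data.
KNOWN_ISSUES = [
    ("jquery", (1, 6, 3), "CVE-2011-4969: $(location.hash) evaluated as HTML"),
    ("jquery", (1, 9, 0), "jQuery ticket 11290: selector containing '<' parsed as HTML"),
]

SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=["']([^"']+)["']""", re.I)
# jquery-1.4.2.min.js, jquery-ui-1.8.4.custom.min.js
NAME_VERSION = re.compile(r"(jquery-ui|jquery)[-.]v?(\d+)\.(\d+)(?:\.(\d+))?", re.I)
# "/*! jQuery v1.7.2 ..." or "jQuery JavaScript Library v1.4.2" (jQuery core only)
BANNER_VERSION = re.compile(r"jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+)\.(\d+)(?:\.(\d+))?", re.I)


@dataclass
class Finding:
    url: str
    library: str
    version: Version
    source: str  # "filename" or "banner"
    issues: List[str] = field(default_factory=list)


def _to_version(major: str, minor: str, patch: Optional[str]) -> Version:
    return (int(major), int(minor), int(patch or 0))


def identify(url: str, body: Optional[str]) -> Optional[Tuple[str, Version, str]]:
    """Return (library, version, how) for one script URL, or None if unknown."""
    m = NAME_VERSION.search(url.rsplit("/", 1)[-1])
    if m:
        return (m.group(1).lower(), _to_version(m.group(2), m.group(3), m.group(4)), "filename")
    if body is not None:
        # Versionless filename: look at the banner at the top of the file.
        m = BANNER_VERSION.search(body[:512])
        if m:
            return ("jquery", _to_version(m.group(1), m.group(2), m.group(3)), "banner")
    return None


def scan(html: str, fetch: Callable[[str], Optional[str]]) -> List[Finding]:
    """Identify every <script src> in html; fetch(url) returns its body or None."""
    findings = []
    for url in SCRIPT_SRC.findall(html):
        ident = identify(url, fetch(url))
        if ident is None:
            continue
        lib, ver, how = ident
        f = Finding(url, lib, ver, how)
        for name, fixed, ref in KNOWN_ISSUES:
            if lib == name and ver < fixed:  # tuple comparison
                f.issues.append(ref)
        findings.append(f)
    return findings


def spf_status(txt_records: List[str]) -> Tuple[str, Optional[str]]:
    """Classify a domain's TXT records by SPF policy (RFC 7208).

    Exactly one v=spf1 record is allowed; more than one is a permanent error.
    The qualifier on the final 'all' decides what happens to unlisted senders.
    """
    spf = [r.strip() for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return ("missing", None)
    if len(spf) > 1:
        return ("multiple", spf[0])
    record = spf[0]
    verdicts = {"-": "fail", "~": "softfail", "?": "neutral", "+": "pass-all"}
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return (verdicts[qualifier], record)
    return ("no-all", record)  # e.g. only a redirect= modifier, or truncated


# Constructed sample page, paths modelled on the ones quoted in the post.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/templates/gk_the_real_design/js/jquery-1.4.2.min.js"></script>
<script src="/templates/gk_the_real_design/js/jquery.min.js"></script>
<script src="/templates/gk_the_real_design/js/jquery-ui-1.8.4.custom.min.js"></script>
<script src="/components/com_imageshow/assets/js/swfobject.js"></script>
</head></html>"""

# Constructed script bodies; only the banner line matters for identification.
SAMPLE_FILES = {
    "/templates/gk_the_real_design/js/jquery.min.js": "/*! jQuery v1.7.2 jquery.com | jquery.org/license */\n(function(a,b){})(window);",
    "/components/com_imageshow/assets/js/swfobject.js": "/*! SWFObject v2.2 <http://code.google.com/p/swfobject/> */",
}

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, SAMPLE_FILES.get):
        print(f"{f.library} {'.'.join(map(str, f.version))} ({f.source}) {f.url}: {f.issues or 'no known issue'}")
    print(spf_status(["v=spf1 a mx ~all"]))
```

For a live site, pass a `fetch` that does the HTTP GET (a `requests.get(...).text` wrapper) and the domain's TXT records from `dig TXT example.com +short`; the two jQuery entries in `KNOWN_ISSUES` are the reason a scanner reports "3 vulnerable libraries" for a page that serves both jQuery 1.4.2 and 1.7.2.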
-
I unblocked kidsingreece.com now ;)
merinannies.com does not seem to be blocked now.
-
First of all, I want to thank you all for voluntarily helping with the issue.
We made an extended search and we are facing the same problem for the following domains as well:
1) medical-shop.gr
2) kakaounakis.gr
3) chamonix-nannies.com
4) courchevelnannies.com
5) courchevelnannies.com
6) chamonix-nannies.com
4 of them are practically the same website.
Can you please unblock them as well?
-
Yup, I unblocked them just now ;)
-
Brookvillebands.org
is being blocked. I've run several URL scans and all say it is clean. Any suggestions?
FYI, it is a Go Daddy site and they say it is clean.
-
Next time also do a IP check.
URL:MAL = IP is blacklisted
https://www.avast.com/contact-form.php?subject=VIRUS-FILE
-
@Eddy: URL:Mal means either blacklisted domain or IP (or both). There is no easy way of finding out (you can connect to the IP directly and see if it is blocked).
@jjswope: The domain was blocked due to suspicion to Angler exploit kit a month ago. I do not see anything malicious coming from it now, so I unblocked it ;)
-
HonzaZ,
what about the URL:MAL2 that we see lately.
Any difference from URL:MAL ?
If so, what is the difference ?
-
I think it had something to do with which shield blocks it - if it was network shield (Mal) or webshield (Mal2). Since the merge of the two shields, I think you should only be seeing URL:Mal.
So anyway, for you or me, it should be the same, it is only an implementation detail.
-
Hello,
I am having the same issue with one of my websites. www.bikerathome.com had a malware attack but was cleaned and cleared by Google yet some of our suppliers are not able to get my emails because of the association with a "malicious" site. They sent me the message from Avast. Can you please remove our site from your blocked list? Anything associated with www.ahastores.com should be clear and no malware messages.
Thank you, David
Aha Stores
-
Neither site is blocked by avast.
-
Though both say:
--2016-02-02 09:57:04-- http://bikerathome.com/
Resolving bikerathome.com... 104.239.136.18
Connecting to bikerathome.com|104.239.136.18|:80... failed: Connection refused.
-
The first one does now, not when I checked earlier ???
It also does now resolve to 104.207.236.98
Blacklisted :
http://www.web-malware-removal.com/website-malware-virus-scanner/?url=www.bikerathome.com
https://www.virustotal.com/en/url/3ac2f82e5638d897e573d6617b3f30ed9cea80eda18b40f5d95d74d12df5bf2b/analysis/1454426042/
http://urlquery.net/report.php?id=1454426328642
http://urlquery.net/report.php?id=1454426382763
http://zulu.zscaler.com/submission/show/84a129bb6eede9d9be0d76282b32b14a-1454375735
Vulnerable and possibly the cause of the infections :
http://retire.insecurity.today/#!/scan/0ec66034341560afcca2459a44664aeae1a63ce59dfb09cc65504bb853dc0983
-
For the specific vulnerabilities with jquery.min.js -> read: https://ttmm.io/tech/jquery-xss/
Re:
2 errors and 7 warnings here: https://mxtoolbox.com/domain/www.bikerathome.com/
and see where this lands: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.bikerathome.com%2Fjs%2Fjquery%2Fjquery-ui.min.js
70% of the trackers on this site could be protecting you from NSA snooping. Tell bikerathome.com to fix it.
Unique IDs about your web browsing habits have been insecurely sent to third parties.
d9ff818778eabdxxxxxxxxxxxxxxxec147b71450263598 -pastebin.com __cfduid
-seal.alphassl.com __cfduid
-local.adguard.com __cfduid
At least 10 third parties know you are on this webpage.
-www.bikerathome.com -www.bikerathome.com
-pastebin.com
-Facebook (Tracker)
-Google
-bikerathome.com
-www.paypal.com
-seal.alphassl.com
-Google
-local.adguard.com
-www.mustbebuilt.co.uk
polonus
-
Thanks for your help, I will send the details you provided to my developer. He assured me the malware was removed and we also got the ok from Google but obviously there still seems to be some warning errors out there. Explains why we are not getting any orders on that particular website. I know two of our suppliers that use Avast were not even getting my emails because bikerathome.com was in my signature line, and that's what brought me here. Thanks again.
David
Aha Stores
-
If you run a business, get dedicated hosting and stay away from shared hosting.
It will prevent a lot of problems already.
-
Please unblock keximvlc[.]com[.]vn. My website was hacked and they injected a virus on my website; that's why avast detected and blocked my domain. It has been completely updated and the virus removed. Please check and unblock my domain.
Thanks!
-
I removed keximvlc[.]com[.]vn from our blacklist ;)
-
Hi,
naijawapaz[.]ng was removed from blacklist.
Lukas
-
Hello,
Kindly remove https://healthhub[.]ng from avast blocklist
I have checked it and everything is ok, no malware, no virus.
Thanks.
-
Hello,
Kindly remove hxxps://healthhub[.]ng from avast blocklist
I have checked it and everything is ok, no malware, no virus.
Thanks.
-> https://sitecheck.sucuri.net/results/healthhub.ng
-
Could have been a general IP block, because of -http://cybercrime-tracker.net/index.php?s=0&m=40&search=Tesla
We have to wait and see what an avast team member will say on the matter, as they are the ones that can come and unblock.
Seems now the site is not responding (turns up a 301).
Re: -https://healthhub.ng request timed out (5 sec) No content
polonus
-
I have removed healthhub[.]ng from our blacklist
-
Hello,
Kindly remove https://shrinkearn.com from avast blocklist
I have checked it and everything is ok, no malware, no virus.
https://sitecheck.sucuri.net/results/https/shrinkearn.com
Thanks.
-
-> https://www.virustotal.com/gui/url/0c9329fae64654b1343084b40dc1f51b038cec126b41396bb9449b5960ac33c5/detection
-
@ shivagowda0206
Use the - Reporting Possible False Positive File or Website - https://www.avast.com/false-positive-file-form.php (https://www.avast.com/false-positive-file-form.php). This goes directly to the virus labs team.
You might also wish to take a look at the points raised here https://webhint.io/scanner/76ab37c6-34e9-48cf-ab6e-9bada8d1e9c1
-
Website is no longer being blocked by avast, checked on an avast-protected system. ;D
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)