Author Topic: False Positive on want2race.co.uk (Read 3739 times)

brainstormdesign · « **on:** April 25, 2014, 04:37:18 PM »

Hi,

Can you please check to see if there is a false positive on the following URL / Server:
http://www.want2race.co.uk / 185.17.181.14

We don't seem to have issues with some of our other domains on the same server.

Thanks

Eddy · « **Reply #1 on:** April 25, 2014, 04:58:04 PM »

The problem seems to be with cutwel-tools.co.uk

jefferson sant · « **Reply #2 on:** April 25, 2014, 05:48:59 PM »

Mcafee This link is suspicious

http://www.siteadvisor.com/sites/want2race.co.uk

ip in blacklist

http://www.ipvoid.com/scan/78.129.250.40/

http://support.clean-mx.de/clean-mx/viruses.php

it seems like"hxxp://want2race.co.uk/ebaca1bbdbc21f3da9e1cda26c0b83fb/q.php" blackhole exploit kit

can you confirm that this clean ?

brainstormdesign · « **Reply #3 on:** April 25, 2014, 06:05:52 PM »

Quote from: Eddy on April 25, 2014, 04:58:04 PM

The problem seems to be with cutwel-tools.co.uk

Sorry, I'm not sure what this means?

brainstormdesign · « **Reply #4 on:** April 25, 2014, 06:15:34 PM »

Quote from: jefferson santiag on April 25, 2014, 05:48:59 PM

Mcafee This link is suspicious

http://www.siteadvisor.com/sites/want2race.co.uk

ip in blacklist

http://www.ipvoid.com/scan/78.129.250.40/

http://support.clean-mx.de/clean-mx/viruses.php

it seems like"hxxp://want2race.co.uk/ebaca1bbdbc21f3da9e1cda26c0b83fb/q.php" blackhole exploit kit

can you confirm that this clean ?

The /q.php definitely doesn't exist.
The IP Address on ipvoid is also wrong, the IP is:
Address lookup
canonical name    want2race.co.uk.
aliases
addresses    185.17.181.14

I'll check the McAfee thing and get that sorted.

jefferson sant · « **Reply #5 on:** April 25, 2014, 06:35:03 PM »

Hello.
please

use http://www.avast.com/contact-form.php

jefferson sant · « **Reply #6 on:** April 26, 2014, 04:09:27 PM »

Quote from: brainstormdesign on April 25, 2014, 04:37:18 PM

Hi,

Can you please check to see if there is a false positive on the following URL / Server:
http://www.want2race.co.uk / 185.17.181.14

We don't seem to have issues with some of our other domains on the same server.

Thanks

~~The URL was unblocked in update VPS 140426-0.~~

polonus · « **Reply #7 on:** April 26, 2014, 04:34:25 PM »

Hi 185.17.181.14 is not flagged at urlquery dot net -> http://urlquery.net/report.php?id=1398521749908
Badness history of IP: https://www.virustotal.com/nl/ip-address/185.17.181.14/information/
When I scan the site I get a server redirect status: Code: 404, Content cannot be read!
Extensive header ifo spread: apache/2.2.25 (unix) mod_ssl/2.2.25 openssl/1.0.0-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635
-> Unable to properly scan your site. Site returning error (40x): HTTP/1.1 404 Not Found

pol

jefferson sant · « **Reply #8 on:** April 28, 2014, 12:28:34 AM »

Looks like it was not cleaned not is clean server
will remain blocked until you solve

Reporting for vírus analyst

polonus · « **Reply #9 on:** April 28, 2014, 01:16:56 AM »

This was the vulnerability that was exploited on mentioned site: http://security.stackexchange.com/questions/44705/is-requestid-vulnerable-to-sql-injection
info credits go to zer0fl4g, bobnince & HamZa,
I gave the vulnerable script as an attached image.

pol

Author Topic: False Positive on want2race.co.uk (Read 3739 times)

brainstormdesign

False Positive on want2race.co.uk

Eddy

Re: False Positive on want2race.co.uk

jefferson sant

Re: False Positive on want2race.co.uk

brainstormdesign

Re: False Positive on want2race.co.uk

brainstormdesign

Re: False Positive on want2race.co.uk

jefferson sant

Re: False Positive on want2race.co.uk

jefferson sant

Re: False Positive on want2race.co.uk

polonus

Re: False Positive on want2race.co.uk

jefferson sant

Re: False Positive on want2race.co.uk

polonus

Re: False Positive on want2race.co.uk