Author Topic: Avast blocks my web site (goldbody.com.ua) (Read 4571 times)

REDACTED · « **on:** April 07, 2015, 03:10:27 PM »

I dont know why, but AVAST has blocked my website http://goldbody.com.ua/,
I've checked for viruses by lots of online services
http://www.urlvoid.com/scan/goldbody.com.ua/
http://www.urlvoid.com/scan/goldbody.com.ua/

Nothing has been found. Also Google and Yandex web master tools do not see any malware at the hosting.
I've tried to "report false virus alert on website" at https://www.avast.com/contact-us.php?subject=VIRUS-FILE
but I have not gotten any response

Pls advise what can I do?
I really appreciate any help you can provide.

Asyn · « **Reply #1 on:** April 07, 2015, 03:16:30 PM »

-> http://sitecheck.sucuri.net/results/goldbody.com.ua/
-> http://zulu.zscaler.com/submission/show/3f58286bc6bff0bb94cbb7c668d93727-1428412286

Eddy · « **Reply #2 on:** April 07, 2015, 03:43:59 PM »

Site is blacklisted:
http://zulu.zscaler.com/submission/show/3f58286bc6bff0bb94cbb7c668d93727-1428412286
http://multirbl.valli.org/lookup/185.14.29.112.html

Suspicious script and external links:
http://www.web-malware-removal.com/website-malware-virus-scanner/

Problems on the same ASN:
http://urlquery.net/report.php?id=1428413171271
http://urlquery.net/report.php?id=1428413195802

Unable to connect to server:
https://www.ssllabs.com/ssltest/analyze.html?d=goldbody.com.ua

Tor node detected:
http://www.sectoor.de/tor.php

Suspicious files:
http://quttera.com/detailed_report/goldbody.com.ua

polonus · « **Reply #3 on:** April 08, 2015, 05:43:26 PM »

On the potential suspicious code: http://lxr.free-electrons.com/source/scripts/kconfig/zconf.hash.c_shipped?v=3.7
See code-snippet here:

Code: [Select]

static const unsigned char asso_values[] =
 48     {
 49       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 50       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 51       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 52       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 53       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 54       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 55       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 56       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 57       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 58       73, 73, 73, 73, 73, 73, 73, 73, 25, 25,
 59        0,  0,  0,  5,  0,  0, 73, 73,  5,  0,
 60       10,  5, 45, 73, 20, 20,  0, 15, 15, 73,
 61       20, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 62       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 63       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 64       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 65       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 66       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 67       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 68       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 69       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 70       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 71       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 72       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 73       73, 73, 73, 73, 73, 73, 73, 73, 73, 73,
 74       73, 73, 73, 73, 73, 73
 75     };
 76   register int hval = len;

polonus

REDACTED · « **Reply #4 on:** April 16, 2015, 03:33:36 PM »

Quote from: Asyn on April 07, 2015, 03:16:30 PM

-> http://sitecheck.sucuri.net/results/goldbody.com.ua/
-> http://zulu.zscaler.com/submission/show/3f58286bc6bff0bb94cbb7c668d93727-1428412286

-> http://sitecheck.sucuri.net/results/goldbody.com.ua/
Status: No Malware Detected by External Scan.
Web Trust: Not Currently Blacklisted (10 Blacklists Checked)

Milos · « **Reply #5 on:** April 16, 2015, 04:33:11 PM »

Hello,
I don't see it blocked. What alert message do you get from Avast? Screenshot should help.

Milos

Michael (alan1998) · « **Reply #6 on:** April 16, 2015, 10:10:38 PM »

Quote from: goldbody on April 16, 2015, 03:33:36 PM

Quote from: Asyn on April 07, 2015, 03:16:30 PM
-> http://sitecheck.sucuri.net/results/goldbody.com.ua/
-> http://zulu.zscaler.com/submission/show/3f58286bc6bff0bb94cbb7c668d93727-1428412286

-> http://sitecheck.sucuri.net/results/goldbody.com.ua/
Status: No Malware Detected by External Scan.
Web Trust: Not Currently Blacklisted (10 Blacklists Checked)

You have Tor on your Website (a Node). Why? You de know, Tor is used by Malware Vendors to launch programs Like Cryptowall 1.X/2.X/3.X and other Ransomware payloads right?

polonus · « **Reply #7 on:** April 16, 2015, 10:47:47 PM »

What about these results: http://multirbl.valli.org/lookup/185.14.29.112.html
Also consider on this IP:
htxp://whatmyip.co/info/search/1/stxt/steroid-store.com/k/740970123/steroid_store_com.html
Insecure login (1)
Password will be transmited in clear to htxp://whatmyip.co/info/search/1/stxt/steroid-store.com/k/740970123/steroid_store_com.html#logintop (N.B. Alert on above link).
Malware at IP for htxp://forces.uploads-market.ru/get_json? seems down now.
This website is a front for steriod-store.com
http://toolbar.netcraft.com/site_report?url=http://steroid-store.com ERR_NAME_NOT_RESOLVED
see: http://urlquery.net/report.php?id=1429217409108

polonus (volunteer website analyst and website error hunter)

Para-Noid · « **Reply #8 on:** April 16, 2015, 11:35:28 PM »

In the future please make "possible" malicious/infectious websites un-clickable.
This can be accomplished by using hxxp or htxp. Doing this will prevent those who lack
any knowledge about website analysis from getting infected.

polonus, !Donovan, Eddy and myself know how to use online tools safely.
We use a multitude of tools to research a website. We don't use just one or two, we use dozens of online tools.

polonus and !Donovan are the super experts.