Author Topic: Malicious URL Blocked: floranimal.ru  (Read 6684 times)

naive

  • Guest
Malicious URL Blocked: floranimal.ru
« on: August 22, 2012, 10:04:44 PM »
Hi there.

I'm in charge of floranimal.ru.
Some of our visitors have problems using our site, caused by Avast blocking it.

According to this: http://sitecheck.sucuri.net/results/floranimal.ru
only McAfee does the same.

While I was reading responses on McAfee's site, I realized that this could be because of some attacks that happened in 2009-2010.

I've already sent them a message asking to exclude our site from the blacklist, because we have had nothing dangerous for the last 2 years for sure (actually, I don't know if there could have been something before, because I wasn't working on it at that time).

In that case I'm asking to exclude our site from your blacklist database too.

Thanks.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: Malicious URL Blocked: floranimal.ru
« Reply #2 on: August 22, 2012, 11:33:28 PM »
Hi naive,

First try to get your site off of this list: https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
and this one: http://www.dshield.org/feeds/suspiciousdomains_High.txt
This is used also to get bad web rep here: http://www.mywot.com/en/scorecard/floranimal.ru
You had malware running from there for nearly 40 hrs: htxp://floranimal.ru/pages/animal/g/1533.html (now being closed)
Still unknown html malware is active on your domain since 2012-08-22 23:04:52 and still alive...
see: http://www.malwaredomainlist.com/mdl.php?search=floranimal.ru&colsearch=All&quantity=50
listing  floranimal dot ru/articles/mashrooms/zh/cfg.bin & floranimal dot ru/articles/mashrooms/zh/ldr.exe (config.file and trojan)
VT results: https://www.virustotal.com/file/de05467bff40413cfd7bdce8808a47a76f039f7cd2a2f50c3e5a8e3b4ae7d343/analysis/1345216049/
Are these closed since 2010?  As avast still detects this as URL:Mal but it has been closed since 2010-12-12 21:24:07 after being on for 4946.5 hrs,

polonus
   
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

naive

  • Guest
Re: Malicious URL Blocked: floranimal.ru
« Reply #3 on: August 26, 2012, 11:58:15 PM »
hi, polonus,

thank you for your answer.
First of all - I see now that some results of the 2009-2010 hack attacks are still on the server. I had been told that everything was cleaned back then.
I see the files you've mentioned:
Quote
listing floranimal dot ru/articles/mashrooms/zh/cfg.bin & floranimal dot ru/articles/mashrooms/zh/ldr.exe (config.file and trojan)
That's why I'm gonna ask the guys to check everything.

But nevertheless I see nothing suspicious in the HTML and other scripts. As for me - they are all clean.
I don't understand what you meant here:
Quote
Still unknown html malware is active on your domain since 2012-08-22 23:04:52 and still alive...
see: http://www.malwaredomainlist.com/mdl.php?search=floranimal.ru&colsearch=All&quantity=50

'cause the link you gave is talking about just 2 files, which definitely must be deleted, but there is nothing that could harm your system while browsing the site.

I'm still gonna check everything once again, but if you see something dangerous on the site, would you be so kind as to show me where exactly you've seen it?

Thanx.
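
Added example, not part of the original thread: a webroot sweep that flags leftover binaries like the two listed above by file content as well as by extension, so it also catches an executable renamed to look like an image or a page. The function names, the extension list and the sample tree are assumptions made for illustration; the sample files are constructed stub bytes, and `photo.jpg` is a hypothetical disguised file.

```python
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

SUSPECT_EXT = {".exe", ".bin", ".dll", ".scr"}  # assumption: never legitimate in this content tree

def is_pe(path):
    """True if the file has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    with open(path, "rb") as fh:
        head = fh.read(0x40)
        if len(head) < 0x40 or head[:2] != b"MZ":
            return False
        fh.seek(struct.unpack_from("<I", head, 0x3C)[0])
        return fh.read(4) == b"PE\0\0"

def sweep(webroot):
    """Map relative path -> (reasons, last-modified UTC) for files that look out of place."""
    findings = {}
    for path in sorted(Path(webroot).rglob("*")):
        if not path.is_file():
            continue
        reasons = ["suspect extension"] if path.suffix.lower() in SUSPECT_EXT else []
        if is_pe(path):
            reasons.append("PE executable content")
        if reasons:
            mtime = datetime.fromtimestamp(path.stat().st_mtime, timezone.utc)
            findings[path.relative_to(webroot).as_posix()] = (reasons, f"{mtime:%Y-%m-%d %H:%M}")
    return findings

def build_sample_tree(root):
    """Constructed sample webroot: harmless stub bytes, not real malware."""
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    files = {
        "articles/mashrooms/zh/ldr.exe": pe_stub,   # path as listed in the thread
        "articles/mashrooms/zh/cfg.bin": b"\x8f\x11\x02 opaque config bytes",
        "pages/animal/g/photo.jpg": pe_stub,        # hypothetical: PE hidden as an image
        "inc/styles.css": b"body { margin: 0 }",
    }
    for rel, data in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, (reasons, mtime) in sweep(root).items():
            print(f"{mtime}  {rel}: {', '.join(reasons)}")
```

The modification times in the output help tie each finding to a known compromise window; on a real server, point `sweep()` at the document root instead of the sample tree.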

naive

  • Guest
Re: Malicious URL Blocked: floranimal.ru
« Reply #4 on: August 27, 2012, 12:02:14 AM »
-> http://zulu.zscaler.com/submission/show/bf3df065756e0ad7bc7301f5ac9eebc9-1345670629

so what?
as for me - it's nothing (or maybe you'd be so kind as to try to explain it to me?)

for example, this scanner gives me:
Quote
http://floranimal.ru/inc/styles.css    link    Malicious
so what?

what's wrong with that CSS file? O_o


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Malicious URL Blocked: floranimal.ru
« Reply #6 on: August 27, 2012, 12:27:33 AM »
The URL is blacklisted via Zulu, thus all links to your site are counted as malicious, whether they are actually malicious or not.

Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

Re: Malicious URL Blocked: floranimal.ru
« Reply #7 on: August 27, 2012, 12:32:57 AM »
Naive,

There is still something there

What about JavaScript" src="htxp://engine.adnet.ru/code?pid=8484&gid=8&oin=0&rid=' + random +'"
See: http://www.mywot.com/en/scorecard/engine.medialand.ru?utm_source=addon&utm_content=warn-viewsc
Bad web rep for all 4 categories
Reanalyzed the site: http://zulu.zscaler.com/submission/show/bf3df065756e0ad7bc7301f5ac9eebc9-1346019417
As SiteSecurity and Quttera see no issues, you could file a FP report here:
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
Then you have to wait for the avast analysts to lift the block if they find the site is no longer suspicious/malicious.
Mind you that PHP 5.2.8. has many listed vulnerabilities:
http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-67434/PHP-PHP-5.2.8.html
69 listed alone via that link....

polonus

naive

  • Guest
Re: Malicious URL Blocked: floranimal.ru
« Reply #8 on: August 27, 2012, 06:50:52 PM »
Polonus,

Quote
What about JavaScript" src="htxp://engine.adnet.ru/code?pid=8484&gid=8&oin=0&rid=' + random +'"
See: http://www.mywot.com/en/scorecard/engine.medialand.ru?utm_source=addon&utm_content=warn-viewsc
Bad web rep for all 4 categories

adnet is an advert network, nothing more. As far as I could see, all those "site trust-o-meters" suppose that any links or sites that are connected to SEO link-selling platforms or advert networks are malicious.
So what do we have to do? Remove our advert just because someone thinks it's suspicious?

Quote
Reanalyzed the site: http://zulu.zscaler.com/submission/show/bf3df065756e0ad7bc7301f5ac9eebc9-1346019417

OK. I see this 100/100 Malicious, but can anyone explain WHAT exactly this stupid scanner sees? As I've said before, I see nothing suspicious in the links it gives - at all.

Quote
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles
Isn't it enough to post it here?
OK, if so - I'll try to do it by filling in one more form.

Thx.

naive

  • Guest
Re: Malicious URL Blocked: floranimal.ru
« Reply #9 on: August 27, 2012, 06:52:06 PM »
Quote
The URL is blacklisted via Zulu, thus all links to your site are counted as malicious, whether they are actually malicious or not.

Strange scanner logic, btw...

Offline polonus

Re: Malicious URL Blocked: floranimal.ru
« Reply #10 on: August 27, 2012, 09:46:00 PM »
Hi naive,

It has nothing to do with that scanner, because part of what it flags is also taken from blacklisting by other sources. And according to me your site has not as yet regained its crystal-clear web reputation. Some blacklists are a bit slow in renewal when malware is no longer responding (so-called dead malware), closed, and so the blocks sometimes go on a bit longer than the infection lasted. With infections that were on there for weeks and weeks, I can imagine that to be the case. ParetoLogic is known to have an outdated list and also the Russian http://www.mwis.ru/ has a lot of alerts for what really is "water under the bridge"...history so to say....
Just wait and see what your reported FP brings,

polonus