Topic: Why does SacAreaHomes.com get URL:Mal?

brianlewisdesign

  • Guest
Why does SacAreaHomes.com get URL:Mal?
« on: October 24, 2012, 11:08:26 PM »
I am a web developer. My client's site SacAreaHomes.com gets blocked by Avast Network Shield as URL:Mal. I can't figure out why.

It's not on any unsafe or black lists. I virus/malware scanned it with online scanners, and downloaded all the site files and scanned them with Avast and Malwarebytes. No viruses. I can't figure out why it's getting blocked. Big problem.

Asyn
Re: Why does SacAreaHomes.com get URL:Mal?
« Reply #1 on: October 24, 2012, 11:23:41 PM »
You can report a possible FP here: http://www.avast.com/contact-form.php?loadStyles

DavidR
Re: Why does SacAreaHomes.com get URL:Mal?
« Reply #2 on: October 24, 2012, 11:35:17 PM »
Didn't find anything on http://sitecheck.sucuri.net/results/www.sacareahomes.com/ or http://www.urlvoid.com/scan/sacareahomes.com/, though this shows there are other domains on this IP address; possibly it is a block by IP address and not the domain.

Also clean on this http://urlquery.net/report.php?id=254961, but that too shows multiple domains on that IP/server, one of which has had prior infections.

But this looks like a somewhat strange JavaScript file name: /sites/default/files/js/js_a6d24340d6739dd389170a72a8f0cc63.js. I trust it is legit?

- There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, click Browse button and navigate to the file or enter the web URL for the site you wish to submit for review, etc. A link to this topic also wouldn't hurt.

Nesivos

  • Guest
Re: Why does SacAreaHomes.com get URL:Mal?
« Reply #3 on: October 24, 2012, 11:56:56 PM »
If you go to http://urlquery.net and scan SacAreaHomes.com you will find

xxxx://tech2bs2011.itsmyiq.com/redirecting.htm

http://urlquery.net/report.php?id=254981


If you run a scan on Sucuri of that website, it shows the website, i.e. xxxx://tech2bs2011.itsmyiq.com/, has been blacklisted

Quote
web site:    tech2bs2011.itsmyiq.com/
status:    Site blacklisted, malware not identified
web trust:          Site blacklisted.

http://sitecheck.sucuri.net/results/tech2bs2011.itsmyiq.com/


polonus
Re: Why does SacAreaHomes.com get URL:Mal?
« Reply #4 on: October 25, 2012, 12:25:54 AM »
Well done, Nesivos, good analysis. The IDS alert there is INDICATOR-OBFUSCATION Javascript obfuscation - eval\
Avast Web Shield detects this as JS:iframe-TJ[Trj]
Other sites with instances of this same JavaScript malware are still up and active here:
malware status OVERDUE and active at :
 htxp://www.notteroy.kulturhus.no/index.php/program  (cleansed?)
 htxp://customer.ibratro.com/redirecting.htm -> http://sitecheck.sucuri.net/results/customer.ibratro.com/redirecting.htm  blacklisted and infected
 htxp://dawsonrussellphotography.com/  -> http://sitecheck.sucuri.net/results/dawsonrussellphotography.com (more instances of various malcode)
 hxtp://www.bydesignseminars.com/ -> http://sitecheck.sucuri.net/results/www.bydesignseminars.com/  JS-malware instances
 htxp://www.formacionengestion.com/  form of blackhole: http://sitecheck.sucuri.net/results/www.formacionengestion.com/

polonus
« Last Edit: October 25, 2012, 12:35:40 AM by polonus »

brianlewisdesign

  • Guest
Re: Why does SacAreaHomes.com get URL:Mal?
« Reply #5 on: November 16, 2012, 07:12:11 AM »
Thanks guys. I did the steps recommended. Still waiting to see if the problem gets resolved.

I looked through and scanned with Avast the js file /sites/default/files/js/js_a6d24340d6739dd389170a72a8f0cc63.js
I reported the virus false-positive to avast. http://www.avast.com/contact-form.php?loadStyles
And I requested Dreamhost move the hosting to a different IP address, in case another site on the shared IP caused the virus warning.
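
The kind of check that surfaced the redirect in Reply #3 and the eval obfuscation alert in Reply #4, as an added example that is not part of any poster's message: a Python sketch that lists off-site iframe, script and meta-refresh targets and eval-packed inline scripts in a downloaded page, which a file-level virus scan can miss. The host names and sample HTML are constructed placeholders, and the regex is a review heuristic, not the signature used by Avast or the IDS.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic markers of eval-style packing; a hit means "review by hand", not "malware".
OBFUSCATION = re.compile(r"eval\s*\(\s*(?:unescape|function\s*\(|String\.fromCharCode|atob)", re.I)

class _Refs(HTMLParser):
    """Collect (tag, url) for elements that load or redirect to another document."""
    def __init__(self):
        super().__init__()
        self.refs, self.inline_js, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script", "embed") and a.get("src"):
            self.refs.append((tag, a["src"]))
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self.refs.append(("meta-refresh", m.group(1).strip()))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)

def audit_page(html, own_hosts):
    """Return sorted findings: off-site loads/redirects and eval-packed inline JS."""
    parser = _Refs()
    parser.feed(html)
    findings = set()
    for tag, url in parser.refs:
        host = urlparse(url).hostname          # None for relative (same-site) URLs
        if host and host.lower() not in own_hosts:
            findings.add(("offsite", tag, host.lower()))
    if any(OBFUSCATION.search(js) for js in parser.inline_js):
        findings.add(("eval-obfuscation", "script", "inline"))
    return sorted(findings)

# Constructed sample page; hosts are placeholders, not taken from the thread.
SAMPLE = """<html><head><script src="/sites/default/files/js/js_aggregated.js"></script>
<meta http-equiv="refresh" content="0; url=http://redirect.example.net/redirecting.htm">
</head><body><iframe src="http://redirect.example.net/redirecting.htm" width="1"></iframe>
<script>eval(unescape("%64%6f%63"))</script></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, {"www.client-site.example"}):
        print(finding)
```

Run it over every HTML file and template pulled from the server, with `own_hosts` set to the site's own domains and any CDNs it intentionally uses.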