Author Topic: URL:Mal for my site  (Read 13473 times)

zloyrusskiy

  • Guest
URL:Mal for my site
« on: January 22, 2013, 12:01:17 PM »
Please help, my site has been detected as malware (and all pics, css, icons =) ).
sp63.ru


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: URL:Mal for my site
« Reply #1 on: January 22, 2013, 12:06:45 PM »
URL:mal is not malware, but means the url is on a block list....for whatever reason

urlQuery: http://urlquery.net/report.php?id=799476

If you think this is wrong you can report it here: http://www.avast.com/contact-form.php
« Last Edit: January 22, 2013, 12:11:52 PM by Pondus »

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #2 on: January 22, 2013, 12:11:27 PM »
URL:mal is not malware, but means the url is on a block list....for whatever reason
But avast blocks our pages (look at the attachment).
What is the "avast block list" and how can I get out of this black list?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: URL:Mal for my site
« Reply #3 on: January 22, 2013, 12:12:31 PM »
see my post above.... where to report it

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #4 on: January 22, 2013, 12:22:41 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal for my site
« Reply #5 on: January 22, 2013, 03:49:59 PM »
I see favicon.ico related code being flagged here: JS:ScriptPE-inf[Trj]
Given clean here: http://quttera.com/detailed_report/sp63.ru

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #6 on: January 22, 2013, 05:40:36 PM »
I see favicon.ico related code being flagged here: JS:ScriptPE-inf[Trj]
Given clean here: http://quttera.com/detailed_report/sp63.ru

polonus
I followed your link and see nothing:

0 Malicious
0 Suspicious
0 Potentially suspicious

I don't understand you.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal for my site
« Reply #7 on: January 22, 2013, 05:43:31 PM »
I mean to say the results are all clean (sucuri's, quttera's, urlquery.net etc. etc.), the alert from avast is something related to favicon-related malcode. I guess it is a FP, and good you have reported it to avast.

polonus

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #8 on: January 22, 2013, 05:48:24 PM »
You don't understand me: avast alerts on every page of my site, on dynamic pages, static HTML, images, JavaScript (and CSS too :) ), not only favicon.ico.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: URL:Mal for my site
« Reply #9 on: January 22, 2013, 06:24:59 PM »
I mean to say the results are all clean (sucuri's, quttera's, urlquery.net etc. etc.), the alert from avast is something related to favicon-related malcode. I guess it is a FP, and good you have reported it to avast.

polonus

No, the alert is from the network shield; it would fire on any link within the domain. The favicon.ico file is one of the first that is loaded (into the address bar), but the alert isn't specifically related to that file but to the domain.

@zloyrusskiy
When reporting this (using the contact form link given by Pondus), request a network shield review and give a link to this topic as it gives more information.

Other checks reporting clean:
http://sitecheck.sucuri.net/results/www.sp63.ru/ and http://www.urlvoid.com/scan/sp63.ru/.
You already have the link for urlquery reporting clear.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: URL:Mal for my site
« Reply #10 on: January 22, 2013, 06:39:44 PM »
This malware, jsscriptip-inf-trj.html, is also flagged for that site, for instance avast Web Shield flags this for http://wXw.sp63.ru/index.php!{gzip}.
see: http://www.im-infected.com/trojan/jsscriptip-inf-trj.html

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: URL:Mal for my site
« Reply #11 on: January 22, 2013, 06:49:01 PM »
That is what escalation is about: enough hits by the web shield and it gets added to the network shield malicious sites list. Now if that has been cleared, as all of these scans appear to indicate, then it is the network shield review that is required.

No alert by avast on the index page or favicon.ico when the network shield isn't running.

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #12 on: January 22, 2013, 11:04:49 PM »
I installed avast antivirus and disabled the network shield, and the avast web shield is alerting on the login page with HTML:RedirME-inf [Trj]. It's the phpBB forum engine, and it's normal for the page to redirect after a successful login. WTF?

P.S. Where can I see a full description of your antivirus threats? There is no information to understand what it did not like on my site at all!   >:(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: URL:Mal for my site
« Reply #13 on: January 22, 2013, 11:13:54 PM »
You should have all the information in the web shield alert (use screenshot and attach) or from the web shield, details, Shield log. Or from the raw data file, C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report\WebShield.txt (XP) or C:\ProgramData\AVAST Software\Avast\report\WebShield.txt (Vista, Win7). These folders may be hidden; you may need to change Explorer settings to view hidden files and folders.

The malware name and full URL (modified to prevent an active link, hXXp) of the alert give us a good indication of what the issue is.

zloyrusskiy

  • Guest
Re: URL:Mal for my site
« Reply #14 on: January 23, 2013, 08:43:45 AM »
From webreport.txt (with disabled network shield)
23.01.2013 1:50:16      hxtp://www.sp63.ru/ucp.php?mode=login|>{gzip} [L] HTML:RedirME-inf [Trj] (0)

From NetworkShield.txt:
23.01.2013 1:43:02      hxtp://sp63.ru/ [L] URL:Mal (0)

How does this information help me to understand which virus it is?

What is "HTML:RedirME-inf [Trj]" or "URL:Mal"?
It looks like heuristic filter common names.

Where can I find a full description of these threats?
Where is the information about the details of the threat?
Which file on the site is dangerous?

I can't find answers to my questions.

P.S. After this morning's update of the virus bases, the antivirus doesn't alert anymore, yet... no files were changed on my site :(
« Last Edit: January 23, 2013, 09:39:10 AM by Milos »
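
An added example, not part of the thread and not Avast's own tooling: a Python sketch that parses shield report lines of the shape quoted in Reply #14 and separates domain-wide blocklist hits (URL:Mal, as explained in Reply #9) from content detections tied to a single URL. The line layout is inferred only from the two lines quoted in Reply #14, and all field and function names are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the two report lines quoted in Reply #14.
SAMPLE = """\
23.01.2013 1:50:16      hxtp://www.sp63.ru/ucp.php?mode=login|>{gzip} [L] HTML:RedirME-inf [Trj] (0)
23.01.2013 1:43:02      hxtp://sp63.ru/ [L] URL:Mal (0)
"""

# Layout assumed from those two lines only:
# <date> <time> <defanged URL>[|>{unpacker}] [<flag>] <detection name> (<code>)
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<target>\S+)\s+\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<name>.+?)\s+\((?P<code>-?\d+)\)\s*$"
)

def parse_line(line):
    """Return a dict for one report line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "|>" separates the URL from the unpack chain, e.g. {gzip}
    url, _, chain = rec.pop("target").partition("|>")
    # The stored URL stays defanged; the scheme is restored only for parsing.
    parts = urlsplit(re.sub(r"^h(xx|xt)p", "http", url, flags=re.I))
    path = parts.path + ("?" + parts.query if parts.query else "")
    rec.update(url=url, unpack=chain or None,
               host=(parts.hostname or "").lower(), path=path)
    # URL:* names mark a blocklisted address, not a finding in page content.
    rec["kind"] = "blocklist" if rec["name"].upper().startswith("URL:") else "content"
    return rec

def triage(text):
    """Group parsed records per site (leading 'www.' stripped) and kind."""
    out = defaultdict(lambda: {"blocklist": [], "content": []})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            site = rec["host"][4:] if rec["host"].startswith("www.") else rec["host"]
            out[site][rec["kind"]].append(rec)
    return dict(out)

if __name__ == "__main__":
    for site, groups in triage(SAMPLE).items():
        print(site, {k: [(r["name"], r["path"]) for r in v] for k, v in groups.items()})
```

A site that shows only `blocklist` records needs a blocklist review request, while `content` records name the exact URL and detection to include in a false-positive report.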