Avast Blocks Connection to Clean Sites

[Astrit]

Hello,
My Avast Internet Security is blocking access to all sites that are hosted under a specific IP. The sites I am trying to reach are clean (i've personally checked the code, the host with whom I am hosting the site has performed several scans and everything seems to be apparently normal, but yet Avast is blocking connection to those sites).

Here is the error where it links me to when the site gets blocked: http://www.avast.com/it-it/lp-pr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_ise_80_0&utm_medium=prg_systray&utm_content=.%2Fpaid%2Fit-it%2Fvirus-alert-default&p_vir=URL:Mal&p_prc=C:\Program%20Files\Mozilla%20Firefox\firefox.exe&p_obj=http://www.usedlaptopsale.net/feed/&p_var=.%2Fpaid%2Fit-it%2Fvirus-alert-default&p_pro=2&p_vep=8&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=197&p_lng=it&p_lid=it-it&p_elm=7&p_vbd=1483

The IP that is getting affected is: 64.202.120.73 , and any site under that IP seems to be blocked (clean or not clean site, they get blocked, period) (here are some sites that you could also check that are under the same IP: 061.ir 12cideyilem.org 18ktwhitegoldweddingrings.com 1creationsiteweb.com).

This is quiet annoying and I wonder if my sites are infected or not, what could the consequences be and how much I might be losing on profit from this false alarms?

[DavidR]

There appears to be multiple domains hosted on that IP address and some of them are infected, so the Block may be on IP rather than domain name.

See http://urlquery.net/report.php?id=1565592 and http://www.urlvoid.com/scan/usedlaptopsale.net/ showing 5/11 domains on that IP are blacklisted/infected.

But that domain appears to be clean, http://sitecheck.sucuri.net/results/www.usedlaptopsale.net.

####
There is an on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (Network Shield), etc. A link to this topic also wouldn't hurt.

[polonus]

See the problem here: http://sameid.net/ip/64.202.120.73/

polonus

[Astrit]

@DavidR
Thank you very much for checking the issue thoroughly. Indeed I suspected that the IP was being blacklisted because another site that I am hosting under the same IP was being blocked. I've also contacted the web host and we already tracked one infected site, but seems like there are more infected  , tho I am thinking of getting a dedicated IP for my site only to avoid an similar incidents in the future. I will however, also use the form to report a FP (very useful, thanks!).

@polonus, thank you!

I will forward this thread to my webhost so they can check this too.

[DavidR]

You're welcome.

[polonus]

Hi Astrit,

Thank you for reporting this FP here. To see what is being flagged on that IP, look here (recent 6 issues): http://urlquery.net/report.php?id=1363922
It concerns malcious iFrames and malicious Flash data IDS alerts as you can see.
Also a lot of PHISHING goin on there: http://support.clean-mx.de/clean-mx/phishing.php?sort=firstseen%20desc&review=64.202.120.73

polonus

[Astrit]

Hi polonus,
Thank you, i've also updated the host and already searching for a new host provider to move on.

But don't you think that blocking an entire IP is a bit extreme? Or is the threat so extended to block an entire IP really?

[polonus]

Astrit,

This depends on what urged the avast! team to block.
I am a volunteer website code analyst here at these forums.
avast! team members like for instance Milos & F. Chytry decide what IP (IP-range) should be blocked/unblocked...
If there are thousands of domains assigned to one single IP a single IP block could mean frustration ahead for many.
Therefore this should be tested before implementation. If there are three bad domains (according to malware reported)
blocking several thousand domains should not be a first option.
There are 33 websites on that IP: http://myip.ms/info/whois/64.202.120.73
None blocked here: http://www.ipvoid.com/scan/64.202.120.73/
On the other hand the hosting party also has a responsibility towards those that are hosted to keep their services cleansed, take malware down as soon as reported or found, do not leave issues with a LONG OVERDUE status as they are, secure and harden their servers and log and IDS log.

It is a pity there are still hosting parties that care less about security but see their services more as an income model first...

Then also webmasters have a task securing their websites through upgrading and updating their website software and other measures (scanning, PHP security etc. etc.)

polonus