Author Topic: Website blocked.  (Read 10103 times)

uSmerfaAdm

  • Guest
Website blocked.
« on: April 07, 2013, 02:25:03 AM »
Hello,

I am the owner of the site http://usmerfa.pl (sorry if you take it as advertising, but it's not; read the whole post), and as I can see, Avast! is blocking my website. I have scanned all the storage of my VPS with a few other anti-viruses, just to be sure, even those for which I had to pay for a full license, and the result was one: the website is clear as a tear. The only anti-virus I know of that is blocking my website is Avast! at the moment. So I would like to know if it has only been put on a blacklist or if there really are some dangerous files, and if there are, I would like to know which ones exactly (Avast doesn't show me anything specific :P).


I would be grateful for help.

Cheers Patryk.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37581
  • Not a avast user
Re: Website blocked.
« Reply #1 on: April 07, 2013, 02:55:38 AM »


Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Website blocked.
« Reply #3 on: April 07, 2013, 03:21:53 AM »
Quote
Hello,

I am the owner of the site http://usmerfa.pl (sorry if you take it as advertising, but it's not; read the whole post), and as I can see, Avast! is blocking my website. I have scanned all the storage of my VPS with a few other anti-viruses, just to be sure, even those for which I had to pay for a full license, and the result was one: the website is clear as a tear. The only anti-virus I know of that is blocking my website is Avast! at the moment. So I would like to know if it has only been put on a blacklist or if there really are some dangerous files, and if there are, I would like to know which ones exactly (Avast doesn't show me anything specific :P).


I would be grateful for help.

Cheers Patryk.

If you think this is wrong, you can report it here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply.

uSmerfaAdm

  • Guest
Re: Website blocked.
« Reply #4 on: April 07, 2013, 11:53:07 AM »
This makes me really sick, as even when my VPS was empty I had those silly blocks... so I believe they are simply false.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37581
  • Not a avast user
Re: Website blocked.
« Reply #5 on: April 07, 2013, 12:01:00 PM »
Quote
even when my VPS was empty I had those silly blocks
???   

uSmerfaAdm

  • Guest
Re: Website blocked.
« Reply #6 on: April 07, 2013, 06:07:50 PM »
Yeah.. my face was just like that when I saw it. I hoped that's only some misunderstanding and it will pass after a few hours / days, but as we can see, it's still as it was....

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37581
  • Not a avast user
Re: Website blocked.
« Reply #7 on: April 07, 2013, 06:39:44 PM »
Quote
Yeah.. my face was just like that when I saw i
That was my reaction too... what do you mean by... my VPS was empty?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Website blocked.
« Reply #8 on: April 07, 2013, 06:42:49 PM »
Bitdefender TrafficLight also blocks the site: https://trafficlight.bitdefender.com/info?url=http://www.usmerfa.pl/
"Stop, this website is not safe." Flagged because of a PHP error?
But it could be that this code is being detected because it is packed and obfuscated: htxp://banid.pl/banid-widget.js
info: [decodingLevel=0] found JavaScript
     suspicious Security warning in the URL:   info: [script] banid.pl/banid-widget.js

But more likely an error here:     
htxp://www.psychostats.usmerfa.pl/index.php
Discussed here: http://labs.sucuri.net/db/malware/php-error-fatal-error

Probably site detection is a false positive, but this scanner is more certain about what is being flagged:
http://evuln.com/tools/malware-scanner/www.usmerfa.pl/

polonus
« Last Edit: April 07, 2013, 06:47:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Website blocked.
« Reply #9 on: April 07, 2013, 06:49:27 PM »
And it is not only avast that detects this site:

Avast: JS:Iframe-AMQ [Trj]
Comodo: TrojWare.JS.Iframe.FK
Kaspersky: HEUR:Trojan.Script.Generic
VIPRE: Exploit.HTML.Iframe.dm (v)
AVG: HTML/Framer
GData: JS:Iframe-AMQ
ESET-NOD32: JS/Iframe.HH
 
polonus


uSmerfaAdm

  • Guest
Re: Website blocked.
« Reply #10 on: April 07, 2013, 07:50:14 PM »
Are you kidding me? I'm curious how your Kaspersky could find anything if mine didn't :). Anyway, as I can see now, this whole malware is affected in the signin code :D Yesterday I upgraded my IPB version, so the signin code is originally from IPB, and now the question is: you want to tell me that IPS is developing malware :D? Are you serious :D? Nahh...... If Avast ain't gonna take off the blockade, I will report it to IPS, and I'm not sure how it will finish :)


However, if it's really true about this malware, I would like to ask someone to give me a guide on how to clean it from the website.
« Last Edit: April 07, 2013, 07:57:06 PM by uSmerfaAdm »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Website blocked.
« Reply #11 on: April 07, 2013, 10:31:25 PM »
This is being flagged as malicious: htxp://www.usmerfa.pl/public/min/index.php?ipbv=b8510b7e13675a5a1150be164f6ef30c&charset=UTF-8&f=public/js/ipb.js,cache/lang_cache/2/ipb.lang.js,public/js/ips.hovercard.js,public/js/ips.quickpm.js,public/js/ips.signin.js
This was reported before here: http://xwis.net/forums/index.php/topic/176435-blackhole-exploit-kit-xwisnet/
Not flagged here: http://wepawet.iseclab.org/view.php?hash=d1a661e5bb70c11cff397efea08571c7&t=1365365811&type=js
See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fwww.usmerfa.pl%2Fpublic%2Fmin%2Findex.php%3Fipbv%3Db8510b7e13675a5a1150be164f6ef30c%26charset%3DUTF-8%26f%3Dpublic%2Fjs%2Fipb.js%2Ccache%2Flang_cache%2F2%2Fipb.lang.js%2Cpublic%2Fjs%2Fips.hovercard.js%2Cpublic%2Fjs%2Fips.quickpm.js%2Cpublic%2Fjs%2Fips.signin.js&ref_sel=Google&ua_sel=ff  (I get a failure: <urlopen error timed out>) and a HTTP/1.1 404 Not Found
because this was performed on the site... and is blocked by avast! Web Shield as /.../.../ips.signin.js - URL:Mal
is a Cross-Site Request Forgery, also known as a "one-click attack", an input validation attack which will deliver -> includes/printable.asp?
This attack is also being performed in bank website phishing!

polonus
« Last Edit: April 07, 2013, 10:50:43 PM by polonus »

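As an added example (not part of any post in this thread): the URL flagged in Reply #11 is a bundle that concatenates five scripts, so a detection on it does not say which file is responsible. The sketch below splits the `f=` list and checks each file against simple iframe heuristics; the patterns and the sample file contents are constructed assumptions, and a hit is only a lead for manual review, since legitimate code also creates iframes.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Bundle URL as posted in the thread (defanged "htxp" scheme kept as-is).
BUNDLE_URL = ("htxp://www.usmerfa.pl/public/min/index.php"
              "?ipbv=b8510b7e13675a5a1150be164f6ef30c&charset=UTF-8"
              "&f=public/js/ipb.js,cache/lang_cache/2/ipb.lang.js,"
              "public/js/ips.hovercard.js,public/js/ips.quickpm.js,"
              "public/js/ips.signin.js")

# Heuristic patterns (assumptions for this example, not any vendor's signature).
INDICATORS = {
    "document.write of iframe": re.compile(
        r"document\.write(?:ln)?\s*\([^;]*<\s*iframe", re.I),
    "createElement('iframe')": re.compile(
        r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I),
    "hidden or 0/1px iframe": re.compile(
        r"<\s*iframe[^>]*(?:(?:width|height)\s*=\s*['\"]?[01]\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
}

def bundle_files(url):
    """Return the source files a minify-style URL concatenates (its f= list)."""
    query = parse_qs(urlsplit(url).query)
    return [p for p in query.get("f", [""])[0].split(",") if p]

def iframe_indicators(js_source):
    """Names of the heuristic patterns that match this JavaScript text."""
    return [name for name, rx in INDICATORS.items() if rx.search(js_source)]

def triage(url, read_file):
    """Map each bundled file to its indicator hits; read_file(path) -> text."""
    return {path: iframe_indicators(read_file(path)) for path in bundle_files(url)}

# Constructed file contents standing in for the copies on the web server.
SAMPLE_FILES = {
    "public/js/ipb.js": "var ipb = {vars: {}};",
    "cache/lang_cache/2/ipb.lang.js": "ipb.lang = {'ok': 'OK'};",
    "public/js/ips.hovercard.js": "function hover(e) { return e.id; }",
    "public/js/ips.quickpm.js": "function quickPM(id) { return id; }",
    "public/js/ips.signin.js": (
        "document.write('<iframe src=\"http://example.invalid/\" "
        "width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');"),
}

if __name__ == "__main__":
    for path, hits in triage(BUNDLE_URL, SAMPLE_FILES.__getitem__).items():
        print(f"{path}: {', '.join(hits) or 'no indicators'}")
```

On a real server, `read_file` would read each path relative to the forum's install directory, and comparing a flagged file against the vendor's original release copy settles whether the iframe code was injected.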
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Website blocked.
« Reply #12 on: April 07, 2013, 10:53:22 PM »
More about these kinds of attacks here: http://www.insecure.in/input_validation.asp (link source = Insecure Lab, India)
Also read this: http://security.stackexchange.com/questions/24044/what-is-a-shrink-wrap-code-attack (link reply author = Iszi)

polonus
« Last Edit: April 07, 2013, 11:11:40 PM by polonus »

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6674
  • volunteer
Re: Website blocked.
« Reply #13 on: April 09, 2013, 02:54:47 AM »
Quote
Are you kidding me? I'm curious how your Kaspersky could find anything if mine didn't :). Anyway, as I can see now, this whole malware is affected in the signin code :D Yesterday I upgraded my IPB version, so the signin code is originally from IPB, and now the question is: you want to tell me that IPS is developing malware :D? Are you serious :D? Nahh...... If Avast ain't gonna take off the blockade, I will report it to IPS, and I'm not sure how it will finish :)


However, if it's really true about this malware, I would like to ask someone to give me a guide on how to clean it from the website.

It is not blocked with the current VPS. The update fixes the issue (130408-2); the site is functioning normally.

Thanks Milos  :)

uSmerfaAdm

  • Guest
Re: Website blocked.
« Reply #14 on: April 11, 2013, 01:10:46 PM »
What upgrade do you mean? 3.4.3, 3.4.4, or the patch released after the 3.4.3 release? (Actually I have 3.4.3+patch.)