Avast have blacklisted our website which is now clean

[Sarah Rushton]

Our website is www.hobbytronics.co.uk.
We discovered a malware apache intrusion yesterday that has now been resolved. The website 'Yandex' had blacklisted us but have resubmitted our site and it now reports our site as 'Clean'.
Can the blacklist be removed as this is having a serious effect to our visitors.
Thank you 

[JuninhoSlo]

Check your website with:

-virustotal.com
-securi.net
-unmaskparasites.com

Contact Avast team:
http://www.avast.com/contact-form.php

Thank you.

Bye

[bob3160]

Our website is www.hobbytronics.co.uk.
We discovered a malware apache intrusion yesterday that has now been resolved. The website 'Yandex' had blacklisted us but have resubmitted our site and it now reports our site as 'Clean'.
Can the blacklist be removed as this is having a serious effect to our visitors.
Thank you 

The following should help you accomplish that task:
http://forum.avast.com/index.php?topic=7779.msg62586#msg62586

[Sarah Rushton]

Thanks for the link but this deals with infected files on websites. As I said, I think we have cleared the infection and are getting clean reports from a multitude of checker. Just want avast to update the status.
Thanks

[polonus]

Site apparently clean: Checking:http://www.hobbytronics.co.uk/catalog/view/javascript/jquery/tab.js
File size:545 bytes
File MD5:28e93d3989dde04a06c719374adba692

htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/tab.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.easing-1.3.js
File size:5565 bytes
File MD5:747222608476f823d43ef81b5eaaadc0

htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.easing-1.3.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.easing-1.3.js/JSFile_1[0][15bd] - Ok
htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.easing-1.3.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/common.js
File size:698 bytes
File MD5:48c56f290f23ad3efa164caabd07218d

htxp://www.hobbytronics.co.uk/catalog/view/javascript/common.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/common.js/JSFile_1[0][2ba] - Ok
htxp://www.hobbytronics.co.uk/catalog/view/javascript/common.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/header.js
File size:1822 bytes
File MD5:77b01cf556a95196a73a9fbfdc965043

htxp://www.hobbytronics.co.uk/catalog/view/javascript/header.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/header.js/JSFile_1[0][71e] - Ok
htxp://www.hobbytronics.co.uk/catalog/view/javascript/header.js - Ok

Checking:hxtp://www.hobbytronics.co.uk/catalog/view/javascript/bookmark.js
File size:411 bytes
File MD5:f251a2c324e26263a4aab9ed643ae244

htxp://www.hobbytronics.co.uk/catalog/view/javascript/bookmark.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/bookmark.js/JSFile_1[0][19b] - Ok
htxp://www.hobbytronics.co.uk/catalog/view/javascript/bookmark.js - Ok

Checking:hxtp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/ajax_add.js
File size:1016 bytes
File MD5:da5d817e57229f29682451b1cb5aaa08

htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/ajax_add.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/ajax_add.js/JSFile_1[0][3f8] - Ok
hxtp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/ajax_add.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.fancybox-1.3.4.js
File size:26.72 KB
File MD5:a82904ccd5244d58c35f247a2c2d2975

htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.fancybox-1.3.4.js - archive JS-HTML
htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/fancybox/jquery.fancybox-1.3.4.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/jquery-1.3.2.js
File size:117.68 KB
File MD5:a450a51b5ee72fc00a371183477c41be

htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/jquery-1.3.2.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/jquery-1.3.2.js/JSTag_1[60d1][175e4] - Ok
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/jquery-1.3.2.js/JSTag_2[15a1b][7c9a] - Ok
htxp://www.hobbytronics.co.uk/catalog/view/javascript/jquery/jquery-1.3.2.js - Ok

Checking:htxp://www.hobbytronics.co.uk/catalog/view/javascript/fancybox.js
File size:665 bytes
File MD5:108c16b2434d838bf3f879b5eab6799f

htxp://www.hobbytronics.co.uk/catalog/view/javascript/fancybox.js - archive JS-HTML
>htxp://www.hobbytronics.co.uk/catalog/view/javascript/fancybox.js/JSFile_1[0][299] - Ok
hxtp://www.hobbytronics.co.uk/catalog/view/javascript/fancybox.js - Ok

Checking:htxp://www.hobbytronics.co.uk/
Engine version:7.0.4.9250
Total virus-finding records:4012529
File size:44.84 KB
File MD5:798a744243beb724fc7b161f17f7cdbd

htxp://www.hobbytronics.co.uk/ - archive JS-HTML
>htxp://www.hobbytronics.co.uk//JSTAG_1[58c][58] - Ok
>htxp://www.hobbytronics.co.uk//JSTAG_2[5d89][39e] - Ok
>htxp://www.hobbytronics.co.uk//JSTAG_3[ad36][1b7] - Ok
>htxp://www.hobbytronics.co.uk//JSTAG_4[b17d][1cb] - Ok
>htxp://www.hobbytronics.co.uk//JSTag_5[5d8e][399] - Ok
>hxtp://www.hobbytronics.co.uk//JSEvent_6[77] - Ok
>htxp://www.hobbytronics.co.uk//JSEvent_7[56] - Ok
>htxp://www.hobbytronics.co.uk//JSEvent_8[56] - Ok
>htxp://www.hobbytronics.co.uk//JSEvent_9[56] - Ok
htxp://www.hobbytronics.co.uk/ - Ok

Apparently site was attacked 7 months ago and just beyond 1 week ago.
These general PHP vulnerabilities should be checked: http://www.cvedetails.com/version/36749/PHP-PHP-5.1.6.html
with this as a likely candidate: http://www.cvedetails.com/vulnerability-list/vendor_id-74/product_id-128/version_id-36749/year-2013/opbyp-1/PHP-PHP-5.1.6.html

polonus

[DavidR]

Thanks for the link but this deals with infected files on websites. As I said, I think we have cleared the infection and are getting clean reports from a multitude of checker. Just want avast to update the status.
Thanks

The first link given by JuninhoSlo is capable of dealing with false positives in regard to websites, you just need give more information in the report.

Use the on-line contact form, http://www.avast.com/contact-form.php?loadStyles for:  * Sales inquiries; Technical issues; Website issues; Report false virus alert in file; Report false virus alert on website; Undetected Malware; Press (Media), issues.

- If you are reporting an FP, then you get another input field open, enter the web URL for the site you wish to submit for review (Network Shield), etc. A link to this topic also wouldn't hurt.

[Sarah Rushton]

Thanks for the file check showing the site is clean.

I used the contact form yesterday to report the false positive but haven't heard anything. I will retry but with a link to this arrticle.  Is there a way on the avast website to check a website link to see if they have it blacklisted currently? Don't know how long it takes to clear the block.

Thanks also for the links on how to stop further intrusions. Checking those out. I think it is worth mentioning we are now using md5deep to run a check on the files on our website every few hows and report any changes. Almost impossible to stop intrusions in practice but this should help us clean up an intrusion quickly.

[DavidR]

The easiest way to check is to try to visit the site again and currently avast still alerts on it.

Usually avast are quick to correct something like this when/if confirmed to be an FP.

[SugarD-x]

The easiest way to check is to try to visit the site again and currently avast still alerts on it.

Just checked it for you guys. It's still blacklisted.

[DavidR]

You will see from the text that you quoted I already confirmed that

[SugarD-x]

You will see from the text that you quoted I already confirmed that

Shh!

[polonus]

Site found might have (had) hidden iFrame malware, blacklisted at: http://yandex.ru/infected?l10n=en&url=http://hobbytronics.co.uk/
and http://www.avgthreatlabs.com/sitereports/domain/hobbytronics.co.uk
Must be connected somewhere to activities of a malicious packer find from a link to "upfront.thefind.com"
http://www.threatexpert.com/report.aspx?md5=63e2dd0079ac63a3fe75eeb51451bb4b
see: http://forum.opencart.com/search.php?author_id=13286&sr=posts  compromise...

polonus

[jefferson sant]

detected as clean

https://www.virustotal.com/pt/url/d12311d82662892ce3e93c93c6a2f642db878cbe0823e37e98cc3a61521d4680/analysis/1368796720/

http://quttera.com/detailed_report/www.hobbytronics.co.uk

http://www.webutation.net/go/review/hobbytronics.co.uk

http://sitecheck.sucuri.net/results/www.hobbytronics.co.uk/

http://zulu.zscaler.com/submission/show/2503c2bb438af012d4aa5b594a3d1b02-1368796809


http://wepawet.iseclab.org/view.php?hash=89d8cf69b2099df5db27d807cfdc871a&t=1368796821&type=js

http://www.urlvoid.com/scan/hobbytronics.co.uk/

Reported to analysts

[Milos]

Our website is www.hobbytronics.co.uk.
We discovered a malware apache intrusion yesterday that has now been resolved. The website 'Yandex' had blacklisted us but have resubmitted our site and it now reports our site as 'Clean'.
Can the blacklist be removed as this is having a serious effect to our visitors.
Thank you 

Hello,
it will be unblocked.

Milos

[bob3160]

http://www.hobbytronics.co.uk/
No longer blocked.    Thanks Milos