Author Topic: False Positive on IP


Vir

  • Guest
False Positive on IP
« on: June 19, 2013, 11:55:26 PM »
Hello,

I run a web hosting company and I think my IP address might be blacklisted as my company website, northernorange.com is being blocked by your software with URL:Mal and URL:Mal2 warnings. It is notifying me on files like favicon.ico and various .png images, which is obviously not malware. In addition to blocking my company website (which is on a dedicated IP), it appears to be blocking other websites on a shared IP that my clients use. Examples include limquity.com, keepitpumpin.net, canuckscentral.com, thenationsnews.org and more. These are all separate clients with no connection to each other.

Can something be done to fix these multiple false positives?

Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37561
  • Not a avast user
Re: False Positive on IP
« Reply #1 on: June 20, 2013, 12:07:58 AM »
You can report a possible FP here: http://www.avast.com/contact-form.php
You may add a link to this topic in case they reply here.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: False Positive on IP
« Reply #3 on: June 21, 2013, 10:51:57 PM »
Hi, I get this here for http://my.northernorange.com/index.html
Not Found

The requested URL /index.html was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
see: http://www.reversemx.com/mxip/173.231.1.27/
This resolves OK: http://www.northernorange.com/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: False Positive on IP
« Reply #5 on: June 21, 2013, 11:07:07 PM »
But this (found earlier on that IP) could have triggered the earlier flag, see: http://urlquery.net/report.php?id=3228295
ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page & URI & EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
while this domain was free of it at that time: http://urlquery.net/report.php?id=3225110
See: http://en.wikimix.info/ip/173.231.1.27
Not blacklisted now: http://www.ipvoid.com/scan/173.231.1.27/

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: False Positive on IP
« Reply #8 on: June 22, 2013, 12:21:09 AM »
Well the cache content of the page is still very much infected. Trying to open this: htxp://webcache.googleusercontent.com/search?client=flock&channel={flock%3Acontext}&q=cache:8r5pwzqZAkoJ:http://www.thenationsnews.org/%2Bthenationsnews.org&oe=utf-8&hl=en&ct=clnk
will get me an avast!Web Shield alert for HTML:RedirBA-inf[Trj] for mentioned url||{gzip}
For the infection see examples here: http://support.clean-mx.de/clean-mx/viruses.php?virusname=HTML:RedirBA-inf%20Trj&sort=first%20desc
all with exclusive avast detections (Gdata) -> https://www.virustotal.com/en/file/28d7cec5b73ef79628dd8051ae13f5e6a3ebb1a330eeb5bcd978037ba962297e/analysis/
The question is, for the live infected sites, is the avast detection genuine or an FP?
Quote from Thomas Clarke:
"HTML:RedirBA-inf is classified as a nasty computer threat which attacks system files and thus makes your Windows-based system almost unusable. This malware is a generic detection of malicious HTML files. It contains a harmful script with the help of which it changes the Google or Yahoo search and will always redirect you to an unsolicited web address. Just like the HTML:IFrame-HM [Trj], HTML:IFrame-JS [Trj] and W32.Ramnit!html threats, it searches for FTP accounts and uses this channel to upload code and thus infect the user's web site. It is recommended to remove this nasty infection before it corrupts your Windows-based PC."

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
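Added example (not part of the thread, and not avast's detection logic): a small Python scanner a hosting admin can run over the HTML each vhost on the shared IP actually serves, to answer polonus' "genuine or FP?" question for themselves. Two practical points feed its design. First, URL:Mal and URL:Mal2 are reputation blocks keyed on the host or IP, so every resource on a blocked host (favicon.ico, .png images) gets flagged; the images are not the infection, the page they sit on may be. Second, the redirector family described in the quote only fires when the visitor arrives from a search engine, so fetch each page with a Google or Yahoo Referer header and no cookies, or inspect the search-engine cache as polonus did, rather than browsing to it directly as the owner. The four rules below (hidden off-site iframe, meta refresh to another host, document.referrer-conditioned location assignment, escape-encoded eval payload) are my own heuristics for the injected markup such generic HTML detections key on; the sample pages and the 203.0.113.7 / example.net hosts are constructed for offline testing and were not captured from any site named above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages for offline testing; none of this markup was
# captured from the sites named in the thread.
CLEAN_PAGE = """<html><head><title>Hosting</title>
<link rel="icon" href="/favicon.ico"></head>
<body><img src="/images/logo.png"><a href="/contact">Contact</a>
<script>var year = new Date().getFullYear();</script></body></html>"""

INFECTED_PAGE = """<html><head><title>News</title></head>
<body><p>Latest headlines</p>
<iframe src="http://203.0.113.7/a1b2c3d4e5f6a7b8/q.php" width="1" height="1"
 style="visibility:hidden"></iframe>
<script>if(document.referrer.indexOf("google")!=-1||document.referrer.indexOf("yahoo")!=-1)
{window.location="http://example.net/go.php";}</script>
</body></html>"""

OBFUSCATED_PAGE = """<html><body>
<script>eval(unescape("%69%66%72%61%6d%65%20%73%72%63%3d"));</script>
</body></html>"""


class RedirectScanner(HTMLParser):
    """Flags the constructs a generic 'redirector' detection keys on: hidden
    off-site iframes, meta refreshes to another host, search-referrer
    conditioned JavaScript redirects, and escape-encoded eval() payloads.
    The rules are heuristics written for this example, not a vendor signature."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []          # list of (rule_name, evidence)
        self._in_script = False

    def _external(self, url):
        host = urlparse(url or "").hostname
        if not host:
            return False            # relative URL: same site
        host = host.lower()
        return host != self.site_host and not host.endswith("." + self.site_host)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attr names
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "visibility:hidden" in style or "display:none" in style
            if self._external(a.get("src")) and (tiny or hidden):
                self.findings.append(("hidden_external_iframe", a.get("src")))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s;]+)", a.get("content", ""), re.I)
            if m and self._external(m.group(1)):
                self.findings.append(("meta_refresh_external", m.group(1)))
        elif tag == "script":
            self._in_script = True   # script bodies arrive via handle_data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if not self._in_script:
            return
        # Redirect that only fires for search-engine visitors: the owner
        # browsing directly never sees it, the scanner crawling from Google does.
        if "document.referrer" in data and re.search(
                r"(window\.|document\.|top\.)?location(\.href)?\s*=[^=]", data):
            self.findings.append(("referrer_conditioned_redirect",
                                  " ".join(data.split())[:100]))
        # eval/unescape over a long run of %xx or \xNN escapes: typical of
        # injected droppers that decode an iframe at run time.
        if re.search(r"\b(eval|unescape|String\.fromCharCode)\s*\(", data) and \
                re.search(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", data, re.I):
            self.findings.append(("obfuscated_script", " ".join(data.split())[:100]))


def scan_html(html, site_host):
    """Return [(rule, evidence), ...] for one page body as served to a client."""
    scanner = RedirectScanner(site_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE),
                       ("obfuscated", OBFUSCATED_PAGE)):
        print(name, scan_html(page, "www.example.com"))
```

Feed it the raw response body of each vhost's index page (fetched with `Referer: http://www.google.com/` and a search-engine User-Agent, since the conditional redirect otherwise stays dormant), passing that vhost's own hostname so links to its subdomains are not counted as off-site. An empty result for every site on the IP supports the FP report; a hit on any one of them means the shared IP is being blocked for a reason, and that site's files (and the FTP credentials used to upload to it) need cleaning before asking for delisting.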