Author Topic: False +ve on phoenix.untd.com and cyclops.untd.com  (Read 4498 times)

0 Members and 1 Guest are viewing this topic.

opmaity

  • Guest
False +ve on phoenix.untd.com and cyclops.untd.com
« on: September 06, 2013, 06:54:17 AM »
Juno and Netzero users are complaining about getting trojan alerts for phoenix.untd.com and cyclops.untd.com.

Can you please look into this and remove these false +ves.

Regards,

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #1 on: September 06, 2013, 07:45:34 AM »
are you the site owner?
« Last Edit: September 06, 2013, 07:47:14 AM by Pondus »

opmaity

  • Guest
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #2 on: September 06, 2013, 07:49:12 AM »
Yes, I work for untd.com.

Also can you please confirm which version introduced these URLs.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #3 on: September 06, 2013, 07:51:17 AM »
trying to access those site from a ipad..... they seem to be empty / taken down ?


opmaity

  • Guest
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #4 on: September 06, 2013, 07:58:12 AM »
These are internal URLs for our webmail site and those need additional parameters.

Going to webmail.juno.com and will generate requests for these two domains.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #5 on: September 06, 2013, 08:00:06 AM »
do they get the same message as reported here.   http://forum.avast.com/index.php?topic=134059.0

if you think this warning is wrong....
You can report FP to avast lab here: http://www.avast.com/contact-form.php
you may add a link to this topic in case they reply here





Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #6 on: September 06, 2013, 08:01:03 AM »
Hello,
I don't see any detection -- post screenshot of avast! alert window and IP addresses on which the URLs translates to you, please.

Milos

opmaity

  • Guest
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #7 on: September 06, 2013, 08:12:09 AM »
I haven't received any screenshot from members yet. But received only complaints.

Yes, it has to be related to Ads and similar to http://forum.avast.com/index.php?topic=134059.0.

One such complaint is "My antivirus application (Avast) is reporting the trojan HTML:HideMe-D every time I load the page that lists my email.".

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #8 on: September 06, 2013, 08:49:41 AM »
Yes the sites are being blocked by various extensions, for instance blocked from Google Chrome.
See what here: http://www.whatrunswhere.com/domainPreview.php?domain=cyclops.untd.com
The website Cyclops.Prod.Untd.com contains tracking cookies as well as pop-ups that can attempt to install other malicious items on your computer, such as Trojans. Fortunately, you can prevent Cyclops.Prod.Untd.com from loading altogether by blocking the website with your computer's registry.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False +ve on phoenix.untd.com and cyclops.untd.com
« Reply #9 on: September 06, 2013, 10:02:43 AM »
Scanned IP against 111 blacklists, all came up OK! Congratulations... 64.136.44.18
D

Loopscan results with quite some issues:
Domain:   
   
Scan
Loopscan
Quick Zone Preview

;; Truncated, retrying in TCP mode.
untd.com.      600 IN TXT "spf2.0/pra ip4:64.136.0.0/20 ip4:64.136.16.0/21 ip4:64.136.22.0/24
ip4:64.136.28.0/22 ip4:64.136.30.0/24 ip4:64.136.32.0/20 ip4:64.136.50.0/23 ip4:64.136.52.0/22 ?all"
untd.com.      600 IN TXT "v=spf1
ip4:64.136.0.0/20 ip4:64.136.16.0/21 ip4:64.136.22.0/24 ip4:64.136.28.0/22 ip4:64.136.30.0/24 ip4:64.136.32.0/20 ip4:64.136.50.0/23
ip4:64.136.52.0/22 ?all"
untd.com.      600 IN MX 10 mx.dca.untd.com.
untd.com.      600 IN MX 10 mx.vgs.untd.com.
untd.com.      600 IN A
64.136.53.45
untd.com.      600 IN A 64.136.45.45
untd.com.      600 IN SOA authns.vgs.untd.com. hostmaster.noc.untd.com. (
            2013022102 ;
serial
            3600       ; refresh (1 hour)
            300        ; retry (5 minutes)
            864000     ; expire (1 week 3 days)
            600        ;
minimum (10 minutes)
            )
untd.com.      600 IN NS authns.iad.untd.com.
untd.com.      600 IN NS authns.dca.untd.com.
untd.com.      600 IN NS
authns.vgs.untd.com.


Authoritative name servers
DNS Server    TTL    IPv4 address    IPv4 glue    IPv6 address    Serial no.    Query time
d.root-servers.net   518400   6d    199.7.91.13         not authoritative
e.root-servers.net   518400   6d    192.203.230.10         not authoritative
f.root-servers.net   518400   6d    192.5.5.241         not authoritative
g.root-servers.net   518400   6d    192.112.36.4         not authoritative
h.root-servers.net   518400   6d    128.63.2.53         not authoritative
i.root-servers.net   518400   6d    192.36.148.17         not authoritative
j.root-servers.net   518400   6d    192.58.128.30         not authoritative
k.root-servers.net   518400   6d    193.0.14.129         not authoritative
l.root-servers.net   518400   6d    199.7.83.42         not authoritative
m.root-servers.net   518400   6d    202.12.27.33         not authoritative
a.root-servers.net   518400   6d    198.41.0.4         not authoritative
b.root-servers.net   518400   6d    192.228.79.201         not authoritative
c.root-servers.net   518400   6d    192.33.4.12         not authoritative

Authoritative name servers info
DNS Server    IPv4 address    BGP Prefix    ASN    Country Code    Registry    Date Alocated
d.root-servers.net   199.7.91.13   199.7.91.0/24    27    US    arin    2007-12-07
e.root-servers.net   192.203.230.10   192.203.230.0/24    42 297    US    arin    1992-11-18
f.root-servers.net   192.5.5.241   192.5.4.0/23    3557    US    arin    1984-03-12
g.root-servers.net   192.112.36.4   192.112.36.0/24    5927    US    arin    1991-06-26
h.root-servers.net   128.63.2.53   128.63.2.0/24    13    US    arin    1985-03-12
i.root-servers.net   192.36.148.17   192.36.148.0/24    29216    SE    ripencc    2000-03-17
j.root-servers.net   192.58.128.30   192.58.128.0/24    26415 36618 36626 36632    US    arin    2000-11-30
k.root-servers.net   193.0.14.129   193.0.14.0/24    25152    NL    ripencc    1993-09-01
l.root-servers.net   199.7.83.42   199.7.83.0/24    20144    US    arin    2006-02-06
m.root-servers.net   202.12.27.33   202.12.27.0/24    7500    JP    apnic    1997-03-04
a.root-servers.net   198.41.0.4   198.41.0.0/24    26415 36619 36620    US    arin    1993-01-04
b.root-servers.net   192.228.79.201   192.228.79.0/24    4    US    arin    2003-05-01
c.root-servers.net   192.33.4.12   192.33.4.0/24    2149    US    arin    1987-10-22

SOA record ( )
mname (master name)    rname (responsible name)    serial    refresh    retry    expire    minimum

NS records from ( )
Domain name    TTL    NS

MX records from ( )
Domain name    TTL    MX records    IPv4 address
NO MX RECORDS FOUND.

A records from ( )
Domain name    TTL    IPv4 address
NOT FOUND

AAAA records from ( )
Domain name    TTL    IPv4 address
NOT FOUND

SRV records from ( )
Domain name    TTL    pri    weight    target    IPv4 address    IPv6 address
NOT FOUND

List of Performed Tests
Test name    Test details    Status    Indicator
DNS Servers response   All name servers for this domain name respond to DNS queries.   PASS   
Zone serial numbers   All name servers for this domain name respond with same serial ( ).   PASS   
Authority of name servers   Some name servers listed at parent servers don't respond as authoritative for this domain name.
# d.root-servers.net
# e.root-servers.net
# f.root-servers.net
# g.root-servers.net
# h.root-servers.net
# i.root-servers.net
# j.root-servers.net
# k.root-servers.net
# l.root-servers.net
# m.root-servers.net
# a.root-servers.net
# b.root-servers.net
# c.root-servers.net
   ERROR   
Required glue records   All required glue records on parent server exist.   PASS   
Glue records match   All glue records and A records match.   PASS   
Existance of NS records   All NS records don't exist in the domain name zone.   ERROR   
NS records match   NS records from parent server and authoritative name server match.   PASS   
Recursive queries   All name servers for this domain name don't respond to recursive queries.   PASS   
Public zone transfer (AXFR)   All name servers for this domain name don't respond to AXFR queries.   PASS   
Name servers on public IP   All name servers for this domain name are on public IP addresses.   PASS   
Number of name servers   This domain has more than 7 name servers thus UDP packets with DNS responses can easily overdraw the limit of 512 bytes and this communication must be repeated using TCP protocol. This error is not relevant for root zone and top level domain names (TLDs) (13).   WARNING   
TTL values on parent server   All TTL values on parent server match.   PASS   
TTL values on authoritative server   All TTL values in authoritative records match.   PASS   
Reverse records of name servers   Reverse records of DNS servers match with their IP addresses   PASS   
NS in different AS   NS at least in 2 different autonomous systems thus their availability is not dependent on one network.   PASS   
NS in different subnets   NS at least in 2 different subnets.   PASS   
Different IPv4 addresses of NS   Name servers have different IP addresses.   PASS   
Server from SOA MNAME as NS record   Primary name server ( ) from SOA MNAME entry is not listed as primary NS at your parent NS.   WARNING   
MNAME entry check   SOA MNAME entry is missing dot at the end and that is not syntactically valid. ( )   ERROR   
MNAME in SOA from all NS   All DNS servers return the same MNAME value in SOA record. ( )   PASS   
RNAME entry check   SOA RNAME entry is not syntactically valid. ( )   ERROR   
Format of serial number   The serial number of the zone hasn't got recommended syntax YYYYMMDDnn. ( )   WARNING   
SOA REFRESH value check   SOA REFRESH value ( =) is not within recommended range 20 minutes to 12 hours.   WARNING   
SOA RETRY value check   SOA RETRY value ( =) is not within recommended range 15 minutes to SOA REFRESH ( =).   WARNING   
SOA EXPIRE value check   SOA EXPIRE value ( =) is not within recommended range 14 to 31 days.   WARNING   
SOA MINIMUM value check   SOA MINIMUM value ( =) is not within recommended range 1 to 3 hours.   WARNING   
No MX records found   MX records missing at your name servers.   ERROR   
Domain AAAA records   Domain A records and AAAA records missing at your name servers.   WARNING   
No WWW records found   WWW records missing at your name servers.   WARNING   
SRV SIP records check   No SRV records detected. No further tests performed.   INFO   
DNSKEY records check   No DNSKEY records detected. No further tests performed.   INFO   
Scanning took 45.417 seconds.

polonus
« Last Edit: September 06, 2013, 10:15:14 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!