Author Topic: False Threat  (Read 3838 times)


zinck

  • Guest
False Threat
« on: October 15, 2013, 03:54:58 PM »
When I try to log into our church's website I get a message from Avast saying that it is Malware. I don't believe that this is the case.

Can someone review this and change it?

The site is:  hxtp://www.pvcc.org/

Thank you very much for the help!
« Last Edit: October 16, 2013, 10:26:48 AM by Milos »

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: False Threat
« Reply #1 on: October 15, 2013, 04:07:25 PM »
I will scan the site through some scanners.

You should wait for polonus to arrive; he is a website analyst.

Which version of Avast are you using? 9.0.2006 is the newest as of a few minutes ago.

Please change the http to htxp to break the link.
« Last Edit: October 15, 2013, 04:09:47 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: False Threat
« Reply #2 on: October 15, 2013, 04:14:23 PM »
Website is clean by about 8 scanners.

Looks like a false positive. Please wait for polonus to arrive, maybe there is something in the site code.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
Re: False Threat
« Reply #3 on: October 15, 2013, 04:25:02 PM »
Quote
When I try to log into our church's website I get a message from Avast saying that it is Malware. 
If you mean URL:Mal... it means the URL is on a blacklist for whatever reason; it does not have to be infected.

This may be a general IP block?

See here: http://urlquery.net/report.php?id=6795542
See "Recent reports on same IP/ASN/Domain": you find several websites using the same IP that have IDS alerts from the Suricata / Snort filter,
like this one: http://urlquery.net/report.php?id=5756468  /  http://urlquery.net/report.php?id=5279188

IP is also listed at  l2.apews.org  blacklist

Quote
l2.apews.org

Level 2 lists IP addresses and netblocks of known spammers, anyone who is spam-friendly, or, worse, supporting spammers. Listing starts at single IPs and can escalate until the entire netrange of a spammer or spam supporter is listed. The Level 2 list will have some inadvertent blocking (non-spammer IP addresses included in listed blocks), but can still be used by small ISPs or individuals who want a stricter level of blocking/filtering. By having a two-style list, you can make the hardcore spamfighters happy: those who want to block first and ask questions later. Also, a listing in the Level 2 list may exert a bit of pressure on spam-friendly sites and may keep them from turning totally bad - but that is not really the point; stopping spam is.
« Last Edit: October 15, 2013, 04:38:25 PM by Pondus »

zinck

  • Guest
Re: False Threat
« Reply #4 on: October 15, 2013, 04:33:37 PM »
I thank you for the replies. 

If you check into this I believe that you will find that it really is a FALSE POSITIVE. I don't know why it would be blacklisted. As I said, it is a church website.

Thanks again!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: False Threat
« Reply #5 on: October 15, 2013, 04:36:14 PM »
You can report a false positive here: http://www.avast.com/contact-form.php

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False Threat
« Reply #6 on: October 15, 2013, 05:30:45 PM »
If this is a general IP block, you can report an FP as Steven Winderlich states and ask for your domain to be excluded.
I see this code hiccup:
commonscripts dot com/js/audioplayer/js/jquery-1.6.1.min.js benign
[nothing detected] (script) commonscripts dot com/js/audioplayer/js/jquery-1.6.1.min.js
     status: (referer=wXw.pvcc.org/)saved 91342 bytes 6fca78dac2797c02d86a4bf6514eda398b7dbe62
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     suspicious:
Quttera scan gives this potential suspicious code:
jquery-1.9.1.min.js
Severity: Potentially Suspicious
Reason: Detected procedure that is commonly used in suspicious activity.
Details: Too low entropy detected in string [['=%26=%26ontrue=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=']] of length 218 which may point to obfuscation or shellcode.
For the actual threat dump, see: http://jsunpack.jeek.org/?report=8b4b79bbabe2ed04d1a3493836090a147f7a71b4

The recommended scan at Sucuri's is all green: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.pvcc.org%2F

Not a particular ASP.NET website, but see some insecurity warnings here: https://asafaweb.com/Scan?Url=www.pvcc.org
also see: http://org.saferpage.de/pvcc

This could be the culprit of the general IP alert (wherever there are bad apples in that IP basket): http://sameid.net/ip/69.167.139.81/

There was some bad host activity in the past: http://www.projecthoneypot.org/ip_69.167.139.81

And certainly live malware launched from that same IP: http://support.clean-mx.de/clean-mx/viruses.php?review=69.167.139.81&sort=id%20DESC
Also see: https://www.virustotal.com/nl/ip-address/69.167.139.81/information/  (several sites with "ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI" IDS alerts, "ET CURRENT_EVENTS Blackhole 32-hex/a.php Landing Page/Java exploit URI" IDS alerts and
"EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval" IDS alerts -> http://urlquery.net/report.php?id=5756468)

Reason for that IP to get a general block.
See also: http://urlquery.net/report.php?id=3109232  Is also flagged by PHISHWatch.

So Pondus' estimation seems a real option: a general IP block.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
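The Quttera finding quoted above ("Too low entropy detected in string ... which may point to obfuscation or shellcode") is a plain Shannon-entropy heuristic over string literals. The following added example (my own code, not Quttera's, not jsunpack's and not anything from pvcc.org) reproduces that check on the very literal the scan reported, so you can see why a repetitive URL-encoded string trips a "too low entropy" rule while ordinary text does not. The thresholds, the regex for string literals and the sample JS around the literal are constructed assumptions for the demonstration.

```python
import math
import re
from collections import Counter

# The literal Quttera reported, copied from the scan output quoted in this thread.
QUTTERA_STRING = (
    '=%26=%26ontrue=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%261=%26=%26=%26'
    '=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26'
    '=%26=%26=%26=%26=%26=%26=%26=%26=%26=%26='
)


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def entropy_verdict(s, low=2.5, high=5.0):
    """Classify a literal the way an entropy heuristic would.

    The thresholds are constructed for this example: a handful of symbols
    repeated over and over sits around 2 bits/char, English or minified JS
    sits around 4, and packed/base64 payloads push toward the top of the scale.
    """
    h = shannon_entropy(s)
    if h < low:
        return "low"
    if h > high:
        return "high"
    return "normal"


# Quoted string literals, with backslash escapes allowed inside (constructed regex).
_DQ = r'"((?:[^"\\\n]|\\.)*)"'
_SQ = r"'((?:[^'\\\n]|\\.)*)'"
STRING_LITERAL = re.compile(_DQ + "|" + _SQ)


def flag_string_literals(js, min_len=40):
    """Return (verdict, entropy, literal) for every long literal that is not 'normal'."""
    findings = []
    for m in STRING_LITERAL.finditer(js):
        lit = m.group(1) if m.group(1) is not None else m.group(2)
        if len(lit) < min_len:
            continue  # short literals are too noisy to judge by entropy
        verdict = entropy_verdict(lit)
        if verdict != "normal":
            findings.append((verdict, round(shannon_entropy(lit), 2), lit))
    return findings


# Constructed sample: an ordinary message, a short literal, and the reported literal.
SAMPLE_JS = (
    'var m="Detected procedure that is commonly used in suspicious activity.";\n'
    "var s=document.getElementsByTagName('script')[0];\n"
    "var padded='" + QUTTERA_STRING + "';\n"
)

if __name__ == "__main__":
    print("reported literal: %.2f bits/char" % shannon_entropy(QUTTERA_STRING))
    for verdict, h, lit in flag_string_literals(SAMPLE_JS):
        print(verdict, h, lit[:30] + "...")
```

The reported literal lands at roughly 2.2 bits per character, well under the constructed 2.5 threshold, because almost the whole string is the four symbols `=`, `%`, `2`, `6` repeated. That is all the heuristic sees; it cannot tell a padding or test string inside a library from an obfuscation stub, which is why the thread treats the finding as a pointer to inspect the file rather than a verdict, and why the other scanners polonus lists come back clean.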

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: False Threat
« Reply #7 on: October 16, 2013, 10:27:35 AM »
Quote
When I try to log into our church's website I get a message from Avast saying that it is Malware. I don't believe that this is the case.

Can someone review this and change it?

The site is:  hxtp://www.pvcc.org/

Thank you very much for the help!
Hello.
There is a script tag which leads to "commonscripts.com", and this is blocked.

Milos
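Milos' answer is the practical one for a site owner: the alert is not about the church's own pages but about a third-party `<script src>` include whose host is on the blocklist. The following added example (my own code, not Avast's and not taken from pvcc.org) shows how to list the external script hosts a page pulls in and match them against a blocklist, so the offending include can be found before filing a false-positive report. The sample HTML, the `cdn.example` host and the one-entry blocklist are constructed for the demonstration; only the commonscripts.com path comes from this thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def registrable(host):
    """Naive site key: the last two labels (www.pvcc.org -> pvcc.org).

    Constructed simplification: it does not know multi-label public suffixes
    such as co.uk; use a public-suffix list for real deployments.
    """
    return ".".join(host.lower().split(".")[-2:])


def third_party_script_hosts(html, page_url):
    """Hosts of <script src> includes that are not on the same site as page_url."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    hosts = set()
    for src in parser.srcs:
        # urljoin resolves relative ("/js/x.js") and protocol-relative ("//host/x.js") sources.
        host = urlparse(urljoin(page_url, src)).hostname
        if host and registrable(host) != registrable(page_host):
            hosts.add(host)
    return sorted(hosts)


def blocked_hosts(hosts, blocklist):
    """Subset of hosts whose registrable domain appears in the blocklist."""
    return sorted(h for h in hosts if registrable(h) in blocklist)


# Constructed sample page: two first-party includes, one protocol-relative CDN
# include, one inline script, and the third-party include named in this thread.
SAMPLE_HTML = """<html><head>
<script src="/js/local.js"></script>
<script src="http://static.pvcc.org/site.js"></script>
<script src="//cdn.example/lib.js"></script>
<script type="text/javascript">var inline = 1;</script>
<script src="http://www.commonscripts.com/js/audioplayer/js/jquery-1.6.1.min.js"></script>
</head><body></body></html>"""

# Constructed blocklist standing in for whatever list the web shield consults.
BLOCKLIST = {"commonscripts.com"}

if __name__ == "__main__":
    hosts = third_party_script_hosts(SAMPLE_HTML, "http://www.pvcc.org/")
    print("third-party script hosts:", hosts)
    print("on blocklist:", blocked_hosts(hosts, BLOCKLIST))
```

Run against the real page source instead of `SAMPLE_HTML`, the same two functions point straight at the include a web shield objects to; removing or self-hosting that one script is the fix on the site owner's side, while the false-positive form handles the case where the blocklisted host itself is wrongly listed.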

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False Threat
« Reply #8 on: October 16, 2013, 03:06:23 PM »
Hi Milos,

Is this Detected CrimeBoss exploit kit? I get no response for GET /js/audioplayer/js/jquery-1.6.1.min.js HTTP/1.1
Host: wXw.commonscripts.com
Here the scan is not-flagged: https://www.virustotal.com/nl/file/c784376960f3163dc760bc019e72e5fed78203745a5510c69992a39d1d8fe776/analysis/1381216998/
nor here: http://urlquery.net/report.php?id=6842327
See: http://jsunpack.jeek.org/?report=dc2eb3b3d0148e44041e8144ee23b9ed39f8c8f0  where it says "The requested URL /js/audioplayer/js/undefined was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request"

polonus

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
« Last Edit: October 16, 2013, 04:33:16 PM by Steven Winderlich »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False Threat
« Reply #10 on: October 16, 2013, 05:05:24 PM »
The code is malicious only if an attacker has sneaked a (spoofing) backdoor into the code.
Read: http://stopmalvertising.com/security/phpthumb-fltr-command-injection-vulnerability-exploit-scans.html link author = Kimberly
Is that the case here?
Then it should reside here: commonscripts dot com/js/audioplayer/js/jquery-1.6.1.min.js benign
[nothing detected] (script) commonscripts dot com/js/audioplayer/js/jquery-1.6.1.min.js
     status: (referer=wXw.pvcc.org/)saved 91342 bytes 6fca78dac2797c02d86a4bf6514eda398b7dbe62
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     error: undefined function a.getElementsByTagName
     error: undefined variable a
     suspicious: avast! Web Shield alerts HTML:Script-inf
See: https://urlquery.net/report.php?id=6847009
See: http://anubis.iseclab.org/?action=result&task_id=14caf53c8e70b79543dc711a44c2620f1&format=html

polonus
« Last Edit: October 16, 2013, 05:23:55 PM by polonus »