Author Topic: Help resolving site blocking issue  (Read 5020 times)


MaxBounty Steve

  • Guest
Help resolving site blocking issue
« on: March 07, 2014, 07:05:05 PM »
Hello there,

I run an internet advertising network called MaxBounty. Over the past few days, I've received numerous complaints from my customers that they are getting "URL: mal" blocks from Avast on my main domain (maxbounty.com) and at least one of my advertising tracking links (mb103.com). In particular, one tracking link URL that was blocked was: http://www.mb103.com/lnk.asp?o=6073&c=918271&a=146014

If you are willing, I'd appreciate your help in identifying why my site and that particular URL were blocked by Avast. While I don't think this is a false positive, I'd like to identify the root cause of the block so that I can correct the root cause and eliminate the block.

I've tried using a few of the tools/sites I've seen in some of the other threads here, and in a lot of cases, my domains come up clean, or I can't tell exactly what the problem is from the log.

Again, I'd really appreciate any help to not only remove the block, but to avoid inadvertently advertising any known bad actors.

I've tried the Avast contact us form, but have received no response.

Thank you very much in advance for any help you can provide me.

EDIT: My IP, if needed, is 66.40.15.30

Steve Sauve
MaxBounty
« Last Edit: March 07, 2014, 07:08:51 PM by MaxBounty Steve »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: Help resolving site blocking issue
« Reply #1 on: March 07, 2014, 07:15:16 PM »
urlvoid  http://www.urlvoid.com/scan/maxbounty.com/

WOT  https://www.mywot.com/en/scorecard/maxbounty.com


Dr WEB

Quote
htxp://maxbounty.com is in Dr.Web malicious sites list!



Checking: htxp://maxbounty.com/js/utils.js
File size: 3879 bytes
File MD5: b7d4d938bc0868fada3b8c96272570ec

hxtp://maxbounty.com/js/utils.js - archive JS-HTML
>htxp://maxbounty.com/js/utils.js/JSFile_1[0][f27] - Ok
htxp://maxbounty.com/js/utils.js - Ok

Checking: htxp://maxbounty.com
Engine version: 7.0.7.12100
Total virus-finding records: 5015389
File size: 7854 bytes
File MD5: 1041dfe3dd4d4e2cb8956aa70141c409

htxp://maxbounty.com - archive JS-HTML
>htxp://maxbounty.com/JSTAG_1[4e9][40] - Ok
>htxp://maxbounty.com/JSTAG_2[9bf][131] - Ok
>htxp://maxbounty.com/JSTAG_3[165b][61] - Ok
>htxp://maxbounty.com/JSEvent_4[63] - Ok
htxp://maxbounty.com - Ok

« Last Edit: March 07, 2014, 07:24:19 PM by Pondus »

Offline Pondus

Re: Help resolving site blocking issue
« Reply #2 on: March 07, 2014, 07:22:31 PM »
If you think this is wrong, you can report issues to Avast here: http://www.avast.com/contact-form.php (select the subject according to your case).
You may add a link to this topic in case they reply here.




MaxBounty Steve

  • Guest
Re: Help resolving site blocking issue
« Reply #3 on: March 07, 2014, 07:35:38 PM »
Thank you for the feedback Pondus. I have had that reputation in WOT for a long time, and it hasn't changed recently, so I'm surprised Avast is suddenly flagging my site. Dr. Web unfortunately provides no feedback as to why a site is listed.

Do you know if Avast suddenly changed their algorithm to include, or increase the weight on, WOT listings? Better yet, are you able to tell if that's the reason why I'm suddenly being flagged?

I'm just trying to identify the root cause so I can get this fixed up.

Thank you again.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33905
  • malware fighter
Re: Help resolving site blocking issue
« Reply #5 on: March 08, 2014, 01:06:59 AM »
Pondus, I think this is what is being flagged, while I got some help from my Dr. Web URL check scanner here.
And the guys from Saint Petersburg have the 7search uri in their malicious list!

htxp://www.maxbounty.com/7search_bonus.cfm redirects to htxp://7search.com/landing/maxbounty/

htxp://www.maxbounty.com/7search_bonus.cfm is in Dr.Web malicious sites list!

Checking: htxp://7search.com/landing/maxbounty/
Engine version: 7.0.7.12100
Total virus-finding records: 5016693
File size: 6270 bytes
File MD5: d5331824af56dcb8c21505f7a91f4b3b

htxp://7search.com/landing/maxbounty/ - archive JS-HTML
>htxp://7search.com/landing/maxbounty//JSTAG_1[156][1f3] - Ok
htxp://7search.com/landing/maxbounty/ - Ok

Read about 7search infections: http://www.bleepingcomputer.com/forums/t/443980/7search-adware-infected/

Think the quttera find is JQuery code stretching and bending round the curves, but not malicious as such: http://jsunpack.jeek.org/?report=356c8080b0344eebe329b9cd947e2be4b3a5e633

Although 7search took McAfee to court because they took 7search as spyware, it certainly is unwanted adware.
We flagged it before here: http://forum.avast.com/index.php?topic=142247.0 , remember?
Removal instructions for 7search: http://www.pcinfected.com/7search-com-removal/

Also, this could lead to further compromise of the website: outdated CMS. Web application version:
WordPress version: WordPress 3.6.1
Wordpress version from source: 3.6.1
Wordpress Version 3.6.1 based on: htxp://blog.maxbounty.com//wp-admin/js/common.js
WordPress theme: htxp://blog.maxbounty.com/wp-content/themes/lifestyle/
WordPress version outdated: Upgrade required.
blog dot maxbounty dot com,,,Ghosted,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Help resolving site blocking issue
« Reply #6 on: March 08, 2014, 01:28:21 AM »
Now the specific link MaxBounty Steve provides:
Server redirect check:
Code: 302,  htxp://www.maxbounty.com/lnk.asp?o=6073&c=918271&a=14601
Redirect to external server! -> htxp://www.maxbounty.com/def.cfm?i=0&o=6073 -> htxp://khvx.redirrus.com/?offer=6073&s1=0 ->
htxp://exclusiverewards.myprizersavingzsurveys.eu/?sov=333912405&hid=djhfjnlntfhrptjp&id=XNSX. -> htxp://exclusiverewards.myprizersavingzsurveys.eu/
 Content displayed is from the redirect location = the URL htxp://exclusiverewards.myprizersavingzsurveys.eu/?sov=333912405&hid=djhfjnlntfhrptjp&id=XNSX.
No description in Google because of robots.txt; see: http://killmalware.com/www.maxbounty.com/lnk.asp?o=6073&c=918271&a=14601
Found as a sign of earlier compromise -> htxp://maxbounty.com/test404page.js
Spam check: Suspicion of Spam
er und frauen. sie sind nicht pornostars oder prostituierte. <br><br></td> </tr> <tr> <td style="padd...
see spam report here: http://www.knujon.com/domains/mb103.com.html
Is this scam? -> htxp://rewardzone.prizesavingzonlini.eu/?sov=214828802&hid=bdbjfbbjrrhn&id=XNSX.124441
Google/Browser difference: Not identical

Google: 15088 bytes       Firefox: 13709 bytes
Diff:         1379 bytes

First difference:
<head> <meta htXp-equiv="content-type" content="text/html; charset=utf-8" /> <title>umfragemeinung 2014</title> <script src="//ajax.googleapis dot com/ajax/libs/jquery/1...
Content after the < /html> tag should be considered suspicious.
192:< !-- Mini 1394239957 -->
The IP history of badness on VT: https://www.virustotal.com/nl/ip-address/66.40.15.30/information/
10 appearance(s) in spam e-mail or spam post urls 2 weeks ago.

ThreatSTOP flagged that IP 3 months ago for the threat Parasites - danger level 1 - no active threats recorded.

polonus
« Last Edit: March 08, 2014, 02:09:24 AM by polonus »
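Two of the checks named in Reply #6 (a tracking link whose redirect chain leaves the original site, and content after the closing html tag on the final page) can be run by a site owner against captures of their own links. The sketch below is an added example, not code from the thread or from any of the scanners quoted in it; the hosts, the CAPTURE data and all function names are constructed placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed capture of one tracking link: URL -> (status, Location header, body).
# Hosts are placeholders; in practice fill this from your own recorded responses.
CAPTURE = {
    "http://tracker.example/lnk.asp?o=1": (302, "/def.cfm?o=1", ""),
    "http://tracker.example/def.cfm?o=1": (302, "http://hop.example.net/?offer=1", ""),
    "http://hop.example.net/?offer=1": (302, "http://landing.example.org/", ""),
    "http://landing.example.org/": (200, None,
        "<html><body>survey</body></html>\n<!-- Mini 1 -->"),
}

def site(host):
    # Assumption: "last two labels" grouping; a real audit should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def trace(url, capture, max_hops=10):
    """Follow 3xx hops in the capture; return [(url, status, leaves_origin), ...]."""
    origin = site(urlsplit(url).hostname)
    hops, seen = [], set()
    while url in capture and url not in seen and len(hops) < max_hops:
        seen.add(url)  # guards against redirect loops
        status, location, _body = capture[url]
        hops.append((url, status, site(urlsplit(url).hostname) != origin))
        if not (300 <= status < 400 and location):
            break
        url = urljoin(url, location)  # resolves relative Location values
    return hops

def trailing_content(body):
    """Return whatever follows the last </html> tag (empty string if nothing)."""
    tags = list(re.finditer(r"</html\s*>", body, re.I))
    return body[tags[-1].end():].strip() if tags else ""

def audit(url, capture):
    """Summarise one link: hops off the origin site, final URL, trailing markup."""
    hops = trace(url, capture)
    if not hops:
        return None  # start URL was never captured
    final_url = hops[-1][0]
    return {
        "external_hops": [u for u, _status, external in hops if external],
        "final_url": final_url,
        "after_html": trailing_content(capture[final_url][2]),
    }
```

Any entry in `external_hops` is a destination the link owner is vouching for in the eyes of a URL-reputation engine, so each one is worth checking against the same blocklists the thread uses.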