Topic: Website reported as blocked for URL:Mal, report false infection?


polonus
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #45 on: January 29, 2018, 10:01:20 PM »
Domain probably blocked by avast because of malware on that particular IP: https://www.threatcrowd.org/ip.php?ip=64.37.52.189
Also in attack archive: http://overflowzone.com/archive/geoip/64.37.52.189/

Only avast team members can unblock or exclude your domain from a general IP block,
wait for one to appear and give the final verdict.

We here are just volunteers with relevant knowledge, but cannot unblock.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zapappa
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #46 on: February 21, 2018, 04:42:15 AM »
mchain, I get a clean report for my daughter's web site, www.katinaarnott[.]com, from your suggested web sites:

  - https://www.virustotal.com/#/home/url
  - https://sitecheck.sucuri.net/
  - http://urlquery.net/

I have also run tests on several other sites like pentest-tools.com and webinspector.com with no issues. Also I have a blacklist monitor at mxtoolbox.com and it shows no entries on 103 blacklists. But still Avast insists on aborting connections to www.katinaarnott.com "because it is infected with URL:Mal".

Now, of course I want to get a clean bill of health for this website but I'm also concerned as to why Avast calls it an infection (URL:Mal) and just leaves it at that. I have googled URL:Mal extensively and cannot find a definition of a virus/infection of this name. I do, however, see posts like these:

  - What is URL:MAL and How to remove URL:mal virus from Windows
  - Remove URL:Mal Virus Infection (Uninstall Guide)

Both of these posts just give a generic description of how to clean up a pc.

So, if we can agree that "because it is infected with URL:Mal" means that Avast has detected an issue on the target website, then for goodness sake, Avast, tell us what the issue is.

As for my specific web site, the only issue of which I'm aware is the lack of SPF/DKIM/DMARC.  This is a problem I'm having with GoDaddy because they used to be set up ok.  I still have absolutely no idea what Avast thinks is wrong at my website.



« Last Edit: February 21, 2018, 11:58:30 AM by HonzaZ »

Asyn
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #47 on: February 21, 2018, 04:46:20 AM »
You can report a suspected FP (File/Website) here: https://www.avast.com/false-positive-file-form.php
Win 8.1 [x64] - Avast PremSec 20.4.2408.B#3 [UI.520] - CC 5.65 - EEK - FF ESR 68.8 [NS/AOS/uBO/PB] - TB 68.8.1 - ASB/ACP/ASL.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

HonzaZ
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #48 on: February 21, 2018, 12:03:16 PM »
Hi, this was caused because the IP (50.116.55.30) was blocked due to Blackhole EK.
I hope the IP is clean now, and I am unblocking it.
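The two posts above make the same point from both sides: zapappa's blacklist monitor reports the domain as clean, while HonzaZ explains that the block was placed on the hosting IP (50.116.55.30), so every site sharing that IP was blocked along with the one that carried the exploit kit. The following is an added example, not code from the thread, from Avast or from mxtoolbox. It shows how a DNS blocklist lookup of an IP is actually formed and decoded, and how an IP-level block maps back onto the hostnames that resolve to it. The resolver is injected so the demo runs offline against a constructed zone; the blocklist zone names, the DNS answers and the forward-DNS table are all made up for the demonstration.

```python
"""Added example (not from the forum thread): how a DNS blocklist (DNSBL) lookup
for a hosting IP works, and why one bad tenant on a shared IP takes every other
site on that IP down with it.

  * dnsbl_query_name() builds the reversed-octet name a DNSBL expects.
  * decode_dnsbl_answer() interprets the A-record answer (127.0.0.x = listed).
  * collateral_damage() maps an IP-level block back to every hostname that
    resolves to that IP.

The resolver is injected so this runs offline against constructed data; swap in
socket.gethostbyname or dnspython for a live check.
"""
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets of an IPv4 address and append the blocklist zone.

    A listing for 64.37.52.189 in a zone 'dnsbl.example' is looked up as the
    A record for '189.52.37.64.dnsbl.example'.
    """
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on garbage input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone.rstrip('.')}"


def decode_dnsbl_answer(answer: Optional[str]) -> str:
    """Interpret a DNSBL A-record answer.

    No answer (NXDOMAIN) means 'not listed'. A listed address answers with a
    loopback-range code whose last octet carries the list-specific reason.
    Anything outside 127.0.0.0/8 is a broken or hijacked answer (for example a
    wildcard from a misconfigured resolver) and must not be read as a listing.
    """
    if answer is None:
        return "not listed"
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        return f"unexpected answer {answer}: treat as error, not listing"
    return f"listed (return code {answer})"


def check_ip(ip: str, zones: Iterable[str],
             resolve: Callable[[str], Optional[str]]) -> Dict[str, str]:
    """Query every zone for one IP; resolve() returns an A record or None."""
    return {zone: decode_dnsbl_answer(resolve(dnsbl_query_name(ip, zone)))
            for zone in zones}


def collateral_damage(blocked_ip: str, forward_dns: Dict[str, str]) -> List[str]:
    """Every hostname that resolves to the blocked IP is blocked along with it."""
    return sorted(host for host, ip in forward_dns.items() if ip == blocked_ip)


# --- constructed demo data: NOT real DNS answers or real blocklists ---
FAKE_ZONE = {
    "189.52.37.64.dnsbl.example": "127.0.0.2",   # listed in one list
    "30.55.116.50.dnsbl.example": None,           # NXDOMAIN: not listed
    "30.55.116.50.other.example": "127.0.0.10",   # listed in another list
}
FAKE_FORWARD = {
    "www.katinaarnott.com": "50.116.55.30",
    "other-tenant.example": "50.116.55.30",       # hypothetical co-tenant
    "unrelated.example": "198.51.100.7",
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in resolver answering from the constructed zone above."""
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for ip in ("64.37.52.189", "50.116.55.30"):
        print(ip, check_ip(ip, ["dnsbl.example", "other.example"], fake_resolve))
    print("blocked together with 50.116.55.30:",
          collateral_damage("50.116.55.30", FAKE_FORWARD))
```

The point of collateral_damage() is the one HonzaZ makes: a vendor that blocks on IP reputation blocks the whole shared host, so a clean scan of your own domain says nothing about whether the IP is listed. Check the IP, not just the hostname, and check the other tenants.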

zapappa
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #49 on: February 23, 2018, 12:34:27 AM »
Hi HonzaZ, I am very grateful for your input.  Can you please tell me how you found out that my site was blocked due to Blackhole EK?  Like I've been saying, the Avast warning just says the site is blocked (URL:Mal) but doesn't say why.  More importantly, how can I determine what the cause was?

And thank you for unblocking.  I also "hope the IP is clean now" but I have run checks from just about every web site I can find plus I have installed and run the AntiVirus and ExploitScanner WordPress plugins. No problems reported.

Again, many thanks and I look forward to your response.


Pondus

HonzaZ
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #51 on: February 23, 2018, 09:04:58 AM »
Cannot add much more than what Pondus already said/linked, but if you have other questions, feel free to ask :)

zapappa
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #52 on: February 24, 2018, 11:00:56 PM »
HonzaZ,

There is still my main point, which is that the Avast warning just says the site is blocked (URL:Mal) but doesn't say why.  If it is Avast that has determined there is a problem then Avast knows what the problem is (e.g. Blackhole EK) so why not display that information?  It would save people like me (and many others) from having to bother you guys by asking over and over "what caused the URL:Mal".

In other words, just displaying the cause of the issue would save everybody time and effort.

But again, thanks for all your help.


polonus
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #53 on: February 25, 2018, 12:31:20 PM »
Hi zapappa,

Little old me was abroad and away for a week without my regular laptop and only on Android, so when I saw this thread, I performed a few third-party scans to make you feel more comfortable with the avast alert and to help amend issues.

In addition to what has been said in the thread above, which of course is right, I add the following:

First a retirable and vulnerable jQuery script running: http://retire.insecurity.today/#!/scan/c807bedbcf04aa0acd86b08811f455bbabb6ebc4433266431625a22828d30b5a

See that the site has been banned here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.katinaarnott.com&ref_sel=GSP2&ua_sel=ff&fs=1

Reason:
Quote
Your IP address has been automatically flagged as abusive. You are currently banned from viewing this site. To remove the ban, please visit the un-ban page (https://app.getflywheel.com/unban?name=fw071912&error=481).

The ban should be lifted here
Quote
Reputation Check: PASSED
Google Safe Browse: OK
Spamhaus Check: OK
Compromised Hosts: OK
Dshield Blocklist: OK
Shadowserver C&C: OK
Web Server: nginx/1.12.1 + Phusion Passenger 5.1.8
X-Powered-By: Phusion Passenger 5.1.8
IP Address: -54.243.154.12
Hosting Provider: Amazon.com
Shared Hosting: 2 sites found on -54.243.154.12

Also consider:
Quote
Loaded Resources

Compromised sites will often be linked to malicious javascript or iframes in an attempt to attack users of your WordPress installation. Look over the listed resources; you should be familiar with all scripts and investigate the ones you are not sure about. In addition, removal of unneeded javascript will speed up your website.

-https://app.getflywheel.com/unban?name=fw071912
    GoogleSafe: OK | Load: 111ms | Server: -54.225.179.161, nginx/1.12.1 + Phusion Passenger 5.1.8 | ASN: 14618 United-States, Amazon.com, Inc. | Reverse DNS: -ec2-54-225-179-161.compute-1.amazonaws.com
-http://fonts.googleapis.com/css?family=Source+Sans+Pro:200,300,700,900
    GoogleSafe: OK | Load: 20ms | Server: -172.217.7.138, ESF | ASN: 15169 United-States, Google Inc. | Reverse DNS: iad30s08-in-f10.1e100.net
-https://js-agent.newrelic.com/nr-1071.min.js
    GoogleSafe: OK | Load: 25ms | Server: -151.101.34.110, AmazonS3 | ASN: 54113 United-States, Fastly | Reverse DNS: (empty)
-http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3ik4zwlxdo.woff
    GoogleSafe: OK | Load: 17ms | Server: -172.217.7.131, sffe | ASN: 15169 United-States, Google Inc. | Reverse DNS: iad30s08-in-f3.1e100.net
-http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3i94_wlxdo.woff
    GoogleSafe: OK | Load: 17ms | Server: -172.217.7.131, sffe | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
-http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3ig4vwlxdo.woff
    GoogleSafe: OK | Load: 18ms | Server: -172.217.7.131, sffe | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
-http://fonts.gstatic.com/s/sourcesanspro/v11/6xKydSBYKcSV-LCoeQqfX1RYOo3iu4nwlxdo.woff
    GoogleSafe: OK | Load: 19ms | Server: 172.217.7.131, sffe | ASN: 15169 United-States, Google Inc. | Reverse DNS: -iad30s08-in-f3.1e100.net
-https://bam.nr-data.net/1/d31ab27ce7?a=23297107&v=1071.385e752&to=Jg1YQBRcCVpdS0taUwwMGUEIUQRYF0wKVVML&rst=190&ref=-https://app.getflywheel.com/unban&qt=1&ap=5&be=108&fe=160&dc=159&af=err,xhr,ins&perf=%7B%22timing%22:%7B%22of%22:1519556150832,%22n%22:0,%22f%22:0,%22dn%22:0,%22dne%22:0,%22c%22:0,%22ce%22:0,%22rq%22:0,%22rp%22:0,%22rpe%22:111,%22dl%22:102,%22di%22:159,%22ds%22:159,%22de%22:160,%22dc%22:160,%22l%22:160,%22le%22:161%7D,%22navigation%22:%7B%7D%7D&jsonp=NREUM.setToken
    GoogleSafe: OK | Load: 194ms | Server: 162.247.242.20 | ASN: 23467 United-States, New Relic | Reverse DNS: -bam-8.nr-data.net

To fix it you can:
    1. In the Slider Settings -> Troubleshooting set option: Put JS Includes To Body option to true.
    2. Find the double jquery.js include and remove it.

Your client address was checked by -> https://toolbar.netcraft.com/site_report?url=https://l2.io

More issues and recommendation: https://observatory.mozilla.org/analyze.html?host=www.katinaarnott.com

Issue should be taken up with the AS - Net Access Corporation, e.g. Flywheel; consider Linode abuse.
Re: https://urlquery.net/report/51cf5840-4139-456a-b321-93773bccf4c1

Netcraft risk score 9 red out of 10: https://toolbar.netcraft.com/site_report?url=http://50.116.55.30

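The "Loaded Resources" list in the post above is the check a site owner should be able to repeat without a third-party scanner: enumerate everything the page pulls in, and look hard at anything from a host you did not put there. The following is an added example, not code from polonus, from aw-snap.info or from any tool linked in the thread. It parses a page offline with the standard-library HTML parser, collects the URLs a browser fetches on its own (scripts, iframes, stylesheets, images, embeds), and reports three things a practitioner wants from such a list: third-party hosts missing from an allowlist you maintain, plain-http loads (mixed content on an HTTPS site, and tamperable on the wire), and remote scripts that carry no Subresource Integrity hash. The sample page and the allowlist are constructed for the demo and are assumptions, not the real site.

```python
"""Added example (not from the thread or from aw-snap.info): an offline audit of
the resources a page loads, in the spirit of the "Loaded Resources" list.

Flags, per resource:
  unknown_host        third-party host not on the owner's allowlist
  plain_http          fetched over http:// (mixed content, alterable in transit)
  script_without_sri  remote <script src> without an integrity= attribute
"""
from html.parser import HTMLParser
from typing import Dict, List, NamedTuple, Set
from urllib.parse import urljoin, urlparse


class Resource(NamedTuple):
    tag: str
    url: str
    has_integrity: bool


class ResourceCollector(HTMLParser):
    """Collect URLs from the tags a browser fetches without user action."""

    # tag -> attribute that names the fetched resource
    URL_ATTR = {"script": "src", "iframe": "src", "img": "src",
                "link": "href", "embed": "src", "object": "data"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.resources: List[Resource] = []

    def handle_starttag(self, tag, attrs):
        attr = self.URL_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # <link> is only interesting when it is executed content (a stylesheet);
        # canonical/icon/alternate links are metadata, not code.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        raw = a.get(attr)
        if not raw:                       # inline <script> has no src
            return
        url = urljoin(self.base_url, raw.strip())   # resolves //host and /path
        if urlparse(url).scheme not in ("http", "https"):
            return                        # data:, javascript:, blob: are not fetches
        self.resources.append(Resource(tag, url, bool(a.get("integrity"))))


def audit_page(html: str, base_url: str, trusted_hosts: Set[str]) -> Dict[str, List[str]]:
    """Return findings grouped by category, each entry the offending URL."""
    parser = ResourceCollector(base_url)
    parser.feed(html)
    parser.close()
    site_host = urlparse(base_url).hostname
    findings: Dict[str, List[str]] = {"unknown_host": [], "plain_http": [],
                                      "script_without_sri": []}
    for r in parser.resources:
        parsed = urlparse(r.url)
        host = parsed.hostname or ""
        third_party = host != site_host
        if third_party and host not in trusted_hosts:
            findings["unknown_host"].append(r.url)
        if parsed.scheme == "http":
            findings["plain_http"].append(r.url)
        if r.tag == "script" and third_party and not r.has_integrity:
            findings["script_without_sri"].append(r.url)
    return findings


# --- constructed sample page (not the real site's markup) ---
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Source+Sans+Pro">
<link rel="canonical" href="https://www.katinaarnott.com/">
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://js-agent.newrelic.com/nr-1071.min.js"></script>
<script src="https://cdn.example-unknown.net/loader.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lib.js" integrity="sha384-abc"></script>
<script>var inline = 1;</script>
<img src="data:image/gif;base64,R0lGODlh">
</head><body>
<iframe src="//unfamiliar.example/frame.html"></iframe>
</body></html>
"""
# Hosts the (hypothetical) site owner knowingly uses.
TRUSTED = {"fonts.googleapis.com", "fonts.gstatic.com",
           "js-agent.newrelic.com", "cdn.jsdelivr.net"}

if __name__ == "__main__":
    for category, urls in audit_page(SAMPLE_HTML, "https://www.katinaarnott.com/", TRUSTED).items():
        print(category)
        for u in urls:
            print("   ", u)
```

The allowlist is the part that matters: a scanner can only tell you a host is not on Google Safe Browsing, while you can tell whether you ever added it. Anything in unknown_host that you do not recognise is the first thing to pull out of the theme or plugin that injected it. SRI is not available for stylesheets that change (fonts served per user agent), so the check is limited to scripts.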

HonzaZ
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #54 on: February 27, 2018, 07:16:56 AM »
Quote
There is still my main point, which is that the Avast warning just says the site is blocked (URL:Mal) but doesn't say why.  If it is Avast that has determined there is a problem then Avast knows what the problem is (e.g. Blackhole EK) so why not display that information?  It would save people like me (and many others) from having to bother you guys by asking over and over "what caused the URL:Mal".

In other words, just displaying the cause of the issue would save everybody time and effort.

You are a very rare user though. We block thousands of URLs a day and you are one of the few who cares, and even of those who care and want their website without any warnings, most people don't know or care what happened earlier. They will just wipe it, update it, change passwords, and that's it. I am literally talking about one person a week who wants to know what happened and knows what "being infected by an exploit kit" means.

And even if there were many people who cared, it would be difficult to change the GUI, and I am not even talking about all the trouble with localization...

All in all, I understand, but I feel like it is too much effort for too little gain.

zapappa
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #55 on: March 08, 2018, 05:01:02 PM »
Hi polonus,  that was some very useful input.  Thanks very much!


HonzaZ, fair comment, thanks for your help.

[GR]ToxicShock
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #56 on: May 28, 2018, 09:19:50 PM »
My web site www.gamereplays[.]org is experiencing the same problem. Many users that have been able to contact me through other means are reporting that they are being presented with the same message and are unable to access the site. They say they are unable to override the block.

We are a respectable site.   Please fix this obviously spurious problem and unblock our site.
« Last Edit: May 29, 2018, 03:23:32 PM by HonzaZ »

Pondus
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #57 on: May 28, 2018, 10:08:19 PM »
Quote
My web site www.gamereplays.org is experiencing the same problem. Many users that have been able to contact me through other means are reporting that they are being presented with the same message and are unable to access the site. They say they are unable to override the block.

We are a respectable site. Please fix this obviously spurious problem and unblock our site.

Well according to Sucuri your website contains spam  >>  https://sitecheck.sucuri.net/results/www.gamereplays.org

Malware entry: spam-seo.spammy_keywords
http://labs.sucuri.net/db/malware/spam-seo.spammy_keywords?3.14




« Last Edit: May 28, 2018, 10:11:27 PM by Pondus »
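The Sucuri signature Pondus cites, spam-seo.spammy_keywords, describes a very common compromise pattern: the attacker injects a block of off-topic keywords and outbound links that search engines index but visitors never see, because it is hidden with CSS or pushed off-screen. That is why the owner sees nothing wrong and a reputation service does. The following is an added example, not code from the thread or from Sucuri. It walks a page with the standard-library HTML parser, records every subtree hidden by an inline style or a hidden attribute, and reports the hidden blocks that contain a spam-term hit or an unusual number of links. The sample page, the term list and the link threshold are constructed for the demo; a real signature set is much larger, and legitimate hidden elements (collapsed menus) are expected, which is why only blocks with links or term hits are reported.

```python
"""Added example (not from the thread or from Sucuri): find hidden text blocks
stuffed with spam keywords or links, the pattern behind SEO-spam injections.

A hidden subtree is opened by an element whose inline style hides it
(display:none, visibility:hidden, font-size:0, off-screen positioning) or that
carries the HTML 'hidden' attribute. Text and <a> tags inside it are collected;
only blocks with spam-term hits or many links are reported, so ordinary hidden
menus do not drown the result.
"""
import re
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional

HIDING_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?:px|em|pt)?(?![.\d])"          # 0 but not 0.9em
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",        # pushed off-screen
    re.IGNORECASE)

# Constructed, deliberately short term list; real signature sets are far larger.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday loan", "replica watch", "cheap jersey")


class HiddenBlock(NamedTuple):
    tag: str
    reason: str
    text: str
    links: int


class HiddenTextFinder(HTMLParser):
    VOID = {"br", "img", "input", "meta", "link", "hr"}   # never on the stack

    def __init__(self):
        super().__init__()
        self.stack: List[tuple] = []          # (tag, opens_hidden_block)
        self.blocks: List[HiddenBlock] = []
        self.current: Optional[int] = None    # index of the open hidden block

    @staticmethod
    def _hiding_reason(attrs) -> Optional[str]:
        a = dict(attrs)
        if "hidden" in a:
            return "hidden attribute"
        m = HIDING_STYLE.search(a.get("style") or "")
        return f"style '{m.group(0)}'" if m else None

    def handle_starttag(self, tag, attrs):
        if tag in self.VOID:
            return
        reason = self._hiding_reason(attrs)
        if reason and self.current is None:       # outermost hidden element
            self.blocks.append(HiddenBlock(tag, reason, "", 0))
            self.current = len(self.blocks) - 1
            self.stack.append((tag, True))
        else:
            self.stack.append((tag, False))
        if tag == "a" and self.current is not None:
            b = self.blocks[self.current]
            self.blocks[self.current] = b._replace(links=b.links + 1)

    def handle_endtag(self, tag):
        if tag in self.VOID or not any(t == tag for t, _ in self.stack):
            return                                # stray close tag: ignore
        while self.stack:
            t, opens_hidden = self.stack.pop()
            if opens_hidden:
                self.current = None               # hidden subtree is closed
            if t == tag:
                break

    def handle_data(self, data):
        if self.current is not None:
            b = self.blocks[self.current]
            self.blocks[self.current] = b._replace(text=(b.text + " " + data).strip())


def score_hidden_blocks(html: str, min_links: int = 5) -> List[dict]:
    """Report hidden blocks that look like injected SEO spam."""
    p = HiddenTextFinder()
    p.feed(html)
    p.close()
    report = []
    for b in p.blocks:
        low = b.text.lower()
        terms = sorted({t for t in SPAM_TERMS if t in low})
        if terms or b.links >= min_links:
            report.append({"tag": b.tag, "reason": b.reason, "links": b.links,
                           "terms": terms, "sample": b.text[:80]})
    return report


# --- constructed sample page: a benign hidden menu plus an injected spam block ---
SAMPLE = """
<html><body>
<nav style="display:none" id="mobile-menu"><a href="/">Home</a><a href="/about">About</a></nav>
<h1>Game Replays</h1><p>Welcome to the replay archive.</p>
<div style="position:absolute; left:-9999px; top:0">
  Buy cheap viagra online <a href="http://pharma1.example/">here</a>,
  best casino bonus <a href="http://casino1.example/">casino</a>
  <a href="http://x1.example/">replica watches</a> <a href="http://x2.example/">payday loan</a>
  <a href="http://x3.example/">cialis</a> <a href="http://x4.example/">more</a>
</div>
<footer><p>&copy; 2018</p></footer>
</body></html>
"""

if __name__ == "__main__":
    for finding in score_hidden_blocks(SAMPLE):
        print(finding)
```

Run it against a copy of the page as served to a search-engine user agent as well as to a browser: injections of this kind are often conditional on the User-Agent or Referer, which is another reason an owner looking at the site from a browser sees nothing.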

polonus
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #58 on: May 29, 2018, 12:40:41 AM »
Hi [GR]ToxicShock,

Nothing flagged: http://isithacked.com/check/http%3A%2F%2Fwww.gamereplays.org%2F
& https://urlquery.net/report/ec516cc4-4ecb-4803-a193-29b062e0b26f

What can be flagged is a second redirect via http - https -> to: hxtp://www.gamereplays.org/portals.php -> htxps://www.gamereplays.org/portals.php
See sources and sinks here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.gamereplays.org%2Fportals.php
uMatrix blocks: -http://cdn.assets.craveonline.com/comscore_branding/cr-branding.js?useDarkLogo=true
(bug-hunter's) script error on site
Quote
-cdn.assets.craveonline.com/branding/cr-branding.js?useDarkLogo=true
     info: [decodingLevel=0] found JavaScript
     error: undefined variable clearTimeout
     error: undefined function d[m]
     error: undefined variable d
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD XHTML 1.0 Transitional/EN"
          error: line:3: ...............^
Also see here: https://www.scamadviser.com/check-website/gamereplays.org
Last update of your website -> 2017-11-27 16:36:03 (6 months & 1 day ago)  according to your WHOIS data
- Cxxxs Dxxxk, : Array, London, W1G8RJ, GB , hosted by GoDaddy on wXw.pir.org server

We are just volunteers with relevant knowledge, unblocking can only be performed by avast team members.
Wait for one to arrive here in this thread and give the final verdict on your website.

« Last Edit: May 29, 2018, 12:42:30 AM by polonus »
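polonus points at the redirect into portals.php and at the "sources and sinks" view of the DOM XSS scanner for that page. The following is an added example, not code from polonus or from domxssscanner.com. It is the first-pass triage that scanner automates: grep client-side JavaScript for statements that read attacker-influenced input (location.hash, location.search, document.referrer and so on) and statements that write into dangerous APIs (innerHTML, document.write, eval, string-argument setTimeout, script src), and flag the statements where both occur together. The script text is constructed; the source and sink lists are a deliberately short assumption and the statement splitting is crude, so a hit is a place to read, not a confirmed bug, and a source assigned to a variable and used in a sink several statements later is missed.

```python
"""Added example (not from the thread or domxssscanner.com): a regex triage of
DOM XSS sources and sinks in client-side JavaScript.

Limitations a practitioner should keep in mind:
  * taint is only recognised within one statement; "var h = location.hash;"
    followed later by "el.innerHTML = h;" is reported as a source and a sink,
    not as a flow;
  * "location.href" is a source when read and a sink when assigned, so an
    assignment to it will show up in both lists.
"""
import re
from typing import Dict, List

SOURCES = [r"location\.hash", r"location\.search", r"location\.href",
           r"document\.URL", r"document\.referrer", r"window\.name",
           r"document\.cookie"]
SINKS = [r"\.innerHTML\s*=", r"\.outerHTML\s*=", r"document\.write(?:ln)?\s*\(",
         r"\beval\s*\(", r"\bsetTimeout\s*\(\s*['\"]", r"\bFunction\s*\(",
         r"\.src\s*=", r"location(?:\.href)?\s*=", r"\.insertAdjacentHTML\s*\(",
         r"\$\([^)]*\)\.html\s*\("]

SRC_RE = re.compile("|".join(SOURCES))
SINK_RE = re.compile("|".join(SINKS))


def split_statements(js: str) -> List[str]:
    """Crude statement split on ';' and newlines; adequate for lightly minified code."""
    return [s.strip() for s in re.split(r"[;\n]", js) if s.strip()]


def find_dom_xss_candidates(js: str) -> Dict[str, List[str]]:
    """Classify each statement as reading a source, writing a sink, or both."""
    out: Dict[str, List[str]] = {"sources": [], "sinks": [], "source_into_sink": []}
    for stmt in split_statements(js):
        has_src = SRC_RE.search(stmt) is not None
        has_sink = SINK_RE.search(stmt) is not None
        if has_src:
            out["sources"].append(stmt)
        if has_sink:
            out["sinks"].append(stmt)
        if has_src and has_sink:
            out["source_into_sink"].append(stmt)
    return out


# --- constructed script (not the site's real code) ---
SAMPLE_JS = """
var portal = location.hash.substring(1);
document.getElementById("title").textContent = portal;
document.getElementById("out").innerHTML = "Portal: " + decodeURIComponent(location.search);
var s = document.createElement("script"); s.src = "https://cdn.example/branding.js";
document.write("<p>" + document.referrer + "</p>");
setTimeout(function(){ render(); }, 100);
"""

if __name__ == "__main__":
    for category, stmts in find_dom_xss_candidates(SAMPLE_JS).items():
        print(category)
        for s in stmts:
            print("   ", s)
```

The second statement in the sample is the contrast worth noticing: textContent takes the same untrusted value and is not a sink, because it never parses markup. The fix for the innerHTML and document.write lines is the same substitution.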

Char#
Re: Website reported as blocked for URL:Mal, report false infection?
« Reply #59 on: May 29, 2018, 02:37:47 AM »
Today have been getting URL:Mal threat detection alerts from Web Shield for all attachments, images or links in emails on Shaw webmail:

wm-so.glb.shawcable.net

Sucuri site checker doesn't show any problems. I added the site to exclusions in Avast settings so I can access my email, but wondering why it has been blocked?