Author Topic: Domain and IP blocked by Avast  (Read 8631 times)

REDACTED

  • Guest
Domain and IP blocked by Avast
« on: July 03, 2015, 04:43:58 PM »
Hello,
I hope this is the right forum to post about a possible false positive.

For a few days now, my company website trucchislotmachine.com has been blocked by Avast; it says URL:MAL.

I have analyzed the website and the server and I don't see any problem with it. Could you please check if it's a false positive? I already sent a request through the contact form but I didn't receive any reply.


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33669
  • malware fighter
Re: Domain and IP blocked by Avast
« Reply #2 on: July 03, 2015, 06:11:54 PM »
Flagged here: https://www.virustotal.com/nl/domain/trucchislotmachine.com/information/
Potentially Suspicious files:
Detected unconditional redirection to external web resource in 17 instances.
[[<meta HTTP-EQUIV="REFRESH" content="0; url=htxp://resources.32red.com/redirect.aspx?pid=10399%26bid=2607">]]
[[<meta HTTP-EQUIV="REFRESH" content="0; url=https://mediaserver.bwinpartypartners.it/renderBanner.do?zoneId=1657529">]] etc. etc.
Web application version:
Joomla Version 2.5.20 for: htxp://trucchislotmachine.com/media/media/js/mediamanager.js
Joomla Version 2.5.20 for: htxp://trucchislotmachine.com/language/en-GB/en-GB.ini
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5
Outdated Web Server Apache Found: Apache/2.2.15  (has been mitigated?)

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftrucchislotmachine.com%2Fmedia%2Fmedia%2Fjs%2Fmediamanager.js

External malware link: htxp://js.users.51.la/17675171.js -> https://www.virustotal.com/nl/url/8a976a1485f7a38701566af9a0253ae095f74f84faf574ab4b87bf50662ffe40/analysis/1435939856/

PHP vulnerable: ftp://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/lang/php54/README.html

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
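
The scanner finding polonus quotes above ("unconditional redirection to external web resource") is something a site owner can reproduce locally before asking for a review. The following is an added example written for this thread, not a tool from the forum or from Avast: it parses a page, collects every meta refresh tag regardless of letter case, and reports only those that fire immediately (delay 0) and point off the site's own host. The sample page and host names (affiliate.example, ads.example, example-site.test) are constructed placeholders, not the sites named in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def parse_refresh_content(content):
    """Split a refresh 'content' value: '0; url=http://x' -> (0, 'http://x'), '30' -> (30, None)."""
    head, sep, rest = content.partition(";")
    try:
        delay = int(head.strip() or 0)
    except ValueError:
        delay = None
    url = None
    if sep:
        rest = rest.strip()
        if rest.lower().startswith("url="):
            rest = rest[4:].strip().strip("'\"")
        url = rest or None
    return delay, url

class MetaRefreshFinder(HTMLParser):
    """Collects (delay, url) for every <meta http-equiv="refresh"> tag, any letter case."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases tag and attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.refreshes.append(parse_refresh_content(a.get("content", "")))

def unconditional_external_redirects(html, site_host):
    """URLs a visitor is sent to immediately (delay 0) that leave site_host."""
    finder = MetaRefreshFinder()
    finder.feed(html)
    hits = []
    for delay, url in finder.refreshes:
        host = (urlparse(url).hostname or "") if url else ""
        if delay == 0 and host and host.lower() != site_host.lower():
            hits.append(url)
    return hits

# Constructed sample page: hosts are placeholders, not the sites named in the thread.
SAMPLE_HTML = """<html><head>
<meta HTTP-EQUIV="REFRESH" content="0; url=http://affiliate.example/redirect.aspx?pid=1%26bid=2">
<meta http-equiv="refresh" content="0; url=https://ads.example/banner?zone=1">
<meta http-equiv="refresh" content="0; url=/login.html">
<meta http-equiv="refresh" content="30">
<meta http-equiv="refresh" content="0; url=https://example-site.test/home">
</head><body></body></html>"""
```

Relative targets, same-host targets and timed (non-zero) refreshes are deliberately left out of the report, since those are what the scanner's wording excludes.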

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6710
  • Trust only what you test yourself!
Re: Domain and IP blocked by Avast
« Reply #3 on: July 03, 2015, 06:16:49 PM »
Multiple blacklists http://multirbl.valli.org/lookup/188.121.50.243.html

Not a safe site at all.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

REDACTED
Re: Domain and IP blocked by Avast
« Reply #4 on: July 06, 2015, 11:40:44 AM »
Thank you for your support,
Some issues are not real at all (e.g. the meta HTTP-EQUIV="REFRESH" tags, which are affiliate redirects to 100% safe websites); I'm going to fix the remaining ones and let you know.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31210
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Domain and IP blocked by Avast
« Reply #5 on: July 06, 2015, 11:56:30 AM »
The refresh issue is real and is considered malicious behavior.

Offline polonus
Re: Domain and IP blocked by Avast
« Reply #6 on: July 06, 2015, 02:08:03 PM »
Eddy is right; it is flagged by Malware Script Detector v2.0, which detected "Malware Customized XSS Malware" in the source:
https://s0.wp.com/_static/?? etc. etc. This is the Meta Tag HTTP-EQUIV="REFRESH" - the client has to resolve: expound-v2.css?ver=2013-02-15s2.wp.com/wp-content/blog-plugins/wor…   0   B
https://s0.wp.com/_static/??-eJx9kdFO…   50.3   kB
Quote: "Basic Principle: Never attribute to malice what you can attribute to incompetence. The first place to look is for a problem on the page itself."
Quote info credits - Bob Trower.

polonus

REDACTED
Re: Domain and IP blocked by Avast
« Reply #7 on: July 07, 2015, 12:07:26 AM »
Polonus I don't understand your post.

I don't get whether you're saying META REFRESH is bad in general, or whether my website has one or more malicious meta refreshes.

Eddy is right; it is flagged by Malware Script Detector v2.0, which detected "Malware Customized XSS Malware" in the source:
https://s0.wp.com/_static/?? etc. etc. This is the Meta Tag HTTP-EQUIV="REFRESH" - the client has to resolve: expound-v2.css?ver=2013-02-15s2.wp.com/wp-content/blog-plugins/wor…   0   B
https://s0.wp.com/_static/??-eJx9kdFO…   50.3   kB
Quote: "Basic Principle: Never attribute to malice what you can attribute to incompetence. The first place to look is for a problem on the page itself."
Quote info credits - Bob Trower.

polonus

Offline polonus
Re: Domain and IP blocked by Avast
« Reply #8 on: July 07, 2015, 12:30:04 AM »
Hi Matteo45,

I mean that, in general, it isn't an elegant solution; a 301 isn't.
These tests, however, were passed successfully: http://mobilefriendlytest.website/index.php
Mind the advice there. The refresh gets carried through resolving in multiple alert boxes.
If there were a malicious Meta Tag it would not be visible for the public (visitors).
In that case the easiest and safest fix is to completely wipe your public server space and DB,
then reinstall from a known clean backup.

polonus
« Last Edit: July 07, 2015, 12:36:10 AM by polonus »

REDACTED
Re: Domain and IP blocked by Avast
« Reply #9 on: July 13, 2015, 10:21:42 PM »
I'm a bit curious to know how Avast decides whether to block a site or not.
I requested removal from the SiteAdvisor blacklist; a few minutes ago the site was removed, and now Avast is not blocking trucchislotmachine.com anymore. So it just checks the McAfee blacklist? COOL!
I'm glad I don't use MS win...

Offline polonus
Re: Domain and IP blocked by Avast
« Reply #10 on: July 13, 2015, 11:02:09 PM »
The website - trucchislotmachine.com is still being blocked by Avast Webshield as with URL:Mal
One of these domains on the same IP can also be responsible for the blocking:
http://sameid.net/ip -> http://sameid.net/ip/188.121.50.243/
What should be done is that the server shouldn't give out excessive server version info: Apache/2.2.15 (CentOS) to the world and attackers.
This could be easily mended by settings in the server configuration, so we get Apache period.
While even with CentOS 6.3 apache/2.2.15 (centos) is not vulnerable to exploits, just turn off the Apache and PHP versions in the headers and miraculously you might get a clean bill of health....

polonus
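
The advice above (stop the server announcing "Apache/2.2.15 (CentOS)" and the PHP version) is easy to apply and just as easy to verify. The following is an added example written for this thread, not code from the forum, from Avast or from the site in question: it names the real Apache and php.ini settings involved in comments, then checks a raw HTTP response head for the headers that still leak version details. The two response heads are constructed, and the PHP version string in them is a placeholder rather than the site's actual value.

```python
import re

# What to turn off, in the server's own configuration (real Apache/PHP directives):
#   Apache: ServerTokens Prod   -> "Server: Apache" with no version or OS
#           ServerSignature Off -> no version footer on generated error pages
#   php.ini: expose_php = Off   -> no "X-Powered-By: PHP/x.y.z" header
VERSION_TOKEN = re.compile(r"/\d+(\.\d+)*")  # e.g. "Apache/2.2.15", "PHP/5.4.x"
CHATTY_HEADERS = ("x-powered-by", "x-aspnet-version", "x-generator")


def parse_response_head(raw):
    """Map header names (lowercased) to values from a raw HTTP response head."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw):
    """Headers that reveal software or version details to anyone who connects."""
    headers = parse_response_head(raw)
    findings = []
    server = headers.get("server", "")
    if VERSION_TOKEN.search(server) or "(" in server:  # version number or "(OS)" comment
        findings.append("server: " + server)
    for name in CHATTY_HEADERS:
        if name in headers:
            findings.append(name + ": " + headers[name])
    return findings


# Constructed response heads; the PHP version is a placeholder, not taken from the thread.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Apache/2.2.15 (CentOS)\r\n"
          "X-Powered-By: PHP/5.4.x\r\n"
          "Content-Type: text/html\r\n\r\n")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: Apache\r\n"
         "Content-Type: text/html\r\n\r\n")
```

Hiding the banner does not patch anything, which is the point polonus makes: it only stops scanners and casual observers from reading the version, so the Joomla and PHP upgrades raised earlier in the thread still stand.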

REDACTED
Re: Domain and IP blocked by Avast
« Reply #11 on: July 16, 2015, 10:30:25 PM »
Hi polonus,
thank you for your support.
I've hidden the Apache and PHP version info in the HTTP header and fixed all the previous issues, except:
- email blacklists: most of them are automatic and/or distributed and I cannot find out how to submit the site for review
- https://sitecheck.sucuri.net/results/trucchislotmachine.com => forced a rescan but it incorrectly sees website blacklisted on siteadvisor
- meta refresh: I understand your concerns about unconditional redirects but unfortunately I cannot move to other solutions like php header redirect

Matteo

Offline polonus
Re: Domain and IP blocked by Avast
« Reply #12 on: July 16, 2015, 10:46:05 PM »
Hi Matteo,

Report to virus@avast.com and ask for an exclusion (refer to this thread here). They could consider that; I cannot, as unblocking websites is reserved for Avast team members, and I am just a volunteer here with relevant knowledge. Anyway, you considerably improved your website security by reporting here. Stay secure with Avast!

Damian

P.S. Joomla scan OK: https://hackertarget.com/joomla-security-scan/
Note that this site: -http://www.open-society-kz.org/modules/mod_roknavmenu/themes/basic/code.php
had a threat identified as: Exploit.HTML.IFrame-6

pol
« Last Edit: July 17, 2015, 12:56:03 AM by polonus »

REDACTED
Re: Domain and IP blocked by Avast
« Reply #13 on: July 24, 2015, 03:17:07 PM »
I sent an email 5 days ago, no reply and no action. Website trucchislotmachine.com is still blocked by avast.

Offline Eddy
Re: Domain and IP blocked by Avast
« Reply #14 on: July 24, 2015, 03:34:36 PM »
An email?
You need to submit a ticket.