Author Topic: Avast marking web page as virus - why (Read 12467 times)

REDACTED · « **Reply #30 on:** August 20, 2015, 10:45:48 PM »

Where did you find this code?

Quote from: polonus on August 20, 2015, 10:40:31 PM

Why is this in the code there
Code: [Select]
179 \t\t\t\t\t\t\t\t····var·ip·=·'91.201.55.91';································\r\n \r\n See: https://www.virustotal.com/nl/ip-address/91.201.55.91/information/

polonus

HonzaZ · « **Reply #31 on:** August 20, 2015, 10:50:33 PM »

Should be ok in the next update :-)

polonus · « **Reply #32 on:** August 20, 2015, 10:55:53 PM »

Code is given in the Russian Low Level Site Explorer, just the code from that webpage, line 179

Code: [Select]

································function·trackSearch(env,·txt)·\r\n
································{\r\n
\t\t\t\t\t\t\t\t····var·ip·=·'91.201.55.91';································\r\n
\r\n
\t\t\t\t\t\t\t\t····$.ajax({\r\n
\t\t\t\t\t\t\t\t\t····url:·'GownsWS.asmx/SearchTracking',\r\n

polonus

HonzaZ · « **Reply #33 on:** August 21, 2015, 10:20:18 AM »

Btw several subdomains still point to malicious IPs, for example:

Name: acknowledges.ellecouturegowns.net
Address: 85.143.216.53

and many more:
acknowledges.ellecouturegowns.net
automatic.ellecouturegowns.com
strongest.ellecouturegowns.com
democratic.ellecouturegowns.info
depreciation.ellecouturegowns.net
fight.ellecouturegowns.org
ingres.ellecouturegowns.net
jean.elledancestudio.com
recognized.ellecouturegowns.org
staff.ellecouturegowns.org
analysis.ellecouturegowns.net
plains.ellecouturegowns.org

If this does not stop immediately, the domains will be blocked again!

REDACTED · « **Reply #34 on:** August 21, 2015, 11:35:33 AM »

We are not using ellecouturegowns.net domain at all for our webs, although we have it registered. We use only .com suffix.
85.143.216.53 was generic (*) godaddy DNS entry for any subdomain on ellecouturegowns class of domains (net,org,com...).
I have removed "*" DNS entries, please check now. It will take some time for DNS to get propagated.

Regards,
Drazen

polonus · « **Reply #35 on:** August 21, 2015, 12:40:35 PM »

This has a Netcraft Risk Rating of 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://85.143.216.53
bulk registering.
You are out on left AS -> http://bgp.he.net/AS201848 -> as-block: AS201216 - AS202239
This AS number doesn't appear to exist right now, and so we are unable to generate a report.

polonus

HonzaZ · « **Reply #36 on:** August 21, 2015, 02:58:21 PM »

Thanks for the info, Drazen!

REDACTED · « **Reply #37 on:** August 22, 2015, 09:38:49 PM »

HonzaZ, ellecouturegowns.com is still blocked, please check.

Regards,
Drazen

HonzaZ · « **Reply #38 on:** August 22, 2015, 10:42:48 PM »

I can access the website without any warning - can you post the printscreen? What does the warning say?

REDACTED · « **Reply #39 on:** August 22, 2015, 10:55:05 PM »

https://www.dropbox.com/s/xv9apvicx06wpcs/Screenshot%202015-08-22%2022.49.54.png?dl=0
Virus definition version: 150820-1

Regards,
Drazen

essexboy · « **Reply #40 on:** August 22, 2015, 10:56:42 PM »

No problems with IE11 or Edge here

jefferson sant · « **Reply #41 on:** August 22, 2015, 11:04:05 PM »

Using Internet Explorer 11 and Firefox 40.02
tested in both load normally there is no problem.

REDACTED · « **Reply #42 on:** August 23, 2015, 09:12:17 AM »

Same with freshly installed Firefox 40.02, virus definition version 150822-0
https://www.dropbox.com/s/uk6q5ha1p5anyv4/Screenshot%202015-08-23%2009.11.11.png?dl=0
HonzaZ, please check.

Regards,
Drazen

HonzaZ · « **Reply #43 on:** August 23, 2015, 09:20:30 AM »

I have no idea why it appears as malicious. The URL is definitely not blocked now. Perhaps it is still in the cache somewhere? Did you try restarting your PC?
Rest assured that your visitors do not see any warnings now, as Essexboy and Jefferson confirmed :-)

REDACTED · « **Reply #44 on:** August 23, 2015, 09:35:24 AM »

It should not be in any cache since this is fresh install of Firefox 40.02.
Restarting the PC helped

Regards,
Drazen