Avast marking web page as virus - why

[Pondus]

Do you know of any other services which offer one time cleaning + continuous protection on per server basis?

Have you talked with Sucuri and asked what they can offer?

there is also  http://www.quttera.com/home

try google  >  web server security   

[HonzaZ]

Hi,
I am unblocking the domain now ;-)!

[REDACTED]

Thank you, please unblock this sites also:

hxxp://www.framesemporium.com
hxxp://www.shadesbroker.com
hxxp://www.framesbroker.com
hxxp://www.alpharettacleaningdepot.com/
hxxp://www.ellecouturegowns.com/

Regards,
Drazen

[HonzaZ]

I am unblokcing them, but I spotted some very suspicious subdomains pointing to 85.143.216.53:
automatic.ellecouturegowns.com
strongest.ellecouturegowns.com
etc.

I strongly suggest updating all systems and changing all passwords (especially passwords of DNS hosting), or the domains might automatically be blocked in the future again.

[REDACTED]

Thank you.
Any other suspicious subdomains?
We'll change passwords for DNS hosting.
When will your updates be live?

[polonus]

This should be taken up with the hosting party.

The website htxp://use-wear-talk.com/ is still being blocked and I see various server configuration issues that have not been remedied, see:3 warnings: https://asafaweb.com/Scan?Url=use-wear-talk.com

See risk status: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fuse-wear-talk.com%2F

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fuse-wear-talk.com%2F

and http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fuse-wear-talk.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

jQuery load page issue: assets/e4ca9e9b/jquery.js pagination issue.
Why the hxxp in this lines of code starting at line 1380

Code: [Select]

1380:  < if​rame src=hxxp://fast.wistia.net/embed/ if​rame /nogii33cpi" allowtransparency="true" frameborder="0" scrolling="no"
1381:  class="wistia_embed" name="wistia_embed" allowfullscreen mozallowfullscreen webkitallowfullscreen oallowfullscreen
1382:  msallowfullscreen width="100%"> < / if​rame > < sc​ript src=hxxp://fast
.wistia.net/assets/external/E-v1.js" async> < / sc​ript >

concerning Wistia dot com Javascript Player API -> E-v1.js
-> this is malicious according to Sucuri's: https://www.virustotal.com/en/url/f6354c32cc1358503f478e56c0a0dfe426c03556b90b63d90dff27e166283daf/analysis/

Consider: http://www.exedb.com/systemfiles/e-v1,postroll-v1.js.html
used in a combined attack with hijacked DNS and affecting the  the .js.php files....

polonus (volunteer website security analyst and website error-hunter)

[REDACTED]

DNS passwords have been changed.
The sites are still blocked, have they been unblocked?

[polonus]

Also flagged: http://oscarotero.com/embed/demo/index.php?url=http%3A%2F%2Fwww.framesemporium.com&options%5BminImageWidth%5D=0&options%5BminImageHeight%5D=0&options%5BfacebookAccessToken%5D=&options%5BembedlyKey%5D=&options%5BsoundcloudClientId%5D=YOUR_CLIENT_ID&options%5BoembedParameters%5D=

polonus

[HonzaZ]

Hi,
Apparently whole IP 85.143.216.53 was blocked - I am unblocking it now. ;-)

[REDACTED]

85.143.216.53 is not ours...

[polonus]

No it is not, and this also seems blocked by Avast: http://bestbuydiet.net/
because url is not valid.  Suspected of ROKSO Spamming.

polonus

[REDACTED]

Could be however I am interested exactly why Avast blocked our sites, only suspicion is not enough.
Official answer from the team was that sites were blocked becouse of Avenger EK virus.

[polonus]

See for instance here: http://1col.ru/www.ellecouturegowns.com
I see no items, the hidden asp code is for s a state control mechanism. It is used to preserve viewstate and control state.

They are usually included in a div element, <div></div> as we see here.

polonus

[REDACTED]

All domains except hxxp://www.ellecouturegowns.com/ have been unblocked, thank you HonzaZ.
Please unblock this last domain aswell.

Regards,
Drazen

[polonus]

Why is this in the code there

Code: [Select]

179 \t\t\t\t\t\t\t\t····var·ip·=·'91.201.55.91';································\r\n
\r\n See: https://www.virustotal.com/nl/ip-address/91.201.55.91/information/

polonus