Author Topic: HTML:Script-inf and URL:Mal on all my sites after Avast update


REDACTED

  • Guest
HTML:Script-inf and URL:Mal on all my sites after Avast update
« on: October 20, 2016, 03:46:10 PM »
Hi,

I have a website builder tool at www.sitepx.com. After the new Avast update, all users using Avast can't access any site in my platform.

We are trying to figure out what the problem is, but we just can't understand the following errors:

HTML:Script-inf on object:
http://adm.sitepx.com/login|{gzip}

I know what HTML:Script is, that http call returns 200 on a machine without Avast.

Another error:
URL:Mal on object:
http://119.syscall.ws/img/119/guiavila-cases-5573.jpg

And the same case here, that http call returns 200.

We can't find any problem or virus in several tools, like:
virustotal.com, multirbl.valli.org, pcthreatskiller.com, zulu.zscaler.com and others.

Can anybody help me?
Thanks!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #1 on: October 20, 2016, 03:49:12 PM »
There was a problem with the detection of things, but they have been solved in the latest update.
Make sure you have the latest update and check if avast still is flagging the site.

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #2 on: October 20, 2016, 03:58:47 PM »
We have two machines with this error; on both we updated the virus definitions.

The problem can be on my domain: syscall.ws. Looks like Avast started blocking this domain.
And the domain and IP are not blacklisted; what am I missing?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #3 on: October 20, 2016, 04:07:47 PM »
I've just checked and avast is not blocking or flagging www.sitepx.com

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #4 on: October 20, 2016, 04:10:58 PM »
Ok, and the domain http://syscall.ws and subdomains (*.syscall.ws)?

All images on the site builder are served on this domain, like this image:

http://119.syscall.ws/img/119/guiavila-cases-5573.jpg

If I try to access that image on a machine with Avast I get the error URL:Mal.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
« Last Edit: October 20, 2016, 04:20:19 PM by Eddy »

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #6 on: October 20, 2016, 04:56:30 PM »
We don't know this domain: cc-staging.net

All images are served from syscall.ws, which is under a load balancer on AWS Web Services; for that reason we don't control the IPs.

We fixed a redirect: when syscall.ws is accessed on path "/", it was redirecting to AWS, where there are 2 malicious files.
It's not happening anymore.

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #7 on: October 20, 2016, 09:04:51 PM »
Hi,

I managed to remove the domain syscall.ws on all sites.

Now I get another error; when I try to log in on http://adm.sitepx.com I get:

JS:ScriptIP-inf[Trj]
Object: http://adm.sitepx.com/core

All my customers are complaining, they can't edit their sites.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #8 on: October 20, 2016, 09:13:28 PM »
No alerts with the latest updates installed when I try to access the site.

Offline Rednose

  • Pirate Party Member
  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 3739
  • Bits of Freedom : https://www.bof.nl
    • Nederlandstalig Avast! forum
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #9 on: October 20, 2016, 09:18:14 PM »
No problems except for http://adm.sitepx.com/core

Greetz, Red.
« Last Edit: October 20, 2016, 09:20:38 PM by Rednose »
OS: Win 10 / iOS 17 / Debian 12 / Tails 5
Real Time: Avast Premium Security
On Demand: Malwarebytes
VPN: NordVPN ( NordLynx ) with Threat Protection ( Lite )

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #10 on: October 20, 2016, 09:22:06 PM »
I think the problem is when the user accesses with his credentials; I made a single sign-on (it's a test account for testing purposes).

Please try accessing this URL:

http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4

Here we always get the error:
JS:ScriptIP-inf[Trj]
Object: http://adm.sitepx.com/core

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #11 on: October 21, 2016, 09:35:03 AM »
wget "http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4"
--2016-10-21 09:31:52--  http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Resolving adm.sitepx.com... 52.203.64.224, 52.204.166.252
Connecting to adm.sitepx.com|52.203.64.224|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /core/#sys/_inc_site-menu,id:NDcyZGUx [following]
--2016-10-21 09:31:52--  http://adm.sitepx.com/core/
Reusing existing connection to adm.sitepx.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: `index.html'
2016-10-21 09:31:53 (199 MB/s) - `index.html' saved [9703]

The file I am getting still contains reference to syscall[.]ws.

REDACTED

  • Guest
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #12 on: October 21, 2016, 01:17:08 PM »
True,

There was a reference in javascript variable, but not anymore:

$ wget "http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4"
--2016-10-21 09:15:57--  http://adm.sitepx.com/devlogin/TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4
Resolving adm.sitepx.com (adm.sitepx.com)... 52.204.166.252, 52.203.64.224
Connecting to adm.sitepx.com (adm.sitepx.com)|52.204.166.252|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: /core/#sys/_inc_site-menu,id:NDcyZGUx [following]
--2016-10-21 09:15:58--  http://adm.sitepx.com/core/
Reusing existing connection to adm.sitepx.com:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4’

TmpnJTNEXy5weC5fTWpFMUxqT     [ <=>                                 ]   9,43K  --.-KB/s    in 0s     

2016-10-21 09:15:59 (37,9 MB/s) - ‘TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4’ saved [9657]

$ cat TmpnJTNEXy5weC5fTWpFMUxqTXhNakl1TVRNdU1qY2hNVGs3TmprN01qZ18ucHguXzE0NzcwNzc2MTlfLnB4Ll9ORFUwWkdOa18ucHguX05EY3laR1V4 | grep syscall.ws
$

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • *
  • Posts: 1038
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #13 on: October 21, 2016, 01:32:38 PM »
What I mean is if you get "JS:ScriptIP-inf [Trj]" detection, it means there is a blocked URL in a JS. No mention of a blocked URL -> no Avast popup. :)
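The check in Reply #12 (wget the logged-in page, grep for the old image host) and HonzaZ's explanation above (the JS:ScriptIP-inf detection fires because a blocked URL appears inside a script) suggest a slightly more thorough self-check a site operator can run over their own served HTML: pull every absolute or protocol-relative URL out of markup and inline script text, and match the hostnames, subdomains included, against the domains that were flagged. The following is an added example, not code from the thread or from Avast; the block list is built from the two domains named in this thread (syscall.ws and cc-staging.net) purely for illustration, the sample HTML is constructed, and img.example.net is a made-up replacement host.

```python
import re
from urllib.parse import urlsplit

# Domains named as flagged in this thread. This set is an assumption for the
# example; it is not Avast's real block list.
BLOCKED_DOMAINS = {"syscall.ws", "cc-staging.net"}

# Matches absolute (http://host/...) and protocol-relative (//host/...) URLs as
# they appear in HTML attributes and in JS string literals. A bare "//" comment
# in JS followed by a word would also match, which only yields a harmless
# non-blocked hostname, so it is acceptable for a self-check.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>()\\]+""")


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or is a subdomain of one.

    119.syscall.ws matches syscall.ws; notsyscall.ws does not.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


def extract_urls(html):
    """Return every absolute or protocol-relative URL found in the document text,
    including those buried inside <script> bodies (plain grep would miss a
    hostname assembled from a variable only if it is split across literals)."""
    return URL_RE.findall(html)


def find_flagged_references(html, blocked=BLOCKED_DOMAINS):
    """Return sorted unique (url, host) pairs whose hostname is on the block list."""
    hits = set()
    for url in extract_urls(html):
        # urlsplit needs a scheme to parse "//host/path" correctly.
        full = url if url.startswith("http") else "http:" + url
        host = urlsplit(full).hostname
        if host and host_is_blocked(host, blocked):
            hits.add((url, host))
    return sorted(hits)


# Constructed sample: a page whose JS variable still points at the old image host,
# which is exactly the kind of leftover reference the thread describes.
SAMPLE_HTML = """<html><head>
<script src="/core/app.js"></script>
<!-- constructed sample page, not the real adm.sitepx.com markup -->
<script>
  var imgBase = "http://119.syscall.ws/img/119/";
  var api = "//adm.sitepx.com/core/";
</script></head><body>
<img src="http://119.syscall.ws/img/119/guiavila-cases-5573.jpg">
<a href="http://www.sitepx.com/">home</a>
</body></html>"""

# The same page after the image host has been swapped for a clean one.
CLEAN_HTML = SAMPLE_HTML.replace("http://119.syscall.ws", "https://img.example.net")


if __name__ == "__main__":
    for label, doc in (("before fix", SAMPLE_HTML), ("after fix", CLEAN_HTML)):
        hits = find_flagged_references(doc)
        print(f"{label}: {len(hits)} flagged reference(s)")
        for url, host in hits:
            print(f"  {host}  <-  {url}")
```

Run it against a saved copy of the page (for example the file wget wrote in Reply #12, read with `open(path).read()`) instead of SAMPLE_HTML; an empty result is the "no blocked URL, no popup" condition HonzaZ describes, while any hit names the exact string that still needs to be removed from the served HTML or script.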

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: HTML:Script-inf and URL:Mal on all my sites after Avast update
« Reply #14 on: October 21, 2016, 01:53:23 PM »
The "URL-Mal" on object link you gave is also given at Sucuri's as blacklisted by McAfee's. On an IP blacklist?
Could there be JFIF dd header malware - a trojan of sorts maybe?

Also AmazonS3 SSL Certificate listed here: https://www.threatminer.org/ssls.php?q=thawte%20sha256%20ssl%20ca&t=16
while it is creating an internal server error.

Only find this GradeSaver image to reside there:
Quote
DOMAIN##119 dot syscall dot ws   AmazonS3   Fri, 21 Oct 2016 11:45:31 GMT   2   80   52.4.30.251   1            0
FOLDER##/   200   0   0   0   0   0
FILE##_index_defaultpage.html   0         0      0      1   1   0   0   0   -1   0   0   0   0   0   1   
FOLDER##/img/   200   0   0   0   0   0
FILE##_index_defaultpage.html   0         0      0      1   1   0   0   0   -1   0   0   0   0   0   1   
FOLDER##/img/119/   200   0   0   0   0   0
FILE##_index_defaultpage.html   339   application/xml      301      429      1   0   0   1   1   -1   429   0   0   0   0   1   
FILE##guiavila-cases-5573.jpg   451   image/jpg      200   Thu, 10 Oct 2013 03:35:11 GMT   0      0   0   0   1   0   -1   0   0   0   0   0   0   

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!