Author Topic: Client's site being flagged for infection, but cannot find a problem with on-site  (Read 2171 times)


REDACTED

  • Guest
I am consistently getting Infection Blocked notices when visiting a client's site. I have scanned the client's site with malware/virus scanning tools and cannot find anything. The site was hacked about a month ago but was cleaned and verified by Google.

The warning I'm getting is this:
Avast Filesystem shield has blocked a threat and moved it to the Chest.
Infection: HTML:Script.inf
User: stephenfoster1
Process: /System/Library/Frameworks/WebKit.framwork/Versions/A/XPCServices/com.apple.WebKit.Networking
File: /Users/stephenfoster1/Library/Caches/com.apple.Safari/WebkitCache/Version9/Records/No partision/Resource/81276CF1D35B4895614E87VF087287CBBB7E197A

I need to know if this is legit or a false positive and how to fix it. My client is concerned, as am I, that there is still something wrong and that others will see the same warning and avoid the site.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
There is not much to say without knowing what domain you are talking about.

REDACTED

  • Guest
Sorry, I'm sure that would help. http://www.cheekwoodgolfclub.com

Offline Eddy

One of the scripts on that site/page is triggering the alert.
I don't know which one as I do not work for avast.
It can be e.g. a statistics counter.
I suggest contacting avast > https://www.avast.com/report-a-url.php

Some things I found when checking the site :

Browser difference and links can be to blacklisted sites :
https://www.websicherheit.at/website-malware-viren-scanner/?url=www.cheekwoodgolfclub.com

WordPress insecurity :
Warning Directory Indexing Enabled

Blacklistings on that ASN :
http://urlquery.net/report.php?id=1483733901991

Vulnerable library detected :
http://retire.insecurity.today/#!/scan/acf110093fd92e43c3046b611a711864478d1983d945f5c82992b0eed9d24085

Offline tumic

  • Avast team
  • Advanced Poster
  • *
  • Posts: 723
The infection alert is from the file system shield, not from the webshield. According to the path, it looks like it is a file from Safari's web content cache. What is kind of weird is that the web shield does not trigger any alert...

Can you post here the "infected" file (/Users/stephenfoster1/Library/Caches/com.apple.Safari/WebkitCache/Version9/Records/No partision/Resource/81276CF1D35B4895614E87VF087287CBBB7E197A), so we can analyze it? Maybe it is a false positive, but without the file, we can't say anything about it.