Author Topic: False Positive: Site Blocked - HTML:Script-inf  (Read 25650 times)


Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1614
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #15 on: July 07, 2024, 01:29:12 PM »
New location to report either a False Positive and or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

@Pondus
I suggest that the new FP FN reporting page should be added to the information and guidance located in your post here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438
« Last Edit: July 08, 2024, 03:39:32 PM by rocksteady »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #16 on: July 07, 2024, 01:50:27 PM »
Quttera also flags as Detected Malicious Files
File name: /fw/1928094.html
Threat name: M.BL.Domain.gen
File type: HTML
Reason: Detected reference to malicious blacklisted domain -homesitetask.zbjimg dot com
Details: Detected reference to blacklisted domain
Threat dump: [[homesitetask.zbjimg dot com]]
Threat MD5: D17ED955D52B07C816EEFBFDA6A60017
File MD5: 58619576420A044529D3D1B08D0DCF8B
Line: Available via API only.
Reason: The file contains a reference to a blacklisted domain, -homesitetask.zbjimg.com, which is known to be malicious.
Threat dump: The blacklisted domain -homesitetask.zbjimg dot com
Threat MD5: D17ED955D52B07C816EEFBFDA6A60017
File MD5: 58619576420A044529D3D1B08D0DCF8B

Also consider: https://www.virustotal.com/gui/url/af592aa3aa8984375bb8e3518c32e5a20c65cfc0eac2b1604435349872c5bbce

Wait for a final verdict from avast, as with generic finds there is always the possibility for a FP.
Redirections
HTTP Status Code: 404
Content Size: 30
Content Type: application/json
IP Address: 27.221.82.41
Country: CN
Web Server: JSP3/2.0.14

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #17 on: July 07, 2024, 02:44:57 PM »
Why is it flagged? M.BL.Domain.gen is likely a part of a GraphQL schema, specifically a part of a generated schema from a .NET Core project using the Microsoft.EntityFrameworkCore package.

When you run dotnet ef dbcontext scaffold to generate a DbContext and its related entities, it can generate a GraphQL schema using the Microsoft.EntityFrameworkCore.Tools package. The generated schema will include types like M.BL.Domain.gen, which represent the entities and relationships in your database.

In an API response, these types would typically be returned as JSON data, so yes, M.BL.Domain.gen could appear in an application/json response. For instance, the M.BL.Domain.gen type would correspond to the user entity in the GraphQL schema. The actual JSON payload would depend on the specific schema and the queries executed against the database.

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #18 on: July 07, 2024, 09:30:03 PM »
New location to report either a False Positive and or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

I suggest that the new FP FN reporting page should be added to the information and guidance located here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Not my Post, I can't modify it, that post is from Pondus.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1614
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #19 on: July 08, 2024, 03:42:30 PM »
New location to report either a False Positive and or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

I suggest that the new FP FN reporting page should be added to the information and guidance located here: https://forum.avast.com/index.php?topic=14433.msg1289438#msg1289438

Not my Post, I can't modify it, that post is from Pondus.

Yes, the FP FN info post was by @Pondus. I have modified my post above in the hope @Pondus may see it and do the edit.

EDIT: Actually the "new reporting page" posted by @DavidR is the "selector" page that sits above the separate FP and FN pages that @Pondus posted. Both are valid and can be used, so not a big deal.
« Last Edit: July 08, 2024, 03:54:07 PM by rocksteady »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #20 on: July 08, 2024, 08:24:07 PM »
Yes, but we no longer have to differentiate between False Positive and False Negative.

Offline rocksteady

  • Super Poster
  • ***
  • Posts: 1614
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #21 on: July 10, 2024, 06:08:46 PM »
Yes, but we no longer have to differentiate between False Positive and False Negative.
@DavidR The "selector" page i.e. https://www.avast.com/submit-a-sample#pc  sits above the FP FN forms. So if you go there, you will see you have to choose to submit either FP or FN form. See screenshot.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #22 on: July 10, 2024, 07:04:04 PM »
Correct, but it still means only having to post one link rather than different links depending on what the issue is.

Offline dovidio

  • Newbie
  • *
  • Posts: 1
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #23 on: August 22, 2024, 08:43:30 PM »
Hello!
My Avast Ultimate is blocking the pages: https://fm945bariloche.com.ar/ and https://www.intecnus.org.ar/turnos/ telling me that it is infected with HTML:Script-inf[Susp].

I think it is a "false positive" because none of my friends, who have other antiviruses, have problems with these pages.

Could you please check if it could be a "false positive"?


Can anyone here help me check if they are indeed false positives?

I attach the two screenshots for more information!

Thank you very much for your time.

Claudio

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #24 on: August 22, 2024, 10:37:56 PM »
Hello!
My Avast Ultimate is blocking the pages: hXXps://fm945bariloche.com.ar/ and hXXps://www.intecnus.org.ar/turnos/ telling me that it is infected with HTML:Script-inf[Susp].

I think it is a "false positive" because none of my friends, who have other antiviruses, have problems with these pages.

Could you please check if it could be a "false positive"?


Can anyone here help me check if they are indeed false positives?

I attach the two screenshots for more information!

Thank you very much for your time.

Claudio

Please modify your links (as I have in the quoted text) or just post the domain name leaving the www out completely, so it isn't active, to prevent accidental exposure.

You can use the link given previously to report it:

New location to report either a False Positive and or a False Negative (for File or URL) - https://www.avast.com/submit-a-sample#pc

I have used one of the URLs fm945bariloche.com.ar - the two alerts (screenshots) are related to the same domain, just different locations within that domain:
6 detections here - https://www.virustotal.com/gui/url/5ba161046a6380e9e19e4e2e4e0a0e3f505419d2ee6c753ce9791a484d6a9a58?nocache=1
Considered a low security risk here - https://sitecheck.sucuri.net/results/fm945bariloche.com.ar - but the scan timed out, there are also hardening improvements suggested.
Some security pointers here - https://en.internet.nl/site/fm945bariloche.com.ar/2925435/

The above may or may not be why Avast is alerting, but it could impact the site's security.

Offline christianp

  • Newbie
  • *
  • Posts: 1
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #25 on: August 23, 2024, 04:01:30 PM »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #26 on: August 23, 2024, 07:29:42 PM »
The same (I hope) false positive response with the site leonestore.shop.

https://unmask.sucuri.net/security-report/?page=www.leonestore.shop

Please modify your links (as I have in the quoted text) or just post the domain name leaving the www out completely, so it isn't active, to prevent accidental exposure.


Though - nothing found here https://www.virustotal.com/gui/url/345abc3e14f3925b4b3e8b13517eb54dc5891a9b6cd7ed0b3256d930e549024c?nocache=1
You can check against the others I used.

If you still feel it is a false positive you can report it using the link I gave in my reply above your post.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #27 on: September 07, 2024, 04:00:27 PM »
Consider these vulners found using Retire.JS.
jquery 1.10.2 found in -https://databi.zbj.com/click/jquery.js. Vulnerability info:
- medium: 3rd party CORS request may execute (2432; CVE-2015-9251; GHSA-rmxg-73gg-4p98)
- medium: parseHTML() executes scripts in event handlers (11974; CVE-2015-9251; GHSA-rmxg-73gg-4p98)
- medium: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution (4333; CVE-2019-11358; GHSA-6c3j-c64m-qhgq)
- medium: Regex in its jQuery.htmlPrefilter sometimes may introduce XSS (4642; CVE-2020-11022; GHSA-gxr4-xjj5-5px2)
- medium: passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code (4647; CVE-2020-11023, CVE-2020-23064; GHSA-jpcq-cgw6-v4j6)
- low: jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates (73)

Avast now gives it the all green.

polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #28 on: September 07, 2024, 04:24:15 PM »
One avast find is valid: https://quttera.com/detailed_report/fm945bariloche.com.ar

Re: Detected Potentially Suspicious Files
File name: /wp-content/plugins/unlimited-elements-for-elementor/assets_libraries/owl-carousel-new/owl.carousel.min.js?ver=1.5.121
Threat name: PS.HiddenJS.gen
File type: ASCII
Reason: Detected hidden potentially suspicious procedure unescape Invoked procedure
Details: Suspicious JavaScript code injection.
Threat dump   [[width:"+t.width+"px;height:"+t.height+"px;":"",r=e.find("img"),a="src",h="",l=this._core.settings;if(e.wrap(c("<div/>",{class:"owl-video-wrapper",style:o})),this._core.settings.lazyLoad%26%26(a="data-src",h="owl-lazy"),r.length)returni(r.attr(a)),r.remove(),!1;"youtube"===t.type?(n="//img.youtube.com/vi/"+t.id+"/hqdefault.jpg",i(n)):"vimeo"===t.type?c.ajax({type:"GET",url:"//vimeo.com/api/v2/video/"+t.id+".json",jsonp:"callback",dataType:"jsonp",success:function(t){n=t[0].thumbnail_large,i(n)}}):"vzaar"===t.typ]]
Threat MD5: 440F3EBE7DAD9C42EEA570EDCB5DE595
File MD5: C3DA0569393BB077DD0B33E23AED3986
Line: Available via API only.
Offset: Available via API only.
File size: Available via API only.
File type: Available via API only.

The following plugins were detected by reading the HTML source of the WordPress site's front page:
unlimited-elements-for-elementor 1.0 (Warning: latest release 1.5.121)
-http://unlimited-elements.com

See vulnerabilities at hoster: https://www.shodan.io/host/45.227.161.44 (for Apache/2.4.38 (Debian))

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: False Positive: Site Blocked - HTML:Script-inf
« Reply #29 on: September 07, 2024, 06:21:07 PM »
@christianp,

Quttera detects malware at htxp://www.leonestore.shop/. Detected Malicious Files
File name: /media/attachments/slideritem/1715170207/bomboniere_1_2.jpeg
Threat name: Heur.HTML.Defacement.gen.F4279
File type: JPEG
Reason: Website Potentially Defaced
Details: Detected malicious PHP content
Threat dump: [[[VzK1V}%}{T2cTr=gSM2Q.wo{(gv75=In5Nsq;eZ^F\%7F/nN>|}=NbJNUqZ?OB]-s^yMv,4KOD?gEXy%7FcRZBT`e|,iCi8;B?vIRIlPmWsSe5226Vv+!jv<YF?pKi,I:+.r92V)!(x';~;NOjkwmdW8tjL*,%Pe6A7q7+eOymMsYgv33t]]
Threat MD5: 570368F82D6A0F778AC620A1DE4AEAD6
File MD5: 60459D9BE36BB6F523AA21B6C2CD0876

Malware being blocked
URL website:
-www.leonestore.shop
URL malware: -polyfill.io

Potentially malicious activity has been blocked, and using Browser Guard one could safely visit.

polonus
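A small defender-side check along the lines of what the Retire.JS and Quttera output in the two posts above report (a page referencing a blocklisted domain such as polyfill.io, and an end-of-life jQuery build). This is an added example, not code from the thread or from either tool; the blocklist, the sample page and the function names are constructed for the demo, and the jQuery version is read from the file name only.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist for the demo: the two domains the scan reports in this
# thread called out. A real deployment would load a maintained list instead.
BLOCKED_DOMAINS = {"polyfill.io", "homesitetask.zbjimg.com"}
# jQuery 1.x/2.x are end-of-life; 3.5.0 fixed the last CVE in the Retire.JS list.
JQUERY_MIN_OK = (3, 5, 0)

class _RefCollector(HTMLParser):
    """Collect src/href URLs from script, link, img and iframe tags."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "link", "img", "iframe"):
            self.refs += [v for k, v in attrs if k in ("src", "href") and v]

def _hostname(url):
    # Protocol-relative "//host/path" references parse once a scheme is added.
    return urlparse("https:" + url if url.startswith("//") else url).hostname

def _is_blocked(host):
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)

def _jquery_version(url):
    # Simplification: version read from the file name; Retire.JS also fingerprints content.
    m = re.search(r"jquery[-.](\d+)\.(\d+)\.(\d+)", url, re.I)
    return tuple(int(x) for x in m.groups()) if m else None

def scan_html(html):
    """Return (kind, detail) findings for one HTML document, in document order."""
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for ref in parser.refs:
        host = _hostname(ref)
        if host and _is_blocked(host):
            findings.append(("blocklisted-domain", host))
        ver = _jquery_version(ref)
        if ver and ver < JQUERY_MIN_OK:
            findings.append(("outdated-jquery", ".".join(map(str, ver))))
    return findings

# Constructed sample page: blocklisted CDN, old jQuery, benign stylesheet, tracking pixel.
SAMPLE = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
<script src="/assets/jquery-1.10.2.min.js"></script>
<link rel="stylesheet" href="https://fonts.example/style.css">
</head><body><img src="//homesitetask.zbjimg.com/pixel.gif"></body></html>"""
```

scan_html(SAMPLE) returns three findings: the two blocklisted hosts and the outdated jQuery 1.10.2; the stylesheet host is not reported.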