Topic: Avast blocking my home server, why? (RESOLVED)

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #15 on: March 26, 2009, 09:26:33 PM »

Rargh, what the heck. >:(

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #16 on: March 26, 2009, 09:29:53 PM »
Trying to put on pastebin as we speak...hopefully AVAST won't choke on it there

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #17 on: March 26, 2009, 09:31:06 PM »
There...I can load this without avast complaining....

http://pastebin.com/mf0fd75f

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #18 on: March 26, 2009, 10:02:37 PM »
I've looked through this a few times now...I still don't see anything malicious (myself) but I'm at work and not able to dedicate my full brain to it - nothing like the HTML:iframe-net exploit which adds a link at the bottom of all index/html/php, so it's nothing glaringly obvious to me.

I've run another AV's scanner here at work against these PHP scripts. Our corporate AV here at work is fine with them as far as I can tell...

onlysomeone

  • Guest
Re: Avast blocking my home server, why?
« Reply #19 on: March 26, 2009, 10:10:44 PM »
Have you already tried to upload this file to Virus Total?
If not, you could try this and post the results...

yours
onlysomeone

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #20 on: March 26, 2009, 10:20:46 PM »

Results are as follows...only Avast and GData....this is for the wp-admin PHP code for WordPress 2.7.1

Code:
a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 HTML:Script-inf
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 HTML:Script-inf
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 24616 bytes
MD5...: aab734658c2d155d5ba859bf49070cf7
SHA1..: 13ea1826b14c9fcff1c20e71bb697c9f9150c313
SHA256: f4466a62ec9d4f586f3e90316593572e1b68017116379525e13d1e402eddd2c9
SHA512: f58d75321b45409cf2eeb1cbb21a6f863413649d70d8112b77a27ecde54d103f
99a5a652e973db45daa033f8221494a47b9a5184c19b251ffd210ac2cf2a9041
ssdeep: 384:StuqXV+QM1xi9j3v8R/6sy3lVZsn2Mah+2tznnSt7yZC4PSufcDDIo:StuLi
R3kR/6sy3lLsnJ2tznnbC26so
 
PEiD..: -
TrID..: File type identification
HyperText Markup Language with DOCTYPE (80.6%)
HyperText Markup Language (19.3%)
PEInfo: -
RDS...: NSRL Reference Data Set
 

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #21 on: March 26, 2009, 10:28:13 PM »

Results for index.php, which avast is tagging as a malicious website...0/40 on this one...

Code:
Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.26 -
AhnLab-V3 5.0.0.2 2009.03.26 -
AntiVir 7.9.0.129 2009.03.26 -
Antiy-AVL 2.0.3.1 2009.03.26 -
Authentium 5.1.2.4 2009.03.26 -
Avast 4.8.1335.0 2009.03.25 -
AVG 8.5.0.283 2009.03.26 -
BitDefender 7.2 2009.03.26 -
CAT-QuickHeal 10.00 2009.03.26 -
ClamAV 0.94.1 2009.03.26 -
Comodo 1085 2009.03.26 -
DrWeb 4.44.0.09170 2009.03.26 -
eSafe 7.0.17.0 2009.03.26 -
eTrust-Vet 31.6.6418 2009.03.26 -
F-Prot 4.4.4.56 2009.03.26 -
F-Secure 8.0.14470.0 2009.03.26 -
Fortinet 3.117.0.0 2009.03.26 -
GData 19 2009.03.26 -
Ikarus T3.1.1.48.0 2009.03.26 -
K7AntiVirus 7.10.682 2009.03.26 -
Kaspersky 7.0.0.125 2009.03.26 -
McAfee 5565 2009.03.26 -
McAfee+Artemis 5565 2009.03.26 -
McAfee-GW-Edition 6.7.6 2009.03.26 -
Microsoft 1.4502 2009.03.26 -
NOD32 3966 2009.03.26 -
Norman 6.00.06 2009.03.26 -
nProtect 2009.1.8.0 2009.03.26 -
Panda 10.0.0.10 2009.03.26 -
PCTools 4.4.2.0 2009.03.26 -
Prevx1 V2 2009.03.26 -
Rising 21.22.32.00 2009.03.26 -
Sophos 4.40.0 2009.03.26 -
Sunbelt 3.2.1858.2 2009.03.26 -
Symantec 1.4.4.12 2009.03.26 -
TheHacker 6.3.3.7.292 2009.03.26 -
TrendMicro 8.700.0.1004 2009.03.26 -
VBA32 3.12.10.1 2009.03.26 -
ViRobot 2009.3.26.1664 2009.03.26 -
VirusBuster 4.6.5.0 2009.03.26 -
Additional information
File size: 17604 bytes
MD5...: 56b2da71b9fad48ef4c1de9498174b74
SHA1..: cb36d258079f0d1f816e35b88ad2e8312b1864f8
SHA256: 2d2b8e45f476c09f8c322d3bd3e7dde48d83eb0830a78ecb7ad01ab58f91ff64
SHA512: 63d47ba6fbc0b671c34cbf23cff1245045b754359d65b2d659293d3bfa682b1d
6daab21711c10c35eceb70560c00f26f44501764061137ad71a697fbd8d0bcff
ssdeep: 96:Ojh/QgaIpHha/H9aDH7rVuwKTjaR2a/HPhNlvbt+ESOyrQrW6hYerjjxrlpKt
eTw:OjhdvIya07tXmKWOHlsGJrLnojjUvJo
 
PEiD..: -
TrID..: File type identification
Text - UTF-16 (LE) encoded (64.4%)
MP3 audio (32.2%)
Lumena CEL bitmap (2.0%)
Corel Photo Paint (1.3%)
PEInfo: -
RDS...: NSRL Reference Data Set
-
packers (F-Prot): Unicode

However, I find it interesting that that check is seeing it as 32% MP3 audio...haha, this is in Unicode because the page will be in partial Japanese.

onlysomeone

  • Guest
Re: Avast blocking my home server, why?
« Reply #22 on: March 26, 2009, 10:42:24 PM »
If you have the file in your virus chest, you should send a false-positive report from your chest...

If it's not in your chest, you can send an email to virus (at) avast (dot) com.
Include the file (the best way would be zipped with password protection),
describe your problem and tell them that it is a false positive, and also give them a link to this topic...
And if you used a password for zipping the file, also tell them the password ;)

If it is indeed a false positive (and it seems to be one), it is usually corrected very fast.

yours
onlysomeone

kubecj

  • Guest
Re: Avast blocking my home server, why?
« Reply #23 on: March 26, 2009, 10:47:55 PM »
It's not catching at my local debug copy. I'd wait for the VPS, which will be released in a few minutes, and please rescan. I believe it was a false in dyndns-like webservice url.

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #24 on: March 26, 2009, 10:53:51 PM »

Cool, so my server didn't catch the internet AIDs after all.

I already shipped out a false positive, and kubecj...vps?

Orochium

  • Guest
Re: Avast blocking my home server, why?
« Reply #25 on: March 26, 2009, 11:42:11 PM »

It lives!  Updating the VPS seems to have fixed it!  Thanks everyone for putting up with my whining! :)

Offline scythe944

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 2913
    • My Tech Blog
Re: Avast blocking my home server, why? (RESOLVED)
« Reply #26 on: March 26, 2009, 11:48:27 PM »
Glad you got it sorted out finally.  Also glad it wasn't a nasty code either!
For generic computer (not avast) problems, you can also visit my forum for help: http://www.jacobytech.net/forum

CharleyO

  • Guest
Re: Avast blocking my home server, why?
« Reply #27 on: March 26, 2009, 11:55:56 PM »
***

> It lives!  Updating the VPS seems to have fixed it!  Thanks everyone for putting up with my whining! :)

It's ok ... we were preparing to send you some cheese if we got to page 3.    ;D

Joking of course, glad to know that it has been resolved!    :)

***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Avast blocking my home server, why?
« Reply #28 on: March 27, 2009, 12:02:15 AM »
***
An attempt to download that attachment will give a warning from avast ... connection aborted.
***

I thought it was going to do that, as changing the file to a txt file won't get round what is being detected.

This would appear to be related to a link in a script (see below) that avast must have on the network shield malicious sites list. I have tried searching on dontexist.org and can find no reference to malware. I have removed the <tags> and broken the link to try and avoid a direct alert on this page.

Code:
script type='text/javascript' src='hXXp://catgirls.dontexist.org/wp-includes/js/jquery/jquery.js?ver=1.2.6'> /script

@ Orochium
You will need to remove the attachment.

I tried to download the attachment to let avast alert and submitted it as a possible false positive, the above text forming the basis of the report and giving this topic's URL.
So hopefully, it will be quickly investigated, as the real problem is dontexist.org being considered a malicious site by the network shield. So if the web shield also finds it, it too would alert, but it would refer to the script and not the URL like the network shield.

It seems the site must have been removed.
« Last Edit: March 27, 2009, 12:04:23 AM by DavidR »
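
An added example (not part of the thread, and not Avast's code): DavidR's reply above traces the alert to a script URL inside the page rather than to the file's content, which is why content scanners came back clean. The sketch below lists every host a page makes the browser fetch from and checks them against a domain blocklist; the `.example` hosts, the sample page, and the subdomain-matching rule are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that makes a browser fetch a URL while rendering the page.
FETCH_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

# Constructed sample page; hosts use reserved example names.
SAMPLE_PAGE = """<html><head>
<script type='text/javascript'
  src='http://blog.dyn.example/wp-includes/js/jquery/jquery.js?ver=1.2.6'></script>
<link rel='stylesheet' href='/wp-content/themes/default/style.css'>
</head><body><img src='//static.example.net/logo.png'></body></html>"""


class ReferenceCollector(HTMLParser):
    """Collect (tag, url) for every element that triggers a fetch."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if wanted and name == wanted and value:
                self.refs.append((tag, value))


def hosts_by_reference(html, page_host):
    """Map each fetched host to the tags that reference it."""
    collector = ReferenceCollector()
    collector.feed(html)
    hosts = {}
    for tag, url in collector.refs:
        # Relative URLs have no hostname: they resolve to the page's own host.
        host = (urlsplit(url).hostname or page_host).lower()
        hosts.setdefault(host, []).append(tag)
    return hosts


def blocked_hosts(hosts, blocked_domains):
    """Hosts equal to, or a subdomain of, any blocked domain (assumed rule)."""
    return sorted(
        h for h in hosts
        if any(h == d or h.endswith("." + d) for d in blocked_domains)
    )


if __name__ == "__main__":
    found = hosts_by_reference(SAMPLE_PAGE, "blog.dyn.example")
    print(found, blocked_hosts(found, ["dyn.example"]))
```

Under this assumed rule, a single blocklist entry for a shared dynamic-DNS parent domain flags every site hosted beneath it, including pages that only reference their own scripts.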