[SOLVED] Strange URL:Mal detections...

[NON]

I got an strange URL detected as URL:Mal only sometimes.
Sometimes I can access that page, sometimes (minutes after?) that page got blocked by Network Shield.
No update was coming during this test.
Some other images also blocked sometimes.

Here is the URL:
hxxp://tabakonomi.web.fc2.com/i/seven_samurais.jpg

Any ideas about this?

[DavidR]

Well it isn't the image that is the problem (clean on avast and VT) as the Network Shield is the one alerting and it is either the domain (Red) or one of the sub-domain (Green) or (Blue) tabakonomi.web.fc2.com/i/seven_samurais.jpg

Personally I find it strange when the network shield names a file rather than the domain alone. I would report as a possible false positive (network shield) it using the load styles contact page, http://www.avast.com/contact-form.php?loadStyles for further investigation.

[polonus]

Hi NON and DavidR,

Site is not listed at hpHosts. Given safe here: http://urlquery.net/report.php?id=15044
and here: https://new.virustotal.com/url/9adef545171b9fcd5c628ca5385ea9000c7399e6af93d48f88c2d54b40893b0a/analysis/1325950934/
But there is something out there and avast Network shield seems to flag that...
Possibly suspicious code resides here: -static.fc2.com/share/fc2parts/js/jquery.js suspicious
[suspicious:2] (ipaddr:208.111.161.254) (script) -static.fc2.com/share/fc2parts/js/jquery.js
     status: (referer=-tabakonomi.web.fc2.com/i/samurais.jpg)saved 57272 bytes fd09a826a62fc6f5809d0a67bf0f80b3b76ca894
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: invalid flag after regular expression:
          error: line:3: filter(function(){return this.name&&!this.disabled&&(this.checked||/select|textarea/i.test(this.nodeName)||/text|hidden|password|search/i.test(this.type))}).map(function(E,F){var G=o(this).val();return G==null?null:o.isArray(G)?o.map(G,function(I,H){retur
          error: line:3: ^
     error: undefined function T.insertBefore
     error: undefined variable T
     suspicious:
Also a redirect to -http://error.fc2.com/web/403.html Cpan perl code...
The IP has a history of IE redirect virus and was in the  bothunter activity listing,

polonus

[NON]

Hello DavidR and polonus,

So this detection could be a remnant of old infection.
I'll report this as a false positive and see results.

Thanks for answering.

[DavidR]

You're welcome.

Well old/previous infections (or hacked site), if they have subsequently had a lot of alerts on the web shield from other avast users, that 'could possibly' have added it to the network shield malicious sites list, via the CommunityIQ feature.

But yes it needs further investigation.

[NON]

I found this FC2 web hosting service shares one server (one IP) among several domains, and all of them are blocked.

Does network shield block per IP address, not domain names?

Many innocent domains get involved in this detection.

[DavidR]

Well there is nothing published on exactly what is covered by the blocking (otherwise those seeking to exploit would have useful info). It rather depends on how widespread infections might be, but as far as I'm aware they try to block at the lower level, it used to be domain level so all sub-domains would be covered. I'm not sure it is IP based blocking as that is server based and may well cover many sub-domains, again nothing published.

Many of these quasi hosting sites have the host providing the integrated software SQL, wordpress, etc. so if that were the case then any vulnerability in it would extend to the sub-domains.

Which is why it needs further investigation by avast.

[NON]

False positive seems resolved.

Thanks everyone!

[DavidR]

You're welcome, thanks for the feedback.