Avast blocking my site, reports weird url I can't find...

I maintain a blog website, and we have been receiving reports that Avast is blocking access to our website. I submitted a ticket for a false positive, as site scanning websites report the site as clean.

Avast replied back that it was not a false positive "…because of this: themommynest.com/0ca7gxhjv87bik "
I am using Joomla as a CMS, and being a dynamic website, any bad URLs just redirect to the main page, which is what this one does. I cannot find any instance of this URL on the website, and I have no idea where to go from here.

Can anyone help me out? My website is themommynest.com

Thanks!!

Sucuri report http://sitecheck.sucuri.net/results/themommynest.com

Hi shellie77,

There is also malware launched from the IP you share with other sites: http://support.clean-mx.de/clean-mx/viruses.php?review=50.63.40.1&sort=first%20desc (most malware is dead, closed, but some still active)
avast! detects for instance JS:Iframe-CSU[Trj] there.
Also see here: http://urlquery.net/report.php?id=8326511 and especially for recent reports on same IP/ASN/Domain there.

As the Sucuri scan reported, this issue should also be tackled: Web application version:
Joomla Version: 2.5.6
Joomla Version 2.5.x - 3.0.x for: htxp://themommynest.com/media/system/js/caption.js
Joomla version outdated: Upgrade required.

Also look at the code from themommynest dot com/components/easyblog/assets/images/loader.gif
via : http://jsunpack.jeek.org/?report=e51768ce4223a47e0fa7b64b301e672bcfefb411
(View link in browser with NoScript and RequestPolicy extensions active and in a sandbox or VM - for security researchers only)
Furthermore, a code hiccup here:
info: [script] ps-us.amazon-adsystem dot com/domains/thmone01-20_f2ad21c9-3e63-40f6-b367-28434cffde05.js
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3:
error: line:3: …^

Check EasyBlog for vulnerabilities: http://www.exploit-db.com/exploits/27129/
e.g. in some scripts as a HTML injection vulnerability in /hr/blog/blogger/mortetm?type=
→ htxp://1337day.com/exploits/21036 This just to let you be aware!

This gives the site as risky: http://zulu.zscaler.com/submission/show/bed46bc54129a54a943197efd3d1f76e-1386759264

polonus

What about the reason Avast said it was blocking me? A URL that doesn't exist on my site.
Now, I'm just confused and not sure where to go from here… since the “risky” things aren't really anything I can do about.

The Joomla is the latest version in the 2.5 line. 3.0 requires a total database migration I’m not sure I want to do yet.
How do I go about dealing with the IP issue?
I can't really do much about EasyBlog… :(

zscaler showed “benign” for me?

Help! :)

Hello,
avast! does not block the IP but only the domain, because we saw there “themommynest.com/0ca7gxhjv87bik”. It looks like it was hacked (exploited) through a vulnerable CMS.

Milos

Where are you “seeing” this url? I cannot find anything on the server that references that. Clicking the link only leads to the main site, like any bad url would.

I am trying to fix this so we can get unblocked. We’ve already had a blogger quit because she can no longer access the site.

Avast? There has been no response to the ticket I submitted about the issue.

We still need help with this please

The detection is a URL:Mal detection, which is a general one.
What is

GIF89alhh\YYXUUc__755(''OLL:88*((PMM!a^^[XXgcc]ZZfccMJJDAAURReaa!NETSCAPE2.0!Created with ajaxload.info!,-  di @85p{@.s EB!,$`a`iX/(;!,6  a,$"cb(e2[KNU*N!,5  ET4b$I<uy;>bGs9y*R!!,2  diXDQHbRUE]:^f_Q#cJ!,7  di$q]biahm] a.M$4_-66R!,/  diDQr%R5pq^-4CY!,/  diDQr%R5pq^-4CY;

? Shell hack

polonus

Where is that found?

In the attached image you see what generates this → http://jsunpack.jeek.org/?report=e51768ce4223a47e0fa7b64b301e672bcfefb411

pol
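
An added example, not part of any post in this thread and not Avast's, Sucuri's or jsunpack's own code: one way a site owner could check the loader.gif discussed above on their own server, by walking the GIF block structure, counting any bytes appended after the trailer, and looking for script markers. The marker list and the sample byte strings are constructed assumptions.

```python
# Illustrative marker list (an assumption, not an AV signature set).
MARKERS = (b"<?php", b"<?=", b"<script", b"eval(", b"base64_decode")

def _skip_sub_blocks(data, pos):
    """Skip a chain of GIF data sub-blocks; return the offset after the 0x00 terminator."""
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    raise ValueError("truncated sub-block chain")

def gif_end_offset(data):
    """Walk the GIF block structure; return the offset just past the 0x3B trailer."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    pos = 13                                   # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                        # global color table present
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                      # trailer
            return pos + 1
        if block == 0x21:                      # extension: introducer, label, sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:                    # image descriptor
            if pos + 10 >= len(data):
                raise ValueError("truncated image descriptor")
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:                  # local color table
                pos += 3 * (2 << (lflags & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")
    raise ValueError("no GIF trailer found")

def inspect_gif(data):
    """Report bytes after the trailer and any script markers found anywhere in the file."""
    lowered = data.lower()
    return {"trailing_bytes": len(data) - gif_end_offset(data),
            "markers": sorted(m.decode() for m in MARKERS if m in lowered)}

# Constructed 1x1 GIF and a constructed tampered copy with text appended after the trailer.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00" b"\x00\x00\x00\xff\xff\xff"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" b"\x02\x02\x4c\x01\x00" b"\x3b")
TAMPERED_GIF = CLEAN_GIF + b"<?php /* constructed placeholder */ ?>"

if __name__ == "__main__":
    print(inspect_gif(CLEAN_GIF), inspect_gif(TAMPERED_GIF))
```

To check a real file, pass `open(path, "rb").read()` to `inspect_gif`; in large images a short marker can match compressed pixel data by coincidence, so treat a hit as a prompt to look at the file, not as a verdict.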