only blocked if you are using a Windows machine… I’m seeing the site perfectly well using Linux…
No problems for that site htxp://wXw.sedonalibrary.org/ with avast, and here: hxtp://vscan.urlvoid.com/analysis/06d65469389a4296332450b6063c5c0d/aW5kZXg=/
htxp://wepawet.iseclab.org/view.php?hash=d512c1d1d029659eee969fcae96a76b9&t=1330524131&type=js
given suspicious here: htxp://urlquery.net/report.php?id=26523 (to click links put http for hxtp and www for wXw),
polonus
Hi!
This website is blocked too, only using Avast. wxw.capaparafacebook.com.br
Any idea why?
Thanks!
Please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
Consider this report: htxp://zulu.zscaler.com/submission/show/ac18b6bb74677c23a5984ee41279877c-1330710418
WordPress vulnerabilities can be found here: hxtp://sitecheck.sucuri.net/results/http://www.capaparafacebook.com.br/
WordPress internal path: -/home/capapara/public_html/wp-content/themes/capas/index.php
polonus
The last one was the block on the whole server, because it was hosting some Bancos malware. I changed it a bit, but still, I’d not believe the server/hosting.
Hi there & thanks for the information.
When someone is using IE on a Windows machine, the error message is from avast! On-Access Scanner Message. C:\Documents and Settings\da\Local Settings\Temporary Internet Files\Content IE5\W92F0XYN\sedonalibrary.org[1].htm contains sample of ‘JS-Script-inf[Trj]’
This is a partial path as that is all I was sent.
Grateful for any ideas on how to resolve this. Thank you!
After a site cleanup and recode of scripts, and a few weeks of no problems, I’m getting reports of one of my client’s sites getting blocked by avast, again.
AVG reports nothing…
The site in question is: hxtp://www.idestino.pt/
Online URL scan results in no viruses:
htxp://siteinspector.comodo.com/public/reports/767102
htxp://urlvoid.com/scan/idestino.pt/
htxps://www.virustotal.com/url/e7626e0740761dc1fcac52a6c37463817cf65cf4b2dbcfbf8a544f20ccfa7131/analysis/1332339670/
Can anyone please recheck this?
Looks like it has been reinfected, see http://sitecheck.sucuri.net/results/http://www.idestino.pt/.
VirusTotal - idestino.pt//js/prototype_1_7.js
https://www.virustotal.com/file/6ffcafce6b628cd461c253be405c6800659bb1b3809b0f198ee33d8d03ee1bdd/analysis/1332343322/
jotti
http://virusscan.jotti.org/en/scanresult/6bc182cfede9406011f8cd83aa82ddd60930c47f
Sucuri info
Description: A malicious javascript file was found inside the site content of the site and is being used to distribute malware.
Any user visiting the infected site could be compromised (desktop antivirus will flag it as Blackhole Exploit kit, JS:Cruzer-B or JS/Obfuscated, depending on the intermediary domains and AV product).
Suspicious code found here: wXw.idestino dot pt/js/1_7.js suspicious
[suspicious:2] (ipaddr:195.22.10.105) (script) wXw.idestino dot pt/js/1_7.js
status: (referer=wXw.idestino.pt/)saved 165710 bytes d28cf8f0d2ea06ee74354e9add2b368c4f12adfb
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [iframe] -31.184.242.81/link.php this is being blocked by avast Network shield as URL:Mal
info: [decodingLevel=0] found JavaScript
suspicious:
polonus
I just deleted all files and re-uploaded the originals. Can I get a rescan, so I can report the problem to the ISP…
Sucuri now says clean http://sitecheck.sucuri.net/scanner/
Thank you!
Avast isn’t alerting, so it looks like it was the Web Shield (real time scanning) that detected it, so the clean-up would have an immediate effect.
So you need to investigate how these are getting reinfected as there appears to be a vulnerability, commonly out of date content management software, Joomla, PHP, WordPress, etc.
In this case I’m not using any CMS, only PHP (in safe mode), HTML, CSS and JavaScript (with Prototype). So I’m pointing more to a server problem. It’s a shared host service.
I just changed the file permission to 444 (read only)
Or a bug in Prototype… though I need to use a slightly outdated version, so fixing it would be a problem…
The Host software also has to have the latest versions, etc. or you are likely to revisit this problem a lot.
Hi quimkaos,
After you did what DavidR suggests, you can additionally scan your website code here: http://evuln.com/tools/php-security/
polonus
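A baseline integrity check for the re-upload and chmod 444 steps discussed in this thread, as an added example that is not part of any poster's message: it hashes the known-good originals once, then on later runs reports changed, added, missing and still-writable files so a reinfection shows up before visitors' antivirus does. The function names, file names and sample tree are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def audit(baseline, root):
    """Compare the deployed tree against the known-good baseline manifest."""
    current = build_manifest(root)
    report = {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
        "writable": [],  # files not locked down to read-only (e.g. 444)
    }
    for path in sorted(current):
        mode = os.stat(os.path.join(root, path)).st_mode
        if mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            report["writable"].append(path)
    return report

def demo():
    """Constructed sample: audit a clean tree, then the same tree after tampering."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "js"))
    lib = os.path.join(root, "js", "prototype.js")  # constructed file name
    with open(lib, "w") as fh:
        fh.write("var Prototype = {};\n")
    os.chmod(lib, 0o444)
    baseline = build_manifest(root)
    clean = audit(baseline, root)
    os.chmod(lib, 0o644)  # simulate permissions being reset on the host
    with open(lib, "a") as fh:
        fh.write("/* appended content (constructed placeholder) */\n")
    with open(os.path.join(root, "js", "extra.js"), "w") as fh:
        fh.write("// file that was never uploaded by the owner\n")
    return clean, audit(baseline, root)

if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the web server; on a shared host whatever rewrote the JavaScript can rewrite a manifest stored beside it.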