Avast blocking website URL:MAL

Hello,

we are running a few adult sites and one of those is blocked by Avast. The error message is URL:MAL.
But why is this happening? We cannot find any solution yet since the failure message gives no information on why this site is blocked.

The following domain is blocked by avast.
poornsearch[.]com

Don't worry, you won't see any adult content if you enter just the main domain. It would be very nice if we could find a solution for this.

Best regards
Robin

https://sitecheck.sucuri.net/results/poornsearch.com/

Hey

thanks for this URL where I can see detailed information.
But the URL /t/goto/domain?= is a common thing to track outgoing traffic. I also noticed that a snippet of the code


Known Spam detected. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?spam-seo.spammy_keywords.1.39
                        <a class="list-group-item" href="http://www.ultradonkey.com" title="Thousands of free sex pics and free porn movies. Ultra Donkey features the best free XXX porn links distributed in several sex related categories." target="_blank" data-site="4ac13dab-bec6-4c86-9e2e-c3f5cd83c55f" data-premium="" rel="noopener nofollow">

is actually from zweiporn.com and not from my domain. Does someone have a suggestion on how to fix this?

poornsearch.com/t/goto?domain=zweiporn.com

HTML scan
https://virustotal.com/en/file/f934199095672261d1b9ec3774f12d4360a5767335547afcba3996c6a8c22865/analysis/1493885327/
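The thread's /t/goto?domain= link is an outbound-click tracker that answers with a 301 to the partner site. Because URL scanners follow that redirect, the destination's reputation is attributed to the page that issued it, and because the target comes from the query string, such endpoints are also a classic open-redirect spot unless the target is constrained. The following is an added illustration, not code from poornsearch.com or any project in the thread, of a tracking redirect that only forwards to an exact, allowlisted host name; the allowlist contents and the log record format are constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed allowlist standing in for the partner sites a link directory
# deliberately links out to (hypothetical values, not taken from the site).
ALLOWED_DOMAINS = {"zweiporn.com", "ultradonkey.com"}


def outbound_redirect(query_string, allowed=ALLOWED_DOMAINS):
    """Turn a /t/goto?domain=... query string into (status, location, log_record).

    Only an exact, allowlisted host name is redirected with a 301.  Anything
    else (unknown hosts, full URLs, scheme-relative "//host", subdomain
    look-alikes) gets a 404, so the tracker cannot be abused as an open
    redirect to arbitrary third-party sites.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    target = params.get("domain", [""])[0].strip().lower().rstrip(".")

    # Exact host match: no scheme, path, port or userinfo can slip through.
    if target in allowed:
        location = "https://%s/" % target
        return 301, location, {"event": "outbound_click", "domain": target}

    # Rejected targets are still logged: repeated attempts with unknown hosts
    # are a useful signal that someone is probing the redirect.
    return 404, None, {"event": "rejected_redirect", "domain": target}


if __name__ == "__main__":
    for q in ("domain=zweiporn.com", "domain=evil.example",
              "domain=zweiporn.com.evil.example", "domain=//evil.example"):
        print(q, "->", outbound_redirect(q)[:2])
```

The exact-match rule is the whole point: matching by suffix ("endswith zweiporn.com") or accepting full URLs re-opens the redirect, and a scanner that follows the link would then attribute whatever it finds at the attacker-chosen destination to your domain.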

So,

just to understand it correctly.
My domain / site is blocked by Avast because I have an internal link which redirects via 301 to zweiporn.com. And the reason is that there is some malicious content on zweiporn.com? Am I correct with this?

https://virustotal.com/de/url/c82368e00de1cc0d910b4cd589a997b083be5200d47b41801ff5858f1df39051/analysis/1493886751/
https://virustotal.com/de/url/70ccc8f54ed8b733d960246915eb7c2b11fa036e2de1915f24504e69eec46d06/analysis/1493887001/

Both results are showing that everything is fine?

regards

The VirusTotal URL scan does not scan the website for infections; it is a blacklist check.

I scanned the HTML code, which indicates a malicious JavaScript.

Hey,

okay, so it seems to be a JS popunder problem on zweiporn.
How long will it take for Avast to notice that I'm no longer linking to zweiporn if I remove the link, or if the admin of zweiporn fixes this issue on his site? And "unblock" my website.

regards

Malware on that IP :
https://www.virustotal.com/en/ip-address/185.62.189.221/information/
http://urlquery.net/report.php?id=1493888731955

Suspicious code :
https://quttera.com/detailed_report/poornsearch.com

So,

it's a problem of my hoster. Poornsearch is currently running on a VM and it seems to be some VM which is infected by this IP.
Thanks a lot for your help, I will contact my hoster.

regards

poornsearch[.]com was never blocked. It was the IP that this domain points to, 185.62.189[.]221, that was blocked due to it hosting alcatraz ransomware. I have now unblocked the IP, so it should be accessible again. Make sure to clean the malicious files up, or it might be blocked again automatically.
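The reply above makes the distinction that matters for anyone on shared hosting: the block was on the IP address, not on the domain, so every site resolving to that address is affected together. The following is an added example, not Avast's code or anything from the thread, of how an operator can check which of their domains share a blocklisted address. DNS answers and the blocklist are constructed stand-ins (the 185.62.189.221 entry mirrors the thread; the other domains and the CIDR entry are hypothetical), and the block is the membership check, since real blocklists are often published as ranges rather than single hosts.

```python
import ipaddress

# Constructed DNS answers: what a resolver would return for each of the
# operator's domains.  Two of them sit on the same VM as in the thread.
RESOLVED = {
    "poornsearch.com": ["185.62.189.221"],
    "neighbour.example": ["185.62.189.221"],        # hypothetical site on the same VM
    "in-range.example": ["198.51.100.7"],            # hypothetical site inside a listed range
    "unrelated.example": ["203.0.113.10"],           # hypothetical clean site
}

# Constructed blocklist: entries may be single hosts (/32) or whole ranges.
BLOCKLIST = {
    "185.62.189.221/32": "IP hosting ransomware (per the Avast reply in the thread)",
    "198.51.100.0/24": "hypothetical range entry",
}


def blocklisted_ips(domain, resolved=RESOLVED, blocklist=BLOCKLIST):
    """Return {ip: reason} for every address of `domain` inside a blocklist entry."""
    hits = {}
    for ip in resolved.get(domain, []):
        addr = ipaddress.ip_address(ip)
        for entry, reason in blocklist.items():
            # ip_network(..., strict=False) accepts ranges whose host bits are set.
            if addr in ipaddress.ip_network(entry, strict=False):
                hits[ip] = reason
    return hits


def domains_sharing_block(resolved=RESOLVED, blocklist=BLOCKLIST):
    """Group every affected domain under the blocked address it resolves to.

    A domain can be perfectly clean and still appear here: the listing is
    about the address, so cleaning the host (or moving off it) is the fix.
    """
    groups = {}
    for domain in resolved:
        for ip in blocklisted_ips(domain, resolved, blocklist):
            groups.setdefault(ip, []).append(domain)
    return groups


if __name__ == "__main__":
    for ip, domains in domains_sharing_block().items():
        print(ip, "->", ", ".join(domains))
```

In practice the RESOLVED map would be filled from live A/AAAA lookups and BLOCKLIST from the feeds the vendor publishes; the grouping tells the operator which sites on the VM are collateral and need to be checked alongside the infected one.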

Hey,

thanks for this support, I'm already in contact with the hoster of this server.

@Eddy
Suspicious code :
https://quttera.com/detailed_report/poornsearch.com

This is minified code from jQuery.


var Sizzle =
/*!
 * Sizzle CSS Selector Engine v2.3.3
 * https://sizzlejs.com/
 *
 * Copyright jQuery Foundation and other contributors
 * Released under the MIT license
 * http://jquery.org/license
 *
 * Date: 2016-08-08
 */
(function( window ) {

var i,
	support,
	Expr,
	getText,
	isXML,
	tokenize,
	compile,
	select,
	outermostContext,
	sortInput,
	hasDuplicate,

	// Local document vars
	setDocument,
	document,
	docElem,
	documentIsHTML,
	rbuggyQSA,
	rbuggyMatches,
	matches,
	contains,

	// Instance-specific data
	expando = "sizzle" + 1 * new Date(),
	preferredDoc = window.document,
	dirruns = 0,
	done = 0,
	classCache = createCache(),
	tokenCache = createCache(),
	compilerCache = createCache(),
	sortOrder = function( a, b ) {
		if ( a === b ) {
			hasDuplicate = true;
		}
		return 0;
	},

	// Instance methods
	hasOwn = ({}).hasOwnProperty,
	arr = [],
	pop = arr.pop,
	push_native = arr.push,
	push = arr.push,
	slice = arr.slice,
	// Use a stripped-down indexOf as it's faster than native
	// https://jsperf.com/thor-indexof-vs-for/5
	indexOf = function( list, elem ) {
		var i = 0,
			len = list.length;
		for ( ; i < len; i++ ) {
			if ( list[i] === elem ) {
				return i;
			}
		}
		return -1;
	},

	booleans = "checked|selected|async|autofocus|autoplay|controls|defer|disabled|hidden|ismap|loop|multiple|open|readonly|required|scoped",

	// Regular expressions

	// http://www.w3.org/TR/css3-selectors/#whitespace
	whitespace = "[\\x20\\t\\r\\n\\f]",

	// http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier
	identifier = "(?:\\\\.|[\\w-]|[^\0-\\xa0])+",

	// Attribute selectors: http://www.w3.org/TR/selectors/#attribute-selectors
	attributes = "\\[" + whitespace + "*(" + identifier + ")(?:" + whitespace +
		// Operator (capture 2)
		"*([*^$|!~]?=)" + whitespace +
		// "Attribute values must be CSS identifiers [capture 5] or strings [capture 3 or capture 4]"
		"*(?:'((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\"|(" + identifier + "))|)" + whitespace +
		"*\\]",

	pseudos = ":(" + identifier + ")(?:\\((" +
		// To reduce the number of selectors needing tokenize in the preFilter, prefer arguments:
		// 1. quoted (capture 3; capture 4 or capture 5)
		"('((?:\\\\.|[^\\\\'])*)'|\"((?:\\\\.|[^\\\\\"])*)\")|" +
		// 2. simple (capture 6)
		"((?:\\\\.|[^\\\\()[\\]]|" + attributes + ")*)|" +
		// 3. anything else (capture 2)
		".*" +
		")\\)|)",

I really don't know why Quttera thinks this is a suspicious file.

best regards