Hello,
my site is blocked by avast, so some users can’t use it. Avast claims that there is a trojan or something… Address of the website: hxtp://blog.wojtek.boo.pl.
Thanks in advance
Avast says JS:Redirector. So JavaScript garbage.
AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/boo.pl/
SUCURI FINDS THE JAVA MALWARE: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fblog.wojtek.boo.pl%2F
It’s just at the top of the site code. (Screenshot)
So your site got hacked most probably.
Quttera detects suspicious content: hxxp://www.quttera.com/detailed_report/blog.wojtek.boo.pl
See under scanned files analysis.
Comodo Report: http://app.webinspector.com/public/reports/17225447
URL Query is taking forever…
Hi Wojteg,
This detection is correct.
Please change http in your initial post to hXtp to avoid accidental clicks.
It looks like a Blackhole Exploit kit. Also see: http://sitecheck.sucuri.net/results/blog.wojtek.boo.pl/
@Steven Winderlich Please refrain from replying multiple times as this is considered spam. Please use the edit button instead.
Thanks,
~!Donovan
Just got a gzip attack from clicking above link. Could you modify quttera link to be hxxp instead of http? Thanks.
Done.
An IP block would also be installed, see: https://www.virustotal.com/en/ip-address/91.234.217.10/information/
mchain is right here, for this IP
First Bad Host Appearance approximately 6 months, 3 weeks ago
Last Bad Host Appearance within 5 months, 2 weeks
Bad Host Appearances 12 appearance(s) in spam e-mail or spam post urls
See: http://support.clean-mx.de/clean-mx/phishing.php?ip=91.234.217.10&sort=id%20DESC
boo.pl is a known PHISH! and Sucuri scan leads to this malware flagged: http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1.php
And see: hxtp://urlquery.net/queued.php?id=42577784 won’t resolve as avast! Web Shield detects JS:Redirector-ZK[Trj] there. *
So see: http://urlquery.net/queued.php?id=42578061 and http://urlquery.net/report.php?id=5656649
Link to CookieBomb detection: http://urlquery.net/report.php?id=5549372
polonus
Blackhole exploit
https://www.virustotal.com/nb/file/a7e3def5c17057e363883c1f1357b8d242afb30c7f4774a290e4015315a834a3/analysis/1379674182/
@ Steven Winderlich
Please use the Modify button (as you had to do with the URLs) rather than posting 4 posts in a very short time; it just makes the topic much longer. It is possible/better to do the analysis first, getting the information and links, then post it together in the one post.
Thank you for your replies. After some struggles I think I’ve fixed my page. It would be nice if you check it.
Well, avast is still alerting; there is a compressed script file (the /|>{gzip} at the end of the URL) being loaded when you visit the site (see attached image).
Since this is a live/real time scan by the web shield the/a problem still exists.
I don’t know how this is possible. I’ve redownloaded the Drupal files and skin folder from the Drupal site. And the scanner shows nothing now: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fblog.wojtek.boo.pl%2F
Hello,
There is no problem now, everything is OK.
No alerts for the site anymore here, everything seems fine.
Regards,
polonus
Trying to reconnect using firefox 24.0 I keep getting the connection has been reset error. So currently I can’t connect.
Hi DavidR,
As said no problem going there even with NoScript and RequestPolicy allowing access.
Can you see this without any avast alert? ->: http://jsunpack.jeek.org/?report=25cca3203547b9681dd897d102ccf27f8b605cf3
The problem for you may be that the blocking of the previous site may still be there for the browser cache version of the uncleansed page.
I did not visit that before, so I got a fresh unblocked version of that site page.
Damian
@ polonus
NOTE: For the future, visiting the jsunpack report page could make avast alert, as it has copies of the code it analyses and/or decodes.
I have an exclusion on the jsunpack report page, so I don’t get an alert, but I suspect you would if it contains a sample of the code which avast alerted in the first place.
I still can’t get the page to load perhaps because it was previously detected by the web shield and it blocked subsequent attempts to visit.
OK, Stopped and restarted the web shield and now I can visit the blog.wojtek.boo.pl site. So it looks clear now.
Thank you for your help!
You’re welcome.