Avast is blocking our website

Hi,

Our website is schoolandhousing.com. We have been running for two years and serve many customers online. Today, we received a report from our customer saying our website is blocked by avast. Could someone please tell me what is wrong with our code and how to remove us from the block list?

Thanks a lot!

Eric

http://sitecheck.sucuri.net/results/schoolandhousing.com
http://labs.sucuri.net/db/malware/malware-entry-mwjs2368

No detection on VT…yet

https://www.virustotal.com/file/82b53e2afbf93a4333ec3b2450bf19d34f8ab587aef5d78d959692ccb1289f36/analysis/1351185315/
http://virusscan.jotti.org/en/scanresult/00807dc462e1bb496d4183f2e46615258f53071a

Hi,

I checked http://labs.sucuri.net/db/malware/malware-entry-mwjs2368 and found it is very strange. Our javascript code does not include anything like "newportalse.com" and the sample code like "var _0x4de4=["x64x20x35x28x29x7Bx62x20x30x3Dx32x2Ex63x28x22x33x22x29…"

I am very confused and do not know what to do. Could you please give me more help on this? Thanks!

Eric

Sucuri found it here: hxxp://www.schoolandhousing.com//js_pack/table_tooltip.js?sensor=1351186869601

I know it is the table_tooltip.js file that triggers this, but that file does not contain anything like "newportalse.com" or "var _0x4de4=["x64x20x35x28x29x7B…" We have no idea how to change the code to avoid that. Any hints? Thanks.

We do have obfuscated code for code safety purposes, but I would be surprised if that is considered a virus.

Eric

Norman lab

There is no malicious activity found. Wepawet also says it is clean now. There is no redirect link or any other malicious content found.

table_tooltip.js: Not Detected

Quttera gives another result: http://www.quttera.com/detailed_report/www.schoolandhousing.com
Potentially Suspicious
Details: Detected procedure that is commonly used in suspicious activity.
Reason 1.: Too low entropy detected in string '<span style=‘text-decoration:underline;cursor:hand;cursor:pointer;’ onclick='openNewWindow(' of length 22951 which may points to obfuscation or shellcode.
2. Potentially Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected generation of hidden DOM element [iframe],

polonus

Hi polonus,

Thanks for your help. We fixed some code and now it is clean on http://sitecheck.sucuri.net/results/schoolandhousing.com. However, our customer is still reporting an avast alert. Now you mentioned another link, http://www.quttera.com/detailed_report/www.schoolandhousing.com.

I have a few questions, please help us.

  1. Does avast use both sucuri and quttera to verify the code cleanliness? Are any other websites used? The problem is that even if we fix one, we do not know how many other verification websites avast is using and if we can pass the others.

  2. In the quttera link, there are two types of warnings: The first one is "Detected abnormal use of [iframe] elements. Treat it as suspicious." What does that mean? What is considered an abnormal use of iframe?

The second is “Too low entropy detected in string '<span style=‘text-decoration:underline;cursor:hand;cursor:pointer;’ onclick='openNewWindow(' of length 22951 which may points to obfuscation or shellcode.” We guess this is because we remove all newline characters in javascript for code safety purposes. Any hints on this one?

Thanks,

Eric
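
A sketch of the three static heuristics that the scanner reports in this thread describe (a `_0x…` array of hex-escaped strings, a very long low-entropy string literal, and a script-generated iframe), as an added example that is not part of the original posts and is not the logic of Avast, Sucuri or Quttera. The thresholds, rule names and sample inputs are assumptions constructed for illustration.

```javascript
// Added example; thresholds below are assumptions, not any vendor's real values.
const MIN_LONG_LITERAL = 1000;  // characters
const MAX_ENTROPY_BITS = 4.5;   // bits per character
const MIN_HEX_ESCAPES = 4;      // \xNN escapes in the file before rule 1 fires

// Shannon entropy of a string in bits per character.
function shannonEntropy(text) {
  const chars = Array.from(text);
  const counts = new Map();
  for (const ch of chars) counts.set(ch, (counts.get(ch) || 0) + 1);
  let bits = 0;
  for (const n of counts.values()) bits -= (n / chars.length) * Math.log2(n / chars.length);
  return bits;
}

// Bodies of quoted string literals (regex approximation, not a full JS parser).
function stringLiterals(source) {
  const re = /"((?:[^"\\\n]|\\.)*)"|'((?:[^'\\\n]|\\.)*)'/g;
  return Array.from(source.matchAll(re), (m) => m[1] ?? m[2]);
}

function scanScript(source) {
  const findings = [];
  // 1. Array named _0x... in a file that also carries \xNN-escaped strings.
  const packed = /\b(?:var|let|const)\s+(_0x[0-9a-f]+)\s*=\s*\[/i.exec(source);
  const hexEscapes = (source.match(/\\x[0-9a-f]{2}/gi) || []).length;
  if (packed && hexEscapes >= MIN_HEX_ESCAPES) {
    findings.push({ rule: "hex-packed-array", detail: `${packed[1]}: ${hexEscapes} escapes` });
  }
  // 2. Very long literal whose characters repeat a lot (low entropy).
  for (const lit of stringLiterals(source)) {
    const bits = shannonEntropy(lit);
    if (lit.length >= MIN_LONG_LITERAL && bits < MAX_ENTROPY_BITS) {
      findings.push({ rule: "long-low-entropy-string", detail: `${lit.length} chars, ${bits.toFixed(2)} bits/char` });
    }
  }
  // 3. iframe generated by script rather than present in the page markup.
  if (/createElement\(\s*["']iframe["']\s*\)|document\.write\([^)]*<iframe/i.test(source)) {
    findings.push({ rule: "dynamic-iframe", detail: "iframe created at run time" });
  }
  return findings;
}

// Constructed samples (not the site's real files).
const SPAN = "<span onclick='openNewWindow(1)'>x</span>";
const SAMPLE_FLAGGED = ['var _0x4de4=["\\x68\\x65\\x6c\\x6c\\x6f"];',
  'var tip = "' + SPAN.repeat(100) + '";',
  'var f = document.createElement("iframe"); f.style.display = "none";'].join("\n");
const SAMPLE_CLEAN = 'function showTip(el) { el.title = "Room details"; }';
for (const f of scanScript(SAMPLE_FLAGGED)) console.log(`${f.rule}: ${f.detail}`);
```

Run over a site's own deployed .js files, this shows which constructs are likely to trip third-party scanners; a hit is a prompt for review, not proof of infection.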

Avast uses its own functions to determine if a site is infected, etc. It is just that we avast users use other tools to visit suspect sites to investigate.

Hello,
thanks for the info, we will unblock the domain.

Milos

Hi Milos,

Thank you very much! Appreciate your help a lot.

Best,

Eric

Hi ericzz,

Landed there where we wanted to land with a clean slate and avast unblocking the site.
That is what we were after in the first place, weren’t we?

No, the third-party scanning we do here (sucuri’s, urlquery, quttera, jsunpack, clean mx, virustotal, redleg’s file viewer, etc. etc.)
is just so many ways of “cold reconnaissance” of what is wrong with a particular website's code.

There is a small group of forum users, all voluntarily involved, to check resources to help establish the presence of malcode.
And as I may say some have achieved quite some expertise in this field (!Donovan, Pondus, and quite a few others).

This is quite unrelated to what the avast team does (although we report to them via virus AT avast dot com).

My main advice, update all your website software, check your input for what should not be there,
harden your server software, check on best protocol practices.

And you will feel a lot better knowing that visitors of your site are not being endangered…

Stay safe and secure online and offline with avast,

polonus

Hi polonus,

Thank you very much for your help and advice! We will make a careful study of our code.

Best,

Eric