Hi,
how can I see why hxxp://use-wear-talk.com/ is blocked by Avast?
This started several days ago.
Hey and welcome to the forum.
First, please make the link unclickable, so change the link to wxw or something. We don’t want users to get infected by clicking that link.
Second, the Zulu scan did pick something up that could tell why Avast is alerting on the site.
http://zulu.zscaler.com/submission/show/f500dd549a7601eec3e7046bb4f967ae-1439360925
But I’m no expert at this. According to the result above it has something about known malware code in the past. Hopefully someone more knowledgeable can check this up and give you some more information.
zulu.zscaler.com reports score 34/100 (Benign)
The only point of concern is “Autonomous System Risk” which shows that IP range where site is hosted had problems in the past.
www.urlvoid.com shows that reputation is “green” (0/29), no problems detected.
So why is this site blocked by Avast?
I get three major warnings here: https://asafaweb.com/Scan?Url=use-wear-talk.com
There could be an XSS vulnerability in the client-side validation plug-in: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fuse-wear-talk.com (do you have all your jQuery updated and patched?).
Results from scanning URL: //fast.wistia.net/assets/external/E-v1.js. Please explain this code: R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw==
Does it mean, it is the last element in the set to fire the load event, then the callback func will fire?
Seems quite harmless.
I think the problem is indeed with the hoster of the domain for that IP:
DNS seems OK, except for abuse responding: http://www.dnsinspect.com/use-wear-talk.com/1439373839
IP does not seem to resolve here: http://toolbar.netcraft.com/site_report?url=http://50.97.76.64
Website Risk Status for IP: 9 red out of 10.
And more precisely I find also 7 out of 10 red for 50.97.76.64-static.reverse.softlayer.com: http://toolbar.netcraft.com/site_report?url=50.97.76.64-static.reverse.softlayer.com
Third party scan result info: 80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) *
|_http-methods: No Allow or Public header in OPTIONS response (status code 404)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found - Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
→ http://www.scip.ch/en/?vuldb.76457 Naming and privilege escalation problem.
- There are programming flaws in common UPnP discovery protocol (SSDP) implementations, which can be exploited to crash the service and execute arbitrary code, the exposure of the UPnP control interface (SOAP) on private networks, and programming flaws in both UPnP HTTP and SOAP overall.
You have to take this up with SoftLayer Technologies Inc.,US in Texas ;), as I can do no more than give you third party cold reconnaissance results, because I fear there are definitely issues with that server configuration for that IP.
polonus (volunteer website security analyst and website error-hunter)
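The base64 string quoted from the wistia script above is a data-URI GIF. As an added example (not code from any poster in this thread), the following walks the GIF block structure so you can confirm for yourself that it is a 1x1 placeholder pixel with nothing appended after the trailer:

```python
import base64
import struct

# The base64 blob quoted from the wistia script, embedded here as the sample input.
SAMPLE_B64 = "R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=="


def inspect_gif(b64_payload):
    """Decode a base64 GIF and walk its block structure.

    Returns a dict describing the image so the reader can judge whether an
    inline image is a plain 1x1 placeholder or carries unexpected extra data.
    """
    data = base64.b64decode(b64_payload)
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13  # header (6) + logical screen descriptor (7)
    global_colors = 0
    if packed & 0x80:  # global colour table present
        global_colors = 2 ** ((packed & 0x07) + 1)
        pos += 3 * global_colors

    def skip_sub_blocks(p):
        # data sub-blocks: <len><bytes>... terminated by a zero-length block
        while data[p] != 0:
            p += 1 + data[p]
        return p + 1

    images = extensions = 0
    saw_trailer = False
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:  # trailer
            saw_trailer = True
            pos += 1
            break
        if block == 0x2C:  # image descriptor
            _l, _t, _w, _h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            pos += 10
            if ipacked & 0x80:  # local colour table
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1  # LZW minimum code size
            pos = skip_sub_blocks(pos)
            images += 1
        elif block == 0x21:  # extension: label byte, then sub-blocks
            pos = skip_sub_blocks(pos + 2)
            extensions += 1
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos))
    return {
        "width": width, "height": height, "global_colors": global_colors,
        "images": images, "extensions": extensions, "trailer_ok": saw_trailer,
        "trailing_bytes": len(data) - pos,  # anything after the trailer is suspect
        "placeholder_pixel": width == 1 and height == 1 and images == 1,
    }
```

For the quoted blob this reports a 1x1 image with a two-colour palette, one image block, no extensions and zero bytes after the trailer, which is what a transparent spacer pixel looks like.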
Thank you for your answer polonus.
Maybe someone from the Avast team could share the exact reason why this page was blocked.
If you think it is wrong, report it here: https://support.avast.com > Avast Virus Lab
You should then get a reply with info.
Hi drazen.petrek2,
Just asked someone from Avast team to have a look at this very thread.
I cannot guarantee it, but I hope someone will react and clarify the detection.
polonus
I think this was flagged:
iFrame check: Suspicious
-//fast.wistia.net/embed/iframe/nogii33cpi’
See web rep flagged: https://www.mywot.com/en/scorecard/fast.wistia.net?utm_source=addon&utm_content=popup
Javascript check: Suspicious
<iframe src="-//fast.wistia.net/embed/iframe/nogii33cpi" allowtransparency="true" frameborder="0" scrolling="no">
This seems not to be there anymore: htxp://wistia.com/deliveries/d0de334c6442621fed1773cbed919bd6bb8faddf.bin
polonus
Also Virustotal shows all green
https://www.virustotal.com/hr/url/03deb7d1a8ce59550f89a5e603f54529c8ba6ec0e03419967d67e46f246dd226/analysis/1439392940/
Waiting for official Avast reply on this.
Avast team replied that the website is infected with Angler EK and that’s why it is blocked.
Can someone shed some information on how to remove and prevent this infection?
virustotal.com URL scanning found nothing on the site.
There is a specific obfuscated code pattern that takes visitors of the page to the Angler exploit landing place, this could be hidden in malvertised ad campaigns for instance or could work through an injected iFrame… The particular pattern is being detected by Avast AV. Avast Team member Milos’ advice is:
Clean the files on hosting, change passwords, update systems. And then create a ticket in https://support.avast.com/ → Avast Virus Lab for unblocking.
That is all we know so far,
polonus
I’ve reported to the Avast team (via ticket on support.avast.com) that several of the web sites hosted on our server were blocked by their antivirus software. They replied that three of them contained Avenger EK. They did not mention why they blocked other sites that were not affected by Avenger, but also said that those sites will be unblocked in upcoming virus definitions. It remains a mystery why those sites were blocked. Anyway, as far as for those sites which are affected by Avenger, I’ve installed the Avast file server security product in trial mode, scanned folders containing the sites that the Avast support team found containing Avenger, only to find out that the antivirus software running on our server did not find Avenger. Also, the Virustotal URL scanner found nothing on the same sites. Who can explain this? Also, how do we proceed from this point? We are losing money and time because of this situation.
You should wait for an explanation by an Avast team member of what their URL;Mal general detection is based on.
We here are volunteers with relevant knowledge, but not Avast team members.
e.g. Results from scanning URL: http://use-wear-talk.com/assets/e4ca9e9b/jquery.yiiactiveform.js
Number of sources found: 117
Number of sinks found: 92
Site has XSS DOM weaknesses, but that particular scan is not flagged, only going directly to the main site gives a webshield alert.
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fuse-wear-talk.com
polonus
"Also, Virustotal URL scanner found nothing on same sites."
VirusTotal does not scan the site for infections, it is a blacklist check.
Sucuri may help you. https://sucuri.net/
Guys, thank you for your patience on this.
This has still not been resolved, nor do I see it resolving anytime soon.
Avast team responded that just cleaning the server with their server product won’t do.
They said: "Only scanning the server won’t fix the Angler infection. Our Virus lab suggests to change all passwords and revisit web hosting data for malicious/suspicious files. "
Can someone translate “revisit web hosting data”?
Anyway, I’ve asked for additional information on where Avenger is.
About Sucuri. It is great, but works on a per-site basis. We need a whole-server solution. Also, they do not offer any kind of one-time-job cleaning services.
Do you know of any other services which offer one time cleaning + continuous protection on per server basis?
Just tested hxxp://use-wear-talk.com with
scanurl.net
sitecheck.sucuri.net
quttera.com
app.webinspector.com
www.siteguarding.com
Nothing found (surprise surprise)
Regards,
Drazen
"Do you know of any other services which offer one time cleaning + continuous protection on per server basis?"
Have you talked with Sucuri and asked what they can offer?
There is also http://www.quttera.com/home
Try Google > web server security
Hi,
I am unblocking the domain now ;-)!
Thank you, please unblock these sites also:
hxxp://www.framesemporium.com
hxxp://www.shadesbroker.com
hxxp://www.framesbroker.com
hxxp://www.alpharettacleaningdepot.com/
hxxp://www.ellecouturegowns.com/
Regards,
Drazen
I am unblocking them, but I spotted some very suspicious subdomains pointing to 85.143.216.53:
automatic.ellecouturegowns.com
strongest.ellecouturegowns.com
etc.
I strongly suggest updating all systems and changing all passwords (especially passwords of DNS hosting), or the domains might automatically be blocked in the future again.
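The suspicious subdomains above are the classic sign of a compromised DNS hosting account (rogue records added under a legitimate zone). As an added example that is not from any poster or from Avast, the following checks a zone export against the hoster's address space and lists every subdomain that points elsewhere; the zone text is constructed from the names and IPs mentioned in this thread, and the single /32 in EXPECTED_NETWORKS is an assumption to be replaced with the real hosting allocation:

```python
import ipaddress

# Constructed zone export in BIND style; the IPs are the ones discussed in the thread.
ZONE_EXPORT = """\
; constructed sample zone for ellecouturegowns.com
ellecouturegowns.com.            300 IN A     50.97.76.64
www.ellecouturegowns.com.        300 IN CNAME ellecouturegowns.com.
mail.ellecouturegowns.com.       300 IN A     50.97.76.64
automatic.ellecouturegowns.com.  300 IN A     85.143.216.53
strongest.ellecouturegowns.com.  300 IN A     85.143.216.53
cdn.ellecouturegowns.com.        300 IN CNAME cdn.example.net.
"""

# Assumption: the address space your hoster legitimately serves you from;
# only the single /32 from the thread is known here, widen it to the real range.
EXPECTED_NETWORKS = [ipaddress.ip_network("50.97.76.64/32")]


def parse_zone(zone_text):
    """Yield (owner, type, rdata) tuples from a BIND-style zone listing."""
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # owner [ttl] [class] type rdata; tolerate a missing TTL or class field
        owner = fields[0]
        rest = [f for f in fields[1:] if not f.isdigit() and f != "IN"]
        if len(rest) < 2:
            continue
        yield owner.lower(), rest[0].upper(), " ".join(rest[1:]).lower()


def find_rogue_records(zone_text, apex, expected_networks):
    """Return records that leave the hoster's networks or the zone itself.

    A/AAAA records outside expected_networks are the pattern behind the
    suspicious subdomains in the thread; CNAMEs to names outside the zone
    are returned too so they can be reviewed (some, like a CDN, are legitimate).
    """
    apex = apex.lower().rstrip(".") + "."
    rogue = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if not any(addr in net for net in expected_networks):
                rogue.append((owner, rtype, rdata))
        elif rtype == "CNAME" and rdata != apex and not rdata.endswith("." + apex):
            rogue.append((owner, rtype, rdata))
    return rogue
```

Run against the sample it returns the two "automatic"/"strongest" A records pointing at 85.143.216.53 plus the external CNAME, and leaves the apex, www and mail records alone.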
Thank you.
Any other suspicious subdomains?
We’ll change passwords for DNS hosting.
When will your updates be live?