Avast marking web page as virus - why

This should be taken up with the hosting party.

The website hxxp://use-wear-talk.com/ is still being blocked and I see various server configuration issues that have not been remedied; see the 3 warnings at https://asafaweb.com/Scan?Url=use-wear-talk.com

See risk status: http://toolbar.netcraft.com/site_report?url=http%3A%2F%2Fuse-wear-talk.com%2F

See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fuse-wear-talk.com%2F

and http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fuse-wear-talk.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

jQuery load page issue: assets/e4ca9e9b/jquery.js pagination issue.
Why the hxxp in these lines of code starting at line 1380?


1380:  < if​rame src=hxxp://fast.wistia.net/embed/ if​rame /nogii33cpi" allowtransparency="true" frameborder="0" scrolling="no"
1381:  class="wistia_embed" name="wistia_embed" allowfullscreen mozallowfullscreen webkitallowfullscreen oallowfullscreen
1382:  msallowfullscreen width="100%"> < / if​rame > < sc​ript src=hxxp://fast.wistia.net/assets/external/E-v1.js" async> < / sc​ript >

concerning Wistia dot com JavaScript Player API → E-v1.js
→ this is malicious according to Sucuri’s: https://www.virustotal.com/en/url/f6354c32cc1358503f478e56c0a0dfe426c03556b90b63d90dff27e166283daf/analysis/

Consider: http://www.exedb.com/systemfiles/e-v1,postroll-v1.js.html
used in a combined attack with hijacked DNS and affecting the .js.php files…

polonus (volunteer website security analyst and website error-hunter)

DNS passwords have been changed.
The sites are still blocked, have they been unblocked?

Also flagged: http://oscarotero.com/embed/demo/index.php?url=http%3A%2F%2Fwww.framesemporium.com&options[minImageWidth]=0&options[minImageHeight]=0&options[facebookAccessToken]=&options[embedlyKey]=&options[soundcloudClientId]=YOUR_CLIENT_ID&options[oembedParameters]=

polonus

Hi,
Apparently the whole IP 85.143.216.53 was blocked; I am unblocking it now. :wink:

85.143.216.53 is not ours…

No, it is not, and this also seems blocked by Avast: http://bestbuydiet.net/
because the URL is not valid. Suspected of ROKSO spamming.

polonus

Could be, however I am interested in exactly why Avast blocked our sites; suspicion alone is not enough.
The official answer from the team was that the sites were blocked because of the Avenger EK virus.

See for instance here: http://1col.ru/www.ellecouturegowns.com
I see no items; the hidden ASP code is for a state control mechanism. It is used to preserve view state and control state.

They are usually included in a div element, as we see here.

polonus

All domains except hxxp://www.ellecouturegowns.com/ have been unblocked, thank you HonzaZ.
Please unblock this last domain as well.

Regards,
Drazen

Why is this in the code there?

179:    var ip = '91.201.55.91';

See: https://www.virustotal.com/nl/ip-address/91.201.55.91/information/

polonus

Where did you find this code?

Should be ok in the next update :slight_smile:

The code is given in the Russian Low Level Site Explorer; it is just the code from that webpage, line 179:

function trackSearch(env, txt)
{
    var ip = '91.201.55.91';

    $.ajax({
        url: 'GownsWS.asmx/SearchTracking',

polonus
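The two snippets quoted so far are the two things a page audit should surface: resources pulled in from hosts the site does not own (the Wistia iframe and E-v1.js at line 1380) and an address hard-coded into inline script (`var ip = '91.201.55.91'` at line 179). The following Python scanner is an added example, not code from this thread, from Avast or from any of the sites discussed. The HTML it feeds itself is constructed to mirror those two snippets, and `own_hosts`, `audit_page` and the shape of the finding tuples are names chosen here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Candidate dotted-quad literals; the octet range is checked separately.
IPV4_RE = re.compile(r"(?<![\w.])((?:\d{1,3}\.){3}\d{1,3})(?![\w.])")

# Tags whose src/href/data attribute pulls a remote resource into the page.
LOADER_TAGS = {"script": "src", "iframe": "src", "img": "src",
               "embed": "src", "object": "data", "link": "href"}


class _Collector(HTMLParser):
    """Collect remote loads and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.loads = []            # (tag, url) for every loader tag with a source
        self.inline_scripts = []   # text of each <script> that has no src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = LOADER_TAGS.get(tag)
        if attr and a.get(attr):
            self.loads.append((tag, a[attr]))
        if tag == "script" and not a.get("src"):
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def _valid_ipv4(s):
    return all(0 <= int(o) <= 255 for o in s.split("."))


def audit_page(html, own_hosts):
    """Return findings as (kind, where, value) tuples.

    kind is 'third_party_load' (resource host not in own_hosts) or
    'hardcoded_ip' (dotted-quad literal inside an inline script).
    """
    c = _Collector()
    c.feed(html)
    c.close()
    findings = []
    for tag, url in c.loads:
        host = urlparse(url).hostname          # None for relative URLs -> same origin
        if host and host.lower() not in own_hosts:
            findings.append(("third_party_load", tag, host.lower()))
    for js in c.inline_scripts:
        for lit in IPV4_RE.findall(js):
            if _valid_ipv4(lit):
                findings.append(("hardcoded_ip", "inline-script", lit))
    return findings


# Constructed sample page mirroring the two snippets quoted in the thread
# (the Wistia embed and the trackSearch() function). Not the real page source.
SAMPLE_HTML = """
<html><head>
<script src="assets/e4ca9e9b/jquery.js"></script>
</head><body>
<iframe src="http://fast.wistia.net/embed/iframe/nogii33cpi" allowtransparency="true"
 class="wistia_embed" name="wistia_embed" allowfullscreen width="100%"></iframe>
<script src="http://fast.wistia.net/assets/external/E-v1.js" async></script>
<script>
function trackSearch(env, txt)
{
    var ip = '91.201.55.91';
    var build = '2.0.1.999';   /* version-like string, rejected by the octet check */
    $.ajax({ url: 'GownsWS.asmx/SearchTracking' });
}
</script>
</body></html>
"""

# Assumed hosts the site owner controls; anything else is a third-party load.
OWN_HOSTS = {"www.ellecouturegowns.com", "ellecouturegowns.com"}


def demo():
    return audit_page(SAMPLE_HTML, OWN_HOSTS)


if __name__ == "__main__":
    for f in demo():
        print(*f)
```

Relative URLs such as `assets/e4ca9e9b/jquery.js` are treated as same-origin and not reported; protocol-relative `//host/...` sources are resolved to their host like any other. A hit on `fast.wistia.net` only says the page loads third-party code, not that the code is hostile; that judgement still needs the scanner reports linked above.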

Btw several subdomains still point to malicious IPs, for example:

Name: acknowledges.ellecouturegowns.net
Address: 85.143.216.53

and many more:
acknowledges.ellecouturegowns.net
automatic.ellecouturegowns.com
strongest.ellecouturegowns.com
democratic.ellecouturegowns.info
depreciation.ellecouturegowns.net
fight.ellecouturegowns.org
ingres.ellecouturegowns.net
jean.elledancestudio.com
recognized.ellecouturegowns.org
staff.ellecouturegowns.org
analysis.ellecouturegowns.net
plains.ellecouturegowns.org

If this does not stop immediately, the domains will be blocked again!

We are not using the ellecouturegowns.net domain at all for our webs, although we have it registered. We use only the .com suffix.
85.143.216.53 was a generic () GoDaddy DNS entry for any subdomain on the ellecouturegowns class of domains (net, org, com…).
I have removed the "
" DNS entries; please check now. It will take some time for DNS to propagate.

Regards,
Drazen
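HonzaZ's list and Drazen's reply describe the same thing from two sides: a wildcard record under each ellecouturegowns apex answered every label with the shared parking address, so those subdomains "existed" only because of the wildcard. The Python check below is an added example, not code from this thread or from Avast: it probes each apex with a random label (any answer means a wildcard record is present), resolves the reported names against a blocklist, and runs against a constructed zone so it works offline. `system_resolver` is included for live use; `BLOCKLIST`, `RECORDS`, the two-label apex rule in `apex_of` and the documentation address 203.0.113.10 are assumptions made here.

```python
import secrets
import socket

# Addresses the thread reports as blocked or malicious; treated as a blocklist input.
BLOCKLIST = {"85.143.216.53", "91.201.55.91"}


def system_resolver(name):
    """Live lookup via the OS resolver (not used by the offline demo below)."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def make_fake_resolver(records, wildcards):
    """Offline stand-in for DNS: exact records plus a per-apex '*' answer."""
    def resolve(name):
        name = name.rstrip(".").lower()
        if name in records:
            return set(records[name])
        for apex, ip in wildcards.items():
            if name.endswith("." + apex):        # '*' catches every unlisted label
                return {ip}
        return set()
    return resolve


def apex_of(name):
    # Assumes two-label registrable domains (example.com); wrong for co.uk and similar.
    return ".".join(name.lower().split(".")[-2:])


def detect_wildcard(apex, resolve):
    """Resolve a label nobody would have created; any answer means '*' exists."""
    probe = f"{secrets.token_hex(8)}.{apex}"
    return resolve(probe)


def audit_names(names, blocklist, resolve):
    """Findings: ('wildcard', apex, ips, hits_blocklist) and ('blocklisted', name, ips, True)."""
    findings = []
    for apex in sorted({apex_of(n) for n in names}):
        wild = detect_wildcard(apex, resolve)
        if wild:
            findings.append(("wildcard", apex, sorted(wild), bool(wild & blocklist)))
    for n in names:
        hit = resolve(n) & blocklist
        if hit:
            findings.append(("blocklisted", n.lower(), sorted(hit), True))
    return findings


# Names from HonzaZ's list above.
REPORTED = [
    "acknowledges.ellecouturegowns.net", "automatic.ellecouturegowns.com",
    "strongest.ellecouturegowns.com", "democratic.ellecouturegowns.info",
    "depreciation.ellecouturegowns.net", "fight.ellecouturegowns.org",
    "ingres.ellecouturegowns.net", "jean.elledancestudio.com",
    "recognized.ellecouturegowns.org", "staff.ellecouturegowns.org",
    "analysis.ellecouturegowns.net", "plains.ellecouturegowns.org",
]

# Constructed zone data: the real site on a documentation address, and a '*'
# record on each ellecouturegowns apex pointing at the shared parking IP.
RECORDS = {"www.ellecouturegowns.com": ["203.0.113.10"]}
WILDCARDS_BEFORE = {a: "85.143.216.53" for a in
                    ("ellecouturegowns.com", "ellecouturegowns.net",
                     "ellecouturegowns.org", "ellecouturegowns.info")}


def before_fix():
    return audit_names(REPORTED, BLOCKLIST, make_fake_resolver(RECORDS, WILDCARDS_BEFORE))


def after_fix():
    return audit_names(REPORTED, BLOCKLIST, make_fake_resolver(RECORDS, {}))


if __name__ == "__main__":
    for f in before_fix():
        print(*f)
    print("after removing '*':", after_fix())
```

For a live check, pass `system_resolver` in place of the fake one; because resolvers cache, expect the "after" run to keep returning the old answer until the record TTL expires, which is the propagation delay Drazen mentions.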

This has a Netcraft Risk Rating of 7 red out of 10: http://toolbar.netcraft.com/site_report?url=http://85.143.216.53
bulk registering.
You are out on left AS → http://bgp.he.net/AS201848 → as-block: AS201216 - AS202239
This AS number doesn’t appear to exist right now, and so we are unable to generate a report.

polonus

Thanks for the info, Drazen!

HonzaZ, ellecouturegowns.com is still blocked, please check.

Regards,
Drazen

I can access the website without any warning; can you post a screenshot? What does the warning say?

https://www.dropbox.com/s/xv9apvicx06wpcs/Screenshot%202015-08-22%2022.49.54.png?dl=0
Virus definition version: 150820-1

Regards,
Drazen