Domain and IP blocked by Avast

polonus · 2015-07-06T12:08:03.000Z

Eddy is right, flagged by Malware Script Detector v.2.0. detected Malware Customized XSS Malware in source:
https://s0.wp.com/_static/?? etc. etc. This is the Meta Tag "HTTP-EQUIV “REFRESH” - the client has to resolve: expound-v2.css?ver=2013-02-15s2.wp.com/wp-content/blog-plugins/wor… 0 B
https://s0.wp.com/_static/??-eJx9kdFO… 50.3 kB

[i]Basic Principle: Never attribute to malice what you can attribute to incompetence. The first place to look is for a problem on the page itself[/i].

Quote Info credits - Bob Trower.

polonus

system · 2015-07-06T22:07:26.000Z

Polonus I don’t understand your post.

I don’t get if you’re saying META REFRESH are bad in general, or if my website has one ore more malicious meta refresh.

polonus post:7:

Eddy is right, flagged by Malware Script Detector v.2.0. detected Malware Customized XSS Malware in source:
https://s0.wp.com/_static/?? etc. etc. This is the Meta Tag "HTTP-EQUIV “REFRESH” - the client has to resolve: expound-v2.css?ver=2013-02-15s2.wp.com/wp-content/blog-plugins/wor… 0 B
https://s0.wp.com/_static/??-eJx9kdFO… 50.3 kB

[i]Basic Principle: Never attribute to malice what you can attribute to incompetence. The first place to look is for a problem on the page itself[/i].
Quote Info credits - Bob Trower.
polonus

polonus · 2015-07-06T22:30:04.000Z

Hi Matteo45,

I mean as general it isn’t an elegant solution, a 301 isn’t.
These test however were passed succesfully: http://mobilefriendlytest.website/index.php
Mind the advice there. The refresh gets carried through resolving in multiple alert boxes.
If there were a malicious Meta Tag it would not be visible for the public (visitors).
In that case the easiest and safest fix is to completely wipe your public server space and DB,
then reinstall from a known clean backup.

polonus

system · 2015-07-13T20:21:42.000Z

I’m a bit curious in knowing how avast decides wether blocking a site or not.
I requested to get out of siteadvisor blacklist, few minutes ago site was removed and now avast is not blocking trucchislotmachine.com anymore. So it just checks mcafee blacklist? COOL!
I’m glad I don’t use MS win…

polonus · 2015-07-13T21:02:09.000Z

The website - trucchislotmachine.com is still being blocked by Avast Webshield as with URL:Mal
One of these domains on the same IP can also be responsible for the blocking:
http://sameid.net/ip → http://sameid.net/ip/188.121.50.243/
What should be done is that the server shouldn’t give out excessive server version info: Apache/2.2.15 (CentOS) to the world and attackers.
This could be easily mended by settings in the server configuration, so we get Apache period.
While even with CentOS 6.3 apache/2.2.15 (centos) is not vulnerabe to exploits, just turn off the Apache and PHP versions in the headers and miraculously you might get a clean bill of health…

polonus

system · 2015-07-16T20:30:25.000Z

Hi polonus,
thank you for your support.
I’ve hidden Apache and PHP version info in http header and all the previous issues, except:

email blacklists: most of them are automatic and/or distribuited and I cannot find out how to submit site for review
https://sitecheck.sucuri.net/results/trucchislotmachine.com => forced a rescan but it incorrectly sees website blacklisted on siteadvisor
meta refresh: I understand your concerns about unconditional redirects but unfortunately I cannot move to other solutions like php header redirect

Matteo

polonus · 2015-07-16T20:46:05.000Z

Hi Matteo,

Report to virus@avast.com and ask for an exclusion (refer to this thread here). They could consider that, I cannot as unblocking websites is only reserved for avast team members, I am just a volunteer here with relevant knowledge. Anyway you considerably improved your website security by reporting here. Stay secure with Avast!

Damian

P.S. Joomla scan OK: https://hackertarget.com/joomla-security-scan/
Note that this site: -http://www.open-society-kz.org/modules/mod_roknavmenu/themes/basic/code.php
had a threat identified as: Exploit.HTML.IFrame-6

pol

system · 2015-07-24T13:17:07.000Z

I sent an email 5 days ago, no reply and no action. Website trucchislotmachine.com is still blocked by avast.

Eddy · 2015-07-24T13:34:36.000Z

A email?
You need to submit a ticket.

system · 2015-07-24T22:58:05.000Z

polonus post:13:

Report to virus@avast.com and ask for an exclusion (refer to this thread here). They could consider that, I cannot as unblocking websites is only reserved for avast team members, I am just a volunteer here with relevant knowledge. Anyway you considerably improved your website security by reporting here. Stay secure with Avast!

That’s why I sent an email.

Where should I submit a ticket? I think I already did it, but I need to double check.

Matteo

Asyn · 2015-07-25T05:33:35.000Z

Matteo45 post:16:

Where should I submit a ticket? I think I already did it, but I need to double check.

Matteo

→ https://support.avast.com/Tickets/Submit

system · 2015-08-12T08:51:55.000Z

Asyn,
I submitted a ticked some weeks ago, I received an automatic reply and nothing else.
Domain is still blocked, I don’t understand why.

Do you think this is fair? My website is losing about 40-50 customers per day, I’m losing lot of money and Avast is not taking care of this false positive.

Someone please help me in contacting Avast.

Asyn · 2015-08-12T08:53:21.000Z

Post your ticket-ID.

system · 2015-08-16T08:44:15.000Z

Ticket ID: #IST-853-68707

jefferson sant:

The website is exploited by Angler ExploitKit. They need to clean all malware files on their hosting, change all their passwords and update all the systems.

Could you please give more details? Do you mean webserver tries to attack and exploit target pc installing angler exploit kit?

Thank you for your help.

Matteo

system · 2015-08-16T20:11:09.000Z

I used another pc with a new ip address to access the website, and I logged every communication with wireshark network analyzer.

I went through every single packet and I didn’t notice anything suspicious.

Do you have more details about infected files? Maybe there are some injected javascript functions I don’t see.

jeffersonsant · 2015-08-16T20:24:00.000Z

Matteo45 post:21:

I used another pc with a new ip address to access the website, and I logged every communication with wireshark network analyzer.

I went through every single packet and I didn’t notice anything suspicious.

Do you have more details about infected files? Maybe there are some injected javascript functions I don’t see.

Hello

I will check again there was a small problem on support
there was a response of duplicity, maybe tomorrow I can return feedback.

system · 2015-08-19T07:40:15.000Z

Thank you,
I’ll wait for some more info.

Matteo

jeffersonsant · 2015-08-19T21:30:01.000Z

Matteo45 post:23:

Thank you,
I’ll wait for some more info.
Matteo

It was sent to the analysts
Because there was no answer at least to get or delays resolution of issues support.
verification requested ID ticket has progress.

jeffersonsant · 2015-08-20T11:13:44.000Z

Matteo45 post:23:

Thank you,
I’ll wait for some more info.
Matteo

virus specialists informed me que website hxxp://trucchislotmachine.com/ is exploited by Angler ExploitKit as well.

Please let the owner of the website que know there is need to clean the website, update all the systems and change all passwords Their.

HonzaZ · 2015-08-20T20:05:00.000Z

Hi,
You still didn’t confirm that you changed passwords - if you didn’t, please do so immediately. I am unblocking the domain now.
Honza

Announcements