Greetings,
My website (wXw.ambracollege.com) is being blocked by Avast! and I don’t know the reason. We’ve scanned our server for worms or viruses and couldn’t find anything. What should we do in order to unblock it and discover detailed information regarding the blocking reason?
Appreciate an answer ASAP as our website is inaccessible and could be dangerous to unprotected visitors.
Thanks.
Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?
Also, please, check if there are infected gif images (resolved as infected server generated messages): http://forum.avast.com/index.php?topic=45658.0
Check here how to clean and make a website secure.
Hi francisco.neto, welcome to the forum
Please could you modify your post to deactivate the link (change www to wXw) to prevent others potentially becoming infected.
-
avast! also blocks the site via the network shield, which is usually down to continued infection
-
From looking at the site, it appears that there is a script that is causing avast! to alert. I cannot say what this script does exactly; all I know is that it is causing an alert… I will need someone from the avast! team to tell us why.
Scott
There is an indication that the home page is also loading a compressed javascript file and avast!’s web shield would also alert on that, see image.
Your site is also flagged by another tool, http://www.mywot.com/en/scorecard/ambracollege.com and this may be related to the current or prior infection.
Hello Again, Thanks for all previous replies.
We’ve migrated our website to a new and clean cloud instance, double-checked for viruses or worms, and put it behind a hardware firewall.
It is still being flagged as infected by Avast!.
Curiously, if you access the website using one of our domain aliases (e.g. wXw.ambracolege.com, where college is written with just one “L”) it is not flagged as infected by Avast!, even though it leads to the same website.
It looks like the domain ambracollege.com has been included in some sort of static Avast! infected domain list.
Is there such kind of list? Is there a way to know the exact reason why (which virus, worm, or file) our site is being flagged as infected by Avast!?
Appreciate any help, thanks.
Francisco.
Network Shield will continue to block the webpage. Generally they remove it from the blacklist once found clean.
Not sure how long that might take…
Is there a way I can ask someone from Avast! to verify if my domain is clean?
Report from Anubis - Analyzing Unknown Binaries
Scanned Url: hxxp://www.ambracollege.com
http://anubis.iseclab.org/?action=result&task_id=19260594e0dfdad04cd6da0e6264afa7c&format=html
The report shows the following risks:
* Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
* Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
* Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.
Report from Wepawet, a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.
Scanned Url: hxxp://www.ambracollege.com
http://wepawet.iseclab.org/view.php?hash=5512238680c584c9c9f3698b2c6c04ef&type=js
The report shows the following results:
* The last time we found it to be benign was at 2010-09-10 08:05:17.
* We never found it to be suspicious.
* We never found it to be malicious.
NOTE: Only avast! and GData showed a positive result in the VirusTotal link.
Currently letting Anubis analyze this link: hxxp://www.ambracollege.com/tracker.js
EDIT:
Second Report From Anubis
Scanned Url: hxxp://www.ambracollege.com/tracker.js
http://anubis.iseclab.org/?action=result&task_id=1768221bfa09c6d548d15658768f4d4d7&format=html
The report shows the following results:
* Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
* Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
* Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.
I’m really not sure if the Anubis report is related to Avast!’s infected flagging. The Anubis report shows the same results for:
- my domain (http://anubis.iseclab.org/?action=result&task_id=1f57c1bb1cef08394b9ac6072d7505791&format=html)
- www.google.com (http://anubis.iseclab.org/?action=result&task_id=1e6a14b44203b53c4a9359ea6812edbfe&format=html)
- www.avast.com (http://anubis.iseclab.org/?action=result&task_id=1730795cbf08140c4590d1f9fdda0c249&format=html)
I am still being flagged as infected by Avast! and GData only. Does anyone have any suggestions about what I should do?
Thanks.
It basically supports the avast detection, if for no clear common cause.
Why would this compressed javascript file be loaded in the first place on your site ?
Why would said compressed javascript file make changes to IE security settings; why would it modify and destruct files which are not temporary; why would it read and modify registry values?
The report shows the following results:
* Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web.
* Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary.
* Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys.
So to me it is still at the very least highly suspect.
Read the Anubis report again and look at the files it creates and reads, and the registry values it reads, creates and modifies, then ask yourself why (is all this necessary for an on-site script)?
To be completely honest, if we’re just going to rely on the reports I posted, then I’m taking francisco.neto’s side. I mean, if I had to pick a side. He made a very good point by linking Anubis’s report of Google.com.
Google.com’s results showed that it took almost exactly the same actions as his site (or rather, Google took the same actions and then some).
But obviously Anubis’s reports aren’t going to give us all the answers.
The question I have to ask: Does your website have a counter to report the number of visitors?
EDIT: I asked because I’ve heard that certain web counters (i.e. wxw.webstat.net and wxw.webstats.motigo.com) can be used to transmit malware.
http://malwaredatabase.net/blog/index.php/2008/09/04/antivirus-2009-brought-to-you-by-motigo/
(I realize both the last quote and the link are from '09 and '08, respectively.)
Another EDIT: I couldn’t find anything obviously suspicious viewing the Page Source of hxxp://www.ambracollege.com/
I went ahead and disabled avast! for the sake of looking over the site. I’ll let you guys know if my PC dies on me
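As an added example (not code from anyone in this thread), here is a small static checker for the two things the replies above tell the site owner to look for when reviewing the page source: an encrypted/obfuscated or packed inline script and a hidden iframe injected into the page. It uses only the Python standard library; the sample HTML and the host names in it are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Signature of the common "p,a,c,k,e,d" JavaScript packer wrapper.
PACKER = re.compile(r"eval\s*\(\s*function\s*\(\s*p\s*,\s*a\s*,\s*c\s*,\s*k\s*,\s*e")
# Calls that legitimate site scripts rarely need but obfuscated injections rely on.
OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

class PageAudit(HTMLParser):
    """Collects (finding, detail) pairs while the page is parsed."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script, self._buf = True, []
            host = urlparse(a.get("src") or "").hostname
            if host and host != self.site_host:          # script pulled from another host
                self.findings.append(("external-script", a["src"]))
        elif tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = HIDDEN_STYLE.search(a.get("style", "")) is not None
            if tiny or hidden:                              # 1x1 or invisible iframe
                self.findings.append(("hidden-iframe", a.get("src", "")))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._buf)
            if PACKER.search(body):
                self.findings.append(("packed-script", body[:40]))
            elif OBFUSCATION.search(body):
                self.findings.append(("obfuscation-call", body[:40]))

def audit_page(html, site_host):
    """Return the list of findings for one page; an empty list means nothing matched."""
    p = PageAudit(site_host)
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample: a clean same-site script, a packed inline script, a 1x1 hidden iframe.
SAMPLE = """<html><body><script src="/js/site.js"></script>
<script>eval(function(p,a,c,k,e,d){return p}('x',1,1,'y'.split('|')))</script>
<iframe src="http://injected.example/load" width="1" height="1" style="visibility:hidden"></iframe>
<p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE, "www.example.com"):
        print(kind, detail)
```

Hidden iframes and packed scripts are also what the thread's "compressed javascript file" and "obfuscated script or iframe" remarks point at, so a hit here is a reason to pull the offending file and compare it against a known-good copy from backup.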
The URL-block will be fixed with the next VPS update…
Thank you for all help, domain is now unblocked!