F/P detection of The Rita Langworthy Foundation ????

ky331 · 2015-10-04T14:55:25.000Z

The Rita Langworthy Foundation is a recently organized charitable organization… their website is still being developed.

I used to be able to access it, but now avast is intercepting/blocking it, claiming it has a URL:Mal infection.

database 15-10-04.00, augmented by stream 15-10-04.01

Can someone check into and clarify the situation?? If it’s a F/P, then avast needs to correct it. And if you confirm there’s some hacked/actual malware there, then I can let the owner know what to look for [details would be appreciated]… to the best of her knowledge, the site should be clean.

http://www.ritalangworthyfoundation.org/

Detection rate is 0/65 on VirusTotal’s URL test https://www.virustotal.com/en/url/fda08d82f3597b7a719dc2d42c6dd45de5f3a4eb576e4c4eef378c1345849aa8/analysis/1443969814/

Pondus · 2015-10-04T16:02:39.000Z

claiming it has a URL:Mal infection.

URL:Mal = Blacklisted ... for whatever reason

IP history. https://www.virustotal.com/en/ip-address/143.95.44.95/information/

ky331 · 2015-10-04T16:15:08.000Z

Pondus,

I understand the concept, that it was “blacklisted … for whatever reason”…

and I realize that could mean that someone hacked into The Foundation’s page, injecting malware there. But another possibility is that it could be a F/P detection on avast’s part.

Can you, or anyone else, definitively determine which one it is? And in the event it’s malware, what can I tell the owner (who’s a friend) to help her locate and remove the infection?

ky331 · 2015-10-04T16:45:30.000Z

Pondus,

I see you edited your reply while I was typing mine.

Your link shows several different URL names, that all resolve to the same IP-Address… for example,
www.RitaLangworthyFoundation.org
and
www.BeachBumBikingClub.com

When I click on each of these links (on a PC NOT using avast), I see two very distinct webpages, each corresponding to the respective name. So how can these both share the same IP address 143.95.44.95 ?

EDIT: Okay, I’ve done some reading, and apparently HTTP version 1.1 indeed allows multiple distinct websites to share a single IP-Address… this was news to me. As a consequence, if avast [or any other anti-malware detector] uses IP-Address-based filtering, and if any ONE of the websites that share an IP-Address needs to be blocked, the ALL of them get blocked in the process… is that a correct analysis of what may be happening here?

=============

EDIT: Okay, so now I think I understand: One of the sites which also shares the IP address is hXXP://paypal.uppddateyouraccountinformation DOT com , which is a malicious phishing site. And so understandably, avast wants to protect its users from accessing it.

But in the process — by blocking ALL websites that resolve into (i.e., share) that same IP address — it’s not allowing access to a legitimate site (The Rita Langworthy Charitable Foundation).

I guess that explains what’s happening. But I just know the Foundation will not be happy with this explanation.

Pondus · 2015-10-04T19:01:28.000Z

Report it here and see what avast say https://support.avast.com → avast virus lab

ky331 · 2015-10-04T19:18:20.000Z

Thank you for you assistance… I have reported it as you suggested.

HonzaZ · 2015-10-04T19:44:28.000Z

Hi,
I am unblocking the IP right now.

Just to clear up some confusion:

yes, URL:Mal is blacklist for a variety of reasons;
when anyone visits a domain that has blocked IP, Avast complains about the IP - you can see it in the popup;
we do not automatically block the whole IP when there is a malicious domain, we block just the domain. But when there are only malicious domains on a single IP, we block the IP because there is a great chance that other malicious domains will appear in the future.

ky331 · 2015-10-04T22:12:35.000Z

HonzaZ,

Thank you very much for your assistance… I can confirm that I now have access to the Rita Langworthy Foundation’s website.

Just so I understand… avast will still block the fraudulent Paypal phishing site [or any other site(s) that were causing the original objection]??

HonzaZ · 2015-10-05T05:31:45.000Z

ky331,
Exactly. We can block the domain, the IP, or both. Until yesterday, we blocked the paypal domain and the IP, so when other domains emerged on the same IP, they appear blocked. This is exactly how we want it - the chances of appearing other malicious domains is higher than of appearing a clean domain. Yesterday I unblocked the IP, so other domains will not be blocked, just the paypal one.

Announcements