False positive doctorbormental.ru (37.200.68.79)

Hello!

About a week ago my client's site doctorbormental.ru (IP 37.200.68.79) was blacklisted, although it is fully clear of malware & viruses (https://www.virustotal.com/ru/url/45319d055e9fe604cc2915f7572877b0c5f87f3e4793992cd09d4c41a10eaecd/analysis/ https://www.metascan-online.com/en/ipscan/ZG9jdG9yYm9ybWVudGFsLnJ1). All messages to Russian support have achieved nothing. Avast is up to date.
What can I do to get the site removed from your blacklist?

VT doesn’t scan websites, it only checks some blacklists.

Lots of serious problems on the same IDS (about 200!!!):
http://urlquery.net/report.php?id=1417722066839

Redirection:
http://zulu.zscaler.com/submission/show/3290250791a004417ce511eec3403dbb-1417721885

Blacklisted IP:
http://multirbl.valli.org/lookup/37.200.68.79.html

Malicious code:
http://maldb.com/doctorbormental.ru/

Unable to connect to server:
https://www.ssllabs.com/ssltest/analyze.html?d=doctorbormental.ru

http://www.domxssscanner.com/scan?url=http%3A%2F%2Fdoctorbormental.ru

http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fdoctorbormental.ru&useragent=Fetch+useragent&accept_encoding=

Our forum friend Eddy already went over the most striking issues and scan results.
I have added some points below to stress some security issues,
after doing a 3rd party cold reconnaissance web security test.
This gave the following results (some probably used attack code is also explained):

The following is being flagged in the Included Scripts Scan: Suspect - please check the list for unknown includes

Suspicious Script:
doctorbormental dot ru//bitrix/js/main/core/core_ajax.js?141084693734917
document.createelement(‘iframe’); bx.hide_object(bx.ajax.history.obframe);document.body.appendchild(bx.ajax.history.obframe); *
Suspicious Script:
doctorbormental dot ru///vk.com/js/api/openapi.js
This is anomalous behavior detected (possible malware). Details: http://sucuri.net/malware/malware-entry-mwanomalysp8

404 error Check: Suspicious

Suspicious 404 Page:

Web rep stat issue: https://www.mywot.com/en/scorecard/moscow.doctorbormental.ru?utm_source=addon&utm_content=popup

polonus
(volunteer third party security website analyst and error-hunter)

Hello, Eddy & polonus!
Many thanks for quick answer!

But do you manually check these links & results?

Lots of serious problems on the same IDS (about 200!!!): http://urlquery.net/report.php?id=1417722066839
WAT?! I checked this test 5 or 6 times in different browsers and got "No alerts detected" and no other problem.
Redirection: http://zulu.zscaler.com/submission/show/3290250791a004417ce511eec3403dbb-1417721885
Yes, doctorbormental.ru redirects the user to the .doctorbormental.ru subdomain closest to him (by geolocation), for example moscow.doctorbormental.ru - is that suspicious?
Blacklisted IP: http://multirbl.valli.org/lookup/37.200.68.79.html
I see only 2 blacklisted results out of 280 and I think that's a very good result for a 13+ years old company with site services such as a forum & different user notifications.
Malicious code: http://maldb.com/doctorbormental.ru/
* http://doctorbormental.ru/ redirects to http://moscow.doctorbormental.ru/ - is that suspicious?
* 404 Not Found for http://moscow.doctorbormental.ru/vk.com/js/api/openapi.js/ , http://moscow.doctorbormental.ru/yandex.st/jquery/2.1.1/jquery.min.js/ and others - is that suspicious? In the HTML code, links to some files on CDN or social network API servers are written in protocol-less format such as "//vk.com/js/api/openapi.js" for loading external content over both http & httpS without modifying the code - is that suspicious? maldb.com's parser doesn't know about such links and treats them as the site's directories and gets 404 errors. The rest of maldb.com's results - clean.
Unable to connect to server: https://www.ssllabs.com/ssltest/analyze.html?d=doctorbormental.ru
Yes, the site doesn't work on httpS and port 443 is closed.
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fdoctorbormental.ru
I don't see any problem. Please write more details about what is suspicious, if anything.
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fdoctorbormental.ru&useragent=Fetch+useragent&accept_encoding=
301 Moved Permanently to http://moscow.doctorbormental.ru/, that is clear too. I don't see any problem. Please write more details about what is suspicious, if anything.
Web rep stat issue: https://www.mywot.com/en/scorecard/moscow.doctorbormental.ru?utm_source=addon&utm_content=popup
This reputation has a low confidence, which means not many people have rated the site.
- is that suspicious?

So, which real problems/suspicious things got the site blacklisted, and can I resolve them and delete the site from the blacklist?
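The post above explains why maldb.com reported 404s for paths like /vk.com/js/api/openapi.js: the scanner treated protocol-relative script URLs as local directories. The following added example (not code from the thread or from any scanner mentioned in it) resolves script includes the way a browser does and contrasts that with the naive path-gluing that produces those spurious 404s. The HTML fragment is constructed from the script names quoted in the thread; the host and functions are assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed fragment (not the real page) using the script names quoted in the thread.
SAMPLE_HTML = """
<script src="/bitrix/js/main/core/core_ajax.js?141084693734917"></script>
<script src="//vk.com/js/api/openapi.js"></script>
<script src="//yandex.st/jquery/2.1.1/jquery.min.js"></script>
"""

class ScriptSrcCollector(HTMLParser):
    """Collect the raw src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def extract_script_srcs(html):
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs

def naive_resolve(base, src):
    """Mimic a scanner that knows nothing about scheme-relative URLs and
    glues every src under the site root: this yields the 404 paths the
    thread quotes, e.g. http://moscow.doctorbormental.ru/vk.com/js/api/openapi.js"""
    return base.rstrip("/") + "/" + src.lstrip("/")

def classify_includes(base, html):
    """Resolve each src the way a browser does (RFC 3986 via urljoin) and
    label it 'local' if it stays on the page's host, else 'external'.
    Returns [(src, resolved_url, label), ...]."""
    base_host = urlsplit(base).netloc
    result = []
    for src in extract_script_srcs(html):
        resolved = urljoin(base, src)
        label = "local" if urlsplit(resolved).netloc == base_host else "external"
        result.append((src, resolved, label))
    return result

if __name__ == "__main__":
    base = "http://moscow.doctorbormental.ru/"
    for src, url, label in classify_includes(base, SAMPLE_HTML):
        print(f"{label:8} browser: {url}")
        print(f"         naive:   {naive_resolve(base, src)}")
```

A reviewer checking an "unknown includes" finding can thus separate genuinely external third-party scripts (vk.com, yandex.st) from scanner parsing artifacts before treating them as a sign of compromise.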

Hi mvs,

Now I went over that website for anything I could find of possible suspicious code and issues and errors.
This does not say why the site should not be benign. I have no reason to say it is malicious as such!
Anyone with the final verdict on this could only be an avast team member.
We are not. I am just a volunteer (not an avast member) with some relevant knowledge from years and years of “digesting” and analyzing code and malcode.
So contact avast via virus@avast.com and link to this thread and wait for a reaction.
Whenever a false positive detection is found, avast members are known to react rather quickly and unblock.
Anyway I'd like to thank you for reporting here and for the responsible attitude towards the security of your website’s visitors.
I wish a lot of other website owners and webmasters acted accordingly. :wink:

kind regards,

polonus

Hello polonus!

Thanks for hard site checking :slight_smile:

There is a strange problem with the avast team: I made 2 tickets to their support in the last week and received 2 positive answers that the site is good and will be removed from the blacklist at the next update, but this still hasn't happened.

Pol provided an e-mail, did you try it yet…!?

Hello,
the domain was unblocked yesterday.

Milos

mvs,
solved by avast within 24 hours :wink:

WAT?! I checked this test 5 or 6 times in different browsers and got "No alerts detected" and no other problem.
The internet is like an ocean, it is always in motion. When I checked there was one domain on the same IDS that had 185(!) level 1 issues. It can of course be that the host removed it, or the owners of the site removed it after I ran the test and before you did.

A redirection is by default suspicious.
This doesn’t mean it is bad by default, just that it can be.
It depends on how and why the redirection takes place.
Example:
I have www.ache.nl and it is about malware checking (and some other things)
I can create a subdomain like scanformalware.ache.nl
Just to make it easier for people to find my site.
Of course it is not needed to have a duplicate site on each (sub)domain.
So I redirect from scanformalware.ache.nl to www.ache.nl
That way I only have to maintain one website.
Completely legitimate and not harmful at all.

But a redirection can also take a visitor to “takemymoneyaway.please.com”
Which is a scam site.
In that case a redirection is of course not wanted.

So, which real problems/suspicious things got the site blacklisted, and can I resolve them and delete the site from the blacklist?
It depends on the blacklist. Some allow you to contact them to ask for a review/removal of the domain. Others don't allow you to (like apews, which you can't take seriously since they never clean up their database).

Anyway, most important is that the experts of avast had a look and the domain was removed from the block list.
Every user with the latest updates for avast should be able to visit the domain without any problems now. :slight_smile:

If you run into a problem or have a question, you know where to find this webboard :wink:
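Eddy's point above is that a redirect is worth a second look but is only a problem depending on where it leads. The following added example (not code from the thread) walks a chain of Location values and flags the first hop that leaves the original site, using the cases discussed in this thread as constructed input. The two-label approximation of the registrable domain and all function names are assumptions; a production checker should use the Public Suffix List instead.

```python
from urllib.parse import urljoin, urlsplit

def registrable_domain(host):
    """Last two labels of the host (e.g. 'doctorbormental.ru').
    Assumption: a two-label approximation instead of the Public Suffix
    List; multi-label suffixes such as co.uk would need the real list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_redirect(origin_url, location):
    """Classify one redirect hop.
    'same-site': target stays within the origin's registrable domain
    (doctorbormental.ru -> moscow.doctorbormental.ru, scanformalware.ache.nl -> www.ache.nl).
    'off-site' : target leaves it (www.ache.nl -> takemymoneyaway.please.com).
    A relative Location header is resolved against the origin first."""
    target_url = urljoin(origin_url, location)
    o, t = urlsplit(origin_url), urlsplit(target_url)
    if registrable_domain(o.hostname or "") == registrable_domain(t.hostname or ""):
        return "same-site", target_url
    return "off-site", target_url

def audit_chain(start_url, hops):
    """Walk a list of Location values (constructed here; a real tool would take
    them from the HTTP responses) and return the per-hop verdicts plus the
    first URL at which the chain leaves the original site, if any."""
    verdicts, current, first_offsite = [], start_url, None
    for loc in hops:
        verdict, nxt = classify_redirect(current, loc)
        verdicts.append((current, nxt, verdict))
        if verdict == "off-site" and first_offsite is None:
            first_offsite = nxt
        current = nxt
    return verdicts, first_offsite

if __name__ == "__main__":
    # Constructed chains modelled on the cases discussed in the thread.
    for start, hops in [
        ("http://doctorbormental.ru/", ["http://moscow.doctorbormental.ru/"]),
        ("http://scanformalware.ache.nl/", ["http://www.ache.nl/", "/scan"]),
        ("http://www.ache.nl/", ["http://takemymoneyaway.please.com/"]),
    ]:
        verdicts, offsite = audit_chain(start, hops)
        for src, dst, v in verdicts:
            print(f"{v:9} {src} -> {dst}")
        print("  leaves site at:", offsite or "never")
```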

Hi mvs, Eddy and Milos,

Always like it when a thread like this one ends in a success story and can get a final: SOLVED added to it.
All parties involved gain by this, and most important, the visitors of a particular site will run less risk.
So to all website owners and webmasters alike: whenever a problem arrives, report your issues here,

polonus

Yes, this topic has a happy end. Thanks all for all the support!