False Positive Website?

system · 2014-03-18T23:00:52.000Z

Avast is blocking the following site, but VirusTotal finds nothing. Maybe the site doesn’t exist anymore but the “down or is it me” sites say it’s up.

myrtv.eu

Eddy · 2014-03-18T23:11:47.000Z

http://zulu.zscaler.com/submission/show/840a33bb5fd1ee9a111f1234902b0fb5-1395184048

Pondus · 2014-03-18T23:31:38.000Z

IP (37.7.63.134) is on these blacklists i2.apews.org / pbl.spamhause.org / zen.spamhaus.org / dyn.shlink.org

polonus · 2014-03-18T23:34:28.000Z

That zuluZscaler scan is benign.

The block is for that IP domain is on, e.g.: -http://31.7.63.194/ giving the same avast! blocking result.
IP which is blacklisted once here: http://www.ipvoid.com/scan/31.7.63.194/ for spam abuse!
IP was on a bogons list 4 years ago with threat danger level 1 according to ThreatSTOP!
I get a connection times out here: http://urlquery.net/report.php?id=1395184118782 probably because of avast’s Web Shield URL:Mal block!
Nothing here: https://www.virustotal.com/nl/url/503863c0157d5bdbebc5215e114a094410ed7821f45022ac3a42c5fb12af08ab/analysis/1395184254/
Code is up: http://web-sniffer.net/?url=http://myrtv.eu/&verbose=on
Avast flags as URL:Mal as we explained higher up why that is.
See DNS issues here: http://dnscheck.pingdom.com/?domain=myrtv.eu&timestamp=1395184490&view=1
and http://dnscheck.sidn.nl/?time=1395184419&id=1741142&view=basic&test=standard
See: https://dns.l4x.org/31.7.63.194 & http://toolbar.netcraft.com/site_report?url=http://myrtv.eu
Reason for block - spamming contact forms - dns01? Looking for something -

polonus

system · 2014-03-18T23:43:45.000Z

@polonus Can you explain in simple terms if Avast! should be blocking this site when Virustotal finds nothing. Spamming contact forms? What does that mean and if it’s such a problem why does Virustotal find a problem with it?

@Pondus None of those addresses work for me although I did find those sites. What do those sites tell me about the site I was asking about? A blacklist by whom, and for what reason?

Thanks.

Pondus · 2014-03-18T23:51:47.000Z

seems to be spam

check your IP here. http://whatismyipaddress.com/blacklist-check

polonus · 2014-03-19T00:07:39.000Z

Hi VFN,

Apparently the IP is being blocked by avast! because of spam abuse.
Although this report is not very outspoken: https://www.projecthoneypot.org/ip_31.7.63.194
IP might have been involved in forum spam and therefore being blocked
The domain has migrated from 2013-10-14 myrtv.eu 81.17.20.3 to the IP it has now.

polonus

system · 2014-03-19T00:12:53.000Z

Okay thanks polonus-don’t really understand spam abuse but I get it’s not a good thing.

@Pondus Is that link showing me that my IP has been blacklisted by a few services and thus I’m being blocked from visiting certain sites?

Pondus · 2014-03-19T00:32:14.000Z

it show that IP adress for the site you mentioned in your first post is on several blacklists…and i assume that is the reason why avast block it

when you enter that site it will display your IP…if you click the button it will check it
if you want to check another IP…the one for that site, write it in and click check button
the check may take a few minutes

system · 2014-03-19T00:45:18.000Z

Yes and my IP is blacklisted a few times.

Well. thanks for your time and help guys, I really appreciate it.

polonus · 2014-03-19T01:15:19.000Z

Hi VFN,

Just a minor incident or infection could lead to a whole range of IP double quads on a rack being blacklisted.
Especially in the States admins seems to be rather trigger happy and these blocks can go on for years and years and years.
This while incidents were never again seen or reported.
Sometimes you need to mail these folks personally (abuse addresses) in order to be able to connect out there again from that particular IP…

Check with iPilion for instance: http://www.ipillion.com/
See: http://www.ipillion.com/ip/31.7.63.194
There you may see there were none complaints for that IP recently.
The apews.org list needs to be cleansed of a lot of obsolete flags it still keeps until now,
like the rest of the Internet it is reacting like the old elephant: it will never forget. ;D

polonus

system · 2014-03-19T01:44:15.000Z

Thanks polonus, will check things out.

system · 2014-03-19T02:08:04.000Z

Just wanted to add that some time ago a friend sent me an email with a link that sent me to one of those “make money easy” sights and after I clicked it I soon realized that my email was then used to send that link to all others in my address list. It seemed like a one time thing as I could find no infection and nothing has happened since p since so maybe the blacklist has something to do with that.

polonus · 2014-03-19T13:21:47.000Z

Hi VFN,

For future issues, ask the Interwebs first ->: http://www.jasonmorrison.net/is-this-a-scam/

Scam and spam sites and mails could do redirects and redirects can go to places to load additional malcode.
Be sure to always fully update and patch your OS and third party software to be less vulknerable,
see avast av solution’s Software-updater!
Furthermore watch your clicks. Now you have found your way here, you know where to find us
whenever there is a necessity,

Be safe and secure,

Damian

system · 2014-03-19T15:03:44.000Z

I am getting (using Avast Internet Security) what appears to be a false positive for http://duxburyclipper.com. The site is in frequent use, does not get flagged by any other anti-malware products (e.g. Norton, McAfee, AVG, Kapersky, etc.), and does not seem to have infected any computers with any malaware. It is a local newspaper’s site. I called Avast support, allowed a remote session on one of my computers, and got a rather snarky assertion that something must be wrong with my computer and that there was no way this was a false positive from Avast. I’m reasonably sure, however, that it is. Anyone got any idea what’s going on here? Thanks!

polonus · 2014-03-19T16:07:02.000Z

That is a valid detection. iFrame check: Suspicious
htxp://duxburyclipper dot ma dot newsmemory.com/’
Javascript check:
Suspicious
guage=“javascript”> function dnnviewstate() { var a=0,m,v,t,z,x=new array(‘9091968376’,‘8887918192818786347374918784939277359287883421333333338896’,‘778787’,'949990
See for the SEO Spam malware detected: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fduxburyclipper.com
Site vulnerable because of: Joomla version outdated: Upgrade required.

polonus

Pondus · 2014-03-19T16:08:48.000Z

canopusresearch post:15:

I am getting (using Avast Internet Security) what appears to be a false positive for http://duxburyclipper.com. The site is in frequent use, does not get flagged by any other anti-malware products (e.g. Norton, McAfee, AVG, Kapersky, etc.), and does not seem to have infected any computers with any malaware. It is a local newspaper’s site. I called Avast support, allowed a remote session on one of my computers, and got a rather snarky assertion that something must be wrong with my computer and that there was no way this was a false positive from Avast. I’m reasonably sure, however, that it is. Anyone got any idea what’s going on here? Thanks!

you dont say what avast say? …is it URL:mal ?

urlvoid. http://www.urlvoid.com/scan/duxburyclipper.com/

system · 2014-03-19T16:21:38.000Z

Thanks for the link polonus and thanks to you both for the help.

Announcements