false positive

My site was blocked by avast as a false positive a few days ago and I can find no indication whatsoever of a problem.

The site is wxw.favorideas.com

I (hopefully) submitted a report on this although I was afraid it would go “nowhere.”

Posting here in case someone sees a problem that I didn’t catch.

Thank you!

IP (198.55.110.8) is blacklisted here spamcannibal.org

I don’t understand … if the site has a hole in the mailservers, that’s bad, I’ll ask to have it tightened. Why would that have my website blocked as malware?

There are no other sites that report my site has any issues whatsoever. When I go to spamcannibal, I get this:

198.55.110.8.static.quadranet.com

spam source, anonymous/un-named IP
see:
198.55.110.6
My site is not on quadranet. Why does it say “see” and show another IP?

http://198.55.110.6/ has an unconfigured webserver and has no relation to mine. I see now, somehow SpamCannibal has erroneously grouped my IP in with this other server on quadranet. I read that they will penalize whole subblocks within an IP to make things easier if they see “enough” spam.

I don’t care about spamcannibal because my server is dedicated and does not send any email except to me.

How do I get this false positive removed with Avast?

Hello,
here was “favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php” (Blackhole2 exploit); can you confirm that you have cleaned it? I suggest changing all passwords and updating all systems.

Milos

Thank you Milos, is there any site scan I can look at showing I had black hole exploit on my server? I have not removed any malware or had any reports of it, I am looking at more scanners now and nothing finds anything, can you tell me which site is reporting I had an exploit?

The following suspicious code was found on website:
w.sharethis dot com/button/buttons.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval = eval;
Threat dump: view code here: http://jsfiddle.net/jPTLx/
Threat dump MD5: 837547ABDE283EDCF7EE57C624A04B74
File size[byte]: 142536
File type: ASCII
MD5: 55DDA51CBFA57CF3E8502F703DA9D16E
Scan duration[sec]: 7.986000

For: htxp://dnn506yrbagrg.cloudfront.net/pages/scripts/0006/5172.js?
see on that script link: https://www.mywot.com/en/scorecard/dnn506yrbagrg.cloudfront.net?utm_source=addon&utm_content=rw-viewsc

polonus

The ShareThis widget is one of the more popular social sharing codes on the internet … many many sites use ShareThis …

http://support.sharethis.com/customer/portal/articles/475097-ssl-support#sthash.pUItVphv.dpbs

Hello,
the URL I posted is typical for the BlackHole2 exploit. I don’t know about website cleaning tools, but I think you have some backup of your site code so you can compare it.

Milos

Milos … I want to move forward but I don’t know what to do.

I don’t know what site is reporting my site had a black hole exploit … I don’t know where this URL is reported, it does not exist on my site … if it did exist, I don’t know when … I have never had malware reported on my site or any kind of injection reported in years. Google nor any other site reports a problem. There is nothing I know of to fix … so what now?

Still blocked as a malicious URL, still no reports of malware from anyone I can find.

11 IDS alerts
Intrusion Detection Systems
the file is hidden

http://urlquery.net/report.php?id=1397702300520

http://zulu.zscaler.com/submission/show/e7aa9779b99838c665950e079f5da7a0-1396407137

excessive evals

http://wepawet.iseclab.org/view.php?hash=f363f02fd91e2792537241943e3d3cf7&t=1397703787&type=js

http://wepawet.iseclab.org/view.php?hash=c6bb1e133fef843da3478f8b31c003cc&t=1397703942&type=js

LOL!
Snort /w Sourcefire VRT	
Timestamp	Severity	Source IP	Destination IP	Alert
2014-04-17 04:37:22	1	 urlQuery Client	 198.55.110.8	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:23	1	 urlQuery Client	 198.55.110.8	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:47	1	 urlQuery Client	 173.194.70.102	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:47	1	 urlQuery Client	 173.194.70.156	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:48	1	 urlQuery Client	 173.194.70.156	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49	1	 urlQuery Client	 195.159.219.17	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49	1	 urlQuery Client	 54.224.64.238	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49	1	 urlQuery Client	 184.73.184.228	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49	1	 urlQuery Client	 195.159.219.17	EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
Suricata /w Emerging Threats Pro	
Timestamp	Severity	Source IP	Destination IP	Alert
2014-04-17 04:37:23	1	 urlQuery Client	 198.55.110.8	ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI
2014-04-17 04:37:24	1	 urlQuery Client	 198.55.110.8	ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI

AND
Malicious 
100/100 Send us feedback

Domain history:
http://www.favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php on 04/17/2014 at 02:57 GMT
http://Shop.favorideas.com/ on 04/02/2014 at 02:56 GMT
http://www.favorideas.com/ on 04/02/2014 at 02:51 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/wp-includes/js/l10n.js?ver=20101110 on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/wp-includes/bk-image-fileupload.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/astrack.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php on 02/13/2013 at 17:41 GMT
http://www.favorideas.com/wp-content/plugins/wp-jquery-lightbox/lightbox.min.css?ver=1.2 on 12/25/2012 at 17:03 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 12/25/2012 at 16:56 GMT
http://www.favorideas.com/learn-about/wedding-planning/choosing-your-wedding-colors/ on 12/25/2012 at 16:56 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 12/25/2012 at 16:51 GMT

Technically speaking, your website has a 102/100 Malicious feedback… So, ugh, yeah. Not looking good.

Apart from that, there is excessive header information singing around globally and to potential attackers:
http://fetch.scritch.org/%2Bfetch/?url=+www.favorideas.com&useragent=Fetch+useragent&accept_encoding= (see overview)
This is a suspicious external script link: htxp://dnn506yrbagrg.cloudfront.net/pages/scripts/0006/5172.js?
Virus and adware on there: https://www.mywot.com/en/scorecard/dnn506yrbagrg.cloudfront.net?utm_source=addon&utm_content=rw-viewsc
hidden link: f755/5b0978e6d4b7036419922419d954f8c96f4a from google.com/coop/cse/brand?form=014978267664617683492:hnmfrer6nuy (2559 bytes, 314 hidden) …see jsunpack scan web cache: http://webcache.googleusercontent.com/search?q=cache:geTZ_GA-Sj0J:jsunpack.jeek.org/%3Freport%3D84aecf821a3c03ad64c04cb1308a1f41adf26e96+&cd=1&hl=nl&ct=clnk&gl=nl
code hiccup: wXw.favorideas.com/wp-includes/js/comment-reply.js?ver=20090102 benign
[nothing detected] (script) wXw.favorideas.com/wp-includes/js/comment-reply.js?ver=20090102
status: (referer=wXw.favorideas.com/wedding-themes/multicultural-themes/paris-theme-wedding/)saved 786 bytes 6185b986af821a054a3019dc326fc42420b63009
info: [decodingLevel=0] found JavaScript
suspicious:

pol
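The Suricata alert quoted above names the URI shape the ET rule looks for (a 16- or 32-hex-character directory followed by a single-letter .php file), which is exactly the shape of the q.php URL under dispute. The following is an added example, not code from the thread or from any of the scanners named in it: it scans web-server access-log lines in Combined Log Format for that URI shape and separates requests the server actually served (HTTP 200) from ones it refused (404), which is the question the thread keeps circling back to (did the page ever exist, or did the scanner only react to the URI pattern). The log lines are constructed; only the hex directory comes from the thread, the IPs and timestamps are made up.

```python
import re
from collections import Counter

# URI shape named by the ET rule "Blackhole 16/32-hex/a-z.php Landing Page URI":
# a 16- or 32-character hex directory, then a one-letter .php file, optional query.
BLACKHOLE_URI = re.compile(
    r"^/(?:[0-9a-f]{32}|[0-9a-f]{16})/[a-z]\.php(?:\?.*)?$", re.IGNORECASE)

# Apache/nginx Combined Log Format (only the fields we need are captured).
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

def parse_line(line):
    """Return a dict of fields for a CLF line, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None

def find_landing_page_hits(lines):
    """Return (path, status, ip, time) for every request whose path matches
    the Blackhole landing-page URI shape, whatever the HTTP status was."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and BLACKHOLE_URI.match(rec["path"]):
            hits.append((rec["path"], int(rec["status"]), rec["ip"], rec["time"]))
    return hits

def served_paths(hits):
    """Paths the server answered with 200: those really existed on the host.
    A URI that only ever drew 404s was never served and points at an IDS
    signature firing on the URL shape rather than at content on the site."""
    return sorted({path for path, status, _, _ in hits if status == 200})

def status_summary(hits):
    """Count matching requests by HTTP status code."""
    return Counter(status for _, status, _, _ in hits)

# Constructed sample log (hex directory taken from the thread; IPs are TEST-NET).
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Apr/2014:04:37:23 +0000] "GET /2daf778b87c90c055cead7323ecf8bc6/q.php HTTP/1.1" 404 209 "-" "urlQuery"',
    '203.0.113.7 - - [17/Apr/2014:04:40:01 +0000] "GET /wp-includes/js/comment-reply.js?ver=20090102 HTTP/1.1" 200 786 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Apr/2014:05:01:44 +0000] "GET /0123456789abcdef/a.php?x=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Apr/2014:05:02:00 +0000] "GET /abc/q.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    hits = find_landing_page_hits(SAMPLE_LOG)
    print(status_summary(hits), served_paths(hits))
```

Run it against the real access log (one line per list element) to see whether q.php ever returned 200; a host that only ever logged 404s for that path has nothing to clean, and the block is explained by the IP or ASN neighbourhood rather than by the site itself.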

Two of the sites you list above show no threats at all on favorideas … the other two that you list are for this page:

favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php

but this page does not exist …

I do not see any humor in this and I hope it is not frustrating, I would just like to get it resolved. If there are elements of my site that are, in fact, malicious in some way, I would be happy to remove them, but Facebook sharing widgets, Google ads, ShareThis etc. are not malicious.

I do not see any reports of any problem on the site in your last posts other than this q page which I have never seen and cannot see now. Are you able to load it?

I suspect your site is IP-blacklisted, the reason being that other sites on the same IP as yours have been infected with the Blackhole Exploit Kit.

http://urlquery.net/report.php?id=1397702300520

On your ASN:
http://urlquery.net/report.php?id=1398620237407
http://urlquery.net/report.php?id=1398638723135

Oh, this looks very promising, thank you!!

I can ask my host to change the IP address.

I am embarrassed to say I am not sure what this ASN issue is or why I am grouped with those West African servers.

I am still mystified by this “q” page reported on that site. Is anyone able to load this, or could this be some kind of crossover from other domains reported on that ASN?

http://en.wikipedia.org/wiki/Autonomous_System_(Internet)

Thank you so much, I have thrown this at my host, hopefully they can give me an IP with less dodgy associates and this issue will clear up quickly!

Do know, I don’t work for AVAST!. But my guess is the IP is blacklisted given the other sites… What’s the Warning? URL:Mal?