system
1
My site was blocked by avast as a false positive a few days ago and I can find no indication whatsoever of a problem.
The site is wxw.favorideas.com
I (hopefully) submitted a report on this although I was afraid it would go “nowhere.”
Posting here in case someone sees a problem that I didn’t catch.
Thank you!
Pondus
2
IP (198.55.110.8) is blacklisted here spamcannibal.org
system
3
I don’t understand … if the site has a hole in the mailservers, that’s bad, I’ll ask to have it tightened. Why would that have my website blocked as malware?
There are no other sites that report my site has any issues whatsoever. When I go to spamcannibal, I get this:
198.55.110.8.static.quadranet.com
spam source, anonymous/un-named IP
see:
198.55.110.6
My site is not on quadranet. Why does it say “see” and show another IP?
http://198.55.110.6/ has an unconfigured webserver and has no relation to mine. I see now, somehow SpamCannibal has erroneously grouped my IP in with this other server on quadranet. I read that they will penalize whole subblocks within an IP to make things easier if they see “enough” spam.
I don’t care about spamcannibal because my server is dedicated and does not send any email except to me.
How do I get this false positive removed with Avast?
Milos
4
Hello,
Here was “favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php” (Blackhole2 exploit); can you confirm that you have cleaned it? I suggest changing all passwords and updating all systems.
Milos
system
5
Thank you, Milos. Is there any site scan I can look at showing I had the Blackhole exploit on my server? I have not removed any malware or had any reports of it. I am looking at more scanners now and nothing finds anything. Can you tell me which site is reporting I had an exploit?
The following suspicious code was found on website:
w.sharethis dot com/button/buttons.js
Severity: Potentially Suspicious
Reason: Detected potentially suspicious content.
Details: Detected potentially suspicious initialization of function pointer to JavaScript method eval = eval;
Threat dump: view code here: http://jsfiddle.net/jPTLx/
Threat dump MD5: 837547ABDE283EDCF7EE57C624A04B74
File size[byte]: 142536
File type: ASCII
MD5: 55DDA51CBFA57CF3E8502F703DA9D16E
Scan duration[sec]: 7.986000
For: htxp://dnn506yrbagrg.cloudfront.net/pages/scripts/0006/5172.js?
see on that script link: https://www.mywot.com/en/scorecard/dnn506yrbagrg.cloudfront.net?utm_source=addon&utm_content=rw-viewsc
polonus
system
7
The ShareThis widget is one of the more popular social sharing codes on the internet … many many sites use ShareThis …
http://support.sharethis.com/customer/portal/articles/475097-ssl-support#sthash.pUItVphv.dpbs
Milos
8
Hello,
the URL I posted is typical for the BlackHole2 exploit. I don’t know about website cleaning tools, but I think you have some backup of your site code so you can compare it.
Milos
system
9
Milos … I want to move forward but I don’t know what to do.
I don’t know what site is reporting my site had a Blackhole exploit … I don’t know where this URL is reported; it does not exist on my site … if it did exist, I don’t know when … I have never had malware reported on my site or any kind of injection reported in years. Neither Google nor any other site reports a problem. There is nothing I know of to fix … so what now?
system
10
Still blocked as a malicious URL, still no reports of malware from anyone I can find.
LOL!
Snort /w Sourcefire VRT
Timestamp | Severity | Source IP | Destination IP | Alert
2014-04-17 04:37:22 | 1 | urlQuery Client | 198.55.110.8 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:23 | 1 | urlQuery Client | 198.55.110.8 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:47 | 1 | urlQuery Client | 173.194.70.102 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:47 | 1 | urlQuery Client | 173.194.70.156 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:48 | 1 | urlQuery Client | 173.194.70.156 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49 | 1 | urlQuery Client | 195.159.219.17 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49 | 1 | urlQuery Client | 54.224.64.238 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49 | 1 | urlQuery Client | 184.73.184.228 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
2014-04-17 04:37:49 | 1 | urlQuery Client | 195.159.219.17 | EXPLOIT-KIT Blackhole Exploit Kit landing page retrieval
Suricata /w Emerging Threats Pro
Timestamp | Severity | Source IP | Destination IP | Alert
2014-04-17 04:37:23 | 1 | urlQuery Client | 198.55.110.8 | ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI
2014-04-17 04:37:24 | 1 | urlQuery Client | 198.55.110.8 | ET CURRENT_EVENTS Blackhole 16/32-hex/a-z.php Landing Page URI
AND
Malicious: 100/100
Domain history:
http://www.favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php on 04/17/2014 at 02:57 GMT
http://Shop.favorideas.com/ on 04/02/2014 at 02:56 GMT
http://www.favorideas.com/ on 04/02/2014 at 02:51 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/wp-includes/js/l10n.js?ver=20101110 on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/wp-includes/bk-image-fileupload.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/astrack.js on 02/13/2013 at 17:42 GMT
http://www.favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php on 02/13/2013 at 17:41 GMT
http://www.favorideas.com/wp-content/plugins/wp-jquery-lightbox/lightbox.min.css?ver=1.2 on 12/25/2012 at 17:03 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 12/25/2012 at 16:56 GMT
http://www.favorideas.com/learn-about/wedding-planning/choosing-your-wedding-colors/ on 12/25/2012 at 16:56 GMT
http://www.favorideas.com/wp-content/themes/favoride/headerscripts.js on 12/25/2012 at 16:51 GMT
Technically speaking, your website has a 102/100 Malicious feedback… So, ugh, yeah. Not looking good.
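A defender-side check for the URI shape named in the Suricata alert above, added here as an example and not part of the thread: it scans web-server access-log lines for the Blackhole "16/32-hex/a-z.php" landing-page path and reports whether the server actually served it. The regex is my reading of the alert name rather than the Emerging Threats rule text, and the log lines are constructed (only the q.php path is taken from the thread).

```python
import re
from typing import Dict, List

# My reading of the alert "Blackhole 16/32-hex/a-z.php Landing Page URI":
# a directory of 16 or 32 lowercase hex characters, then a one-letter .php file.
# This is an assumption about the signature, not the Emerging Threats rule itself.
BLACKHOLE_URI = re.compile(r"^/(?:[0-9a-f]{16}|[0-9a-f]{32})/[a-z]\.php(?:\?.*)?$")

# Combined Log Format: client, identd, user, [timestamp], "METHOD path HTTP/x", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines. The first and last paths are the one quoted in
# the thread; the middle two are ordinary WordPress requests that must not trigger.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Apr/2014:04:37:22 +0000] "GET /2daf778b87c90c055cead7323ecf8bc6/q.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.6 - - [17/Apr/2014:04:37:40 +0000] "GET /wp-includes/js/l10n.js?ver=20101110 HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Apr/2014:04:38:01 +0000] "GET /learn-about/wedding-planning/ HTTP/1.1" 200 22000 "-" "Mozilla/5.0"
203.0.113.8 - - [17/Apr/2014:04:38:30 +0000] "GET /2daf778b87c90c055cead7323ecf8bc6/q.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""


def is_blackhole_landing_uri(path: str) -> bool:
    """True if the request path has the 16/32-hex/a-z.php shape."""
    return BLACKHOLE_URI.match(path) is not None


def find_blackhole_hits(log_text: str) -> List[Dict[str, str]]:
    """One record per request whose path matches the landing-page pattern.

    The status code answers the question raised in the thread: a 2xx means the
    server really served that page, a 404 only shows that someone asked for it.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_blackhole_landing_uri(m.group("path")):
            continue
        hits.append({
            "client": m.group("ip"),
            "time": m.group("ts"),
            "path": m.group("path"),
            "status": m.group("status"),
            "served": "yes" if m.group("status").startswith("2") else "no",
        })
    return hits
```

Run `find_blackhole_hits` over a real access log to see whether such paths were ever served (2xx) rather than merely requested; a served hit is the evidence the thread was missing.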
system
15
Two of the sites you list above show no threats at all on favorideas … the other two that you list are for this page:
favorideas.com/2daf778b87c90c055cead7323ecf8bc6/q.php
but this page does not exist …
I do not see any humor in this and I hope it is not frustrating; I would just like to get it resolved. If there are elements of my site that are, in fact, malicious in some way, I would be happy to remove them, but Facebook sharing widgets, Google ads, ShareThis etc. are not malicious.
I do not see any reports of any problem on the site in your last posts other than this q page which I have never seen and cannot see now. Are you able to load it?
I suspect your site is IP blacklisted. The reason is that other sites on the same IP as yours have been infected with the Blackhole Exploit Kit.
http://urlquery.net/report.php?id=1397702300520
On your ASN:
http://urlquery.net/report.php?id=1398620237407
http://urlquery.net/report.php?id=1398638723135
system
17
Oh, this looks very promising, thank you!!
I can ask my host to change the IP address.
I am embarrassed to say I am not sure what this ASN issue is or why I am grouped with those West African servers.
I am still mystified by this “q” page reported on that site. Is anyone able to load this, or could this be some kind of crossover from other domains reported on that ASN?
system
19
Thank you so much, I have thrown this at my host, hopefully they can give me an IP with less dodgy associates and this issue will clear up quickly!
Do know, I don’t work for AVAST!, but my guess is the IP is blacklisted given the other sites… What’s the warning? URL:Mal?